In most organizations, mainframe security is something that’s taken for granted. After all, the earliest mainframes were practically impenetrable – we call that The Fortress Myth. Even today, when mainframe access has grown far more complex, most IT leaders continue to assume that their mainframes are inherently secure. This is a critical oversight, since there can be no system security without operating system integrity.
Key Resources’ team of mainframe security experts will deliver a quality Vulnerability Assessment of your organization’s mainframe. Our Vulnerability Management Program enables clients to better protect their IBM® z/OS® systems, the data accessed through those systems, and their corporate reputations by identifying vulnerabilities before they can be exploited (zero day vulnerabilities).
Our mainframe security experts will:
- identify potential vulnerabilities
- collect information about these vulnerabilities
- create exploits if necessary
- and will assist the client when presenting this information to Internal Development teams or Independent Software Vendors (ISVs).
Our proven methodology ensures our clients get results, on time and within budget. Our Vulnerability Assessment includes, but is not limited to:
- the outcomes from comprehensive testing
- as well as detailed reports designed to help the organization remediate any exposures, whether they are in a third-party vendor’s software or internal to the organization
Using a combination of manual and automated techniques we perform controlled, automated penetration tests on your mainframe. Based on the vulnerabilities we find, we will attempt to gain access to system software files, security files and databases, applications and their databases, and other critical services. We will identify vulnerabilities on your system that you were unaware of (zero day vulnerabilities). Each of these identified vulnerabilities may allow unauthorized users the ability to bypass your configured security with no trace of the actions.
Before the project begins the Key Resources, Inc. (KRI) Ethical Hacking Team (EHT) will work with you to identify the target for the Vulnerability Assessment. Typically, these scans are divided up as follows:
A Vulnerability Assessment is completed in four phases. The Mainframe Systems Vulnerability Assessment includes:
- Phase 1: Tools based extract processing based upon client target
- Phase 2: Test case generation and execution
- Phase 3: Analysis of test case results, generation of exploits and the demonstration (if required) of the ability to exploit security weaknesses
- Phase 4: Remediation Reporting
During the first phase the Key Resources team will review the targeted authorized routines on your z/OS system. This may include SVCs, PC routines; APF authorized programs and system exits. There may be several thousand authorized programs identified in this phase.
During phase two, the our team will probe each of the authorized routines looking for vulnerabilities. Multiple probes will be done for each authorized routine. The following categories of vulnerabilities will be identified:
- Store into caller specified addresses in system key
- Branch to caller specified addresses in system key
- Load information into General Purpose Registers in system key
- Return control in an authorized state
During phase three the Key Resources team will:
- Analyze the results from each test case
- Create an exploit, if required. All exploits will be high risk vulnerabilities.
During phase four the Key Resources team will:
- Create a remediation report of all vulnerabilities found
- Prioritize vulnerabilities
- Assist client in the remediation process by helping them report the vulnerability to the vendors involved or help their internal design teams re-design their software to avoid the vulnerability issue
The Lifecycle of a Vulnerability
The lifecycle of a vulnerability on the mainframe is the same as it is on all software platforms.