The mainframe is known for unmatched security, but even the most hardened platforms can fall to the growing set of tactics in attackers' arsenals. For organizations across industries, keeping enterprise and client data safe needs to be at the forefront of IT strategy.
Across enterprises, penetration testing, or pentesting, is a key security practice, providing necessary insight into whether a system's configuration actually enforces the controls it is supposed to. Interestingly, it is a relatively recent practice on the mainframe.
A modern mainframe security strategy requires multiple forms of monitoring and testing. With many organizations suffering from a mainframe security awareness gap, it is easy to forget that examining OS-level code is just as important as attempting to poke holes in configuration. Together, pen tester Chad Rikansrud, Practice Director at NetSPI, and Lou Losee, Director of Security Services & Compliance Officer at KRI, shared how penetration testing and vulnerability scanning differ, and how the two come together to support a complete mainframe security strategy.
What is penetration testing?
Pentesting is an authorized, planned attempt to break into a company's system within an agreed scope. Essentially, pen testers play the role of attackers to determine how likely, or how easy, it would be for real attackers to wreak havoc.
Many pen tests begin as black box tests, in which the testers have little to no information about the system or its security configuration, simulating an outside attacker with no privileged access. Pen testers hunt for weaknesses in the system's configuration, looking for ways to retrieve sensitive data and escalate privilege. Once the test is complete, they report on every open door and soft spot, with evidence of how each was reached. After the organization works to close these gaps, the pen testers will usually re-test the systems to confirm that the fixes were effective.
Rikansrud shared what a typical pentesting engagement looks like here.
Why is pentesting important?
Think of pentesting like preparing for a big game. Having a scrimmage with your teammates is good practice, but you already know each other's strengths and weaknesses and you are likely to go easy on each other. Scrimmaging a team you have never faced before is more similar to what you will face in the game and can better inform where your team needs to improve.
The same goes for testing your IT environment. Testing by in-house IT teams is worthwhile, but bringing in an unbiased pen tester with no inside knowledge, who can step into the shoes of an attacker, adds a second, independent layer of checks. By combining manual techniques with automated tooling to gain access and probe system security, a pen test comes as close to an actual attack as a controlled exercise can. But passing a test once does not mean a system stays secure: each change in an IT environment can open new configuration holes for attackers to exploit. That is why pen tests should be conducted annually or semiannually, and ideally after any significant change.
What is vulnerability scanning?
Mainframe vulnerability scanning is the practice of analyzing application and/or operating system code to look for unknown or zero-day vulnerabilities. Mainframe OS code-based vulnerabilities are areas of flawed code that allow a program to bypass the system's security controls, for example to gain privileges or reach data it is not authorized for. Such vulnerabilities can be introduced any time a change is made to mainframe operating system code and/or third-party vendor software.
Scanning both application and operating system code helps organizations ensure that they are securing their environment at every level. The goal is to identify, rank and report vulnerabilities that, if exploited, could compromise the system. Deploying an automated solution, like z/Assure Vulnerability Analysis Program (VAP), helps teams quickly assess OS-level code any time changes occur in the mainframe environment.
Why implement vulnerability scanning?
Malicious attempts to access information are rising, with ransomware costs increasing 57-fold over the past six years. An essential part of protecting against breaches is scanning for vulnerabilities in both application and operating system (OS) code.
Each time a vendor ships an update, new code enters the system, and with it the possibility of new flaws that open the door to attackers. Companies that implement vulnerability scanning actively protect their own data, and their customers', by automatically scanning their system for integrity vulnerabilities with greater speed and at higher frequency than would be possible manually. By detecting flawed code, vulnerability scanning gives organizations the evidence they need to alert vendors and get fixes. In a perfect world, vendors themselves would run vulnerability scanning to catch vulnerabilities before they ever reach customer systems.
So, what is the superior approach?
One without the other doesn’t cut it.
Both pentesting and vulnerability scanning are essential to an organization's security strategy. Pentesting shows an organization which known, exploitable weaknesses, mostly in configuration, it has, while vulnerability scanning helps uncover the unknown code-level flaws that are haunting it.
With attacks on the rise and attackers leveling up their tactics every day, it has never been more important for organizations to know what they are up against. Pentesting has been around for a few decades and is well understood; vulnerability scanning of OS-level code is newer to most mainframe teams, so more needs to be said about how adding it to the mix strengthens an organization's defenses. Together, the two practices provide a complete picture of vulnerabilities, helping ensure the security of both the mainframe and the business as a whole.