Mainframes are not invulnerable, despite a more than half-century record of unparalleled security. Penetration testing (“Pentesting”) is one tool that can ensure critical mainframe systems are secure. “Pentesting’s main objective is to identify security weaknesses, which can then be remediated, thus improving the firm's security posture,” says Mark Wilson, technical director at RSM Partners Ltd. “Penetration testing can also be used to test an organization's security policy, its adherence to compliance requirements, its employees' security awareness, and the organization's ability to identify and respond to security incidents.”
At SHARE Pittsburgh (August 2019), Wilson’s Mainframe Pentesting 101 and 102 combined session touched upon what a mainframe pentest looks like, what skills and techniques are required to execute it, and what should be considered when conducting a mainframe pentest. He also explained the differences between vulnerability scanning and security audits/assessments, as well as how to analyze some of the data gathered when “footprinting” a mainframe system.
Wilson says, “From a mainframe perspective, penetration testing tends to start from the position of an employee going rogue or a bad actor compromising the credentials of an employee.” However, he says actual attacks also include attempts to elevate privileges to gain control of the mainframe, access and extract sensitive data from the organization, and destroy the organization’s data assets. Both sides of the equation should be considered when conducting a pentest.
Wilson continues sharing his pentesting knowledge at SHARE Fort Worth (Feb. 23-28, 2020). Pentesting 103 will demonstrate some of the technical tricks Wilson and his team have created over the last two decades. As a technical session, there will be plenty of assembly, Python, and Rexx code displayed and discussed. He adds that attendees will learn “how to elevate your privileges so that your address space becomes supervisor state/key 0 and how to cover your tracks and make it look like someone else did it.”
Become a Security Warrior
At SHARE Pittsburgh, Wilson’s session attendees had the opportunity to answer questions to earn SHARE’s Security Warrior digital badge. The badge, also available at SHARE Fort Worth, demonstrates that attendees went to a minimum of 15 sessions out of the more than 30 available in the security track. Attendees have to register their attendance via SHARE’s online tracking program and must correctly answer a series of questions to confirm their eligibility to obtain the Security Warrior badge.
For those looking to secure the Security Warrior digital badge at SHARE Fort Worth, Wilson says attendees should look for “the final piece in the jigsaw, and some real world examples of code/tools that they could use if required.” Continue your z/OS penetration testing education journey with Wilson’s latest session, Pentesting 103, at SHARE Fort Worth, and you’ll be one step closer to your own Security Warrior digital badge.