Young, the Mainframe Hacker: Tools and Rules

By Reg Harbeck with Phil Young

This is part nine of a 10-part series on security for the mainframe. During SHARE San Jose 2017, Reg Harbeck, chief strategist with Mainframe Analytics Ltd. and member of the SHARE Editorial Advisory Committee, sat down with Phil Young, co-founder of zedsec 390, to explore critical security topics and offer tips and tactics to help create a more secure mainframe environment.

I get it, a few mainframes that were overexposed got hacked. Get the word out, get mainframe shops to start behaving. Isn’t that good enough? Will the “wild west” of distributed computing and the tools that go with and against it become the norm on the mainframe?

Here is how Phil describes it:

So, to me, in a perfect world—and this is actually probably 10 years out—everything that happens on open systems is going to happen on the mainframe.

Today in a modern enterprise you have IDS [Intrusion Detection Systems]. You have authenticated vulnerability scanners, so products like Qualys and Nessus; they should support this platform [z/OS]. They don’t today. They provide unsupported features with unauthenticated scanning. For example, right now, if you do a vulnerability scan with Qualys, it’s just scanning for open ports, looking for things like that, and provides reports which boil down to: “Oh, your SSL certs are expired.” It doesn’t really provide any helpful scanning such as telling you you’re running a vulnerable version of WebSphere [IBM’s HTTP Server]. Conversely, on Windows, you give it [Qualys] a username and a password, and it has the ability to log onto every Windows server and collect all the internal information, such as configuration files, and find vulnerabilities and commonly insecure configurations. For example, it would tell you that IIS [Windows HTTP Server] is not configured securely in a report, on top of telling you you’re running a vulnerable version and that an update is available. Unfortunately, today neither of the big [vulnerability] scanners supports the [mainframe] platform.

10 years from now, I want to see the mainframe have everything that every other critical enterprise platform has. All the tools that are standard in the entire toolset that a penetration tester would use should be able to provide support. Nessus, Burp, NMAP, Metasploit are all tools used by penetration testers to mimic bad actors. If these tools had better support for the mainframe, penetration testers would be able to identify vulnerabilities before the bad actors do. All these tools that are in their toolset should have equivalency or support for the mainframe. So then you can have quarterly mainframe and mainframe-based application penetration tests. There are thousands of CICS applications that have never been tested for security because the skillset and the tools just don’t exist.

CICS is an area of interest to me recently. Once I realized it’s not that different from a web app, I started to think about the current lack of research or discussions. When you break it down, it’s just screens with data behind it. How can I manipulate the business logic to gain access to areas of the application I shouldn’t? The end game, to me, is that mainframe applications are being treated no differently than open systems. For example, you have an instance of this CICS application that’s going to be pushed into production. The application pen test team is now part of the deployment roadmap and they test the application before it ends up in production. And when they find vulnerabilities the vendor is able to fix them, making the application more secure for everyone.
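Phil’s point above is that an unauthenticated scan of a mainframe today boils down to open ports and certificate metadata, such as an expired TLS certificate. The following is an added example, not code from the interview or from any product named in it, of what that one unauthenticated check looks like when you write it yourself: it reads the `notAfter` field of a certificate in the shape returned by Python’s `ssl.SSLSocket.getpeercert()` and classifies it. The `SAMPLE_CERT` dict, the 30-day warning threshold and the host name are constructed for illustration.

```python
"""Unauthenticated TLS certificate-expiry check (added example).

This is the kind of finding the interview says an unauthenticated scan
produces: no credentials, no configuration review, only what the
listener presents during the TLS handshake.
"""
import socket
import ssl
import time
from typing import Optional

# Constructed sample in the shape of ssl.SSLSocket.getpeercert();
# only the fields this example uses are present.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.internal"),),),
    "notAfter": "Jan 01 00:00:00 2020 GMT",
}


def days_until_expiry(cert: dict, now_ts: Optional[float] = None) -> int:
    """Signed number of whole days until the certificate's notAfter.

    Negative means the certificate has already expired. now_ts is a Unix
    timestamp (UTC); it defaults to the current time and is a parameter
    so the check is reproducible in tests.
    """
    not_after_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts is None:
        now_ts = time.time()
    return int((not_after_ts - now_ts) // 86400)


def classify(cert: dict, now_ts: Optional[float] = None, warn_days: int = 30) -> str:
    """Map days-to-expiry onto the finding categories a scanner would report.

    warn_days (30 here) is an assumed, constructed threshold.
    """
    days = days_until_expiry(cert, now_ts)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring-soon"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Retrieve the peer certificate from a live listener (not run in tests).

    Uses the default context, so the chain must validate; the expiry
    classification above is then applied to the returned dict.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, evaluated "as of"
    # 31 Jan 2020 00:00 UTC (Unix timestamp 1580428800).
    print(days_until_expiry(SAMPLE_CERT, 1580428800.0), classify(SAMPLE_CERT, 1580428800.0))
```

The check reports only what the listener volunteers during the handshake, which is exactly why Phil calls this kind of scanning unhelpful on its own: it says nothing about the versions or configuration behind the port, which is what an authenticated scan collects.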

Based on what Phil describes, we need to get the right tools and get into better habits. But the question remains: Who are the people in mainframe organizations who actually need to be doing something about this? Until next time…

Read part 8 - Young, the Mainframe Hacker: Breach Combers.
Read part 7 - Young, the Mainframe Hacker: Ob-Sec-urity.
Read part 6 - Young, the Mainframe Hacker: Public Disclosures.
Read part 5 - Young, the Mainframe Hacker: A Patchy SLA?.
Read part 4 - Young, the Mainframe Hacker: Pro Script Shun?.
Read part 3 - Young, the Mainframe Hacker: Inoculating the Herd.
Read part 2 - Young, the Mainframe Hacker: Young Mainframe Devolution.
Read part 1 - Young, the Mainframe Hacker: The Saga Begins.
