Key Resources - z/Assure Sales Presentation


Transcript of Key Resources - z/Assure Sales Presentation

1. z/Assure Vulnerability Analysis Enterprise Solution
By Robert Fragola, www.kr-inc.com
Key Resources, Inc. 2012

2. Compliance Requirements
• SOX requires publicly traded companies to put controls into place to protect reporting and financial information.
• PCI Requirement 11.3 Guidance: vulnerability scans and penetration tests will expose any remaining vulnerabilities that could later be found and exploited by an attacker.
• NIST 800-53: the organization includes, as part of a security-control assessment, malicious user testing and penetration testing.

3. What is an Integrity-Based Software Vulnerability?
• A weakness in z/OS systems that allows the exploitation of products from Independent Software Vendors (ISVs) and/or in-house developed authorized interfaces (SVCs and PCs), as well as APF-authorized applications.
• Vulnerabilities can compromise all data on your system as well as the system itself: disrupt system availability; view and modify sensitive information.
• It can allow an internal attacker to circumvent RACF, ACF2 or Top Secret installation controls: cause compliance violations; severely damage the firm's reputation.

4. Exploiting Integrity-Based Software Vulnerabilities
• An exploit is a way of taking advantage of a software vulnerability.
• Bypassing the installation security controls.
• Gaining unauthorized access to data without proper permission and without any logging (SMF).

5. Big Three Security Systems
• RACF, developed by IBM and introduced in 1976.
• ACF2, authored by Barry Schrager, Mainframe Hall of Fame member and founder of SKK, introduced in 1978 (now owned by CA).
• Top Secret, developed by CGA Allen and introduced in 1981 (now owned by CA).
• ACF2, Top Secret and RACF depend on system integrity, because any program that can leverage a system integrity vulnerability can get access to any data it wants.
• There can be no system security without operating system integrity.

6. According to Gartner
"The IBM z/OS mainframe continues to be an important platform for many enterprises, hosting about 90% of their mission-critical applications. Enterprises may not take the same steps to address configuration errors and poor identity and entitlements administration on the mainframe as they do on other OSs. Thus, the incidence of high-risk vulnerabilities is astonishingly high, and enterprises often lack formal programs to identify and remediate these." (Gartner Research Note G00172909)

7. Vulnerabilities May Have Been Added
• During routine maintenance activities, or the installation of new ISV products or locally developed authorized code.
• By well-meaning systems programmers who wanted a programming function, who did not think of the implications, and who have long since left or retired.

8. z/Assure: a New IBM z/OS Vulnerability Analysis Solution
• Created by preeminent security developers.
• z/Assure is independent of ACF2, RACF and Top Secret.
• Performs penetration tests on z/OS systems, as well as ISV, 3rd-party and in-house developed applications.
• Ensures compliance standards and protects your most important resource: your data.
• Absolutely no other product like this on the market.

9. Eliminating Integrity-Based Software Vulnerabilities
• Must be identified using the VAT Enterprise Solution.
• Remediated by the code owner.
• Over time, new vulnerabilities could be introduced.
• On-going identification and remediation is required using the z/Assure Solution.

10. Vulnerability Exploit Demonstration
• z/OS 1.11.
• No extraordinary security authority is required.
• Security system is RACF (it does not matter; the exploit would work with ACF2 or Top Secret with minor changes).

11. Access a Dataset

12. Denied by RACF: 913 ABEND!!

13. Run an Exploit

14. Now in RACF PRIVILEGED!!

15. Access the Dataset Again

16. Now Have Access!!

17. The Exploiter Has Complete Control
• The exploiter may be a knowledgeable insider (high level of technical expertise).
• They could be insiders with low levels of technical expertise who obtained the exploit from knowledgeable outsiders.

18. But, you say:
• These attacks would not be from insiders.
• Insiders are a trusted bunch of people.
• Well...

19. 2008 Strategic Counsel Survey, commissioned by CA Technologies
• Internal breaches are rising: 2003, 15% of breaches; 2006, 42% of breaches; 2008, 44% of breaches.
• The biggest security threats are from the inside! And they are increasing!

20. 2010 CSO Magazine Survey
• 2010 CyberSecurity Watch Survey: the most costly or damaging attacks are caused by insiders.
• Almost three quarters (72%), on average, of insider incidents are handled internally without legal action or the involvement of law enforcement.

21. Is My Firm At Risk?
• Yes, because you have IBM, ISV and in-house developed systems that contain vulnerabilities.

22. How Well Does z/Assure Work?
• At a recent assessment we found 15 vulnerabilities in IBM and ISV code.
• On average, over 50% of the reported vulnerabilities are zero-day vulnerabilities.
• A single vulnerability will compromise all data as well as the system itself.
• Vulnerabilities were found in software from premiere software vendors such as IBM, CA, BMC, EMC and Compuware.
• Vulnerabilities are also normally found in in-house developed applications, authorized interfaces and system exits.

23. How Can You Take Advantage of the z/Assure Enterprise Solution?
Option 1, Assessment:
• Initial on-site assessment using the z/Assure Solution.
• Manually review installation-added authorized code such as SVCs, PCs and exits.
• Produces an initial list of integrity-based vulnerabilities.
• Provides z/Assure training for your staff.

24. How Can You Take Advantage of the z/Assure Solution?
Option 2, Enterprise Deployment:
• Customer licenses the z/Assure enterprise class license.
• Annual license fee charged by the number of LPARs protected by the z/Assure Solution.
• Typically installed in hardening systems.

25. Questions and Next Steps: z/Assure Enterprise Solution
www.kr-inc.com, 914 393-7000