We never take safety for granted: much less at the highest level

Mainframe Penetration Test & Vulnerability Assessment

What is it about?
A key component of complex information systems, mainframes are paradoxically often considered “free” from security problems and rarely subjected to specific tests, due to their recognised operational capabilities and above all their reliability.

CryptoNet Labs offers a Mainframe Security Assessment service that reviews security management area by area (RACF structure, DB2 collections, batch job submission…), starting from IBM guidelines and based on our vast experience in this field.

Through interviews, the compilation of evaluation grids, and extractions via TSO, REXX CLIST and IEFUJV procedures, adherence to best practices such as least privilege, weak link, separation and more is examined. The collection of information concerns:

  • CICS (e.g. SIT, launches, etc.)
  • RACF (e.g. flatfile), Top Secret, ACF
  • DB2
  • other elements, such as JES, TSO, MQSeries, OPC, etc.
  • other installed products, such as QMF for Windows, CANDLE, Session Manager or TPX
  • the submission by the user of BATCH or CLIST TSO jobs
  • how to access the CICS, IMS, DB2, TSO, FTP, Open Edition and WAS subsystems
  • methods of access to the z/OS system by web applications

Controls cover the following areas: authentication, user profiles and permissions, communications, data storage and encryption, backup and recovery, separation of development and testing environments, error management, upgrade modes, etc.

Who can benefit from it
Companies and organisations, not only in the financial sector, with IT systems based on mainframe architecture, so that they do not expose themselves to risks and non-conformities and can plan appropriate corrective actions.