Re: Mainframe's security assessments costs
Costin Enache wrote:

>What do you need the assessment for? If you need it for some certification / legal
>purpose, then there are cheap, not too technically advanced solutions out
>there. If you are actually looking into detecting and addressing security
>issues, then it gets complicated :)

Good first question! Ask that 'WHY' question and ask it again. ;-)

>... a penetration test, ...

From where? Costs can vary wildly depending on the type of Pen Test and the origin of those tests (within the mainframe or from outside) and the usage of whatever utilities.

>Once you have decided what type of assessment you are looking for, you should
>define the scope of the project: ...

Another good question: What is the scope? z/OS? Application? Mainframe network and/or other network connecting to the mainframe? OMVS setup? RACF or ESM? etc.

>There will be plenty of companies claiming to do mainframe security
>assessments, coming from the penetration testing field, with little if any
>mainframe experience, who would fire some tools, maybe crash some things, give
>you an absurd, pointless report.

Indeed. One PT in the past resulted in heavy network load. Next time, 'they' have to arrange for a date/time *before* they repeat their PT. 'They' tried once to repeat their PT without formal approval and later complained about why we blocked their system from accessing our mainframe. Tsk, tsk, tsk. Too bad, too sad.

>Maybe it will be cheap, but useless.

Those cheapies asked me *why*, oh *why* is there not an Anti-Virus package and Malicious Software detection installed on z/OS (excluding Linux and similar animals of course).

>Before selecting a provider, make sure you talk to them, interview the
>auditors and make sure they are familiar with mainframes, ...

You can also ask them, if they find a problem, what would *they* suggest to fix it. It will demonstrate their real skills.
Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Mainframe's security assessments costs
Costin Enache wrote:

>If you are actually looking into detecting and addressing security issues, then it gets complicated :)

The difference between cloaking the gluteus and actual forensics!

--
Jack J. Woehr        # Science is more than a body of knowledge. It's a way of
www.well.com/~jax    # thinking, a way of skeptically interrogating the universe
www.softwoehr.com    # with a fine understanding of human fallibility. - Carl Sagan
Re: Mainframe's security assessments costs
Hi,

Some topics that we had to address when performing mainframe security assessments:

What do you need the assessment for? If you need it for some certification / legal purpose, then there are cheap, not too technically advanced solutions out there. If you are actually looking into detecting and addressing security issues, then it gets complicated :)

The possible range of services on this topic is huge. You should decide what you want to have, what kind of security assessment you are looking for. For example, you have the "classic" mainframe security audits, more like security reviews, where some programs are used to list and catalog the authorizations, profiles, etc., interview personnel and determine the access needs, etc. You can alternatively look for a combination of the above and a penetration test, actively searching for and exploiting security issues found in your environment. Or you can have a PT targeting the mainframe environment, where you can choose the "white box" (i.e. fully disclosed, insider view) or the "black box" (i.e. simulation of a real opportunistic attack) perspective, each with its own pluses and minuses.

Once you have decided what type of assessment you are looking for, you should define the scope of the project: are you looking into an o/s-only assessment (i.e. basic z/OS or z/VM components, maybe RACF, USS, and some "standard" subsystems), or maybe an application-oriented audit, where you select one or more applications that might be mainframe-only or might include other components to audit, going from the o/s to the application layer (say you use the mf for banking, ATMs, credit card operations; you would select the subsystems and applications for the business-critical operations in this respect). You could limit the assessment to one or more instances/LPARs, subsystems, ... and include or not other components such as SE/HMC in the scope.

Most often, even a narrowed-down scope gets to be too large for a complete security assessment, and a "limited" version is performed, either by limiting the total man/days to a fixed amount calculated based on a budget, or by sampling, reviewing the results, then shifting the focus to the areas found to be suffering from security issues.

There will be plenty of companies claiming to do mainframe security assessments, coming from the penetration testing field, with little if any mainframe experience, who would fire some tools, maybe crash some things, and give you an absurd, pointless report. Maybe it will be cheap, but useless. Before selecting a provider, make sure you talk to them, interview the auditors and make sure they are familiar with mainframes, maybe examine their research environment to see if they have a proper, recent mf environment to do testing, and check for specific references in the mainframe field, not just generic penetration testing.

As for the costs, expect to pay in the range of 1500 - 2000 Euro for a man/day in the EU. We've never had a project to perform a complete security assessment of a mainframe environment; maybe others had this and can share approximate sizing. Usually we've seen application-oriented ones, o/s layer and basic subsystems, or sampling. The size of such projects goes roughly from 40 to 100 man/days, depending on the actual scoping. This is very imprecise, but I guess you wanted to see some numbers as well.

Regards,
Costin

--------
On Mon, 15/8/16, x ksi wrote:

Subject: Mainframe's security assessments costs
To: IBM-MAIN@LISTSERV.UA.EDU
Date: Monday, 15 August, 2016, 1:51
Re: Mainframe's security assessments costs
Steve,

I would agree that software with human checking is the way it _should_ be done, but I've had a client tell me they were handed nothing more than software output and a large bill. That is why I advised Filip not to assume anything and to ask questions.

Regards,
Bob

-Original Message-
Date: Mon, 15 Aug 2016 09:33:11 -0500
From: Steve Beaver
Subject: Re: Mainframe's security assessments costs

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert Hansel
Sent: Monday, August 15, 2016 9:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe's security assessments costs

-Original Message-
Date: Mon, 15 Aug 2016 09:51:48 +1000
From: x ksi
Subject: Mainframe's security assessments costs
Re: Mainframe's security assessments costs
Vanguard has their VCM that will handle a lot of the checking you are looking for, but no one handles it all without some human checking.

Steve

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert Hansel
Sent: Monday, August 15, 2016 9:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe's security assessments costs

-Original Message-
Date: Mon, 15 Aug 2016 09:51:48 +1000
From: x ksi
Subject: Mainframe's security assessments costs
Re: Mainframe's security assessments costs
Hi Filip,

I'm not sure asking others about pricing would be of much benefit because such pricing is likely to be based on their unique configuration and the type of assessment, and besides, they probably can't disclose such pricing because it is likely to be protected by a confidentiality agreement.

Some of the factors we consider in pricing an assessment are the number of RACF databases to be reviewed, the number of z/OS system images (a.k.a. LPARs) sharing each set of RACF databases, the number of profiles defined by class in each database, the number of CICS regions (SIT PARM analysis), whether Unix File System security permissions are to be examined, and whether the assessment can be performed remotely.

To compare offers, you need to look closely at the nature and depth of the review. Some will simply run a software tool and issue findings that in some cases are based on arbitrary thresholds (e.g., 'n' number of IDs with NOINTERVAL or OPERATIONS). Others will bore into the details and attempt to identify IDs that perhaps shouldn't have NOINTERVAL, or look for SURROGAT profiles that allow unprivileged users inappropriate use of OPERATIONS IDs.

Don't assume anything. Ask questions.

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Mon, 15 Aug 2016 09:51:48 +1000
From: x ksi
Subject: Mainframe's security assessments costs
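The distinction Hansel draws above, between counting IDs against a threshold and tracing the actual exposure, as an added example that is not part of the thread and not code from RSH, Vanguard or any other vendor. It parses constructed text in the shape of LISTUSER and RLIST SURROGAT * AUTHUSER output (the sample data, the BATCHJOB.<id> profile naming convention and the PRIVILEGED set are assumptions for illustration) and reports two things a threshold count misses: NOINTERVAL IDs that are not PROTECTED and so carry a never-expiring password, and SURROGAT profiles through which a non-privileged user or group can submit batch work under an OPERATIONS ID.

```python
"""Go past 'n IDs have NOINTERVAL / OPERATIONS' in a RACF review.

Added example, not from the thread or any vendor tool: parse text shaped like
LISTUSER and RLIST SURROGAT * AUTHUSER output and flag NOINTERVAL IDs that are
not PROTECTED, and SURROGAT BATCHJOB.<id> profiles that let a non-privileged
grantee submit work as an OPERATIONS ID. Samples and PRIVILEGED are constructed.
"""
import re

PRIVILEGED = {"SYSADM", "SYSPROG"}  # assumption: may legitimately use OPERATIONS IDs

LISTUSER_SAMPLE = """\
USER=SYSADM  NAME=SECURITY ADMIN  OWNER=SYSADM  CREATED=09.050
 DEFAULT-GROUP=SYS1     PASSDATE=16.200 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL
    CONNECT ATTRIBUTES=NONE
USER=PRODOPR  NAME=PROD BATCH ID  OWNER=SYSADM  CREATED=10.100
 DEFAULT-GROUP=PRODGRP  PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=OPERATIONS PROTECTED
USER=DEVJOE  NAME=JOE DEVELOPER  OWNER=DEVMGR  CREATED=14.020
 DEFAULT-GROUP=DEVGRP   PASSDATE=16.210 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
USER=OLDBATCH  NAME=LEGACY JOB ID  OWNER=SYSADM  CREATED=02.300
 DEFAULT-GROUP=PRODGRP  PASSDATE=02.300 PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=NONE
"""

RLIST_SAMPLE = """\
CLASS      NAME
-----      ----
SURROGAT   BATCHJOB.PRODOPR

LEVEL  OWNER      UNIVERSAL ACCESS   YOUR ACCESS  WARNING
-----  --------   ----------------   -----------  -------
 00    SYSADM          NONE               ALTER    NO

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
SYSADM    ALTER    000000
DEVGRP    READ     000000

CLASS      NAME
-----      ----
SURROGAT   BATCHJOB.DEVJOE

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
DEVGRP    READ     000000
"""


def parse_listuser(text):
    """Map userid -> {'attributes': set, 'pass_interval': str}."""
    users, cur = {}, None
    for line in text.splitlines():
        if line.startswith("USER="):
            cur = line.split()[0][5:]
            users[cur] = {"attributes": set(), "pass_interval": None}
        elif cur:
            m = re.search(r"PASS-INTERVAL=\s*(\S+)", line)
            if m:
                users[cur]["pass_interval"] = m.group(1)
            m = re.match(r"\s*ATTRIBUTES=(.*)", line)  # skips CONNECT ATTRIBUTES
            if m:
                users[cur]["attributes"] = set(m.group(1).split()) - {"NONE"}
    return users


def parse_rlist_surrogat(text):
    """Map profile -> {'uacc': str, 'acl': [(grantee, access), ...]}."""
    profiles, cur, section = {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("SURROGAT "):
            cur, section = s.split()[1], None
            profiles[cur] = {"uacc": "NONE", "acl": []}
        elif not s or s.startswith("-") or cur is None:
            section = None if not s else section  # blank line closes a section
        elif s.startswith("LEVEL ") or s.startswith("USER "):
            section = "level" if s.startswith("LEVEL ") else "acl"
        elif section == "level":
            profiles[cur]["uacc"] = s.split()[2]  # 00  OWNER  UACC  YOUR-ACCESS  WARNING
        elif section == "acl":
            profiles[cur]["acl"].append(tuple(s.split()[:2]))
    return profiles


def nointerval_unprotected(users):
    """NOINTERVAL IDs (PASS-INTERVAL=N/A) that still carry a password."""
    return sorted(u for u, d in users.items()
                  if d["pass_interval"] == "N/A" and "PROTECTED" not in d["attributes"])


def surrogate_exposures(users, profiles, privileged=PRIVILEGED):
    """(profile, grantee, access) where someone outside `privileged` can
    submit batch work under an OPERATIONS ID via a SURROGAT profile."""
    findings = []
    for prof, info in profiles.items():
        target = prof.split(".", 1)[1] if prof.startswith("BATCHJOB.") else None
        if "OPERATIONS" not in users.get(target, {}).get("attributes", ()):
            continue
        if info["uacc"] != "NONE":  # UACC of READ or above: anyone can submit as the ID
            findings.append((prof, "*UACC*", info["uacc"]))
        for who, access in info["acl"]:
            if access != "NONE" and who != target and who not in privileged:
                findings.append((prof, who, access))
    return findings
```

Against the sample, the threshold view says "two IDs have NOINTERVAL, one has OPERATIONS"; the detailed view says OLDBATCH has a password that never expires, PRODOPR's NOINTERVAL is moot because it is PROTECTED, and DEVGRP can run jobs as the OPERATIONS ID PRODOPR through BATCHJOB.PRODOPR. On a real system you would feed it the full LISTUSER and RLIST output (or build the same maps from an IRRDBU00 unload) and maintain the privileged set from your own access policy rather than a constant.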
Re: Mainframe's security assessments costs
I suspect it varies greatly depending upon the services provided, and undoubtedly from vendor to vendor. Why don't you ask? If you are considering security assessments from three vendors, it would be reasonable to ask
- what services and deliverables were proposed?
- what the cost would be for those services?
- was that cost figure an estimate against a number of hours, or a fixed bid?

I suspect most such contracts contain a confidentiality clause, I doubt that most of the sysprogs on this list were involved in financial negotiations, and I doubt most mainframe shops would be willing to name a figure here. In any event a number would be worthless without knowing what services were provided, and the quality of those services.

Disclaimer: Neither I nor my employer are in the business of security assessments, but we have various business relationships with firms that do.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of x ksi
Sent: Sunday, August 14, 2016 7:52 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Mainframe's security assessments costs
Mainframe's security assessments costs
Hey group.

I was wondering if some of you could share some information about the costs various companies charged you for performing a security assessment of your mainframes? At this point literally any information will be valuable (e.g. hourly rate, particular engagement cost, order of magnitude for this type of engagement, etc.).

From what I can tell there are companies providing such services, but their prices seem to be one big mystery. Having even a rough estimate would make it easier to choose between various providers.

Thank you in advance.

Kind regards,
Filip