1 Page 0 Copyright Net`Q GmbH, 2000-2012. Peter Hager, CEO; Earl Rasmussen, President. Vanguard Security and Compliance Conference, June 25, 2012. Net`Q brings Security into the Net. Securing Cyber Space: Safeguarding Access to Critical Resources.

2 Agenda: Changing Environment; Mainframes, the Internet, the Cloud; Increased Security Threats; Security Cases; Impact; Solutions; Summary.

3 Role of Mainframes: Over 70% of World's Critical Information. Major Industry/Government reliance: Finance, Energy, Retail, Telecommunications, Transportation, Government. Cloud Computing Environment.

4 Role of Mainframes: 70 percent of all corporate data and 75 percent of all business logic still reside on mainframes. Executing nearly 30 billion transactions a day, valued at over $1 trillion a week. Running $30 trillion of applications. 73 percent of organizations confirm that the mainframe is part of their cloud computing strategy. Over 60% of worldwide WAN traffic is SNA-based.

5 Millions invested in protecting mainframes. Yet ... estimates are that 90% of mainframes worldwide are insecure. And ... nearly 95% are interconnected.

6 Increased Security Threats: “New technologies that enhanced the availability of SNA with more dynamic network recovery and the use of the faster IP infrastructure has “opened” the SNA networking environment.” “Organized crime and unorthodox governments have the resources to hire career IT criminals that have the sophistication to attack a SNA network in order to find a big prize.” Source: “Securing an SNA Environment for the 21st century”, White Paper, IBM, 2008

7 2011 Breaches Continue to Grow: Incidents skyrocketed to over 174 million records. 94% of data breaches on servers. 58% of breaches involved activist groups. 98% of breaches from external agents. 81% of breaches involved hacking. 69% of breached records involved malware. 92% of breaches were discovered by third parties. Source: Verizon 2012 Data Breach Investigation Report

8 Small-Medium Business Targeted: Over 55% of SMBs experienced fraud attacks. 50% experienced multiple incidents. 80% of attacks were undetected by the bank. 87% failed to recover from lost funds. 40% of those compromised changed banks. Only 30% of SMBs feel banks are adequately safeguarding their accounts. Source: Guardian Analytics and Ponemon Institute

9 Cyber Crime Targets: Banking and Finance, Hospitality, Retail, Manufacturing, Government, Telecommunications, Health Care, Energy.

10 The Risk – Are You Safe? Adverse Economic Impacts; Loss of Sensitive Data; Compromised Intellectual Property; Privacy Invasion and Personal Data Theft; Legal Implications; Reduced Trust and Confidence. There are two types of companies: those that have been hacked and those that have been hacked but do not know it!! TJX, Monster.com, DuPont, Sony, E-Trade, Bank of America, Heartland Payment Systems, Bank of Scotland, Google, LinkedIn, RSA Security, Hannaford Bros., Epsilon, HBGary, WordPress, Health Net, Global Payments.

11 New “Flame” Cyber Weapon: Kaspersky Labs have uncovered a massive cyber threat. Creators of the virus used a network of some 80 servers across Asia, Europe and North America to remotely control infected machines.

12 Codename Worm.Win32.Flame

13 Did you ever hear about new codename Worm.Z.Frame?

14 Documented Hacking Cases: We have documented cases of security violations which have occurred in the mainframe environment. They have caused unauthorized viewing of data, free access to databases, unauthorized access to applications, and prolonged outages.

15 Security Cases: Security Case 19 – Hijacking; Security Case 20 – Malicious Software; Security Case 21 – Rogue Intermediate Network; SNA Switches; Hacker-to-Go.

16 Security Environment: Large Institutions; Multiple External Connections; IPSec (to external connections); IP Firewall; SSL Encryption; RACF; Single Sign-On; Secure ID Cards.

17 Migrating SNA/APPN/APPC to IP. TN3270 (Telnet 3270): 3270 data streams encapsulated in TCP packets; the TN server converts between TCP packets and SNA packets. EE (Enterprise Extender): SNA (HPR) frame encapsulated in UDP packets. DLSw (Data Link Switching): SNA frame encapsulated in TCP packets. Applications see SNA/APPN/APPC. Networks see IPSec. Circuit is still SNA/APPN/APPC. [Diagram labels: TN Server, APPL, TN3270, EE, DLSw, IP@, VIP@, IP-HDR, Encrypted Data, SNA-Circuit.]

18 IP Encrypting SNA Data. Positive: SNA packets are encrypted when transported between IP addresses. Negative: SNA packets are encrypted when transported between IP addresses; SNA packets appear unencrypted at SNA/APPN/APPC nodes; content of SNA packets appears unencrypted to applications; IP-based firewalls have no control over SNA activities. Circuit is still SNA/APPN/APPC. [Diagram labels: Circuit, EE, DLSw, TN3270, APPL.]

19 Migrating SNA Summary: SNA hardware devices disappeared (NCP, 3745, 3174, 3600 and many more ...). Peripheral terminals became applications. Most of the legacy applications still exist and are running (IMS, CICS, TSO, RACF, JES, NetView). VTAM API interfaces have not changed.

22 Hijack TN3270 SSL-Encrypted Connection. Switch at the right moment: one of many good moments to switch is shortly before the target application times out. Idle time is easy for a third-party application to monitor and calculate.
1. Send timeout message to innocent user before target application times out
2. Switch to rogue user
3. In case innocent user logs on again, switch back to innocent user
4. Activity of rogue user will avoid timeout at target application
[Diagram labels: Rogue 3rd Party Application, APPL Target Application, Telnet Server, Switch, Rogue, Innocent.]

23 Malicious Software
1. A customer who experienced hijacking found suspicious files on several mainframes. These suspicious files independently started sessions to other applications.
2. After in-depth analysis the customer discovered that the suspicious files were ‘replications’ of the same type.
3. In a test project they tested how successfully ‘harmless replicated files’ could be distributed. The result after one weekend was 500 replicates at 20 different networks.
[Diagram labels: Rogue 3rd Party Application, Copy of Rogue 3rd Party Application, APPL Target Application, Telnet Server, Switch, Innocent.]

24 Rogue Intermediate Network - 1st step to get more …
1. Initself TNLU001 - LUCICS
2. Send Search / Locate to CPI
3. CPI finds LUCICS inside NETI
4. Logon Exit driven in Rogue LUCICS. Logon exit of Rogue application sends both partner names to another rogue location. There are several ways to do this: FTP, Email info or IN$FILE.
5. Rogue LUCICS issues CLSDST, OPTCD=PASS to NETD.LUCICS
6. Logon to real LUCICS completes successfully
[Diagram labels: TN Server, SNA, Innocent User, CPE, CPI, CPIx, CPX; Entry Network: NETE; Intermediate Network: NETI; Destination Network: NETD; Rogue and Real LUCICS; flows 1 to 6.]

25 2nd step done through another Rogue Party
R. Remote location starts up two applications and
a) Starts session NETR.LUCICS - NETE.TNLU001
b) Starts session NETE.TNLU001 – NETD.LUCICS
5. As soon as the remote location was able to contact NETI, Rogue LUCICS issues CLSDST, OPTCD=PASS to NETR.LUCICS
[Diagram labels: TN Server, SNA, Innocent User, CPE, CPI, CPIx, CPX; Entry Network: NETE; Intermediate Network: NETI; Destination Network: NETD; Rogue Network: NETR; Spoofed Network: NETE; Rogue, Real, Ra, Rb; flows 1 to 7.]

26 Rogue Intermediate Network, what another Rogue Party can do: The switch in the spoofed NETE.TNLU001 can hijack as reported in Violation Case 19-3. RACF in real z/OS does not recognize that it is being spoofed. IP-based firewall does not recognize this attack. APPN-EE Firewall protects, as it is able to check authentication of CP-CP connections and discovers insufficient security definitions. [Diagram labels: Telnet Server TNLUXXX, Telnet Server, Switch, Rogue, Innocent, Rogue NETR, Spoofed NETE, Real NETE.]

27 Rogue Intermediate Network, what another Rogue Party can do: Rogue Scripts. Rogue scripts and programs inside NETR.LUCICS can be hacked selectively: all sessions sending search/locates through Intermediate Network NETI, regardless of which Entry Network they come through to the real LUCICS (e.g. NETE1, NETE99 …). Possible attacks: a) hijack authenticated sessions, b) copy data, c) modify data, d) spy for events, e) denial of service. [Diagram labels: Rogue NETR, Spoofed NETE, Real, Innocent, Real Entry Network, Rogue APPL; ATM, Terminal, Printer; 3270, TelNet3270, TPX, NVAS …; APPC, MQ-Series, CICS, IMS, DB2.]

28 Parallel Sysplex Concept. [Diagram labels: Entry Node (EN), Network Node (NN).]

29 SNA Switching: Extends Parallel Sysplex to the Desktop. Un-Authenticated CP-CP Sessions. Enables Encrypted Open Access to Core Mainframe. [Diagram labels: EN, NN, Local Router, AS-400, z/OS, DLSw.]

30 Hacker-to-Go … Plug to any Laptop or PC. *** Legally Free Software *** Develop & Test VTAM Applications: TSO - H-Assembler - LinkEdit - VTAM plus Web and FT access. *** Downloadable z/OS Software from Internet available *** z/OS 1.10 including APPN Crossnet and RACF and REXX IP, much more … Both versions need just 8 GB USB stick.

31 Logon User Data: Up to 255 bytes. Created by application code or entered by terminal users. Transmitted within the logon flows. Provided by Communication Servers to applications in clear text. Can contain any text string, including USERID, PWD, PIN codes, social security IDs or other sensitive data. Often no security policy existed when legacy applications were originally designed. Pertains to all types of SNA sessions.

32 User Data carried on logon flows. Logon User Data: Included inside the logon flows search/locates and provided to applications. Distributed intra and cross LPAR, cross DLSw (SNASw), cross MS HIS. Searches can distribute user data to external networks / applications. ADJCP and ADJSSCP tables of Comm Server define search order. Original Comm Server has no control over how adjacent servers search. Start parameter SNVC of original Comm Server defines search depth. [Diagram labels: Comm Server (three instances), EE CP-CP Circuit, CDRM-CDRM Circuit, APPL1, APPL2, APPL3.]

33 User Data transported inside BIND. Bind User Data: Up to 65 bytes. Created by application code. Carried within the SNA BIND command and delivered to partner applications. Provided by Communication Servers to applications in clear text. User Data is carried crossnet if search/locate found the partner there. [Diagram labels: LU-LU Circuit, APPL.]

34 User Data transported inside BIND to TN3270E. Bind User Data: TN3270 server provides User Data to TN3270 client (RFC 1647). User Data is provided in clear text to TN3270 client. IP-based firewall has no control over user data, because telnet server encrypts IP data packets. [Diagram labels: LU-LU Circuit, APPL, Telnet Server; Check: IP@, Telnet, SSL.]

35 Observation 1, providing UID & PWD. A large financial organization. We have found applications transmitting USERID and PASSWORD as User Data, many of which belonged to privileged users / administrators. In a conference call, the network team assured us that this was just inside their own network. Closer analysis of recordings revealed that USERIDs and PASSWORDs were distributed to other networks. In some cases USERIDs and PASSWORDs were received from a third party CP which did not have a direct CP-CP connection.

36 Observation 2, Injection. Another large financial organization. Hackers were sending in User Data inside Logon requests in the form of an inquiry such as: INQ userid opt=PWD|PIN|SSID. An exit of the destination APPL reacted by sending the PWD|PIN|SSID back, included in the BIND command. Closer analysis of recordings showed USERIDs and PASSWORDs were distributed to other networks. In some cases USERIDs and PASSWORDs were received from third party Gateways which did not have a direct CP-CP connection.

37 User Data – Security Considerations: Be aware of the transmission of sensitive information. Ensure security policy compliance. Coordinate between System, Security, Risk, and Business. Review policies for USERDATA and applications using USERDATA. Collect, record, and analyze USERDATA. Monitor and manage use of USERDATA. Re-evaluate security risks and implications periodically. Single Sign-on and Secure ID Cards may solve the USERID/PASSWORD problem.
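One way to carry out the "collect, record, and analyze USERDATA" step, as an added example that is not from the presentation or from Net`Q: it scans recorded logon and BIND user data for clear-text credentials, for the inquiry form from Observation 2, and for records that cross a network boundary. The comma-separated record layout (flow type, origin NETID.LU, destination NETID.LU, user data as text) and all sample values are assumptions constructed for illustration.

```python
import re

# Size limits stated on the slides: logon user data up to 255 bytes,
# BIND user data up to 65 bytes.
LIMITS = {"LOGON": 255, "BIND": 65}

# keyword=value pairs that suggest credentials or identifiers in clear text.
SENSITIVE = re.compile(
    r"\b(USERID|UID|PWD|PASSWORD|PIN|SSID|SSN)\s*[=:]\s*(\S+)", re.IGNORECASE)
# Inquiry form reported in Observation 2: INQ userid opt=PWD|PIN|SSID
INQUIRY = re.compile(r"\bINQ\s+\S+\s+opt=(PWD|PIN|SSID)\b", re.IGNORECASE)

# Constructed sample records (assumed layout: flow,origin,destination,userdata).
SAMPLE = """\
LOGON,NETE.TNLU001,NETE.LUCICS,APPLID=CICSP1
LOGON,NETE.TNLU002,NETD.LUCICS,USERID=ADMIN1 PWD=Secr3t
LOGON,NETR.LU0099,NETD.LUCICS,INQ ADMIN1 opt=PWD
BIND,NETD.LUCICS,NETR.LU0099,PWD=Secr3t
LOGON,NETE.TNLU003,NETE.LUTSO,PIN: 4711
"""


def netid(name):
    """Return the network identifier of a network-qualified name (NETID.LU)."""
    return name.split(".", 1)[0].upper()


def redact(userdata):
    """Mask values after sensitive keywords so the report stores no secrets."""
    return SENSITIVE.sub(lambda m: f"{m.group(1)}=****", userdata)


def analyze(records):
    """Return (line_no, flow, origin, dest, tags, redacted_userdata) per flagged record."""
    findings = []
    for line_no, raw in enumerate(records.splitlines(), start=1):
        parts = raw.split(",", 3)  # user data may itself contain commas
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        flow, origin, dest, userdata = parts
        tags = []
        if SENSITIVE.search(userdata):
            tags.append("SENSITIVE")
        if INQUIRY.search(userdata):
            tags.append("INQUIRY")
        # One character per byte is assumed for the length check.
        if len(userdata) > LIMITS.get(flow.upper(), 255):
            tags.append("OVERSIZE")
        # Sensitive user data that leaves its own network is the case both
        # observations describe, so it gets its own tag for triage.
        if {"SENSITIVE", "INQUIRY"} & set(tags) and netid(origin) != netid(dest):
            tags.append("CROSSNET")
        if tags:
            findings.append((line_no, flow, origin, dest, tags, redact(userdata)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The report keeps only redacted user data, so the analysis output does not become a second place where passwords are stored.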

38 What can hackers do? Identification Theft; Data Theft and Modification; Fraudulent Transactions; Monitor Real-Time Data Flow; Malicious Software / Malware Intrusion. Activities recorded as authorized user/application.

39 Neutralizes Security Investments: IP Firewalls; Encryption; Secure ID cards; Single Sign-on with changing passwords; RACF Pass Ticket. RACF/TSS/ACF2 will not recognize.

40 APPN-EE Firewall Components. [Diagram labels: Host Part; Net-Examine Base Package; Optimization; Compliancy; Client / Master; MASTER Set Handler; CLIENT Functions; Corporate Compliance Suite; Sarbanes-Oxley Compliance Suite; NIST Compliance Suite; Suites; VTAM Security Generator; RACF/ACF2/TSS Security Generator; VTAM Performance Generator; Corporate Compliancy; Sarbanes-Oxley Compliancy; NIST Compliancy.]

41 Product Operation Scheme. [Diagram labels: Mainframes; SysPlex 1, SysPlex 2, SysPlex nn; Security Server; Web Server; Firewall; Net-Examine Suite + Add-on Functions; Ongoing Security Examinations; Precustomized Net-Examine Clients; Downloadable; NetView; Tivoli zSecure Suite; VanGuard; Other Security Management; Sys Cons; Remote Virtual Resources; FW Config File; VTAMLST; PARMLIB; SMF.]

42 US Financial Industry Findings

43 Administrate SNA Firewall: Both the Security and Network teams need to agree on any changes. Get more info at: http://www.net-q.com/ssl/NetQRuleChangeProcess2.html

44 TN3270 SSL Encryption in IP Network. LUCK checks conditions for 3rd parties. Same day, while innocent user's session is active:
1. Check condition to start session to PLU: 99% chance to activate session from LUCK
2. Check condition to start session to SLU: no chance while TN Server LU is in session with Target Application
[Diagram labels: TN Server, IP, SNA; Check: IP@, Telnet, SSL; RACF; Single Sign-on; APPL Target Application; IP@; LUCK; Innocent.]

45 TN3270 SSL Encryption in IP Network. LUCK checks conditions for 3rd parties. When innocent user logged off:
2. Good % of chance to activate session from LUCK. Reports successful.
[Diagram labels: TN Server, IP, SNA; Check: IP@, Telnet, SSL; RACF; Single Sign-on; APPL Target Application; IP@; LUCK; Innocent.]

46 TN3270 SSL Encryption in IP Network. LUCK informs other applications. When both PLU and SLU accept session:
1. Update LUCK status databases
2. Give info to other 3rd parties (list configurable): same LPAR; external LPAR in same SysPlex; external LPAR in same network; external LPAR in other network
[Diagram labels: TN Server, IP, SNA; Check: IP@, Telnet, SSL; RACF; Single Sign-on; APPL Target Application; IP@; LUCK; Innocent.]

47 LUCK Does... Checks status of Logical Units. Checks connectivity to Logical Units using pre-given Logmodes/Bindimages within network and cross network. Establishes and immediately terminates sessions to PLU/SLU. Creates security reports. Designed for large networks.

48 LUCK Does Not... Does not send or receive data on any session. Does not keep any sessions connected. Does not acquire resources except when specially requested. Does not only check TN3270 LUs; it checks all LUs.

49 LUCK, Input Output. [Diagram labels: LUCK; Net-Examine; VTAMLST; APPN-EE Firewall; z/OS Comm Server; Manually configured input; Trace files; z/OS Comm-Server; Primary Log; External LUCK; Secondary Log; Postponed Database; Error Log; Predictive Security Reports; FTP.]

50 Predictive Security Report. How many sessions would allow: 3rd Man in middle attacks; Hijacked Sessions; Obsolete Secure ID cards like RMF; Obsolete RACF Pass Tokens.

51 Codename Worm.Win32.Flame

52 Did you ever hear about new codename Worm.Z.Frame?

53 New APIs make things easier: REXX IP socket API; REXX VTAM API; REXX SAF API; REXX SQL; REXX UTILITIES. Others are available, list is not complete... REXX language used for z/OS exits. Search Internet for others. Check for homegrown REXX solutions.

54 New API makes things easy. REXX IP socket API, provided by IBM with z/OS V1R7 (since 2005): The sample programs and the jobs that you can use to run them are located in the SEZAINST file. The following information applies to the batch jobs: The batch job REXXAPI runs standalone socket EXECs and TCP/IP clients. The batch job REXXAPIS runs TCP/IP servers. The batch job REXXAPIT runs the subtask that is required to test the REXAPI04 program. REXX VTAM socket API: This API function package eliminates the need to code VTAM applications in Assembler language. Basically this technology can be used with VTAM similar to coding mainframe exits in REXX language. It enables the ability to code all interfaces to VTAM SNA, z/OS Console and Trace capture in REXX language.

55 REXX VTAM socket API sample (excerpt from an editor listing; the slide's line numbering skips some lines)
    /* Open the ACB */
    Call NRXFVTAM 'OPEN_ACB',WKAR._ACB1._ADR_C  /* result is RC from z/OS */
    If result>0 Then Do; Say NRXF.0ERMSG; Exit; End
    Say 'ACB1 opened successfully.'
    /* SETLOGON */
    TESTRPL1.0PARMLIST = 'OPTCD'
    TESTRPL1.0OPTCD = 'SYN START'
    Call NRXFVTAM 'SETLOGON',WKAR._RPL1._ADR_C,'TESTRPL1.'
    If result='' Then Do; Say NRXF.0ERMSG; Exit; End
    If result<>0 Then Do; Say NRXF.0ERMSG; Exit; End
    Say 'SETLOGON is done. Feedback = 'NRXF.0FEEDBACK_X
    /* INQUIRE STATUS */
    Call NRXFMEM 'VALUE','WKAR._NIB1._NIBNET',left(netid,8)
    Call NRXFMEM 'VALUE','WKAR._NIB1._NIBSYM',left(luname,8)
    Call NRXFVTAM 'INQUIRE',WKAR._RPL1._ADR_C,'TESTRPL1.'
    If result='' Then Do; Say NRXF.0ERMSG; Exit; End
    If result<>0 Then Do; Say NRXF.0ERMSG; Exit; End
    Say 'INQUIRE STATUS is done. Feedback = 'NRXF.0FEEDBACK_X

56 FRAME Client capabilities I. FRAME automates activities and interfaces to VTAM, IP and files... Running outside the target and only IP connectable: Tries to interconnect to other servers/clients, using whatever connection type is first successful. Remotely controlled by external FRAME servers. External FRAME servers receive captured applications. May be able to log in using TN3270, WebSphere or SNA if userid & password are known by one of the controlling servers. With ‘predefined’ userids & passwords, FRAME can access files and can do transactions based on the user's profile. [Diagram labels: Target Addr Space; Frame; Client-Server connection: 1. USER DATA transmission, 2. IP connection, 3. SNA/LEN/APPN connection.]

57 FRAME Client capabilities II. FRAME automates activities and interfaces to VTAM, IP and files... Running outside the target and SNA connectable: Hijacking connections within/cross LPAR or cross NET. Replicate FRAME using hijacked USERID rights. Send/receive User data to provide info to new replicates. Capture data flows. Capture 3270 panels. Read / write datasets based on hijacked USER's rights. Access Sys console. Issue VTAM / TCP commands. Access Trace and CNM Data. More.. [Diagram labels: Target Addr Space; Frame; APPL1, APPL2; Client-Server connection: 1. USER DATA transmission, 2. IP connection, 3. SNA/LEN/APPN connection.]

58 FRAME Client capabilities III. FRAME automates activities and interfaces to VTAM, IP and files... Running inside the target and SNA connectable: Hijacking connections within/cross LPAR or cross NET. Replicate FRAME using hijacked USERID rights. Send/receive User data to provide info to new replicates. Capture data flows. Capture 3270 panels. Read / write datasets based on hijacked USER's rights. Access Sys console. Issue VTAM / TCP commands. Access Trace and CNM Data. More ? [Diagram labels: Target Addr Space; Frame; APPL1, APPL2; Client-Server connection: 1. USER DATA transmission, 2. IP connection, 3. SNA/LEN/APPN connection.]

59 REXX Interpret Instruction
Local File:
    /* REXX EZARXR02 */
    src = socket("INITIALIZE","MYSET01",10);
    if perror(src,"INITIALIZE") = 0 then do
       src = socket("SOCKET","AF_INET6","STREAM");
       if perror(src,"SOCKET") = 0 then do
          parse var src l_retcode l_sockid
          src = perror(socket("CLOSE",l_sockid),"CLOSE");
       end; /* SOCKET */
    end; /* INITIALIZE */
    src = perror(socket("TERMINATE","MYSET01"),"TERMINATE");
    exit 0;
    /* Routine returns -1 if first word of arg 1 is not zero */
    perror:
    if word(arg(1),1) = 0 then return 0;
    else Say arg(2) "Error : "arg(1);
    return -1;
Base code:
    /* REXX base code */
    rc = rexint(file5)        /* optional second argument: Servers */
    Return 0
    REXINT:
      rexfile = arg(1)
      Servers = arg(2)
      If Servers = '' Then rc = rexint_local()
      Return 0
    REXINT_LOCAL:             /* INTERPRET LOCAL FILE */
      Do While lines(rexfile) > 0
        line = linein(rexfile)
        INTERPRET line
      End
      Return 0

60 Remote Code Executing Locally
    /* Open the ACB */
    Call NRXFVTAM 'OPEN_ACB',WKAR._ACB1._ADR_C
    If result>0 Then Do; Say NRXF.0ERMSG; Exit; End
    Say 'ACB1 opened successfully.'
    /* SETLOGON */
    TESTRPL1.0PARMLIST = 'OPTCD'
    TESTRPL1.0OPTCD = 'SYN START'
    Call NRXFVTAM 'SETLOGON',WKAR._RPL1._ADR_C,'TESTRPL1.'
    If result='' Then Do; Say NRXF.0ERMSG; Exit; End
    If result<>0 Then Do; Say NRXF.0ERMSG; Exit; End
    Say 'SETLOGON is done. Feedback = 'NRXF.0FEEDBACK_X
Remote Server Files: Multiple remote servers searched for files. Multiple media types tried to connect each server.
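A review aid for the INTERPRET pattern on the two slides above, as an added example that is not from the presentation: a heuristic scanner that reads REXX source and reports every INTERPRET instruction, rating it HIGH when the operand is derived from data read at run time. The list of input sources, the severity names and the sample exec are assumptions constructed for illustration, and the taint tracking is line-ordered and approximate rather than a full REXX parser.

```python
import re

COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
STRING = re.compile(r"'[^']*'|\"[^\"]*\"")
NAME = re.compile(r"[A-Za-z_!?@#$][\w.!?@#$]*")
ASSIGN = re.compile(r"([A-Za-z_!?@#$][\w.!?@#$]*)\s*=\s*(.+)")
PULL = re.compile(r"(?:parse\s+(?:upper\s+)?)?pull\s+(.*)", re.IGNORECASE)
PARSE_VAR = re.compile(r"parse\s+(?:upper\s+)?var\s+(\S+)\s+(.*)", re.IGNORECASE)
INTERPRET = re.compile(r"\binterpret\b(.*)", re.IGNORECASE)

# Assumed list of functions that bring file, socket or terminal data into
# a variable; extend it for the APIs installed at a given site.
SOURCES = {"LINEIN", "CHARIN", "SOCKET"}

# Constructed sample exec following the loop shown on the slide.
SAMPLE = """\
/* constructed sample exec */
do while lines(rexfile) > 0
  line = linein(rexfile)   /* data read from a file */
  INTERPRET line
end
cmd = 'say "hello"'
interpret cmd
interpret 'x = 1'
parse pull answer; if answer <> '' then interpret answer
"""


def names(expr):
    """REXX symbols are case-insensitive, so compare them in upper case."""
    return {n.upper() for n in NAME.findall(expr)}


def scan(source):
    """Return (line_no, severity) for each INTERPRET instruction found."""
    # Blank out comments but keep their newlines so line numbers stay valid.
    text = COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    tainted, findings = set(), []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Empty the string literals so words inside them are not treated
        # as symbols, then split the line into clauses.
        for clause in STRING.sub("''", line).split(";"):
            clause = clause.strip()
            m = INTERPRET.search(clause)
            if m:
                used = names(m.group(1))
                if used & (tainted | SOURCES):
                    findings.append((line_no, "HIGH"))    # run-time input
                elif used:
                    findings.append((line_no, "REVIEW"))  # untraced variable
                else:
                    findings.append((line_no, "LOW"))     # literal only
                continue
            m = PULL.match(clause)
            if m:  # terminal or stack input
                tainted |= names(m.group(1))
                continue
            m = PARSE_VAR.match(clause)
            if m:  # taint flows from the parsed variable to its targets
                if m.group(1).upper() in tainted:
                    tainted |= names(m.group(2))
                continue
            m = ASSIGN.match(clause)
            if m:
                target, rhs = m.group(1).upper(), names(m.group(2))
                if rhs & (tainted | SOURCES):
                    tainted.add(target)
                else:
                    tainted.discard(target)
    return findings


if __name__ == "__main__":
    for line_no, severity in scan(SAMPLE):
        print(f"line {line_no}: INTERPRET rated {severity}")
```

Run over an exec library, the HIGH findings are the places where file or network content becomes executable code and are the ones to review first.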

61 Another way to run z/OS. Free Hercules z/OS Emulation: Search Google: Free Download Hercules Emulation. Free z/OS: Search Google: Free Download ibm adcd z/os 1.13. Warning: You may have already bought a license from IBM? You can run z/OS on either Windows, Linux or APPL platform. Free TN3270 emulation on Windows, Microsoft Mobile, iPad, iPhone, iBook, Blackberry or Android. REXX VTAM API downloadable from Internet. REXX IP Sockets API included in z/OS. Literature: Search Google: REXX Language: A Practical Approach to Programming; Search Google: MVS TSO: Commands, CLIST & REXX.

62 FLAME - FRAME Comparison. Programming Language: FLAME, LUA; FRAME, REXX. [Comparison table with columns FLAME and FRAME; rows: PCs connected to local LAN; Flash drives; Bluetooth; Can record sounds and videos; Captures screenshot images; Log messaging conversations; Hijacking connections within/cross LPAR or cross NET; Replicate FRAME using hijacked USERID rights; Send/receive User data to provide info to new replicates; Capture data flows; Capture 3270 panels; Read / Write datasets based on hijacked USER's rights; Access Sys console; Issue VTAM / TCP commands at mainframe console.]

63 In-Depth and Holistic View: Look Across the Entire Organization. Keep Aware of Emerging Threats. Understand Security Risks and Business Impact. Conduct an In-Depth Assessment. Review Organizational Policies. Cross Organizational Communications. Be Proactive.

64 Summary: Mainframes will continue to play a critical role. Mainframes are being integrated as part of organizational cloud strategies. Security continues to be a concern. Threats are similar whether IP or SNA based. Security necessitates an in-depth and holistic perspective. Security is not an IT decision – it's a business decision.

65 Questions?

66 Contact: Peter Hager, CEO, Net`Q GmbH, (202) 470-2563, p.hager@net-q.com. Earl Rasmussen, President, Net`Q America, (202) 470-2697, e.rasmussen@net-q.com.

67 Thank You!

