“Our IBM i penetration tests rattle on the front door, garage door, porch windows, etc. and if we can enter the ‘house,’ go looking through the rooms for an ‘open safe’ and view its contents.” ~ Carol Woodbury
Running network penetration tests on IBM i only goes so far because they test for open ports and unsecured services, not access to the actual data itself. In other words, networks scans knock on the door, but we go into the house and look around.
Our IBM i penetration testing protocol attempts to access data using typical end-user profiles that shouldn’t be able to do so.
Pen testing provides peace of mind knowing your security strategy is performing as expected. Or it provides an actionable list of ranked, exploitable issues and guidance on how to resolve them, along with complete documentation and objective proof of vulnerability.
1.) Run a data collection utility on the subject LPAR to provide the configuration data necessary to design the test
2.) Scope meeting with client to define user roles and test profiles on subject LPAR
3.) Customer creates a virtual PC on their network and grants access to Kisco
4.) A Kisco tester connects to the virtual PC and executes our proprietary testing protocol
5.) The actual testing phase of the process requires about one day per LPAR
6.) Results are analyzed and organized into our proprietary risk matrix and report framework
7.) Findings and recommendations are shared with the customer
Kisco’s proprietary penetration testing protocol for IBM i is know as a “gray box” test.
In gray box testing, the tester has some knowledge of the system's or application's internal workings, such as its architecture, design, or code, but not full knowledge. This partial knowledge can help testers understand the level of access a privileged user could gain and the potential damage they could cause. Gray box testing can also be used to simulate an insider threat or an attack that has breached the network perimeter.
Contact Kisco Today