The BCPii hypervisor control function is a relatively new z/OS feature. It lets you control the mainframe at the level of its HMC console, which means you access the hypervisor directly from z/OS. BCPii authority therefore stands for owning “real power.” Without doubt, BCPii enables great functionality in the field of smart system automation, such as dynamic capacity management, and spares you many otherwise necessary personal visits to cold and windy server rooms. On the other hand, professionally acting hackers also gain a new level of power, since they can now potentially control your entire mainframe platform. How is this possible, given that BCPii is a protected feature? The answer is simple. Professional attacks always also involve deactivating the security system in use, i.e. RACF, CA-TSS or CA-ACF2. This means that any perfectly configured BCPii protection simply becomes void for the hacker during such an attack. Where BCPii is enabled, hackers can much more easily perform cross-LPAR attacks and reach and touch your production systems, for example when the actual hack happens on a test LPAR that shares the same physical machine with production. One detail has to be mentioned here: such attacks will not focus on direct data access but on the LPARs’ overall operational availability or behavior.
For a critical mainframe infrastructure the golden rule is “no BCPii without strong intrusion detection (IDS)”; otherwise you irresponsibly accept a significant operational risk. “Strong” here means an intrusion detection system that does not just evaluate SMF and syslog records or similar regular sources, but is also able to detect dynamic manipulations, the bypassing of the security system, and other fancy tricks in real time. We apologize for this clear and frank statement of opinion, and also for pointing to SF-Sherlock in this context. But its unique IDS component focuses exactly on these most dangerous and tricky attack methods, in order to secure your mainframe platform against professional attacks. If you are curious about what such a hack looks like, the best way is to invite us for a penetration test.
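To make the “strong IDS” requirement concrete, here is an added example (not SF-Sherlock code and not any IBM interface) of the correlation logic such a detector needs beyond plain record evaluation: it flags a BCPii command that is not preceded by an external security manager (ESM) authorization check, a BCPii command issued while the ESM is reported inactive, and a command from a non-production LPAR that targets a production LPAR. The event format is a constructed, simplified stand-in for real SMF and syslog sources; the LPAR names, user IDs, field layout and the `AUTH_WINDOW` threshold are all assumptions made for the illustration.

```python
"""Minimal correlation detector for BCPii activity on z/OS.

Added illustration only. The pipe-separated event format is a constructed
simplification of real SMF/syslog data; all names and values are invented.
Fields: ts|lpar|kind|user|detail
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample stream: a normal query, an authorized but cross-LPAR
# action, and finally a command issued after the ESM has gone inactive.
SAMPLE_EVENTS = """\
100|TEST1|ESM_STATE|SYSTEM|ACTIVE
105|TEST1|ESM_CHECK|OPER1|HWI.TARGET.TEST1 ALLOW
106|TEST1|BCPII_CMD|OPER1|QUERY TARGET=TEST1
199|TEST1|ESM_CHECK|OPER1|HWI.TARGET.PROD1 ALLOW
200|TEST1|BCPII_CMD|OPER1|ACTIVATE TARGET=PROD1
300|TEST1|ESM_STATE|SYSTEM|INACTIVE
301|TEST1|BCPII_CMD|USRX|DEACTIVATE TARGET=PROD1
"""

PRODUCTION_LPARS = {"PROD1", "PROD2"}  # assumed inventory of production LPARs
AUTH_WINDOW = 5  # assumed: an ESM check must precede a BCPii command by <= 5 s

Alert = Tuple[int, str, str, str]  # (ts, rule, user, detail)


@dataclass
class Event:
    ts: int
    lpar: str
    kind: str
    user: str
    detail: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-separated event lines into Event objects."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, lpar, kind, user, detail = line.split("|", 4)
        events.append(Event(int(ts), lpar, kind, user, detail))
    return events


def target_of(detail: str) -> Optional[str]:
    """Extract the TARGET=... token from a constructed BCPii command string."""
    for tok in detail.split():
        if tok.startswith("TARGET="):
            return tok.split("=", 1)[1]
    return None


def detect(events: List[Event]) -> List[Alert]:
    """Correlate ESM state, ESM checks and BCPii commands into alerts."""
    alerts: List[Alert] = []
    esm_active = {}   # lpar -> bool (unknown LPARs are assumed active)
    last_check = {}   # (lpar, user) -> ts of the most recent ESM check
    for ev in events:
        if ev.kind == "ESM_STATE":
            esm_active[ev.lpar] = ev.detail == "ACTIVE"
        elif ev.kind == "ESM_CHECK":
            last_check[(ev.lpar, ev.user)] = ev.ts
        elif ev.kind == "BCPII_CMD":
            # Rule 1: the security system was switched off before the command.
            if not esm_active.get(ev.lpar, True):
                alerts.append((ev.ts, "ESM_INACTIVE", ev.user, ev.detail))
            # Rule 2: no authorization check seen for this user in the window,
            # which is what a bypassed ESM looks like in the record stream.
            chk = last_check.get((ev.lpar, ev.user))
            if chk is None or ev.ts - chk > AUTH_WINDOW:
                alerts.append((ev.ts, "NO_ESM_CHECK", ev.user, ev.detail))
            # Rule 3: a non-production LPAR acting on a production LPAR.
            tgt = target_of(ev.detail)
            if tgt in PRODUCTION_LPARS and ev.lpar not in PRODUCTION_LPARS:
                alerts.append((ev.ts, "CROSS_LPAR_TO_PROD", ev.user, ev.detail))
    return alerts


if __name__ == "__main__":
    for ts, rule, user, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts} {rule:<20} {user:<8} {detail}")
```

The point of the example is the correlation, not the field names: Rule 2 only works if the detector keeps state across record types, which is exactly what a simple per-record SMF or syslog filter does not do. In a real deployment the “ESM inactive” signal would have to come from a source the attacker cannot silence along with the ESM itself, which is the real-time manipulation detection the paragraph above refers to.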