The BCPii hypervisor control function is a fairly new z/OS feature. It lets you control the mainframe at the HMC console level, meaning that you access the hypervisor directly from z/OS. BCPii authority therefore amounts to owning “real power.” Without doubt, BCPii enables great functionality in the field of smart system automation, such as dynamic capacity management, and spares you the otherwise necessary personal visits to the cold and windy server rooms. On the other hand, professional hackers also gain a new level of power, since they can now potentially control your entire mainframe platform. How is this possible, since BCPii is a protected feature? The answer is simple. Professional attacks always also involve deactivating your security system (RACF, CA-TSS or CA-ACF2) for the duration of the attack. This means that even a perfectly configured BCPii protection simply becomes void for the hacker during such an attack. If BCPii is enabled, hackers can far more easily perform cross-LPAR attacks and reach your production systems, for example when the actual hack takes place on a test LPAR that shares the same physical machine with production. One detail has to be mentioned here: such attacks will not focus on direct data access but on the LPARs’ overall operational availability or behavior.
For a critical mainframe infrastructure the golden rule is “no BCPii without strong intrusion detection (IDS)”; otherwise you – irresponsibly – accept a significant operational risk. “Strong” means an intrusion detection system that does not merely evaluate SMF and syslog records or similar regular sources, but is also able to detect dynamic manipulations, the bypassing of the security system, and other fancy tricks in real time. We apologize for this clear and frank statement and opinion, and also for pointing to SF-Sherlock in this context. But its unique IDS component focuses precisely on these most dangerous and tricky attack methods, in order to secure your mainframe platform against professional attacks. If you are curious about what such an attack looks like, the best way is to invite us to carry out a penetration test.