Chapter 28 Quiz: Mainframe Security for COBOL Developers
Section 1: Multiple Choice
1. What mechanism does z/OS use to enforce address space isolation?
a) Software-based memory protection using guard pages
b) Hardware-enforced Dynamic Address Translation (DAT) with separate page tables per address space
c) Virtual machine isolation provided by the z/VM hypervisor
d) Linux-style namespace isolation ported to z/OS
Answer: b) Hardware-enforced Dynamic Address Translation (DAT) with separate page tables per address space
Explanation: z/OS uses the z/Architecture DAT hardware to enforce address space isolation. Each address space has its own set of page tables, and the hardware prevents any user-mode instruction from referencing another address space's memory. This is fundamentally stronger than software-based isolation because the boundary is enforced by the processor hardware, not by operating system code that could contain bugs. z/VM is a separate product (a hypervisor), and z/OS does not use it for address space isolation. Linux namespaces are a software construct unrelated to z/OS.
2. What is the role of the System Authorization Facility (SAF) in z/OS security?
a) SAF is the z/OS firewall that filters network packets
b) SAF is the encryption engine that handles all cryptographic operations
c) SAF is the security router that directs all resource access decisions to the installed External Security Manager
d) SAF is the audit log that records all security events
Answer: c) SAF is the security router that directs all resource access decisions to the installed External Security Manager
Explanation: SAF is the central security checkpoint in z/OS. Every subsystem (CICS, DB2, MQ, JES2, dataset access methods) calls SAF when a security decision is needed. SAF routes the request to the installed ESM — typically RACF, but potentially ACF2 or Top Secret. This architecture ensures that security decisions are centralized in one database (RACF) and one policy enforcement point (SAF), rather than fragmented across subsystems. SAF does not perform encryption (that's ICSF/CPACF), does not filter network packets (that's the Communications Server), and does not record audit logs (that's SMF).
3. What does UACC(NONE) mean on a RACF dataset profile?
a) The dataset is not protected by RACF
b) No user can access the dataset, including the dataset owner
c) Users not explicitly permitted in the access list have no access to the dataset
d) The dataset is encrypted and cannot be read without a key
Answer: c) Users not explicitly permitted in the access list have no access to the dataset
Explanation: UACC stands for Universal Access Authority — it defines the default access level for users who are not explicitly named in the profile's access list and are not members of a group named in the access list. UACC(NONE) implements a "default deny" posture: if you're not on the list, you don't get in. This is a fundamental requirement for PCI-DSS, HIPAA, and virtually every compliance framework. The dataset owner and users with the RACF SPECIAL attribute can still access the dataset through other mechanisms, but ordinary users must be explicitly permitted.
4. Why should the RACF RACLIST option be activated for frequently-checked resource classes like TCICSTRN?
a) RACLIST enables encryption of the resource profiles
b) RACLIST loads profiles into storage for in-memory lookup, reducing profile check time from ~2ms to ~2 microseconds
c) RACLIST enables generic profile support for the resource class
d) RACLIST activates audit logging for the resource class
Answer: b) RACLIST loads profiles into storage for in-memory lookup, reducing profile check time from ~2ms to ~2 microseconds
Explanation: Without RACLIST, every RACF security check for a general resource class requires an I/O operation to the RACF database — approximately 2 milliseconds per check. With RACLIST active, profiles are loaded into memory and checked there — approximately 2 microseconds per check, a 1,000x improvement. For a CICS environment processing thousands of transactions per second, each requiring a TCICSTRN profile check, the performance difference is dramatic. RACLIST is not related to encryption, generic profile support (that's SETROPTS GENERIC), or audit logging (that's SETROPTS AUDIT).
5. In the DB2 security model, what is the relationship between RACF DSNR class profiles and DB2 GRANT/REVOKE authorization?
a) They are alternatives — you use either RACF or DB2 authorization, not both
b) RACF DSNR controls whether a user can connect to DB2; DB2 GRANT/REVOKE controls what they can do once connected
c) DB2 GRANT/REVOKE has been deprecated in favor of RACF-only authorization
d) RACF DSNR controls table-level access; DB2 GRANT/REVOKE controls column-level access
Answer: b) RACF DSNR controls whether a user can connect to DB2; DB2 GRANT/REVOKE controls what they can do once connected
Explanation: DB2 security on z/OS is a two-layer model. First, the RACF DSNR class controls connection authorization — it determines whether a userid can connect to the DB2 subsystem at all and through which attachment type (batch, CICS, etc.). Second, once connected, DB2's own authorization mechanism (GRANT/REVOKE) controls what SQL operations the user can perform on which objects. Both layers are active simultaneously and both must permit access. A user who passes the RACF DSNR check but lacks a DB2 GRANT will receive a -551 SQLCODE (authorization failure). A user who has DB2 GRANTs but fails the RACF DSNR check will not even connect.
6. What is the primary advantage of z/OS dataset encryption using CPACF hardware?
a) It provides stronger encryption algorithms than software encryption
b) It is transparent to applications and consumes no general-purpose CPU capacity
c) It automatically encrypts network traffic in addition to stored data
d) It eliminates the need for RACF dataset profiles
Answer: b) It is transparent to applications and consumes no general-purpose CPU capacity
Explanation: CPACF (CP Assist for Cryptographic Functions) is built into the z/Architecture processor chip and performs AES encryption/decryption without consuming general-purpose CPU cycles. This means encryption is effectively "free" from a CPU cost perspective. The encryption is also transparent to applications — COBOL programs use OPEN, READ, WRITE, and CLOSE normally; the encryption/decryption happens at the I/O layer below the access method. CPACF uses standard AES algorithms (same strength as software implementations), does not handle network encryption (that's AT-TLS using the same hardware), and does not replace RACF profiles (you still need both the dataset profile AND the CSFKEYS profile for encrypted data access).
7. Which of the following is a SQL injection vulnerability in COBOL?
a) Using host variables in a static SQL SELECT statement
b) Using STRING to concatenate user input into a dynamic SQL PREPARE statement
c) Using parameter markers (?) in a dynamic SQL PREPARE statement
d) Using EXEC SQL EXECUTE IMMEDIATE with a hard-coded SQL string
Answer: b) Using STRING to concatenate user input into a dynamic SQL PREPARE statement
Explanation: SQL injection occurs when user-supplied input is incorporated into SQL syntax rather than treated as a data value. When you use STRING to concatenate user input into a SQL statement that is then PREPAREd, the user input becomes part of the SQL text — a malicious user can inject additional SQL clauses. Host variables (option a) and parameter markers (option c) are the correct prevention mechanisms — they tell DB2 to treat the input as a value, not as SQL syntax. EXECUTE IMMEDIATE with a hard-coded string (option d) contains no user input, so injection is not possible (though EXECUTE IMMEDIATE should still be used cautiously).
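The two patterns contrasted in the explanation, side by side, as an added example that is not from the chapter: the STRING concatenation the question flags (built but never PREPAREd here) and the parameter-marker form that keeps user input out of the SQL text. The table CNB.ACCOUNTS with columns ACCT_NO and ACCT_BAL, and the DECIMAL(15,2) balance, are assumed for illustration.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. ACCTLOOK.
      * Added example, not from the chapter. Table CNB.ACCOUNTS with
      * columns ACCT_NO and ACCT_BAL is an assumed layout.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
           EXEC SQL INCLUDE SQLCA END-EXEC.
      * Statement string for PREPARE: 49-level length plus text.
       01  WS-SQL-STMT.
           49  WS-SQL-LEN          PIC S9(4) COMP.
           49  WS-SQL-TEXT         PIC X(200).
       01  WS-USER-INPUT           PIC X(12).
       01  WS-ACCT-BAL             PIC S9(13)V99 COMP-3.
       01  WS-BAD-TEXT             PIC X(200).
       PROCEDURE DIVISION.
      * WS-USER-INPUT stands in for a screen field; constructed value.
           MOVE '000123456789' TO WS-USER-INPUT
      * ---- The pattern the question flags: never PREPARE this ----
      * Input is spliced into the SQL text, so DB2 parses whatever the
      * user typed as SQL syntax rather than as an account number.
           MOVE SPACES TO WS-BAD-TEXT
           STRING 'SELECT ACCT_BAL FROM CNB.ACCOUNTS '
                  'WHERE ACCT_NO = '''     DELIMITED BY SIZE
                  WS-USER-INPUT            DELIMITED BY SPACE
                  ''''                     DELIMITED BY SIZE
             INTO WS-BAD-TEXT
           END-STRING
      * ---- Hardened form: parameter marker ----
      * The SQL text is a fixed literal. The ? is bound at OPEN time
      * from a host variable, which DB2 treats strictly as a value.
           MOVE 'SELECT ACCT_BAL FROM CNB.ACCOUNTS WHERE ACCT_NO = ?'
             TO WS-SQL-TEXT
           MOVE LENGTH OF WS-SQL-TEXT TO WS-SQL-LEN
           EXEC SQL DECLARE C1 CURSOR FOR S1 END-EXEC
           EXEC SQL PREPARE S1 FROM :WS-SQL-STMT END-EXEC
           IF SQLCODE NOT = 0
              DISPLAY 'PREPARE FAILED SQLCODE=' SQLCODE
              GOBACK
           END-IF
           EXEC SQL OPEN C1 USING :WS-USER-INPUT END-EXEC
           EXEC SQL FETCH C1 INTO :WS-ACCT-BAL END-EXEC
           IF SQLCODE = 0
              DISPLAY 'BALANCE ' WS-ACCT-BAL
           ELSE
              DISPLAY 'NO ROW OR ERROR SQLCODE=' SQLCODE
           END-IF
           EXEC SQL CLOSE C1 END-EXEC
           GOBACK.
```

Because the statement text is constant, it can also be PREPAREd once and re-OPENed with different host variable values, which is both safer and cheaper than rebuilding the string per request.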
8. What is the purpose of AT-TLS (Application Transparent Transport Layer Security) on z/OS?
a) It encrypts data stored in datasets
b) It provides TLS encryption at the TCP/IP stack level, transparent to applications
c) It replaces RACF for network-based authentication
d) It provides VPN tunnels between z/OS LPARs
Answer: b) It provides TLS encryption at the TCP/IP stack level, transparent to applications
Explanation: AT-TLS operates within the z/OS TCP/IP stack (Communications Server) and applies TLS encryption to network connections based on policy rules — matching on port numbers, IP addresses, or application identifiers. The critical feature is transparency: COBOL programs and CICS applications send and receive data using standard socket or CICS web service calls without any encryption-related code. The TCP/IP stack handles the TLS handshake, encryption, and decryption automatically. This means you can add network encryption to existing applications without modifying a single line of COBOL. AT-TLS does not encrypt stored data (that's dataset encryption), does not replace RACF, and is not a VPN technology.
9. Under PCI-DSS Requirement 3, how does z/OS dataset encryption contribute to protecting stored cardholder data?
a) It prevents authorized users from reading cardholder data
b) It renders cardholder data unreadable on physical media, protected by RACF-controlled key access
c) It replaces the need for network encryption
d) It automatically masks cardholder data in CICS screens
Answer: b) It renders cardholder data unreadable on physical media, protected by RACF-controlled key access
Explanation: PCI-DSS Requirement 3 mandates that stored cardholder data be protected, with specific guidance that it should be rendered unreadable anywhere it is stored. z/OS dataset encryption encrypts data on the physical disk using AES-256. If someone steals the physical media (disk pack or backup tape), the data is unreadable without the encryption key. Access to the key is controlled by RACF CSFKEYS profiles — a separate authorization gate from the dataset profile itself. This creates a two-gate model: you need both dataset access (RACF dataset profile) AND key access (RACF CSFKEYS profile) to read the data. Dataset encryption does not affect authorized users (it's transparent), does not replace network encryption, and does not perform data masking.
10. Why does HIPAA's Safe Harbor provision make encryption a de facto requirement even though the HIPAA Security Rule lists it as "addressable"?
a) "Addressable" means optional, so encryption is not actually required
b) Because encrypted ePHI that is breached does not trigger the 60-day breach notification requirement
c) Because the Safe Harbor provision provides immunity from all HIPAA penalties
d) Because HIPAA requires FIPS 140-2 validated encryption for all healthcare data
Answer: b) Because encrypted ePHI that is breached does not trigger the 60-day breach notification requirement
Explanation: Under HIPAA, a breach of "unsecured" (unencrypted) ePHI triggers mandatory notification to affected individuals, HHS, and potentially the media within 60 days. However, if the ePHI was encrypted according to NIST standards and the encryption key was not compromised, the data is considered "secured" and the breach notification requirement does not apply. This is the Safe Harbor provision. While HIPAA's Security Rule lists encryption as "addressable" (meaning you must document why you did or didn't implement it), the practical reality is that not encrypting ePHI creates existential risk — a single breach event triggers notification obligations that can cost millions. This is why Pinnacle Health encrypts all ePHI despite the "addressable" classification.
11. What is the correct approach to data masking in a CICS COBOL program?
a) Hard-code a list of authorized userids who can see unmasked data
b) Use RACF FACILITY class checks to determine the user's masking level at runtime
c) Always mask data regardless of user authorization
d) Rely on DB2 column masks exclusively
Answer: b) Use RACF FACILITY class checks to determine the user's masking level at runtime
Explanation: The correct approach externalizes the masking decision to RACF. The COBOL program uses EXEC CICS QUERY SECURITY to check whether the current user has access to a FACILITY resource (e.g., CNB.PAN.FULLVIEW). If authorized, the program displays unmasked data; if not, it displays masked data. This approach is superior to hard-coding user lists (which requires code changes when users change), always masking (which prevents legitimate use), or relying solely on DB2 column masks (which don't apply to data already in COBOL working storage). Externalizing the decision to RACF means the security team can change masking rules without touching application code.
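The runtime check the explanation describes, as an added example that is not the chapter's own code: EXEC CICS QUERY SECURITY asks RACF (through SAF) whether the task's userid has READ access to the FACILITY resource CNB.PAN.FULLVIEW named above, and the program fails closed, masking all but the last four digits unless the answer is an unambiguous yes. The PAN layout and sample value are constructed.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. PANMASK.
      * Added example, not from the chapter. The FACILITY resource
      * CNB.PAN.FULLVIEW is the one named in the explanation; the
      * 16-byte PAN field and its value are constructed.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-RES-NAME             PIC X(16) VALUE 'CNB.PAN.FULLVIEW'.
       01  WS-RES-LEN              PIC S9(8) COMP VALUE 16.
       01  WS-READ-CVDA            PIC S9(8) COMP.
       01  WS-RESP                 PIC S9(8) COMP.
       01  WS-PAN                  PIC X(16).
       01  WS-PAN-DISPLAY          PIC X(16).
       PROCEDURE DIVISION.
      * Constructed sample PAN; in practice this comes from DB2/VSAM.
           MOVE '1234567890123456' TO WS-PAN
           PERFORM 2000-MASK-PAN
      * WS-PAN-DISPLAY is now safe to move to the map or web response.
           EXEC CICS RETURN END-EXEC.
       2000-MASK-PAN.
      * One SAF call decides the masking level. The decision lives in
      * RACF (PERMIT CNB.PAN.FULLVIEW CLASS(FACILITY) ID(...)), so the
      * security team can change who sees full PANs without a recompile.
           EXEC CICS QUERY SECURITY
                RESCLASS('FACILITY')
                RESID(WS-RES-NAME)
                RESIDLENGTH(WS-RES-LEN)
                READ(WS-READ-CVDA)
                RESP(WS-RESP)
           END-EXEC
      * Fail closed: an abnormal response (e.g. resource not defined,
      * security inactive) is treated exactly like NOTREADABLE.
           IF WS-RESP = DFHRESP(NORMAL)
              AND WS-READ-CVDA = DFHVALUE(READABLE)
              MOVE WS-PAN TO WS-PAN-DISPLAY
           ELSE
              MOVE ALL 'X' TO WS-PAN-DISPLAY
              MOVE WS-PAN(13:4) TO WS-PAN-DISPLAY(13:4)
           END-IF.
```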
12. In CNB's security monitoring architecture, what triggers a Tier 1 (immediate response) alert?
a) A user fails to authenticate once
b) A new RACF PERMIT command grants access to a development dataset
c) A RACF userid with SPECIAL attribute is added outside the change window
d) Normal successful access to production datasets
Answer: c) A RACF userid with SPECIAL attribute is added outside the change window
Explanation: Tier 1 alerts represent the highest severity — events that require immediate response because they indicate potential credential compromise, unauthorized privilege escalation, or active data exfiltration. Adding a userid with the SPECIAL attribute (which grants full RACF administrative authority) outside a change window is a critical indicator of unauthorized privilege escalation. A single failed authentication (option a) is normal and doesn't warrant immediate response. A PERMIT to a development dataset (option b) is a Tier 2 event. Normal successful access (option d) is Tier 3 (routine monitoring). The key principle: Tier 1 alerts should be rare (3-5 per day) and always actionable.
13. What is the purpose of RACF RESLEVEL in MQ security?
a) It controls the encryption level for MQ messages
b) It determines how many security checks MQ performs for a given userid
c) It sets the message priority level in MQ queues
d) It controls the MQ channel compression level
Answer: b) It determines how many security checks MQ performs for a given userid
Explanation: RESLEVEL controls the number of RACF security checks MQ performs per operation. At RESLEVEL 0, MQ checks at both the queue manager level and the individual queue level — the most secure setting. At RESLEVEL 1, only one check (queue level). At RESLEVEL 2, no security checks — MQ trusts the userid completely. For application userids, RESLEVEL should always be 0 (full checking). RESLEVEL 1 or 2 should only be used for the MQ queue manager's own started task userid, which needs unrestricted access to perform its internal operations.
14. What SMF record type captures RACF access decisions?
a) SMF type 30 (job/step accounting)
b) SMF type 80 (RACF processing)
c) SMF type 102 (DB2 accounting)
d) SMF type 110 (CICS transaction data)
Answer: b) SMF type 80 (RACF processing)
Explanation: SMF type 80 records capture every RACF security decision — both grants and denials. Each record includes the userid, resource name, resource class, access attempted, access granted/denied, reason code, timestamp, and job/started task name. These records are the foundation of security analytics on z/OS and are required for compliance with PCI-DSS Requirement 10, HIPAA audit controls, and federal NIST 800-53 audit requirements. SMF type 30 captures job accounting data, SMF type 102 captures DB2 accounting and performance data, and SMF type 110 captures CICS transaction performance and monitoring data.
15. Why must COBOL reference modification include bounds checking for security?
a) Because COBOL automatically extends the buffer if the reference exceeds its bounds
b) Because out-of-bounds reference modification can read another CICS task's data from shared storage
c) Because reference modification is not supported in Enterprise COBOL
d) Because DB2 rejects any SQL statement that uses reference modification
Answer: b) Because out-of-bounds reference modification can read another CICS task's data from shared storage
Explanation: In a CICS environment, multiple tasks share storage regions. If a COBOL program uses reference modification (e.g., WS-BUFFER(WS-OFFSET:WS-LENGTH)) with user-supplied offset and length values that exceed the buffer boundaries, the program reads memory beyond its own working storage — potentially accessing another task's data. This is a buffer over-read vulnerability that can expose another user's sensitive information. COBOL does not automatically extend buffers or generate a runtime error for reference modification out of bounds (unlike array subscript checking with the SSRANGE compiler option). The developer must explicitly validate offset and length values before using them.
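The explicit validation the explanation calls for, as an added example that is not from the chapter: every caller-supplied offset and length is checked against the buffer size before the reference modification is evaluated, so the MOVE can never touch storage past WS-BUFFER regardless of compiler options. Field names and the two test cases are constructed.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SAFEREF.
      * Added example, not from the chapter. Validates offset/length
      * before WS-BUFFER(WS-OFFSET:WS-LENGTH) is ever evaluated.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-BUFFER               PIC X(80).
       01  WS-BUFFER-LEN           PIC S9(4) COMP VALUE 80.
       01  WS-OFFSET               PIC S9(4) COMP.
       01  WS-LENGTH               PIC S9(4) COMP.
       01  WS-FIELD                PIC X(80).
       01  WS-RC                   PIC 9 VALUE 0.
           88  WS-REF-OK           VALUE 0.
           88  WS-REF-REJECTED     VALUE 1.
       PROCEDURE DIVISION.
           MOVE ALL 'X' TO WS-BUFFER
      * Constructed case 1: in bounds, RC=0 expected.
           MOVE 5  TO WS-OFFSET
           MOVE 10 TO WS-LENGTH
           PERFORM 1000-SAFE-EXTRACT
           DISPLAY 'CASE 1 RC=' WS-RC
      * Constructed case 2: offset 70 + length 20 would read 10 bytes
      * past the 80-byte buffer, i.e. into whatever follows it. RC=1.
           MOVE 70 TO WS-OFFSET
           MOVE 20 TO WS-LENGTH
           PERFORM 1000-SAFE-EXTRACT
           DISPLAY 'CASE 2 RC=' WS-RC
           GOBACK.
       1000-SAFE-EXTRACT.
      * Four conditions, all required: offset within 1..len, length
      * positive, and the last byte touched (offset + length - 1) not
      * beyond the buffer end. Check BEFORE using the values, because
      * the reference modification itself performs no check.
           IF WS-OFFSET < 1
              OR WS-OFFSET > WS-BUFFER-LEN
              OR WS-LENGTH < 1
              OR WS-OFFSET + WS-LENGTH - 1 > WS-BUFFER-LEN
              SET WS-REF-REJECTED TO TRUE
              MOVE SPACES TO WS-FIELD
           ELSE
              SET WS-REF-OK TO TRUE
              MOVE WS-BUFFER(WS-OFFSET:WS-LENGTH)
                TO WS-FIELD(1:WS-LENGTH)
           END-IF.
```

In a CICS program the rejected case should also be logged (the offset and length values are evidence of tampering or a client bug), not silently ignored.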
16. What is dual control in the context of z/OS encryption key management?
a) Using two different encryption algorithms for the same data
b) Requiring two authorized individuals, each holding part of the key, to perform key management operations
c) Encrypting data twice with two different keys
d) Having a primary and backup copy of each encryption key
Answer: b) Requiring two authorized individuals, each holding part of the key, to perform key management operations
Explanation: Dual control (also called split knowledge) is a key management principle that prevents any single person from having complete knowledge of or access to an encryption key. For master key operations on z/OS (loading a new master key into the Crypto Express adapter), two security officers must each enter their portion of the key in separate ceremonies. Neither person alone can reconstruct the complete key. This satisfies PCI-DSS Requirement 3.5 (protect keys used to encrypt cardholder data), HIPAA key management requirements, and NIST 800-53 SC-12 (cryptographic key establishment and management). It is distinct from backup key copies (which is key availability, not key security) and from double encryption (which is an unrelated concept).
17. At Pinnacle Health, claims adjusters can see payment information but not diagnosis codes, while clinical reviewers can see diagnosis codes but not payment information. What z/OS mechanism implements this?
a) RACF dataset profiles with different access levels
b) DB2 column-level GRANT statements assigning different column sets to different roles
c) CICS program-level security restricting which programs each role can execute
d) Data masking in the COBOL presentation layer
Answer: b) DB2 column-level GRANT statements assigning different column sets to different roles
Explanation: DB2 supports column-level authorization through GRANT statements that specify individual columns. Ahmad Rashidi's design at Pinnacle uses DB2 roles (PIN_ADJUSTER, PIN_CLINICAL, PIN_AUDIT) with GRANT SELECT on specific column lists. The claims adjuster role is granted SELECT on payment-related columns but not on DIAGNOSIS_CD or TREATMENT_NOTES. The clinical reviewer role is granted SELECT on clinical columns but not on BILLED_AMT or PAID_AMT. This implements HIPAA's "minimum necessary" standard at the database level. Dataset-level profiles (option a) are too coarse — they protect the entire file. CICS program-level security (option c) could work but requires separate programs per role. Data masking (option d) is a presentation technique, not an access control.
18. What is the HIPAA breach notification timeline for unsecured ePHI?
a) 24 hours from discovery
b) 60 days from discovery
c) 90 days from discovery
d) No notification is required if fewer than 500 individuals are affected
Answer: b) 60 days from discovery
Explanation: HIPAA's Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovering a breach of unsecured ePHI. If the breach affects 500 or more individuals, the entity must also notify HHS and prominent media outlets within the same 60-day window. Breaches affecting fewer than 500 individuals still require individual notification within 60 days, but HHS notification can be deferred to an annual log submission. The 60-day clock starts from the date the breach is discovered (or should have been discovered through reasonable diligence), not from the date it occurred. This is why encryption (which invokes the Safe Harbor provision) is so valuable — it stops the notification clock before it starts.
19. In the chapter's incident response framework, what is the first action for a Severity 1 incident (active data exfiltration)?
a) Investigate to determine scope
b) Notify the compliance officer
c) RACF ALTUSER REVOKE the compromised userid immediately
d) Collect SMF records for forensic analysis
Answer: c) RACF ALTUSER REVOKE the compromised userid immediately
Explanation: For a Severity 1 incident — active data exfiltration — containment takes priority over investigation. The first action is to stop the exfiltration by revoking the compromised userid (ALTUSER userid REVOKE). This is a risk-based decision: the cost of revoking a legitimate userid (temporary access loss) is far lower than the cost of allowing continued data exfiltration. Investigation (option a), notification (option b), and forensics (option d) all follow in subsequent phases. The chapter's framework explicitly sequences containment (15-60 minutes) before investigation (1-24 hours) for Severity 1 incidents.
20. What is the chapter's threshold concept, and how does it change how architects approach security?
a) "Encrypt everything" — all data should be encrypted at all times
b) "Security is an architecture decision, not a bolt-on" — security must be designed into every layer from the beginning
c) "RACF is sufficient" — if RACF is properly configured, no other security controls are needed
d) "Compliance equals security" — meeting PCI-DSS requirements means your system is secure
Answer: b) "Security is an architecture decision, not a bolt-on" — security must be designed into every layer from the beginning
Explanation: The threshold concept transforms understanding from "add RACF profiles after development" to "security decisions shape every layer of the architecture from day one." Before this transformation, developers treat security as someone else's responsibility — a late-stage activity. After this transformation, architects recognize that security decisions are embedded in the data model (which columns to encrypt), the API design (which endpoints require MFA), the RACF group hierarchy (which users access which resources), the batch architecture (which userids run which jobs), and the monitoring infrastructure (which events trigger which alerts). The chapter illustrates this through Kwame's four-month audit preparation experience — months of rework caused by not designing security into the architecture from the beginning.