
I Would Be Compliant, but I Don’t Have Time

By Destination Z posted Mon December 23, 2019 03:29 PM

We’re all busy. These days, people say they haven’t got time as a badge of honor to show how important they are. In fact, a study by the Oxford English Dictionary found that “time” was the most commonly-used noun in the English language.

“And besides, there are just so many regulations these days. We certainly do our best here to stay compliant, but no one is ever 100% compliant, are they?” That’s the kind of thinking I’m sure we’ve all heard being shared by our mainframe colleagues from other organizations. So that’s alright then, isn’t it?

We all know, in reality, that the answer is at least “probably not.” And if you deal with credit card transactions, the answer is “definitely not.” The reason is that the Payment Card Industry Data Security Standard (PCI DSS)—which sets the requirements for organizations and sellers to safely and securely accept, store, process and transmit cardholder data during credit card transactions to prevent fraud and data breaches—now requires file integrity checking of executables, configuration parameters and log files on a regular basis.

Since January 2018, PCI DSS has required a set of minimum controls that every secure system should have. And every organization needs to be able to prove that those controls are in place and used regularly. Let’s just unpick that a little. If your company handles credit card information, you need some way to check, every week, the roughly 50,000 modules that ship in the APF libraries alone for a basic z/OS system. In addition, you need to be able to report automatically to your auditors that those checks have taken place.

FIM Software
If you run Windows or Linux systems, you’re probably already familiar with File Integrity Monitoring (FIM) software as a way to rapidly detect unauthorized changes to your files. The concept behind FIM software is simple. Using a hashing algorithm, a snapshot is taken of an application or configuration member at a trusted point in time; for instance, once QA testing is completed. Later, another snapshot of the monitored components can be taken. By comparing the trusted snapshots, which are stored in an encrypted vault, with the running versions of code, any unauthorized alterations can be quickly identified.
That all sounds great, but what do you do if you carry out credit card-related activities on a mainframe? Currently, most mainframes are not running a FIM product. And that means they are no longer compliant with PCI DSS v3.2 Sections 10.5 and 11.5. That failure to adhere to the PCI standards could lead to penalties, including fines of up to $500,000 and possible suspension of access rights.

Won’t your other mainframe security system give you the necessary information about breaches? At best, the answer to that question is “possibly.” What you need to remember is that recent studies have reported the average time to detect a breach is an unacceptable 197 days or more, and a further 69 days are then required to control the breach. This provides plenty of time for attackers to find sensitive applications, look for vulnerabilities, elevate their privileges and access more powerful commands. Clearly, the IT industry needs mechanisms to detect intrusions, and any changes resulting from those intrusions, much more quickly.

Why Are FIM Products Important?
What’s needed is an intelligent FIM product that will run on mainframes. Even better would be a FIM product that could check with authorization tools like ServiceNow or Remedy to see whether a detected file change is authorized. It would also be useful if, with multiple snapshots of trusted versions of code stored in the encrypted vault, the FIM product could differentiate between a prior version running in production and a never-before-seen alteration—a real indicator of malicious hacking. If the FIM software had a way of correlating its data with existing access control information from System Authorization Facility (SAF) products like RACF, ACF2 and Top Secret, any false alarms would be eliminated within seconds.
But what if there had been a breach? You’d need the FIM data to list all of the components affected (scope) as well as when the breach occurred (interval). And you need the “who, what, when, where and why” information to be available in a single 3270 and/or GUI view. That way, even less experienced staff would have the right information to make the right decisions and be ready to respond immediately.
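The classification the two paragraphs above describe, written out as an added example (not code from the article or from any FIM vendor): a vault that keeps every trusted hash of a library member, a compare step that tells a rollback to a prior trusted version apart from a never-before-seen alteration, a cross-check against approved change tickets, and a scope list for responders. The library member names, file contents and the CHG0012345 ticket are constructed placeholders, and a plain dict stands in for the encrypted vault.

```python
import hashlib

def snapshot(vault: dict, member: str, data: bytes) -> None:
    """Record a trusted hash; the vault keeps every trusted version of a member, oldest first."""
    versions = vault.setdefault(member, [])
    if (h := hashlib.sha256(data).hexdigest()) not in versions:
        versions.append(h)

def classify(vault: dict, running: dict, authorized: dict) -> dict:
    """Compare running members with the vault; `authorized` maps member -> approved change ticket."""
    findings = {}
    for member, data in running.items():
        h, versions = hashlib.sha256(data).hexdigest(), vault.get(member, [])
        if not versions:
            status = "NEW_MEMBER"             # no trusted baseline exists at all
        elif h == versions[-1]:
            status = "UNCHANGED"
        elif h in versions:
            status = "PRIOR_TRUSTED_VERSION"  # rollback to a release QA once approved
        elif member in authorized:
            status = f"AUTHORIZED_CHANGE:{authorized[member]}"
        else:
            status = "UNKNOWN_ALTERATION"     # never trusted, never ticketed
        findings[member] = status
    for member in vault.keys() - running.keys():
        findings[member] = "MISSING"          # a trusted member has disappeared
    return findings

def scope(findings: dict) -> list:
    """Members an incident responder must examine: anything neither trusted nor ticketed."""
    return sorted(m for m, s in findings.items() if s in {"UNKNOWN_ALTERATION", "NEW_MEMBER", "MISSING"})

def build_sample():
    """Constructed library members and a constructed change ticket, not real z/OS content."""
    vault = {}
    snapshot(vault, "PROD.APFLIB(PAYAUTH)", b"payauth v1")
    snapshot(vault, "PROD.APFLIB(PAYAUTH)", b"payauth v2")   # two trusted releases
    snapshot(vault, "PROD.APFLIB(CARDLOG)", b"cardlog v1")
    snapshot(vault, "PROD.PARMLIB(PAYPARM)", b"parm v1")
    snapshot(vault, "PROD.APFLIB(FEEXFER)", b"feexfer v1")
    snapshot(vault, "PROD.APFLIB(OLDMOD)", b"oldmod v1")    # absent from the running set below
    running = {
        "PROD.APFLIB(PAYAUTH)": b"payauth v1",          # rolled back, but to a trusted version
        "PROD.APFLIB(CARDLOG)": b"cardlog v1",          # unchanged
        "PROD.PARMLIB(PAYPARM)": b"parm v2",            # changed, covered by a ticket
        "PROD.APFLIB(FEEXFER)": b"feexfer v1 patched",  # changed, no ticket, never trusted
        "PROD.APFLIB(NEWMOD)": b"newmod",               # appeared without any baseline
    }
    authorized = {"PROD.PARMLIB(PAYPARM)": "CHG0012345"}  # constructed ticket id
    return vault, running, authorized
```

Only the three members returned by `scope()` need a human; the rollback and the ticketed change are resolved without an alarm, which is the false-positive reduction the article asks for.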

And if you’re wondering whether you could afford such advanced software, remember that modern subscription models reduce the financial risk, allowing organizations to replace a lengthy acquisition process with a monthly cost that can be turned off at any time. In addition, it may be possible for these costs to be pushed to an organization’s compliance and audit groups, which may have existing budget allocations.
MainTegrity’s FIM+
So, what should you do now? I’ve found only one software vendor that provides modern mainframe FIM software—MainTegrity. Their product is called FIM+. I leave it to you to find out whether you think it’s inexpensive to own, easy to implement, and protects your mainframe against malicious hackers and internal errors.
Somehow, that excuse of not having time and being too busy with higher priority tasks doesn’t really work, especially as one of your senior executives, perhaps even the CEO, will have signed the form claiming that your organization is PCI compliant and will face the consequences when it’s found that the company isn’t. And your CEO probably consulted you before they signed the form—which could well put your career in jeopardy.