Security Threats Require Constant Vigilance Even on the Mainframe
We’re all familiar with OSs like Windows being continually updated to overcome vulnerabilities in them and software running on them that can be used by unscrupulous people to take control. And we think that mainframes are largely invulnerable to that kind of attack, but are they?
There’s a lot of payback in hacking PCs because there are lots of them! Once you’ve found a way into one, you can probably use the same route to get into lots of others—and pretty soon you’ve got an army of zombie machines under your control. With mainframes, there are far fewer of them, and the software on them should make them harder to hack, but the consequence of hacking a bank or insurance company could make it financially worth the effort!
z/OS technology provides a range of security functions including data encryption, encryption key management, digital certificates, password synchronization, and centralized authentication and auditing. The Common Criteria security evaluation is an international standard whose evaluation assurance levels (EALs) range from 1 to 7—the higher the number, the more secure the product. The EAL doesn’t measure the security of the system itself, it simply states at what level the system was tested. Resource Access Control Facility (RACF), for example, is at EAL 5.
Every computer system, if not properly secured, can be vulnerable to security breaches.
On the other side of the fence, IBM has announced an integrated security intelligence solution to help organizations identify key vulnerabilities in real time, while reducing total cost of security operations. IBM QRadar Vulnerability Manager (QVM) provides a prioritized view across an entire network, helping to strengthen and fortify its defences. QVM combs through security holes to help close them to potential exploits, except those hidden behind firewalls, associated with inactive applications, or otherwise unreachable from external attacks.
IBM has also announced a new version of its IBM Security zSecure Suite with QRadar Security Intelligence Platform integration. This provides organizations with enterprise-wide visibility of mainframe security events, supported with automated real-time threat alerts and customized compliance reporting.
It would seem that most attacks involving mainframes don’t target the mainframe itself, but devices connected to the network that links to the mainframe. Or else the “hack” involves data loss from memory sticks or CDs containing information from the mainframe. But even that most vulnerable piece of technology—the human being—has RACF and other security software to overcome. Just because you have someone else’s user ID and password doesn’t mean you can access programs or data sets that person doesn’t have authorization to use.
So what can we conclude from all this? Compared to other platforms, the mainframe is immensely secure—and just getting onto a mainframe is no guarantee that you can do anything (such as changing the payroll program or transferring money). There are very few reports of mainframe hacks, indicating either that mainframes are incredibly secure or very few hackers have attempted to access them. With service-oriented architecture and browser access from everywhere over the Internet, there’s far more exposure of mainframe data, which could be copied and lost from the user end rather than the mainframe end.
What we don’t know at the moment is just whether there are any zero-day vulnerabilities on a mainframe. A zero-day vulnerability is a hole in the software that is unknown to the vendor. This security hole can be exploited by hackers in what’s called a zero-day attack, and that takes place before the vendor knows about the hole and fixes it. If one did exist, and hackers were to discover it, we don’t know whether RACF and the other security software would be able to prevent exploitation of the vulnerability. One thing is clear, however—banks, insurance companies and other mainframe users can never be complacent about security.
Trevor Eddolls is CEO at iTech-Ed Ltd., an IT consultancy. For many years, he was the editorial director for Xephon’s Update publications and is now contributing editor to the Arcati Mainframe Yearbook. Eddolls has written three specialist IT books, and has had numerous technical articles published. He currently chairs the Virtual IMS and Virtual CICS user groups.