“The only thing we have to fear is fear itself”
You probably recognize the quote. It’s from U.S. President Franklin D. Roosevelt in 1933, talking about a “nameless, unreasoning, unjustified terror which paralyzes needed efforts to convert retreat into advance.” We’re in an analogous situation today in the IBM Z® world. Yes, it may be a difficult and contentious subject, and some people clearly don’t want to talk about it, but it shouldn’t be taboo.
We need to talk about the possibility of your mainframe being hacked.
Not talking about it won’t make the problem go away. In fact, ignoring the issue has the potential to make things even worse. Somebody, half-jokingly, once called me the Big Bad Wolf. That got me thinking: don’t build your mainframe security out of straw or wood, build it from brick. Otherwise, Mr. Hacker may huff and puff and blow your mainframe down. The real problem is that most mainframe “houses” that I see are built of straw and liable to burn down at any minute. A few are wood, but still easy to knock down. The brick ones are rare.
The reality is that mainframes hold the majority of large enterprises’ corporate data and are high-value targets for bad actors. The elephant in the room is that it doesn’t require any mainframe knowledge to breach a mainframe and steal your data. Take, for example, a real-life story about how a non-mainframe penetration tester exfiltrated all the production Db2 data off of a mainframe. Using standard Linux/Unix tools like ssh and grep, plus ODBC and a little ingenuity, somebody with no mainframe experience drained a system of all of its sensitive client data. If you are a competent hacker or penetration tester, its trivial.
Mainframe security isn’t actually a mainframe security issue at all: it’s an enterprise security issue. Which means it’s really a board-level issue that needs to be taken seriously. We need to educate our C-level executives about the real threat and possibility of a mainframe breach. I am 100 percent convinced that the so-called “bad actors” are looking at mainframe technology across the globe, trying to identify vulnerabilities that could be exploited. To them, the mainframe is “just another computer,” hopefully not yours! Don’t let the false sense of security that “No one has the skills to do this” be the only security you have. Extend your enterprise house of security to the mainframe — brick by brick.
What is different about the mainframe is how dependent your business is on its availability. I often ask, imagine if we switched off all the mainframes across the globe, what would happen? Now imagine a hacker paralyzing your mainframe — many businesses would struggle to function without it, even for a few minutes. This translates to large financial losses, something your C-level execs will care about.
And I hear you say…and?! Well, that’s the big question…what to do? We need to get on the front foot, and treat the mainframe like any other server in the enterprise from a security perspective. We must take mainframe security seriously, which requires investment and tools:
- Make the mainframe part of your enterprise security planning
- Talk about the potential and risks of a mainframe breach/hack
- Do real-time alerting and integrate the mainframe into your SIEM solution, if you have one; if you don’t have one, you need one
- Do regular penetration tests and assessments: things change, these are not one-off exercises
- Build a Red Team (https://en.wikipedia.org/wiki/Red_team) that includes mainframe skills
There are lots of things we can do such as Multi-Factor Authentication and Defence Manager, which is part of IBM Communications Server product, but they all take time and investment.
I can’t promise we’ll all live happily ever after. But if we take the issue seriously and talk about it like adults, when the real Big Bad Wolves come knocking, we’ll hopefully be living in houses built of brick and have quite a few tricks up our sleeves.