The Mainframe Security Threat, Inside and Out

It’s not easy to hack the mainframe. But, it is possible.

Naturally, it’s easier for company insiders, who already have privileged access to key mainframe systems and data, to wreak havoc. In a recent SHARE presentation, Charles Mills, Director of Advanced Projects for SIEM solutions provider CorreLog, Inc., gave the example of John Skermer, an IMS programming manager at Barclays Bank who was convicted of diverting more than £2.1 million (about $3 million USD at the time) from the bank to his personal accounts.

External attacks on the mainframe are also possible. Mills shared the infamous story of hacker and The Pirate Bay co-founder Gottfrid Svartholm who, while hacking into the account of a Sweden-based copyright lawyer for the Motion Picture Association of America, managed to find his way into the z/OS mainframe at Logica, a Swedish IT firm. Svartholm was able to create more than 20 RACF SPECIAL user IDs while in the system (SPECIAL is the RACF attribute that grants full control over the security database, effectively security administrator), creating a new ID each time Logica managed to block an old one. Eventually, the authorities caught up to him and he spent more than three years in prison.

Still, it’s not easy for external hackers to get into the mainframe. They need privileged information first: valid user IDs and the terminal or IP addresses through which the system is reached. The challenge is that some of that information is being quietly exposed, and hackers are keeping an eye out for it.

Mainframe Data Disclosures

In a recent SHARE interview series, mainframe security expert Phil Young explained how a series of mainframe data disclosures helps hackers become more familiar with the ins and outs of mainframe architecture and security.

Some disclosures are intentional, made to inform the public. Others are accidental and accumulate over time: overly informative error messages, public mailing lists that reveal terminal or IP addresses, or exceedingly descriptive technical questions in forums.

Those sources are breadcrumbs for the diligent hacker, who can piece together leaked user IDs and addresses and then quietly probe known vulnerabilities in a corporation’s mainframe.

Mainframe Intrusion Tools

Security professionals use penetration-testing tools to probe their own mainframes for weaknesses so they can improve corporate security. The problem is that these tools are dual-use: hackers can easily obtain the same ones from public sites like GitHub.

Mills described one publicly available tool that lists APF-authorized libraries and returns the access rights of the current user for each one. The significance is that a user with UPDATE access to any APF-authorized library can place code there that runs in an authorized state, and from that state granting RACF SPECIAL to an ID of the hacker’s choosing is straightforward. The tool therefore offers a hacker a way to escalate the current user’s privileges to RACF SPECIAL, giving that hacker the freedom to covertly infiltrate the mainframe. The defensive check is the same enumeration run by the defender: no ordinary user should hold UPDATE or higher on any APF-authorized dataset.

Other tools allow hackers to enumerate open ports and test user IDs against a list of common passwords until one gets them into the system. A RACF revoke threshold (SETROPTS PASSWORD(REVOKE(n))) blunts this kind of guessing, and the failed attempts it produces are also an easy signal to log and alert on.
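The same enumeration, run by the defender, is the audit that closes this path. The script below is an added example written for this article; it is not the tool Mills described and not code from CorreLog or SHARE. It parses a D PROG,APF console display (the sample is constructed, with made-up dataset names, but keeps the real display’s CSV450I header and ENTRY/VOLUME/DSNAME columns) and joins each library with the RACF access level a hypothetical user USER01 holds on it. Those access levels are a hard-coded dict standing in for the RACROUTE or LISTDSD query a real tool would issue on the system, so the script runs offline.

```python
"""Flag APF-authorized libraries that an ordinary user can write to.

Added example, not the tool Mills described or any project's own code.
It parses a D PROG,APF console display (the constructed sample below keeps
the real display's CSV450I header and ENTRY/VOLUME/DSNAME columns) and joins
each dataset with the RACF access level the user holds on it. The access
levels are a hard-coded dict standing in for the RACROUTE or LISTDSD query
a real tool would issue on the system; this script runs offline.
"""
import re

# RACF dataset access levels, weakest to strongest. UPDATE is the line that
# matters: anyone who can write a member into an APF-authorized library can
# run code in an authorized state, and from there granting SPECIAL is easy.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample of a D PROG,APF display (dataset names are made up).
SAMPLE_APF_DISPLAY = """\
CSV450I 10.49.56 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
    1 SYSRES SYS1.LINKLIB
    2 SYSRES SYS1.SVCLIB
    3 USR001 DEV.TEAM.APFLIB
    4 *SMS*  VENDOR.PROD.LOADLIB
    5 USR002 HR.APPL.LOAD
"""

# Constructed stand-in for the access a hypothetical user USER01 holds on
# each library; a real tool obtains this from RACF for the current user.
SAMPLE_ACCESS = {
    "SYS1.LINKLIB": "READ",
    "SYS1.SVCLIB": "NONE",
    "DEV.TEAM.APFLIB": "UPDATE",
    "VENDOR.PROD.LOADLIB": "READ",
    "HR.APPL.LOAD": "ALTER",
}

# One entry line: sequence number, volume, dataset name.
APF_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_apf_display(text):
    """Return [(entry_no, volume, dsname), ...] from a D PROG,APF display."""
    entries = []
    for line in text.splitlines():
        m = APF_ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def access_rank(level):
    """Position of a RACF access level in the hierarchy (higher is stronger)."""
    return ACCESS_ORDER.index(level.upper())


def find_writable_apf(display_text, access_by_dsn, threshold="UPDATE"):
    """Return [(dsname, level)] for APF libraries where the user's access is
    at or above `threshold`. Datasets absent from the access map are treated
    as NONE, the safe default."""
    limit = access_rank(threshold)
    hits = []
    for _, _, dsn in parse_apf_display(display_text):
        level = access_by_dsn.get(dsn, "NONE").upper()
        if access_rank(level) >= limit:
            hits.append((dsn, level))
    return hits


if __name__ == "__main__":
    for dsn, level in find_writable_apf(SAMPLE_APF_DISPLAY, SAMPLE_ACCESS):
        print(f"ESCALATION PATH: {level} access on APF library {dsn}")
```

Run against the sample, the script reports DEV.TEAM.APFLIB (UPDATE) and HR.APPL.LOAD (ALTER) as escalation paths; the two SYS1 libraries and the vendor library, where USER01 has at most READ, are not reported. Lowering the threshold to READ is a useful second pass, since read access to an APF library still lets an attacker study the code that runs authorized.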

Fighting Back with Network Tools

It is important to acknowledge these threats because, as Mills pointed out, breaches of all shapes and sizes have become more expensive. Even a “non-mega” data breach (in other words, one that doesn’t make the news) costs corporations an average of $4 million, according to IBM.

Mills suggests mainframers look to the network side of the business to find solutions that can help them secure their mainframe. Security information and event management (SIEM) tools offer benefits like real-time alerts, powerful querying, and cross-platform correlation of suspicious events to help IT departments monitor disparate threats. Technology solutions can help mainframe professionals connect SIEMs and other distributed network security tools – including managed security service providers (MSSPs) and database activity monitors (DAMs) – to their mainframe. In practice that means forwarding the mainframe’s own audit trail, primarily RACF’s SMF type 80 records and console messages such as ICH408I, to the SIEM in a form it can parse; without that feed, the password guessing and SPECIAL-ID creation described above leave no trace the SIEM can see.
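As an added example of what that cross-platform correlation looks like in code (written for this article; it is not CorreLog’s product and not code from Mills’s presentation), the script below runs two detections over constructed records and then correlates them. The logon failures mimic RACF’s ICH408I INVALID PASSWORD message flattened to one line, and the command records mimic a RACF command audit trail of ADDUSER and ALTUSER commands. The record layout, the src= field, the RACFCMD prefix, the user IDs and addresses, and the five-failures-in-sixty-seconds threshold are all assumptions made for the example; a real feed built from SMF type 80 records will look different.

```python
"""Two SIEM-style detections over mainframe security records, then correlated.

Added example, not CorreLog's product or code from the SHARE presentation.
The records below are constructed: the logon failures mimic RACF's ICH408I
"INVALID PASSWORD" message flattened to one line, and the command records
mimic a RACF command audit trail (ADDUSER/ALTUSER). The layout, the src=
field, the RACFCMD prefix and the thresholds are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed feed: one source guesses passwords for five IDs, then later
# grants itself SPECIAL and creates a fresh SPECIAL ID (the Logica pattern).
SAMPLE_RECORDS = """\
2016-03-01T10:00:01 src=10.1.1.25 ICH408I USER(IBMUSER ) GROUP(SYS1    ) LOGON/JOB INITIATION - INVALID PASSWORD
2016-03-01T10:00:03 src=10.1.1.25 ICH408I USER(IBMUSER ) GROUP(SYS1    ) LOGON/JOB INITIATION - INVALID PASSWORD
2016-03-01T10:00:04 src=10.1.1.25 ICH408I USER(SYSADM  ) GROUP(SYS1    ) LOGON/JOB INITIATION - INVALID PASSWORD
2016-03-01T10:00:05 src=10.1.1.25 ICH408I USER(TSOUSR1 ) GROUP(TSOGRP  ) LOGON/JOB INITIATION - INVALID PASSWORD
2016-03-01T10:00:07 src=10.1.1.25 ICH408I USER(OPER1   ) GROUP(OPS     ) LOGON/JOB INITIATION - INVALID PASSWORD
2016-03-01T10:15:00 src=10.1.1.9  ICH408I USER(JDOE    ) GROUP(DEV     ) LOGON/JOB INITIATION - INVALID PASSWORD
2016-03-01T10:42:10 src=10.1.1.25 RACFCMD BY(OPER1   ) ALTUSER OPER1 SPECIAL
2016-03-01T10:43:30 src=10.1.1.25 RACFCMD BY(OPER1   ) ADDUSER ZZTMP01 SPECIAL OPERATIONS PASSWORD(XXXXXXXX)
2016-03-01T11:00:00 src=10.1.1.7  RACFCMD BY(SECADM1 ) ALTUSER JDOE NOSPECIAL
"""

RECORD = re.compile(r"^(\S+) src=(\S+)\s+(.*)$")
INVALID_PW = re.compile(r"ICH408I USER\((\S+)\s*\).*INVALID PASSWORD")
SPECIAL_CMD = re.compile(r"RACFCMD BY\((\S+)\s*\)\s+(ADDUSER|ALTUSER)\s+(\S+)\s+(.*)")


def parse_records(text):
    """Return [(timestamp, source, message)] for every well-formed line."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return out


def detect_password_guessing(records, threshold=5, window=timedelta(seconds=60)):
    """Sources with >= threshold INVALID PASSWORD events inside a sliding
    window. Returns {source: sorted list of user IDs it tried}."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    tried = defaultdict(set)
    alerts = {}
    for ts, src, msg in records:
        m = INVALID_PW.search(msg)
        if not m:
            continue
        tried[src].add(m.group(1))
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = sorted(tried[src])
    return alerts


def detect_special_grants(records):
    """ADDUSER/ALTUSER commands whose operands confer SPECIAL. NOSPECIAL is a
    removal and is deliberately not matched by a substring check."""
    hits = []
    for ts, src, msg in records:
        m = SPECIAL_CMD.search(msg)
        if m and "SPECIAL" in m.group(4).split():
            hits.append((ts, src, m.group(1), m.group(2), m.group(3)))
    return hits


def correlate(records, **guess_kwargs):
    """Cross-event correlation: a SPECIAL grant from a source that was seen
    guessing passwords earlier in the feed is raised to CRITICAL."""
    guessing = detect_password_guessing(records, **guess_kwargs)
    findings = []
    for ts, src, issuer, cmd, target in detect_special_grants(records):
        severity = "CRITICAL" if src in guessing else "HIGH"
        findings.append((severity, src, f"{cmd} {target} SPECIAL by {issuer}"))
    return findings


if __name__ == "__main__":
    for severity, src, detail in correlate(parse_records(SAMPLE_RECORDS)):
        print(f"{severity}: {src} {detail}")
```

On the sample feed, 10.1.1.25 trips the guessing detector at its fifth failure, 10.1.1.9 does not, and the NOSPECIAL command from the security administrator is correctly ignored. Both SPECIAL grants come from the source that was guessing passwords 40 minutes earlier, so each is raised from HIGH to CRITICAL; that join across two event types, which neither a RACF message alone nor a firewall log alone can make, is the correlation benefit Mills describes.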

To learn more about these tools, read a recap of our interview with Mills earlier this year, or watch a video of his full presentation at SHARE Providence.
