Why CSOs should take mainframe security more seriously

Do companies take mainframe security as seriously as the rest of their IT infrastructure?

Though they are old and unsexy, mainframes still run the world. The vast majority of Fortune 500 companies plus banks, insurers, retailers, hotels, airlines, healthcare institutions and governments use mainframes to process massive numbers of transactions daily. Without them, much of the world as we know it would probably crawl to a standstill.

But, considering the critical nature of these systems, do companies take mainframe security as seriously as the rest of their IT infrastructure?

The myth of ‘unhackable’ mainframes needs to be put to bed, and CSOs need to secure them the same way they secure any other computer.


The myths of mainframe security

The enduring myth of the mainframe is that it’s completely secure. In movies it’s a byword for hacking the unhackable. The encryption features of IBM’s z14 saw the mainframe hailed as more secure than ever. But while most security experts will acknowledge it’s more secure than your average platform, nothing is completely impenetrable.

“The majority of organizations still believe the operating system cannot be breached because of the architecture and what IBM continues to preach,” says Ray Overby, founder of mainframe security consultancy Key Resources.

The reality is that while the architecture and access controls of the likes of z/OS mean mainframes are often more secure than your average computer, no code is invulnerable; Key Resources reports that it found 30 z/OS vulnerabilities in 2017, and over 100 more since 2013. And any third-party software running on a mainframe could easily contain its own weaknesses. A recent example was a vulnerability in the mainframe plugin for Jenkins, which failed to encrypt password credentials.

“Are we to believe these kinds of things don’t exist on the mainframe platform? No,” said Chad Rikansrud, RSM Partners Director and mainframe hacker, during a Share association talk earlier this year. “But do we hear about it? No.”

“The lack of discussion feeds this false sense of security, and it’s propagated by a void of information.”

Successful attacks do happen, however. One of the most public hacks of a mainframe saw Pirate Bay co-founder Gottfrid Svartholm Warg attack the Swedish Nordea bank.

Isolation has long been one of the main security advantages of a mainframe; often only those with physical access could access the mission-critical data held within. But security through obscurity is not a proper security strategy. The Internet Mainframes project regularly scans Shodan and posts pictures of log-in pages for systems that have no need to be connected to the web.

“In the past, the lack of access has been a huge barrier for hackers, with mainframes traditionally only accessible via directly connected terminals,” says David Warburton, Senior Threat Research Evangelist EMEA, F5 Networks. “However, increasing interconnectedness means that a desktop computer vulnerability could allow attackers to pivot and attack a mainframe system indirectly.”

“Following recent vulnerabilities surrounding protocols (Heartbleed) and hardware (SPECTRE and Meltdown), it’s clear you can’t assume something is secure simply because it has been in service for a long time.”


Why mainframe security has fallen behind

While the myth of the unhackable mainframe has propagated, a lack of talent, tools, and interest has hampered mainframe security.

The lack of mainframe talent is a skills shortage within an industry already blighted by a lack of talent. People with security know-how in the space are an even smaller group.

“There is a huge demand for expert knowledge and experience in mainframe security controls for each mainframe, as each has its own variations of how the system has been setup and is run on a day-to-day basis,” says Kevin Butler, Security Solutions Consultant, CA Technologies.

As well as very few mainframe-focused security tools, there is little innovation in the mainframe space, especially when it comes to security offerings. Older companies such as CA, BMC, and Imperva still have mainframe offerings, while new startups only move into the space very occasionally. As a rare example, Illusive Networks – founded in 2014 – recently extended its honeypot deception technology to include the mainframe.

Some researchers, such as Phillip Young, Ayoub Elaassal, and others, have released mainframe auditing and penetration testing tools on GitHub to help security researchers with access to mainframes test the security of their systems.

As well as a lack of tools, it is extremely hard to get hold of the software. Unless you have access to a mainframe it’s almost impossible to probe and research these systems, meaning vulnerabilities go undocumented. RSM Partners’ Rikansrud has called for the likes of IBM to make z/OS available to security researchers, even if they don’t have access to an actual mainframe, in order to better facilitate testing and research.

As a result of this lack of access, there seems to be little appetite for hunting for mainframe bugs. When asked by IDG, bug bounty sites HackerOne, Bugcrowd and Synack all reported little interest in mainframes from companies that have launched bug bounty schemes or from the security researchers active on the platforms.

“IBM do not want any publicity around mainframe hacks. They threaten to sue anyone who publishes anything because integrity vulnerabilities are considered proprietary and it’s so stated in their software contracts,” says Key Resources’ Overby.


What kind of threats pose the biggest risk to mainframes?

Key Resources’ Overby says that the biggest risks to mainframes are still local ones: security configuration errors, excessive access and privileges, and so on. “We have done audits where we flagged 10,000 excessive access rulesets or profiles. Once someone has access it is never removed, even when they are terminated. Most organizations don’t have enough staff to keep their security databases up to date.”
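The excessive-access problem Overby describes is one that can be checked mechanically: reconcile the grants in the security database against the HR roster and against what each role legitimately needs. The script below is an added example, not code from the article or from Key Resources; the grant export, HR roster, role mapping and access ranking are all constructed, and the CSV format is a stand-in rather than the unload format of any real z/OS security product.

```python
"""Access-review helper (added example). The grant export format below is
constructed and is not the export format of any real mainframe security product."""
import csv
from io import StringIO

# Constructed sample export: one line per access grant on a protected resource.
ACCESS_EXPORT = """\
user,resource,access
ALICE,PAYROLL.MASTER,READ
BOB,PAYROLL.MASTER,ALTER
BOB,SYS1.PARMLIB,UPDATE
CAROL,CUST.ACCOUNTS,READ
DAVE,CUST.ACCOUNTS,ALTER
DAVE,PAYROLL.MASTER,READ
"""

# Constructed HR roster (assumption: HR is the source of truth for who is still employed).
HR_ROSTER = {"ALICE": "active", "BOB": "terminated", "CAROL": "active", "DAVE": "active"}

# Constructed ordering of access levels, weakest to strongest.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}

# Constructed role model: each user's role and the strongest access that role should hold.
ROLE_OF_USER = {"ALICE": "analyst", "BOB": "sysprog", "CAROL": "analyst", "DAVE": "analyst"}
ROLE_CEILING = {"analyst": "READ", "sysprog": "ALTER"}


def parse_access_export(text):
    """Parse the constructed CSV export into a list of grant dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_stale_grants(grants, roster):
    """Grants held by users HR no longer lists as active.

    Users missing from the roster entirely are treated as stale too: an account
    with no owner of record should be reviewed, not assumed legitimate."""
    return [g for g in grants if roster.get(g["user"]) != "active"]


def find_excessive_grants(grants, role_of_user, role_ceiling):
    """Grants whose access level is stronger than the ceiling for the user's role."""
    excessive = []
    for g in grants:
        role = role_of_user.get(g["user"])
        ceiling = role_ceiling.get(role, "NONE")  # unknown role: nothing is permitted
        if ACCESS_RANK[g["access"]] > ACCESS_RANK[ceiling]:
            excessive.append(g)
    return excessive


def summarize(export_text, roster, role_of_user, role_ceiling):
    """Run both checks and return counts plus the users a reviewer should look at."""
    grants = parse_access_export(export_text)
    stale = find_stale_grants(grants, roster)
    excessive = find_excessive_grants(grants, role_of_user, role_ceiling)
    return {
        "total": len(grants),
        "stale": len(stale),
        "excessive": len(excessive),
        "users_to_review": sorted({g["user"] for g in stale + excessive}),
    }


if __name__ == "__main__":
    report = summarize(ACCESS_EXPORT, HR_ROSTER, ROLE_OF_USER, ROLE_CEILING)
    print(report)
    for g in find_stale_grants(parse_access_export(ACCESS_EXPORT), HR_ROSTER):
        print("stale:", g)
```

On the sample data the review flags BOB's two grants (terminated but never revoked) and DAVE's ALTER on CUST.ACCOUNTS (an analyst holding more than READ). The point of the role ceiling is that it forces the question "who should have this?" to be answered once per role, so the same check can be re-run on every export instead of relying on staff to notice individual profiles.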

He adds that the most serious vulnerabilities Key Resources finds are ones that represent a serious compromise of the operating system’s integrity, reliability, and the installation’s security policies, and that allow attackers to inject non-authorized routines into the vulnerable code.

Though most security researchers admit that mainframe vulnerabilities are not as common or readily available as those for commercial off-the-shelf hardware, this is more down to the difficulty of accessing such systems than to a lack of interest.

“Metasploit, the open source exploit development project, has seen its share of mainframe exploitation tooling over the years,” says Jonathan Cran, head of research at Kenna Security. “If they're able to obtain a shell on your network and there's a mainframe on the network that isn't segmented, it can be a pretty appealing target, even in 2018. Even SNMP can be useful to an attacker.”

Another issue is a lack of visibility. According to a 2017 Compuware survey of over 400 CIOs globally, 64% of organizations said they use the mainframe as a repository for their most sensitive data, yet 84% admitted it was a “blind spot” with regards to who accesses these systems and how the data is used.


How to improve mainframe security

So what should organizations do to ensure their mainframes are secure? In short, treat them the same as any other IT system and secure them in the same way: scan them for vulnerabilities, perform pen tests, monitor and log properly, and ensure that anything and anyone accessing the data has the right credentials.

  • “Apply the same policies and practices around vulnerability management on the mainframe as they do on distributed systems.” Ray Overby, Key Resources
  • “Strong authentication methods (such as certificates and multi-factor authentication) must be used alongside accurate monitoring to detect and alert IT teams to abnormal user behavior.” David Warburton, Senior Threat Research Evangelist EMEA, F5 Networks
  • “Protect privileged user and service accounts; use brokered access and session recording with audit log reviews. Organizations should also ensure that all services and applications exposing access points are applying access control and validation methods at API and web gateways.” Kevin Butler, Security Solutions Consultant, CA Technologies
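Warburton's point about monitoring to detect abnormal user behavior and Butler's about audit log review both come down to the same mechanism: learn what normal logon activity looks like for each account, then alert on departures from it. The script below is an added example, not code from the article or from F5 or CA; the logon log format and every event in it are constructed (this is not SMF or any product's log format), and the per-user baseline of source networks and logon hours, the one-hour tolerance and the five-failures-in-sixty-seconds burst rule are assumptions chosen for illustration.

```python
"""Logon-monitoring example (added). The log format is constructed, not a real
z/OS or product log. A baseline of normal behaviour is learned per user from a
history window; later logons are flagged when they fall outside it."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed history window used to learn each user's normal behaviour.
HISTORY = """\
2018-06-01T09:02:11 LOGON user=ALICE src=10.1.2.31 result=OK
2018-06-01T09:05:40 LOGON user=ALICE src=10.1.2.31 result=OK
2018-06-02T08:55:02 LOGON user=ALICE src=10.1.2.44 result=OK
2018-06-01T22:10:09 LOGON user=OPER1 src=10.9.0.5 result=OK
2018-06-02T23:40:51 LOGON user=OPER1 src=10.9.0.6 result=OK
"""

# Constructed events to evaluate against the baseline.
NEW_EVENTS = """\
2018-06-04T09:10:00 LOGON user=ALICE src=10.1.2.31 result=OK
2018-06-04T03:12:30 LOGON user=ALICE src=10.1.2.31 result=OK
2018-06-04T09:15:00 LOGON user=ALICE src=172.16.5.9 result=OK
2018-06-04T22:30:00 LOGON user=OPER1 src=10.9.0.7 result=OK
2018-06-04T10:00:01 LOGON user=BOB src=10.1.2.31 result=FAIL
2018-06-04T10:00:02 LOGON user=BOB src=10.1.2.31 result=FAIL
2018-06-04T10:00:03 LOGON user=BOB src=10.1.2.31 result=FAIL
2018-06-04T10:00:04 LOGON user=BOB src=10.1.2.31 result=FAIL
2018-06-04T10:00:05 LOGON user=BOB src=10.1.2.31 result=FAIL
"""


def parse_event(line):
    """Parse one constructed log line into a dict."""
    timestamp, _kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"time": datetime.fromisoformat(timestamp), "user": kv["user"],
            "src": kv["src"], "ok": kv["result"] == "OK"}


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def source_network(addr):
    """Generalise a source address to its /24 so a new desk on the same LAN is not an alert."""
    return ipaddress.ip_network(addr + "/24", strict=False)


def build_baseline(events):
    """Per user: source networks and hours of day seen on successful logons."""
    baseline = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        if e["ok"]:
            baseline[e["user"]]["nets"].add(source_network(e["src"]))
            baseline[e["user"]]["hours"].add(e["time"].hour)
    return baseline


def hour_is_usual(hour, seen_hours, tolerance=1):
    """True if the hour is within `tolerance` hours (wrapping at midnight) of a seen hour."""
    return any(min(abs(h - hour), 24 - abs(h - hour)) <= tolerance for h in seen_hours)


def detect_anomalies(events, baseline, fail_threshold=5, window_seconds=60):
    """Return (user, reason) alerts for logons outside the baseline or failed-logon bursts."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e["time"])
            recent = [t for t in failures[e["user"]]
                      if (e["time"] - t).total_seconds() <= window_seconds]
            if len(recent) >= fail_threshold:
                alerts.append((e["user"], "failed-logon burst"))
                failures[e["user"]].clear()  # reset so one burst raises one alert
            continue
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e["user"], "no baseline for user"))
            continue
        net = source_network(e["src"])
        if net not in profile["nets"]:
            alerts.append((e["user"], "new source network %s" % net))
        if not hour_is_usual(e["time"].hour, profile["hours"]):
            alerts.append((e["user"], "unusual hour %02d" % e["time"].hour))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(HISTORY))
    for user, reason in detect_anomalies(parse_log(NEW_EVENTS), base):
        print(user, reason)
```

On the constructed data the 03:12 logon by ALICE and her logon from a 172.16.5.0/24 address are flagged, the night-shift operator OPER1 is not (night hours are normal for that account), and BOB's five failures within a few seconds raise a single burst alert. A short history window makes the hour check strict, which is why the tolerance parameter exists; in practice the baseline would be learned over weeks and the alerts routed to the same review process as the audit logs.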

