Over decades, the mainframe has earned a reputation as an impenetrable cybersecurity fortress. But, of course, the mainframe isn’t Fort Knox, and as the mission-critical resource for many corporations and government agencies, it’s a prime target for internal threats and external players hoping to get hold of sensitive information.
To break in, these bad actors can try to exploit vulnerabilities in a system’s security configuration or its operating system layer code. Ray Overby, co-founder and president of mainframe information security firm Key Resources, Inc. (KRI), explained that code-based vulnerabilities are a particularly overlooked aspect of mainframe security.
“No matter how diligent you are on the configuration side, a single code-based vulnerability would compromise that effort,” Ray said. “If you want to do a complete job on your security analysis, you have to look at both sides.”
Configuration vs. code-based vulnerabilities
Configuration-based vulnerabilities result, simply, from improperly configured systems – for example, the presence of an insufficiently protected APF-authorized library.
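The APF-library example is the classic configuration finding: any program loaded from an APF-authorized library can run authorized, so write access to such a library is effectively system-level access. The check below is an added illustration, not code from the article or from KRI. It assumes a list of APF-authorized library names and RACF-style data set profiles (universal access plus an access list) that have already been collected; the library names, profiles and the `SYSPROG` trusted group are constructed sample data, and profile matching is simplified to exact names rather than RACF generic profiles.

```python
"""
Added example (not from the article): flag APF-authorized libraries whose
data set protection lets untrusted IDs modify them. The sample data below is
constructed for illustration; a real audit would read the live APF list and
the RACF data set profiles that actually cover each library.
"""
from dataclasses import dataclass, field

# RACF data set access levels, ascending in power.
ACCESS_ORDER = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


@dataclass
class DatasetProfile:
    name: str                                   # profile name (exact match here; simplification)
    uacc: str                                   # universal access for IDs not on the list
    access_list: dict = field(default_factory=dict)   # user or group -> access level


# Constructed sample: three APF-authorized libraries and the profiles covering them.
APF_LIBRARIES = ["SYS1.LINKLIB", "SYS1.SIEALNKE", "VENDOR.APFLIB"]

PROFILES = {
    "SYS1.LINKLIB": DatasetProfile("SYS1.LINKLIB", "READ", {"SYSPROG": "ALTER"}),
    "SYS1.SIEALNKE": DatasetProfile("SYS1.SIEALNKE", "READ", {"SYSPROG": "UPDATE"}),
    # Weak on two counts: UACC(UPDATE) lets every user write to it, and an
    # application-development group has UPDATE to an authorized library.
    "VENDOR.APFLIB": DatasetProfile(
        "VENDOR.APFLIB", "UPDATE", {"SYSPROG": "ALTER", "APPDEV": "UPDATE"}
    ),
}

# Hypothetical group that is allowed to maintain authorized code.
TRUSTED_WRITERS = {"SYSPROG"}


def find_weak_apf_libraries(apf_libraries, profiles, trusted_writers):
    """Return (library, reason) pairs for every library an untrusted ID could modify."""
    findings = []
    for lib in apf_libraries:
        prof = profiles.get(lib)
        if prof is None:
            # An APF library with no covering profile is the worst case: unprotected.
            findings.append((lib, "no data set profile covers this library"))
            continue
        if ACCESS_ORDER[prof.uacc] >= ACCESS_ORDER["UPDATE"]:
            findings.append((lib, f"UACC({prof.uacc}) lets any user modify the library"))
        for who, acc in prof.access_list.items():
            if ACCESS_ORDER[acc] >= ACCESS_ORDER["UPDATE"] and who not in trusted_writers:
                findings.append((lib, f"{who} has {acc} access but is not a trusted writer"))
    return findings


if __name__ == "__main__":
    for lib, reason in find_weak_apf_libraries(APF_LIBRARIES, PROFILES, TRUSTED_WRITERS):
        print(f"WEAK APF LIBRARY {lib}: {reason}")
```

The rule the check encodes is the one auditors apply by hand: an APF-authorized library should carry a UACC no higher than READ and grant UPDATE or above only to the systems-programming IDs that maintain it; anything more generous, or a library with no covering profile at all, is a finding worth fixing before the code-level review the article goes on to describe.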
But the deep-seated nature of code-based vulnerabilities can cause bigger headaches. These vulnerabilities are often harder to find, and can cause more damage at the deepest levels of the IT estate, explained Cynthia Overby, co-founder and vice president of operations at KRI.
Many products on the market scan for code vulnerabilities at the application level, but not the larger operating system.
“If exploited, application vulnerabilities will allow access only to the data that a single application owns. But you have to take it a step higher,” Cynthia explained. “You also have to scan for operating system vulnerabilities, where somebody has written code that doesn't follow the IBM statement of integrity, or they used poor coding techniques.”
OS-level vulnerabilities create much bigger risks. If a hacker were to exploit one, he or she would have access to all of the data, applications, and users on the entire mainframe. That could mean hundreds of applications and thousands of users, all from one single code flaw, said Cynthia.
Worse still, OS-level access would allow a hacker to completely cover his or her tracks by disabling common system logging or security controls, Ray explained.
“Once they’ve pierced the veil of integrity, they could do whatever they want,” he said. “If they just wanted to crash the entire system to make their business competitor look bad, they could do that too.”
Where do code-based vulnerabilities come from?
Code-based vulnerabilities are more common than you might think. They can crop up any time a change is made to a mainframe operating system, such as an OS upgrade, standard maintenance, or the introduction of a new product. Vendors try to test for code gaps in every product release, but it’s nearly impossible to simulate all client environments and situations.
Vulnerabilities also occur due to poor coding techniques that don’t follow the IBM System Integrity statement. According to IBM, that statement represents its commitment to design and development best practices “intended to prevent unauthorized application programs, subsystems, and users from bypassing z/OS security.” Coding techniques that violate the statement of integrity could open up a hole in an authorized program, and a pathway for users to gain access and control to key z/OS system processes.
“My message to developers is, when you're writing OS-level code, not only does it have to work as designed, but it can have no unintended consequences,” Ray said. “OS-level programs touch so much more than applications do, so you need to worry about the broader implications of bad code.”
Solving code-based vulnerabilities
Awareness is the first step to plugging code gaps. Mainframe professionals need to recognize that application scanning alone won’t identify every system flaw. And with just one open door, hackers can lean on tried-and-true techniques to work their way up the chain, acquiring user IDs, passwords and finally, full mainframe access.
Most importantly, companies simply need to open their eyes to these common risks.
“Hackers are definitely trying to get into mainframes because they know that's where the big data is, the actual financials,” Ray said. “The problems are there. If you want to ignore them, you're putting your company at risk.”
Security in the Enterprise is among the many topics that will be on-tap for SHARE Providence 2017, August 6-11. Find out more and register for the event at http://event.share.org/home.