Integrity Vulnerabilities on the Mainframe Present Great Risk

How well do you think your mainframe is secured? Better yet, have you ever had it tested? Mark Wilson, Technical Director at RSM Partners, and Ray Overby, president and CEO of Key Resources, Inc., posed these questions to the audience of a recent SHARE presentation.

They explained that the foundation of all mainframe security is integrity. Without integrity, there is no security. You need to know whether you have any vulnerabilities on your mainframe. But Wilson and Overby weren’t talking about application code. They were talking about code-based vulnerabilities: the integrity of the infrastructure – z/OS, CICS, IMS, Db2, and ISVs that supply you with system-type code.

The issue, then, is this: how many businesses are actively checking their mainframes for code-based integrity vulnerabilities?

What’s the risk?

According to Wilson, you need to make sure that anyone who writes code that runs on your mainframe faithfully follows all the rules in the IBM System Integrity Statement. According to IBM, that statement represents its commitment to design and development best practices “intended to prevent unauthorized application programs, subsystems, and users from bypassing z/OS security.” 

If you get it wrong, just one instance of an integrity vulnerability could spell disaster for you and your organization. Suppose you have a piece of code that’s either been supplied by a vendor/ISV, or written by one of your in-house technical teams. What if that code has a vulnerability that the developer isn’t aware of? 

When a bad actor comes along and exploits that code defect, there are a number of things they can now do. First off, they could elevate their privileges to supervisor state key zero, and at that point, there are a lot of hostile acts they can perform. They can steal all your data, destroy all your data, or issue any instruction they want to that mainframe. As Wilson says, the bad actor that reaches supervisor state key zero is really only limited by their coding skills, their imagination, and what ideas they find on the internet. 

They could also bypass your CPU management system controls, bypass or disable the logging and monitoring controls you may have deployed (this can even be done in stealth mode), or encrypt all your mainframe data. 

What do we need to do?

Having these integrity vulnerabilities is a major issue, according to the presenters. But it’s one that you can manage. Wilson and Overby offered some tips to get you on the path to a more secure mainframe.

To start off, if you aren’t already, it’s time to start scanning both your vendor- and in-house-written system software for vulnerabilities. 

Second, remember that scanning for vulnerabilities cannot be a one-time thing. This needs to be part of your mainframe maintenance cycle and your change management process. Does that mean you need to scan all of your software when you apply a couple of PTFs? According to Wilson, that’s not always necessary. But he advises that when you do a z/OS upgrade, you should absolutely be scanning for vulnerabilities. Here’s where it gets complicated: Any fix you install could solve one problem, while also creating another. That’s why it’s so important to start thinking about when and where you scan.

Scanning needs to be done every time you upgrade z/OS or any major subsystem (CICS, Db2, et al.), and every time you apply any serious level of maintenance, such as an RSU.

Ask your vendors if they’ve had their code tested. Make sure they know that it’s actually secure. Take a moment to go back and check your own code. Wilson acknowledged that when he went back and checked old code he’d worked on, he found areas that needed a few tweaks. If you’ve written anything yourself, it’s worth taking another look at it. 

And finally, don’t forget to take this as seriously as the risks demand. The mainframe holds up to 80 percent of the world’s corporate data, which makes it a prime target for bad actors. It’s in our best interest to do everything we can to protect the mainframe proactively. 

 
