Despite its reputation as a secure platform, the mainframe isn’t exactly Fort Knox.
In a keynote session at SHARE Sacramento, renowned mainframe hackers Phil Young and Chad Rikansrud explained that we need to collectively change our mindset when it comes to mainframe security. The industry needs to think of mainframes much in the way we’d think of any other computer when it comes to threat vulnerability.
The Security Risks
The mainframe can, indeed, be hacked—and the effects would be catastrophic, according to Young and Rikansrud. Mainframes store an incredible volume of data, and it’s often the kind of data that would be a gold mine for hackers. Organizations rely on the mainframe to manage and protect business-critical information, as well as customers’ personally identifiable information.
Unfortunately, that makes mainframes a ripe target for ransomware attacks, among other types of cyberattacks, the pair argued. Breaches are also frequently precipitated by hacking, malware, stolen or weak passwords and privilege misuse.
The looming mainframe skills gap is also a major concern. As a major contingent of the mainframe workforce heads for retirement, the mainframe community is facing questions like: Who will choose mainframe as a career, and why? Who will continue to look into security issues for the mainframe? It is increasingly important that mainframe professionals focus on recruitment and mainframe education to mitigate the effects—security and otherwise—of the oncoming skills gap.
No One Is Talking About Mainframe Vulnerabilities
Part of the problem, Young argued, is that the mainframe industry does not benefit from the same sort of open disclosure and discussion about security vulnerabilities that is found in open source or distributed environments. There is no commonly shared or public database of reported mainframe vulnerabilities—though Young publishes what he finds to the Common Vulnerabilities and Exposures database—and vendors typically keep details about patches close to the vest.
This culture of silence surrounding threats enables an inflated sense of security on mainframes, said Young and Rikansrud. For example, the duo said that mainframers aren’t patching as rigorously as they would on open systems, even as there are known underground markets for vulnerabilities.
What Can We Do?
There are many steps mainframe professionals can take to ensure that the mainframe is as secure as possible. First and foremost, Young and Rikansrud emphasized that enterprises need to start treating the mainframe just like any other computer when it comes to security. But they’re going to need all the help they can get to do that.
In many companies, this starts with getting the chief information security officer (CISO) involved, because the CISO is often responsible for the mainframe. Since mainframe vulnerabilities aren’t widely publicized, however, CISOs tend to think there is nothing to worry about. Or, in many cases, CISOs aren’t even aware that they own the security of the data on the mainframe. They may be relying on system programmers to ensure mainframe security. If something were to go wrong, though, everyone would be to blame. The best approach involves everyone working together to secure the mainframe and avoid any potential problems.
Businesses can also take more proactive steps, starting with establishing a close partnership between the InfoSec team and the mainframe team. InfoSec team members should have access to security portals, so they are not only able to scan for vulnerabilities, but also perform essential security functions like penetration testing and security patching. These functions aren’t perfect—enterprise solutions for vulnerability testing tend to only catch the low-hanging fruit—but they are a step in the right direction.
The bottom line when it comes to mainframe security? Young and Rikansrud advocate for proactive changes that will better secure the mainframe, starting with stronger partnerships between business and security teams, and wider acknowledgement of the threats to mainframe systems.