Evangelizing Mainframe

Monitor Root-Access Users for Mainframe Security

We’ve always been proud (and perhaps a bit arrogant) about how our favorite platform—the mainframe—is secure. This capability is why the platform has survived and typically runs the transactions we care most about. Payment processing systems, airlines, banks—all select the mainframe for its reputation for impregnability.

But how secure is it? Are we living in the past? In July, Ayoub Elaassal, a security auditor at Wavestone, performed an audit on a mainframe and found a vulnerability very quickly. As that mainframe was set up, he discovered that authorized program facility libraries could be updated by any of the mainframe’s users; payloads in such a library are considered trusted. He quickly wrote some scripts that made it possible to give the user root-level access. Once in, things could be done, including changing memory, revoking users and shutting down the processor. “With root,” Elaassal says in an article about his actions, “You could erase everything.”

Once, very few employees had mainframe access, but now, in many cases, a large number of client-facing employees have access. The teller at your local bank is probably logging onto the mainframe. The possibilities to do damage are endless. For this problem, the solution is to recognize any change to user access immediately, especially when root access is assigned. The number who should have this access must be very limited. While the mainframe is the most securable platform, it’s important to remember that how you set it up is critical.
Mainframe security enthusiast Phil Young notes in a Tripwire article, “Since security implementation on z/OS, independent of the tool, is the realm of either the sysprog—with little time to deal with it on a daily basis—or the security staff—where dedicated z/OS specialists are few and far between—this can and does lead to potential gaps in coverage.”

For many years, no one even really tried to hack the mainframe. There were so many easier options—Linux, UNIX and Windows. Both Young and fellow mainframe security enthusiast Chad Rikansrud have given talks on the subject, including at BSidesLV, DefCon and DerbyCon.

Rikansrud notes that oddly, one thing in our favor is that there are fewer people who really know the mainframe and understand security at a deeper level, which means fewer people are actually capable of hacking the mainframe. It’s a complicated system, as we all have discovered, and unlike other systems, it uses EBCDIC. Online support isn’t there; most mainframers don’t support helping people to hack their favorite platform. Finally, there aren’t any penetration tools—yet.

So, for now, we’re in good shape, as long as we monitor root-access users. But what about data? That’s the subject of upcoming blogs, because anything that leaves the mainframe, its applications and the data it manages more open makes it far more vulnerable.

Denise P. Kalm is chief innovator of Kalm Kreative Inc. and consultant to CM First Group.

Posted: 1/9/2018 6:00:07 AM by Denise P. Kalm
