25th February 2019: In a previous blog, I talked about 'The problem with passwords' and told the story about how US 'Minuteman' nuclear missiles had their launch codes set to the almost unbreakable combination of... erm... eight zeroes, to enable easy launch. The serious question is, how can you balance ease-of-access with today's security demands in light of the cyber threat landscape?
In RSM Partners' recent security-themed executive paper, I make the case for using Multi-Factor Authentication (MFA) as a highly effective tool in your mainframe security implementation, for identity and access management - not least because it's estimated that some 81% of breaches can be attributed to credential reuse aka misuse.
MFA is designed to create a high degree of friction for malicious cyber criminals while presenting minimal delays and disruption to your legitimate users.
Two-factor authentication has become the norm in the 'civilian' (non-mainframe) world. For example, whenever I log on to the HM Revenue & Customs website, as I sometimes need to, it texts a numeric code to my mobile phone for me to enter when asked. Just to make sure it's me.
(By the way, 'MFA' is not to be confused with giant 1970s and 80s furniture retailer 'MFI', a brand I remember well from my youth. If you believe the stories, at one point, one in three Sunday lunches in the UK were cooked in a kitchen sold by MFI, while 60% of British children were conceived in an MFI bedroom. But I digress.)
The point is, including MFA as part of your wider security strategy is an increasingly smart move as mainframes become more open and connected to the wider world, and as regulations like GDPR demand stricter compliance for data protection. PCI DSS actually requires MFA to be implemented.
MFA works by inspecting multiple identifying elements associated with a user account, raising the authentication assurance level a system requires from a specific user.
Do you remember the 1990s submarine film CRIMSON TIDE, when newbie executive officer Denzel Washington squares off against grizzled captain Gene Hackman? It's set during a time of heightened nuclear tension (can you imagine such a thing?) and a message to confirm or cancel the launch of ten nuclear missiles is cut off, and the radio damaged. Denzel wants to get proper authentication and the order confirmed, before they kick-off World War III. Gene disagrees. Submarine shenanigans ensue.
I think Denzel has a point.
Anyway, back in the real world, for us, true MFA arrived with IBM Multi-Factor Authentication for z/OS in late 2017, expanding the options available "for creating a layered defence."
So why is it so important to have this additional level of authentication assurance (apart from the risk of starting World War III from a nuclear submarine)? Well, as you hardly need me to tell you, the implications of stolen credentials without something like MFA can be serious.
If the credentials belong to a Business User, a cyber criminal may access your applications and data. If the credentials come from an IT Technician working in Development, a bad actor may access source code, your IP, and possibly your Development and Production environments. A Systems Programmer or Systems Administrator? A cyber attack may look to change system configuration and security controls.
And all these scenarios are still possible even if you already have a 'perfect' mainframe security implementation. It's a worry.
Even more worrying, if you don't have a perfect security set-up, it could be possible for a cyber criminal to elevate the credentials of a DBA to those of a Systems Programmer. How about using the credentials of a Business User to log on to TSO and launch one of the many possible privilege escalation attacks?
Multiple risks are of course associated with any breach, no matter how it's perpetrated. But we're far from helpless.
As I've written many times before, while a mainframe system may not be secure right now, it is the most securable commercial computing platform around - and all the tools you might need are out there.
These include products such as RACF, ACF2 or Top Secret; network segmentation; privileged user management (e.g. RSM Breakglass); real-time threat detection; PassTickets; client/server certificates; incident response - and, of course, MFA. (Not an MFI kitchen or bedroom.)
If you want to learn about MFA in a little more detail, you can download our recent security executive paper.
And remember: if it's good enough for Denzel, it's good enough for us. Look out for that malicious cyber criminal lurking in the background: don't SHARE your details, and if 'Phoenix' your credentials, you could be in serious trouble. That's my none-too-subtle plug for SHARE Phoenix 2019 in March.
If you're around, please do come along and say hello.
My four sessions are as follows: 'Mainframe Pentesting 101' on Tuesday 12th March at 10am, 'Compliance Warriors' on Wednesday 13th March at 8.30am, 'How a Non-mainframer Hacked a Mainframe' on Thursday 14th March at 8.30am, and 'Leveraging Industry Tools for Vulnerability & Penetration Testing', also on Thursday 14th but at 4.30pm. Hope to see you there.
An international speaker in mainframe security and technology, and a passionate advocate of all things Z, Mark Wilson heads RSM Partners' Technical and Security teams.