NewsMainframe Security: Stop me if you have heard this


    Mainframe Security: Stop me if you have heard this one before

    27th March 2019: I heard a joke a few years ago, the one about the outgoing chief information security officer and the three envelopes. You may know it. The CISO meets her replacement and gives them three envelopes numbered 1, 2 and 3 and this advice: "When you have a security breach, open an envelope in turn."

    Some months later, there is indeed a breach. The board asks the CISO to come and explain. He remembers the envelopes, opens number 1 and a card inside reads 'Blame your predecessor'. Which he does and all is well. A few months later, there's another breach. On his way into the boardroom, he opens envelope 2 and this card reads 'Blame your team'. A few months pass until a third breach. Heading to see the board and feeling confident, he opens envelope 3 and the card inside reads 'Prepare three envelopes'.

    Okay, maybe I'll stick with the day job and leave the stand-up comedy to others. Although as anyone who's seen one of my presentations can testify, there's usually something to laugh at.

    That joke came back to me recently when I was chatting with the CISO from one of the world's biggest banks. Naturally, the topic of conversation quickly turned to mainframe security. And no, I didn't tell the joke.

    Instead, I'd politely suggested that the IBM mainframes in the bank needed to be seen and treated just like any other computer in the organization. With input/output, networking, files, programs, CPUs and memory, they may operate differently from the x86s that you have, running Windows and Linux but from a security perspective they need to be treated the same.

    However, I said, you need to ask yourself how much time and money your enterprise spends on ensuring the security of this particular platform versus the various other non-mainframe operating systems, applications and networks? What if I was to tell you, categorically, that every single type of configuration vulnerability, code bug and architectural flaw has some direct or near-direct parallel on your mainframe platform?

    Moreover, given the woeful neglect in research and the fast-waning global knowledge base, as mainframe experts retire, the security posture on your mainframe is highly likely to be much worse than any other platform on your network.

    Our team spends a great deal of consulting time on penetration testing these platforms around the world. We regularly identify significant vulnerabilities. A recent case involved one of the largest banks in central Europe: we found 96 different vulnerabilities 42 High Criticality, 47 Medium, 7 Low. If that was a Trip Advisor score, you possibly wouldn't want to eat or stay there.. Those vulnerabilities can easily be exploited and would actually have been considered trivial 20 years ago in the non-mainframe world-and have long since been remediated everywhere else.

    This is where RSM's zDetect solution comes in. At the risk of hyperbole who? me? we think it stands alone and is properly unique. Why? Because we've built into it our unrivalled knowledge base of mainframe security threats that, crucially, is constantly evolving and updated based on the many ongoing assessments and pen testing projects we're carrying out around the globe. Right now, in fact.

    Even on first launch, I told the CISO, you can see all the trivial but potentially catastrophic security issues on your mainframe. And that's not all: zDetect provides valuable real-time compliance monitoring and threat alerts so the bank's security operations centre can act quickly and knowledgably on security incidents that might involve the mainframe. The software does this by communicating in easy-to-understand messages, using common security terms rather than confusing mainframe jargon.

    So, I concluded, there is absolutely no reason why your mainframe platform should be such an easy target for the bad actors. And, potentially, no need for those three envelopes, at least as far as your mainframes are concerned.

    By the way, if you're a CISO or work for one and want to read an amusing spin on the role and the different types of CISO, you might take a peek at this recent IBM security intelligence blog. It aligns the role with Star Wars characters to ask the question, is your CISO a Jedi Warrior, a Fighter Pilot, Chewbacca, or the Ultimate Defender of the Galaxy.

    An international speaker in mainframe security and technology, and a passionate advocate of all things Z, Mark Wilson heads RSM Partners' Technical and Security teams.

    For more information email: info@rsmpartners.com