4th February 2019: At the end of last year, I read an Esquire article titled 'The Top 25 Passwords in 2018 are an embarrassment to humankind'. A little harsh, I thought - until I actually read the article. The number one password used was '123456'. The number two password was, erm, 'password'. Number three was '123456789'. I could go on, but I think you get the point.
I've touched on this in previous blogs but thought I'd return to the subject in a little more detail. It's also covered in RSM's latest security-themed executive paper - and I think it's an important enough topic to discuss across as many channels as possible.
We all know that mainframe systems are both reliable and scalable. But a big problem is that their security is so often taken for granted - and that password insecurity is rife.
This should be of serious concern given that mainframes hold 80% of the world's business data. They host critical core IT for 92 of the world's top 100 banks, 18 of the world's 25 top retailers, 23 of the 25 top airlines, all the world's top 10 insurers, and 71% of Fortune 500 companies. Mainframes host more transactions daily than Google (1.3m/second CICS versus 68,542/second Google) - including 55% of all enterprise transactions. They are part of our critical global infrastructure.
So why are mainframe passwords still being 'stored' on Post-it notes, and written to text files using tools like Notepad? I've seen them written on whiteboards in offices. At the same time, the standard security posture for many organizations is "everyone has read access to everything". So you can see the problem.
Passwords are easily shared, easily stolen and easily guessed. We all know the popular choices: pet, children and partner names. Or simple consecutive numbers, apparently.
Here's a strange-but-true password story.
For quite some time during the Cold War, US 'Minuteman' nuclear missiles needed an eight-digit code to be launched. That code was simply 00000000. This was set intentionally, to enable a quick launch. How this came about is quite interesting. After concerns had been raised, JFK signed a security memorandum in 1962 that was supposed to ensure missiles could only be launched using the right code and with the right authority. 20 years after this order, half the missiles based in Europe were still, in fact, being protected by basic mechanical locks. In US silos, however, from the late 1960s Strategic Air Command had set the launch codes on all 50 missiles to 00000000 to enable fast and easy deployment.
Dodgy passwords clearly have a long and illustrious history.
Anyway, back to the mainframe. The maximum password length is eight characters. Up to 100-character passphrases are available but few people use them. There have of course been efforts to tighten up password security: adding mixed case and additional characters, and the ability to challenge users and force them to create more complex, and therefore stronger, passwords.
But there's the rub: if passwords get too complex and tricky to remember, we drive behaviors in our user communities that lead to those sticky notes and whiteboards. Some folk use password vaults but it's certainly not everyone.
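To make the trade-off concrete, here is an added illustration (not code from this post or from RSM Partners) of a hypothetical policy built around the limits quoted above: it rejects the entries the post names, scores brute-force keyspace, and shows how little an eight-character password can ever reach compared with a plain-word passphrase. The 45-bit floor, the mixed-case toggle and the letters-plus-digits rule are assumptions for the example, not RACF settings.

```python
import math
import string

# Limits the post quotes: eight-character passwords, passphrases up to 100 characters.
PASSWORD_MAX = 8
PASSPHRASE_MAX = 100
MIN_BITS = 45  # assumed floor for a short password's brute-force keyspace (not a RACF setting)

# Constructed deny list built from the entries the post names; not a real product table.
BLOCKLIST = {"123456", "password", "123456789", "donald", "00000000"}


def charset_size(secret: str) -> int:
    """Size of the smallest conventional alphabet covering every character used."""
    size = 26 if any(c.islower() for c in secret) else 0
    size += 26 if any(c.isupper() for c in secret) else 0
    size += 10 if any(c.isdigit() for c in secret) else 0
    size += 32 if any(c in string.punctuation for c in secret) else 0
    size += 1 if any(c.isspace() for c in secret) else 0
    return size


def keyspace_bits(secret: str, mixed_case: bool = True) -> float:
    """Brute-force upper bound in bits, len * log2(alphabet), assuming uniform random choice.
    With mixed_case off the secret is folded to upper case first, as a case-insensitive policy would."""
    if not mixed_case:
        secret = secret.upper()
    return len(secret) * math.log2(charset_size(secret)) if secret else 0.0


def check(secret: str, mixed_case: bool = True) -> list:
    """Findings for a candidate under this hypothetical policy; [] means it passes."""
    findings = []
    if secret.lower() in BLOCKLIST:
        findings.append("on known-bad list")
    if len(secret) <= PASSWORD_MAX:
        # Short password: must mix letters and digits and clear the keyspace floor.
        if not (any(c.isalpha() for c in secret) and any(c.isdigit() for c in secret)):
            findings.append("short password must mix letters and digits")
        bits = keyspace_bits(secret, mixed_case)
        if bits < MIN_BITS:
            findings.append("keyspace %.0f bits, below %d" % (bits, MIN_BITS))
    elif len(secret) > PASSPHRASE_MAX:
        findings.append("passphrase longer than %d characters" % PASSPHRASE_MAX)
    return findings


if __name__ == "__main__":
    for cand, mc in [("123456", True), ("password", True), ("Donald18", False),
                     ("Donald18", True), ("correct horse battery staple", True)]:
        print("%-30r mixed_case=%-5s %6.1f bits  %s" % (cand, mc, keyspace_bits(cand, mc), check(cand, mc) or "passes"))
```

Note that "Donald18" passes only when mixed case is honoured; with case folding the same eight characters drop below the floor, which is the author's point that an eight-character limit leaves little room to recover entropy.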
One of the biggest threats is password reuse; combine this with the problems outlined above and you end up with convenient attack points.
At the end of the day, to the bad actors, the mainframe is "just another server" to be attacked and hacked. And arguably the biggest threats come from inside.
The bad actors are more likely to target individuals and attempt to steal system logins and credentials. My point is, if you're still authenticating users with passwords alone then moving to multi-factor authentication (MFA) is probably long overdue.
Indeed, a recent Verizon Data Breach Investigations Report (DBIR) suggested this problem is growing. The percentage of hacking-related breaches involving the misuse of stolen or weak credentials reached 81%, effectively putting it front and center in terms of the tactics being leveraged by attackers. (Incidentally, the 2018 report described 53,000 incidents and 2,216 confirmed data breaches.)
The upshot is that the mainframe side of operations often has the weakest password policies and algorithms in the entire enterprise. The possible attack scenarios and implications of stolen credentials don't make for easy reading - as you'll discover if you download our recent security executive paper.
The question is, are we making it difficult enough for potential hackers to get in? The answer is "almost certainly not". And if we could be doing more, shouldn't we?
By the way, number 23 on the list of popular passwords for 2018 mentioned in the Esquire article was 'donald' - although when it comes to hacking, it's no longer possible to 'duck' the issue. (I'm assuming that's the Donald being referred to. And thank goodness the nuclear launch codes are safe these days.)
An international speaker in mainframe security and technology, and a passionate advocate of all things Z, Mark Wilson heads RSM Partners' Technical and Security teams.