Or: We need to talk about mainframe hacking
There’s an elephant in the room says Mark Wilson. It’s mainframe-sized, at serious risk of being hacked, and its name is Z.
“The only thing we have to fear is fear itself.” That was US president Franklin D. Roosevelt at his inauguration in 1933. FDR was talking about that “nameless, unreasoning, unjustified terror which paralyzes needed efforts to convert retreat into advance.” Now, without being too melodramatic (stop laughing at the back!) we’re in an analogous situation in the Z world today in relation to hacking and cyber security. Yes, I know it’s a difficult and contentious subject. Yes, I know some folk are uncomfortable discussing it. But should it really be taboo? Do people maybe think that talking about it might actually cause it to happen, like a mainframe version of the early Nineties horror film Candyman. If you dared to speak his name five times into a mirror, he’d appear behind you and despatch you with his trademark hook. But I digress. Let’s do this together. So, take a deep breath:
We need to talk about mainframe hacking.
Not talking about it doesn’t help, and certainly doesn’t deal with the issue. I have a current presentation on the subject. For some audiences, the title slide reads “The subject we aren’t allowed to discuss”. For others, it’s “How a non-mainframer hacked a mainframe (and retired happily ever after)”. Somebody actually called me the Big Bad Wolf once, which immediately got me thinking: don’t build your mainframe security out of straw or wood. Build it from brick. Otherwise, Mr Hacker will huff and puff and blow your mainframe security down. It seems obvious but the problem is, most if not all mainframe “houses” that my team and I see are built of straw, and are liable to fall or get burned down at any minute. A few are made of wood, sure, but are still fairly easy to knock down. We’ve yet to come across one made of brick. So, are you sitting comfortably? Then we’ll begin.
This story is called ‘Once upon a hack’
Once upon a time, there was a global bank in a high castle, with thick stone walls, that believed all its treasure was secure in its vaults, forever and ever. The kings and queens slept soundly in their beds each night, refusing to believe there were any rampaging hordes in their realm, and all was safe. The handsome prince or princess – the CISO – believed that it was all under control, and told them so. Until… until… until Mark Wilson appeared at their drawbridge in his Big Bad Wolf costume and proved them all 100 percent wrong.
You see, it doesn’t actually require any mainframe knowledge for somebody to breach your mainframe and steal your data. Trust me: it doesn’t. During my presentation, I tell the real-life tale of how a non-mainframe pentester was able to exfiltrate all the Production Db2 data off a mainframe. That’s right: using standard Linux/Unix tools like ssh, grep, ODBC and a little ingenuity, somebody with no mainframe experience drained a system of all of its client – highly sensitive – data. It really is very simple if you know what you’re doing. If you want to find out how the pentester did it, you’ll have to catch one of my talks. But I’m sure I’ll also write it up in a blog at some point. And what’s really frightening is what can happen to the stolen data after it has slipped through your fingers (see my previous ramblings on the dark net and cryptomarkets).
The point I try to make, and why we shouldn’t be scared to talk about the subject, is that mainframe security is not a mainframe security issue at all: it’s an Enterprise Security Issue. If mainframes truly hold your core data and run the majority of your critical applications, it’s actually a board-level issue.
And the funny thing is, in many ways, the solutions needn’t be that complicated. What we’ve done at RSM, for instance, is take all the worries and threats and technology vulnerabilities, work out the best ways to deal with them now and in the future, then pop all that know-how into a magic pot of gold at the end of the rainbow. Okay, I’ll stop with the over-extended fairy tale metaphors. What I mean is that, in our case, we’ve sort of “weaponised” our in-house security capabilities, pulling them together into a single solution: actual and potential security threats, advanced security algorithms, intelligent analysis in real-time to detect suspicious activity, alerts, Security Information and Event Management (SIEM), and so on. And that’s just part of the story…
So you see, it turns out that it’s good to talk about mainframe hacking after all. I can’t promise we’ll all live happily ever after. But if you take the issue seriously and start talking about it, when the real Big Bad Wolves come knocking at your door, as they surely will, you’ll be living in a house made of brick – and have quite a few tricks up your sleeve. The End.