Sunday, 13 March 2022

The real priority for mainframers


I recently had a meeting with a fairly senior executive from a company, and our conversation turned to priorities. I asked exactly what the company saw as its priority for 2022-23. Not a surprising question, I didn’t think. The exec took a second or two to marshal their thoughts and explained that for this year they were going to focus on their supply chain and their processing, in order to maximize the profit from the business going forward. That sounded good. I asked them what else they were prioritizing, and they again thought for a moment and concluded that was pretty much it.

I asked them about staff wellbeing because that is something many companies are finding to be an issue. Some staff love being back in the office with the usual office banter, free heating, and supplies of hot drinks. Others love working from home and avoiding the commute, finding somewhere to park, and constant interruption when trying to work. And, seemingly, a lot of staff are changing jobs to get the work/life balance they feel is right for them. Others have found, after two years of Covid uncertainty, that mental health challenges that were kept in check before the outbreak are now causing them concern. I asked what steps they were taking about this and was told that they thought HR had this under control. Mmmh!

I next asked about equality and diversity. What steps were they taking to ensure there was no pay gap between men and women? Was there a glass ceiling holding back the promotion of women? Did their organization reflect the ethnic ratios that existed in the areas where they had offices? Was there a pay gap or glass ceiling affecting those members of the community? The exec thought that they did and that, again, HR had it under control. Mmmh!

So, then I asked what their corporate policy was on ransomware. What did they have in place to prevent phishing attacks? Had they moved to zero trust? Did they have any kind of insurance against hacking? Here the exec felt on safer ground, as they smiled and said that they did most of their computing on a mainframe, so they were safe. And they were migrating the Windows servers to the cloud. So, again they were going to be completely safe. Oh dear!

I mentioned mainframe sites that we know have been hacked: Luxottica, Logica, Swedish Nordea bank, the US Office of Personnel Management (OPM). I mentioned high-profile cyber-attacks from last year, including Colonial Pipeline and Kaseya. I talked briefly why many companies wouldn’t want to reveal that they had been hacked. And I talked about the need to always update software to ensure that the latest known flaws were patched at their site – and prevent bad actors getting in that way.

I briefly talked about some easy ways to hack a mainframe, eg using CICSpwn, which is on GitHub; brute force attacks; JES/FTP attacks; TN3270 emulation attacks, using NJE; NMAP scripts; or ENUM scripts. I asked what training users had about identifying and avoiding phishing attacks? I mentioned key loggers embedded in attachments and interesting sounding counterfeit websites automatically sending malware. I also mentioned that there were plenty of userids and passwords for lots of companies available on the dark web. By now, the exec was busily writing things down and his face was looking a bit grim.

I asked who he thought hackers were, and he replied that they were just kids trying to see what they could do on their computers. I informed him that those days were gone and these days there were organized hacking gangs and there were nation-state hackers. It was all very organized. And, I told him, Ransomware as a Service (RaaS) was now possible to get hold of. So, any disgruntled ex-employee could get a nice payday from their former employer.

Then I asked about how trustworthy all their employees who used the mainframe were. I got a “well yes, probably – um, I don’t really know” response. The truth is that mainframe sites need to assume that the bad guys are already inside their networks. And that’s why moving to zero trust is so important. This ensures that the right person is accessing the right files from the right place. So, if a systems programmer often works at 2 in the morning, then everything is OK – unless today your sysprog is working from Outer Mongolia or somewhere else unusual.

And how much does a ransomware attack cost? According to IBM’s “Cost of a Data Breach Report” 2021, the average cost of a breach increased from $3.86 million to $4.24 million. For US-based companies, the average was $9.05 million per incident. In the healthcare sector, the average cost of a breach was the highest at $9.23 million per incident. For companies that experience a mega breach – that’s between 50 million and 65 million records stolen, the average cost is $401 million! By now, the executive I was talking to was beginning to turn green.

The other thing, I continued, is just how long a company is hacked before the ransomware demand appears. IBM’s report says 212 days. And, worryingly, it takes on average another 75 days to contain it. That means you could have been breached over six months ago.

The hackers get in, and they raise their security level so they can do what they want. They then find all the good stuff – there’s no rush – and they take a copy of it. They corrupt the backups so you can’t recover the data, and then they encrypt the data. Then they give you the ransom demand – usually with a warning not to tell anyone, particularly not security specialists. They get money from your company when you pay the ransom. And they get money from the dark web when they sell your data.

And that’s why mainframe sites need something like File Integrity Monitoring software (eg FIM+ from MainTegrity) to alert sites when unexpected changes are made to applications or data or even backups. The FIM+ product can alert you to who made the change and when. And it can tell you exactly what was changed. More than that, it can tell you exactly which backup (which it has verified) to recover from.

I wasn’t trying to make a sale, that’s not my role. I was trying to alert the executive to exactly how vulnerable his company was to a ransomware attack and steps needed to be taken to ensure that they were still in business in order to carry out the other things on their priority list.

No comments: