Sunday 4 December 2022

Mainframe security in 2023

It takes effort to keep your network and your mainframe safe. Every year the bad actors get better at what they do, and every year your IT team needs to improve its techniques to match. Your recovery team also needs to practise recovery, so that it can be carried out quickly and surgically in an atmosphere of panic, with senior management running around demanding answers and estimates of how long the recovery will take. Long gone are the days of security by obscurity: the mainframe now runs software (Unix System Services, Java, TCP/IP services, web servers) that is very familiar to users, and hackers, of distributed systems.

The other thing to remember is that hackers are no longer enthusiastic teenagers looking to increase their knowledge. We are now talking about criminal gangs and nation states, who use hacking as a way of making money or of damaging the economy of a foreign country. On top of that, it is now possible to rent Ransomware as a Service (RaaS). If you have a grudge against an organization, you can rent the tooling to launch a ransomware attack against it without writing any malware yourself.

The great thing about the September-October period each year is that many companies, including IBM, publish reports on data breaches, and almost all of them highlight that the number of breaches is increasing, as is the amount paid in ransoms.

The first line of defence for most organizations is still the password. And the top five passwords in use are 123456, 123456789, qwerty, password, and 12345, according to Lookout, a mobile security firm. Clearly, making sure your employees are not using passwords like these is the first step: screen every new password against a list of commonly used and breached passwords, and put multi-factor authentication in front of the mainframe so that the password is not the only thing standing between an attacker and your data.

Phishing attacks are still the most successful way of extracting credentials and information from an organization. Even if an employee suspects that an email looks too good to be true, a follow-up vishing call (someone phones them shortly after they have seen the email) increases the chance that the phish succeeds. Staff are then more likely to fill in the form on the fake Apple, Google, Tesla, or whoever site and give away their credentials. Or they are more likely to download that PDF from the "headhunter" offering them a much better paid job, and at the same time inadvertently install a keylogger.

Once hackers get onto your mainframe, they want to install backdoors, so that they can get back in whenever they wish, and they may leave time bombs: malware that goes off unless it periodically receives a code from the bad actors, a dead man's switch. How do you know if malware has been left on your mainframe? How do you know whether your infrastructure has been modified by unauthorized individuals? You can only answer those questions if you hold a trusted record of what the system should look like, kept somewhere the intruder cannot reach, and compare the running system against it.
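One way to answer "has my infrastructure been modified?" is to keep a signed manifest of hashes for the artefacts that should only change under change control, and diff the live system against it. The example below is added here and is not code from the original post; the dataset and file names, their contents and the key are all constructed for illustration. The point of the HMAC is that an intruder who can alter a load module can just as easily rewrite an unsigned hash list, so the manifest and its key must live off the host being checked.

```python
import hashlib
import hmac
import json

# Constructed example snapshot: name -> content of a handful of artefacts that
# should not change without a change record (parmlib members, load-library
# members, sshd config, a scheduled audit export).  On a real system these
# bytes would be read from the datasets or files themselves; the contents
# here are made up.
BASELINE_SNAPSHOT = {
    "SYS1.PARMLIB(IEASYS00)": b"CLPA,SYSP=00,LNK=00\n",
    "SYS1.LINKLIB(IEFBR14)": b"\x07\x00\x00\x00",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/cron.d/audit-export": b"0 * * * * root /usr/local/bin/ship-smf\n",
}

# The same artefacts after a hypothetical intrusion: a member altered, a new
# member dropped into the link list, sshd weakened, and the audit job deleted.
CURRENT_SNAPSHOT = {
    "SYS1.PARMLIB(IEASYS00)": b"CLPA,SYSP=00,LNK=00\n",
    "SYS1.LINKLIB(IEFBR14)": b"\x07\x00\x00\x01",
    "SYS1.LINKLIB(BACKDOOR)": b"\x47\x00",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",
}

# Key for authenticating the manifest (constructed).  Keep it, and the signed
# manifest, off the host being checked.
MANIFEST_KEY = b"constructed-demo-key-keep-off-host"


def build_manifest(snapshot):
    """Map each artefact name to the SHA-256 of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in snapshot.items()}


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, tag, key):
    """Constant-time check that the stored manifest has not been edited."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def diff_manifest(baseline, current):
    """Report what changed between a trusted baseline and the live system."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def check_system(stored_manifest, stored_tag, key, live_snapshot):
    """Verify the baseline first, then diff the live system against it.

    Raises if the baseline itself fails authentication, because then no
    conclusion drawn from it about the live system can be trusted.
    """
    if not manifest_is_authentic(stored_manifest, stored_tag, key):
        raise ValueError("baseline manifest failed authentication; do not trust it")
    return diff_manifest(stored_manifest, build_manifest(live_snapshot))


if __name__ == "__main__":
    baseline = build_manifest(BASELINE_SNAPSHOT)
    tag = sign_manifest(baseline, MANIFEST_KEY)
    for kind, names in check_system(baseline, tag, MANIFEST_KEY, CURRENT_SNAPSHOT).items():
        for name in names:
            print(f"{kind:8s} {name}")
```

Run against the constructed snapshots this reports the altered load module and sshd config as modified, the new BACKDOOR member as added and the audit export job as removed. Any edit to the stored manifest makes the check refuse to run rather than report a clean system.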

And that brings us to disgruntled employees. Somewhere around 10% of attacks are reported to come from trusted employees who are unhappy and decide to get their own back on their employer. Do you have anything in place to identify when people access files that they do not usually need in the course of their work? That is usually the first sign that someone is planning or beginning an attack, and you can only spot it if you know what normal access looks like for each account.
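The check described above needs a per-user baseline of normal activity and a comparison of new activity against it. The example below is added here and is not code from the original post; the log layout, user IDs, dataset names and timestamps are all constructed to illustrate the technique, and the two signals it looks at (a high-level qualifier the user has never touched, and activity outside their usual hours) are a starting point rather than a complete model.

```python
# Constructed dataset-access records in a simplified audit-extract layout
# ("YYYY-MM-DD HH:MM userid dataset"), of the kind you might pull from RACF
# SMF type 80 records or any other access log.  Both logs are made up.
BASELINE_LOG = """\
2022-11-01 09:12 PAYROLL1 PAY.PROD.MASTER
2022-11-01 09:40 PAYROLL1 PAY.PROD.HISTORY
2022-11-02 10:05 PAYROLL1 PAY.PROD.MASTER
2022-11-02 14:22 DEVJOE SYS2.DEV.SOURCE
2022-11-03 11:30 DEVJOE SYS2.DEV.LOADLIB
2022-11-03 16:01 PAYROLL1 PAY.PROD.MASTER
"""

OBSERVED_LOG = """\
2022-12-01 09:15 PAYROLL1 PAY.PROD.MASTER
2022-12-01 23:48 DEVJOE PAY.PROD.MASTER
2022-12-01 23:49 DEVJOE PAY.PROD.HISTORY
2022-12-01 23:50 DEVJOE HR.PROD.EMPLOYEE
2022-12-02 10:00 DEVJOE SYS2.DEV.SOURCE
2022-12-02 10:30 NEWTEMP PAY.PROD.MASTER
"""


def parse_log(text):
    """Return (date, hour, user, dataset, hlq) tuples from the extract."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, dataset = line.split()
        hour = int(clock.split(":")[0])
        records.append((date, hour, user, dataset, dataset.split(".")[0]))
    return records


def build_profile(records):
    """Per user: high-level qualifiers touched and the hour band they work in."""
    profile = {}
    for _, hour, user, _, hlq in records:
        entry = profile.setdefault(user, {"hlqs": set(), "earliest": hour, "latest": hour})
        entry["hlqs"].add(hlq)
        entry["earliest"] = min(entry["earliest"], hour)
        entry["latest"] = max(entry["latest"], hour)
    return profile


def flag_anomalies(profile, records, slack_hours=1):
    """Return each observed access that falls outside the user's baseline.

    A user with no baseline at all is flagged separately: "no history" is not
    the same as "normal", and brand-new IDs touching production data deserve
    a look of their own.
    """
    anomalies = []
    for date, hour, user, dataset, hlq in records:
        reasons = []
        entry = profile.get(user)
        if entry is None:
            reasons.append("no-baseline")
        else:
            if hlq not in entry["hlqs"]:
                reasons.append("new-hlq")
            if not (entry["earliest"] - slack_hours <= hour <= entry["latest"] + slack_hours):
                reasons.append("off-hours")
        if reasons:
            anomalies.append({"date": date, "hour": hour, "user": user,
                              "dataset": dataset, "reasons": reasons})
    return anomalies


if __name__ == "__main__":
    profile = build_profile(parse_log(BASELINE_LOG))
    for hit in flag_anomalies(profile, parse_log(OBSERVED_LOG)):
        print(f"{hit['date']} {hit['hour']:02d}h {hit['user']:9s} {hit['dataset']:20s} {','.join(hit['reasons'])}")
```

On the constructed logs the developer's late-night reads of payroll and HR datasets are flagged on both counts, the developer's daytime access to the usual development library is not, and the new temporary ID is flagged for having no history. In practice the baseline window should be long enough to cover month-end and year-end jobs, or those will show up as false positives.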

Mainframe ‘modernization’ is the term often used for migrating some mainframe workloads to the cloud, or for creating new workloads that use techniques, such as data analysis, that the cloud does better than the mainframe. Unfortunately, hackers are usually very familiar with Linux and Windows, which is what most cloud systems run on, and that makes it easier for them to pivot from the cloud to the mainframe, particularly when so many proof-of-concept cloud projects have connectivity to the mainframe but do not quite follow all the security rules laid down for production systems.

Data poisoning is a newer issue affecting companies using artificial intelligence in their business. In a data poisoning attack a hacker injects corrupted data into the data an AI system is trained on or learns from. Future queries then give erroneous and skewed results, which corporate decision makers will trust. It is important to continuously monitor AI outputs and compare the distribution of new results against earlier results, so that a significant shift is investigated before anyone acts on it.
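One standard way to compare "new results against earlier results" is a population stability index (PSI) over a histogram of the model's outputs. The example below is added here and is not code from the original post; the score data is constructed (a baseline window spread evenly across the score range, and a poisoned window in which almost nothing scores as risky), the bin edges are a choice, and the 0.1 / 0.25 thresholds are a widely used rule of thumb rather than anything specific to the post.

```python
import math

# Constructed model outputs: scores in [0, 1] from, say, a fraud model scoring
# transactions.  The baseline window is spread evenly across the range; the
# poisoned window has been pushed down so that almost nothing scores as risky;
# the shifted window is the baseline nudged up a little, the kind of drift
# that should not raise an alarm.
BASELINE_SCORES = [(i % 100) / 100 for i in range(1000)]
POISONED_SCORES = [(i % 100) / 250 for i in range(1000)]
SHIFTED_SCORES = [min((i % 100) / 100 + 0.05, 1.0) for i in range(1000)]

# Bin edges for the score histogram; the last edge sits just above 1.0 so a
# score of exactly 1.0 lands in the top bin.
BIN_EDGES = [0.0, 0.2, 0.4, 0.6, 0.8, 1.0001]


def histogram(values, edges=BIN_EDGES):
    """Count how many values fall into each [edges[i], edges[i+1]) bin."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        for i in range(len(counts)):
            if edges[i] <= v < edges[i + 1]:
                counts[i] += 1
                break
    return counts


def population_stability_index(baseline, current, edges=BIN_EDGES, eps=1e-4):
    """PSI = sum over bins of (q - p) * ln(q / p), with p, q the bin shares.

    eps floors empty bins so the log is defined; it also means a bin that used
    to be populated and is now empty contributes a large term, which is what
    we want when a whole region of the score range disappears.
    """
    b, c = histogram(baseline, edges), histogram(current, edges)
    nb, nc = sum(b), sum(c)
    total = 0.0
    for bi, ci in zip(b, c):
        p = max(bi / nb, eps)
        q = max(ci / nc, eps)
        total += (q - p) * math.log(q / p)
    return total


def drift_verdict(psi_value):
    """Rule-of-thumb thresholds: below 0.1 stable, below 0.25 worth a look, else significant."""
    if psi_value < 0.1:
        return "stable"
    if psi_value < 0.25:
        return "investigate"
    return "significant"


if __name__ == "__main__":
    for name, window in [("shifted", SHIFTED_SCORES), ("poisoned", POISONED_SCORES)]:
        value = population_stability_index(BASELINE_SCORES, window)
        print(f"{name:9s} PSI={value:.3f} -> {drift_verdict(value)}")
```

The small shift comes out well under 0.1, while the poisoned window, where the top three score bins are empty, is far above 0.25. PSI only says that the output distribution moved, not why; a change in the customer base moves it too, so the verdict is a trigger for investigation rather than proof of poisoning.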

Internet of Things (IoT) devices are a growing risk. These devices have some (usually small) level of intelligence built in; they may be sensors reporting daytime temperatures or water quality. However, they rarely have sophisticated security, and many are installed with the vendor's default password still in place. Hackers can take over a remote IoT device and use it to send messages into the network and then on to the mainframe. Organizations should raise the security level of all IoT devices in use, starting with changing default credentials and keeping the devices on a network segment that cannot reach the mainframe directly.
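Both the employee-password point earlier in the post and the IoT default-password point above come down to the same check: does a credential match something an attacker will try first? The example below is added here and is not code from the original post. The blocklist is just the five passwords the post quotes (a real deployment loads a list of millions of breached passwords), the vendor-default pairs are constructed, and the 12-character minimum is an assumption for the example. The normalisation step matters because naive blocklists are dodged by "P@ssw0rd1!" and "qwerty123".

```python
import re

# The five most common passwords quoted in the post (from Lookout).  A real
# deployment would load a list of tens of millions of breached passwords.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "12345"}

# Constructed vendor-default credential pairs; in practice pull these from the
# documentation of every device model you run.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("user", "user"),
}

# Substitutions people use to dodge naive blocklists: P@ssw0rd -> password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_forms(password):
    """Normalised variants of a password that should all be checked."""
    base = password.strip().lower()
    forms = {base, re.sub(r"[\d\W_]+$", "", base)}   # drop trailing digits/punctuation
    forms |= {f.translate(LEET) for f in forms}       # undo common substitutions
    forms.discard("")
    return forms


def screen_password(password, blocklist=COMMON_PASSWORDS, min_length=12):
    """Return the reasons a password should be rejected (empty list = acceptable).

    min_length=12 is an assumption for this example; use whatever your own
    policy requires.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too-short")
    if candidate_forms(password) & set(blocklist):
        reasons.append("common")
    if re.fullmatch(r"(.)\1+", password):             # aaaaaaaaaaaa, 111111111111
        reasons.append("repeated-character")
    return reasons


def uses_default_credentials(username, password, defaults=DEFAULT_CREDENTIALS):
    """True if the pair is a known vendor default (case-insensitive)."""
    return (username.strip().lower(), password.strip().lower()) in defaults


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1!", "qwerty123", "aaaaaaaaaaaa", "correct horse battery staple"]:
        print(f"{candidate!r:32s} -> {screen_password(candidate) or 'ok'}")
    print("sensor admin/Admin uses default:", uses_default_credentials("admin", "Admin"))
```

The same screen can be applied at password-change time on the mainframe side (for example from a password-exit or provisioning script) and to the credentials configured on each IoT device during deployment.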

Many people think of their mainframe as an isolated silo of computing. That is rarely true these days. Mainframes are often connected to mobile devices, the web, and the cloud. In addition, companies are often connected to other companies, their suppliers and customers. If another organization can access your mainframe, then the hackers can get in that way too: your supplier's site may not be as secure as yours, and you are offering the bad actors a half-open door into your mainframe and your data. Supply-chain security is vital.

It cannot be stressed enough how important it is to stay aware of all new potential threats to the cybersecurity of your mainframe. It is important to see the bigger picture, so that you can identify any new areas where security is not as tight as you hope. It is important to ensure recovery procedures are actually practised, so that they can be performed as quickly and efficiently as possible if that time ever comes. And it is important to have the right software in place to identify any changes to infrastructure as soon as they happen, and any changes in the behaviour of individual accounts, because these are early warning signs of an attack in progress. Finally, make sure all your security software is up to date, and all your staff are trained to recognize phishing (and similar) attacks.
