Many people think that SMF records will tell you everything that has happened at a site, and that, if you link them to some kind of alerting software, they will act as the cornerstone of your mainframe’s security. As far as they are concerned, as they sleep snugly in their beds at night, their mainframe security is done and dusted.
Many people also think that everyone who works for their organization and accesses their mainframes is intelligent and trustworthy, and not really worth worrying about when the main focus should be on gangs trying to extort money, or hostile nation states trying to destroy their country’s competitors, or simply to damage the infrastructure of any country they view as hostile. That’s where an organization’s main security focus should be, surely?
Let’s begin by deciding what an insider threat actually is, starting with people who are employed by an organization. They have a valid userid and password and a legitimate right to be accessing the mainframe. Now, every so often, humans make mistakes. Some are small, and some can be quite major. Your trusted insider may accidentally delete files or make some other change to the mainframe. Provided that person owns up straight away, the IT team can usually solve the problem fairly promptly: files can be restored from backups before the other batch jobs that use those files are scheduled to run, and chaos can be averted.
Other insiders may be more malicious. They may not have got the internal promotion they were expecting or the pay rise they needed. Other members of staff may have problems outside the office, for example a growing drug habit or increasing use of alcohol, or they may be running up gambling debts as they try to win back the money they have lost. Both groups are a problem. The disgruntled insiders may well deliberately damage data or applications, and they may have the authority to make other changes. The second group, the addicted users, may well be manipulated by organized crime into infecting the mainframe with some kind of malware that the criminals’ associates can then use to launch a ransomware attack.
These days, disgruntled employees can access Ransomware as a Service (RaaS) offerings and launch an attack on the mainframe themselves, hoping that the money they get from the ransom will compensate them for the money the company didn’t give them. It will also have to be enough to support their lifestyle once they go on the run.
Criminal gangs are also on the lookout for credentials that can get them into the mainframe. Disgruntled staff, or employees who need money to fund their habits, will be approached and offered money for their userids and passwords. Using these, the bad actors can do what they want on the mainframe, safe in the knowledge that most tools processing SMF records won’t identify unusual activity by those accounts, because every action is being carried out by a valid user.
There’s another group of employees that might be targeted by criminal gangs: people who need money. It may be that an ageing relative needs to go into a home and they need money to pay for that relative’s care. It may be that a family member needs an operation, or an expensive medication, that has to be paid for. These people may be vulnerable to exploitation by criminal gangs.
Of course, ordinary members of staff may be tricked by an AI simulating the voice of their manager, who asks to ‘borrow’ the employee’s userid and password to do some work over the weekend.
Typically, security tools won’t send alerts when valid userids and passwords are used. And if the settings are changed so that an alert is sent on every use of a valid credential, you get the situation where staff receive so many false positives that they tend to ignore the messages altogether.
Let’s see what the Cost of a Data Breach Report 2024 from IBM had to say about insider threats. The report puts the global average cost of a data breach in 2024 at US$4.88 million, with the USA having the highest average cost at US$9.36 million. Compared to other vectors, malicious insider attacks resulted in the highest costs, averaging US$4.99 million. It goes on to say that other expensive attack vectors included business email compromise, phishing, social engineering, and stolen or compromised credentials.
Stolen or compromised credentials were the initial attack vector in 16% of breaches, and those attacks were also costly for organizations, at an average of US$4.81 million per breach. Phishing came a close second, at 15% of breaches, but in the end cost more, at US$4.88 million. Malicious insider attacks accounted for only 7% of all breach pathways.
The report also found that the average time to identify and contain a breach fell to 258 days. However, when the breach involved stolen credentials or a malicious insider, the combined identification and containment time rose to an average of 292 and 287 days respectively.
So, while insider threats aren’t the biggest threat to your mainframe, they are still a significant one, both in the money they can cost your organization and in the time it will take to recover from the attack. SMF is great as a record of what has happened, but SMF records are written after the event, and security tools don’t usually send alerts when there is unusual activity by the accounts used by employees. So these activities aren’t identified straight away and aren’t halted. File integrity monitoring software would address that before it became a serious problem: it can identify unusual activity, immediately suspend the job or user, and then send an alert. If it turns out to be a real systems programmer working at 2 in the morning from, say, Outer Mongolia, then, once this is confirmed, the job can be allowed to continue. But if you don’t have that type of software installed, guess what’s going to be filling your time for the next 258 days!
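To make the point of the last two paragraphs concrete (alerting on every valid logon drowns staff in false positives, while a deviation from a userid’s own history is worth an alert), here is a per-userid baseline check in Python. It is an added example, not code from the original post or from any product. It assumes the SMF data has already been unloaded to a flat, pipe-delimited text form (real SMF records are binary; for RACF type 80 records, IRRADU00 produces such an unload), and the field layout, the sample records, the one-hour tolerance and the three rules are all assumptions chosen for the example.

```python
"""Per-userid baseline checks over logon and dataset-delete events.

Added example. Real SMF records are binary; the assumption here is that they
have already been unloaded to a flat, pipe-delimited text form. The records
below are constructed for the example and are not SMF output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history (assumed layout): UTC timestamp|userid|event|source|resource
HISTORY = """\
2024-05-06T08:55:10|SYSPRG1|LOGON|TSO-LON01|-
2024-05-06T09:10:42|SYSPRG1|DSDELETE|TSO-LON01|SYS2.TEST.LOAD
2024-05-07T09:03:05|SYSPRG1|LOGON|TSO-LON01|-
2024-05-07T17:48:19|SYSPRG1|LOGON|TSO-LON02|-
2024-05-08T08:59:57|SYSPRG1|LOGON|TSO-LON01|-
2024-05-08T14:20:01|SYSPRG1|DSDELETE|TSO-LON01|SYS2.TEST.OBJ
2024-05-08T14:20:03|SYSPRG1|DSDELETE|TSO-LON01|SYS2.TEST.LIST
2024-05-06T10:15:00|PAYCLK3|LOGON|CICS-TERM7|-
2024-05-07T10:02:31|PAYCLK3|LOGON|CICS-TERM7|-
2024-05-08T09:58:12|PAYCLK3|LOGON|CICS-TERM7|-
"""

# Constructed events to score: a routine logon, a 02:00 logon from an unseen
# source, a burst of deletes by a clerk who never deletes datasets, and a
# userid with no history at all.
NEW_EVENTS = """\
2024-05-09T09:01:15|SYSPRG1|LOGON|TSO-LON01|-
2024-05-09T02:04:33|SYSPRG1|LOGON|VPN-ULN01|-
2024-05-09T10:05:00|PAYCLK3|LOGON|CICS-TERM7|-
2024-05-09T10:06:10|PAYCLK3|DSDELETE|CICS-TERM7|PAY.MASTER.G0001V00
2024-05-09T10:06:12|PAYCLK3|DSDELETE|CICS-TERM7|PAY.MASTER.G0002V00
2024-05-09T10:06:14|PAYCLK3|DSDELETE|CICS-TERM7|PAY.MASTER.G0003V00
2024-05-09T11:00:00|GHOST01|LOGON|TSO-LON01|-
"""

HOUR_SLACK = 1  # an hour adjacent to one the user has used before still counts as usual


def parse_events(text):
    """Turn the pipe-delimited unload into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, source, resource = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "source": source, "resource": resource})
    return events


def build_baseline(events):
    """Per userid: hours of day seen, sources seen, and the busiest delete day."""
    hours, sources, deletes = defaultdict(set), defaultdict(set), defaultdict(int)
    for e in events:
        hours[e["user"]].add(e["ts"].hour)
        sources[e["user"]].add(e["source"])
        if e["event"] == "DSDELETE":
            deletes[(e["user"], e["ts"].date())] += 1
    baseline = {}
    for user in hours:
        per_day = [n for (u, _), n in deletes.items() if u == user]
        baseline[user] = {"hours": hours[user], "sources": sources[user],
                          "max_deletes_per_day": max(per_day, default=0)}
    return baseline


def hour_is_usual(hour, seen_hours):
    """True if the hour is within HOUR_SLACK of an hour already seen (wrapping at midnight)."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= HOUR_SLACK for h in seen_hours)


def score_events(events, baseline):
    """Return (event, reasons) for each event that deviates from its userid's own history."""
    alerts, deletes_today = [], defaultdict(int)
    for e in events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("no baseline for userid")
        else:
            if not hour_is_usual(e["ts"].hour, b["hours"]):
                reasons.append(f"hour {e['ts'].hour:02d} outside usual hours {sorted(b['hours'])}")
            if e["source"] not in b["sources"]:
                reasons.append(f"source {e['source']} never seen for this userid")
            if e["event"] == "DSDELETE":
                key = (e["user"], e["ts"].date())
                deletes_today[key] += 1
                if deletes_today[key] > b["max_deletes_per_day"]:
                    reasons.append(f"{deletes_today[key]} dataset delete(s) today exceeds "
                                   f"baseline max {b['max_deletes_per_day']}")
        if reasons:
            alerts.append((e, reasons))
    return alerts


def detect(history_text, new_text):
    """Build the baseline from history and score the new events against it."""
    return score_events(parse_events(new_text), build_baseline(parse_events(history_text)))


if __name__ == "__main__":
    for e, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"{e['ts'].isoformat()} {e['user']:<8} {e['event']:<9} {e['resource']}")
        for r in reasons:
            print(f"    -> {r}")
```

The routine 09:00 logons produce nothing, which is what keeps the alert volume down; the 02:04 logon from a source the userid has never used, the clerk’s burst of deletes and the unknown userid are each flagged with the reason, so the person on call can confirm with the systems programmer and let the work continue, or suspend it. In practice the baseline would be built from weeks of history rather than three days, and the scoring would run as records arrive rather than in a batch.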
What I’m suggesting is that insider threats are a real issue, and SMF on its own isn’t enough.