Sunday, 2 May 2021

Tell me about Kyndryl

IBM has finally come up with a name for its spin-off company. And that name is Kyndryl. Like many people, I assume you may be wondering how they came up with the name. Wasn’t NewCo good enough? I don’t know how much they spent on the name, but it works this way. The ‘Kyn’ part of the name is, apparently, taken from the word kinship and references the idea that relationships with people are at the centre of the strategy. The ‘Dryl’ part comes from tendril, and references new growth. And the thinking behind that is that together with customers and partners, the company helps advance human progress. So, now you know.

Martin Schroeter, the CEO of Kyndryl, says: “Kyndryl evokes the spirit of true partnership and growth. Customers around the world will come to know Kyndryl as a brand that runs the vital systems at the heart of progress, and an independent company with the best global talent in the industry.”

You’ll remember that IBM decided to separate its Managed Infrastructure Services business into a separate company, which it originally called NewCo. And this new company, Kyndryl, is expected to be completely separate from IBM by the end of this year.

As well as Martin Schroeter, other members of staff have been announced including Elly Keinan as Group President, Maria Bartolome Winans as Chief Marketing Officer, Una Pulizzi as global head of corporate affairs, and Edward Sebold as General Counsel. They are hoping to make Kyndryl a global leader in the management and modernization of IT infrastructure. The company will be headquartered in New York City.

The new company also released its corporate logo, which some people on social media have suggested used a font and a colour that is reminiscent of Amdahl’s old logo.

The other big question mark hanging over the company is how successful it can be. Clearly, some people are suggesting, if IBM thought that it would make lots of money in the foreseeable future, they wouldn’t have spun it off – they would have kept it in house as a revenue centre.

From IBM’s point of view, it looks like their thinking is to focus more on cloud services and away from its older focus on enterprise hardware. They want to be known for leadership in hybrid cloud applications and artificial intelligence.

It’s anticipated that Kyndryl will have 90,000 employees, 4,600 big enterprise clients in 115 countries, a backlog of $60 billion in business “and more than twice the scale of its nearest competitor” in the area of infrastructure services. Also, the managed infrastructure services unit is a $19 billion business in terms of annual revenues. So, clearly the company has plenty to keep it going, at least over the next few years.

So, what exactly are managed infrastructure services? Basically, they are a range of managed services based around mainframes and digital transformation related to it. As well as things like testing and assembly, there’s also product engineering and lab services, and there are other bits and pieces that make up the portfolio. It doesn’t include IBM’s server business.

What else will Kyndryl do? Because it’s independent, it expects to form alliances with a wide range of partners and build its business that way. The company is suggesting that it will design, run, and manage the most modern, efficient, and reliable technology infrastructure for the world’s most important businesses and organizations, with the industry’s most experienced services experts.

Kyndryl may have chosen an unusual name as a way of drawing people’s attention to it. Like all good advertising, a memorable brand name encourages people to buy the company’s products and services. The company seems to have a large customer base on launch, which means it should be successful in the immediate future. And the idea of forming alliances with other companies means that it can do things IBM, perhaps, couldn’t. So that also augurs well for its future.

Sunday, 25 April 2021

A mainframe ransomware attack – how to defend against it


Last week, we were discussing ransomware attacks on distributed systems and what could be done about them, and we ended with the sentences: “Often employees use the same password that’s stored in Active Directory to access the mainframe. So, watch out for hackers getting into that as well.” So, what can be done to protect your mainframe?

The scenario last time was that someone had got to your data and had read your list of Windows userids and passwords from Active Directory. If just one of those were the same as the login for the mainframe, then mainframe security was compromised – assuming you used userids and passwords to access the mainframe. But that’s not the only way to hack a mainframe.

Getting in

If you use CICS at your site, there are now automated tools that can be used to identify potential misconfigurations and bypass authentication. CICSpwn is one such tool that can retrieve the security settings running on the underlying z/OS operating system, read available files, enumerate system naming conventions, and even remotely execute code. And it’s available on GitHub for pen-testing. Alternatively, hackers, using the customer front end, can perform a brute force attack.

Another mainframe attack method is to use TN3270 emulation software. The attackers can then try password spraying, in which a single password is tried against every user on the system. This works better than trying a million passwords against one userid because repeated attempts against a single userid will lead to it being locked out.

FTP attacks are used because FTP on z/OS can be used to submit JCL, and so to run commands on the mainframe. A systems programmer might be caught in a phishing attack and have a keylogger put on their machine to capture their login and password. The hacker can then access the mainframe, issue commands, and do anything else they want.

With NJE, one trusted mainframe can send a job to another mainframe it’s connected to. It’s possible to use NJE to spoof a mainframe or submit a job and gain access to that mainframe.

Clearly, the attack surface for a mainframe is quite big. One way of seeing whether a site is actually vulnerable is to use pen-testers. These are ‘good’ guys who try to penetrate your mainframe – and then tell you what they found. They will probably suggest ways to protect the mainframe as well.

The other, obvious, issue is that mainframes are now running software that is commonly found on distributed systems, eg Java. It’s not unthinkable that any of the known vulnerabilities in that software will also exist on the mainframe – allowing hackers to gain access that way.

Unfortunately, it’s not just outsiders who can be attacking your mainframe – there can also be a problem with insiders too. Now, the majority of insiders won’t have any evil intention towards the data on the mainframe, and so the assumption is made that no-one has any bad intentions. This, quite often, isn’t the case. It may be that a trainee systems programmer can’t quite read his writing and makes an unfortunate change somewhere on the system, which may corrupt data or may lower the level of security that was being applied. The result was bad, but the intention was good.

But what about another employee who has run up serious gambling debts or has run out of money to pay for his drug habit? How hard would it be for criminals to target this person and ask them, just once, to make some change on the mainframe in exchange for all his current debts being forgotten? Of course, he’s going to do it. He needs to get out from under his debts, and the chances of anyone spotting what he did are, he thinks, very small.

Once they’re in

Once the hackers are inside the mainframe, their aims are the same as for a distributed system. They will try to increase their security level. They will look to see where data is stored. And the software on the mainframe will be dialling home for instructions. Once they have accomplished their goals, they will start exfiltrating (copying) the data, so that they can sell it on the dark web. They will corrupt the backups to stop the data being restored once it has been encrypted. They will encrypt the data. And they will leave a ransomware demand.

If you’re any kind of financial institution or large company, then losing your mainframe means that people will immediately notice that your service is no longer available. And, added to the cost of recovery or the ransom, will be the cost to your company’s reputation. Something that the company might never recover from.

What can be done?

The solution is simple – some piece of software that can identify changes being made and alert the security team as soon as it spots them. Some mainframers will heave a sigh of relief at this stage because everything on a mainframe is recorded in SMF records. But, have you ever tried to read through yesterday’s SMF records to find out what happened and when?

File Integrity Monitoring (FIM) software, which is quite common on distributed systems and is available for mainframes, can take a snapshot of an application or configuration file and later (weekly, hourly, or whatever time interval is required) compare that snapshot with the current state of the application or configuration file. If they are different, an alert can be sent to appropriate staff. The first snapshot has to be taken when the files are assumed to be unhacked – perhaps straight after QA testing. The snapshot uses a hashing algorithm, and the results are stored in a virtual vault – so that hackers can’t modify those as well as the files under attack.

FIM tools allow regular scans to be carried out. This, as mentioned above, might be weekly, daily, or even hourly for some very sensitive files. In addition, scans can be carried out on an ad hoc basis. This will detect any changes that have been made to files, particularly where required for PCI compliance.

Using a FIM tool means that the breach can be detected and reported the next time a scan on the affected file is run. The alert, highlighting what’s been changed, can be sent as an email to a responsible person or to a SIEM (Security Information and Event Management) console, or both. The organization affected can then take the appropriate steps to deal with the breach – and this will be so much sooner than without having the FIM software installed.

In addition, some FIM products can gather the required forensic information, including file accesses, userids, event times, and scope of attack. They can then promptly initiate policy-managed actions such as quarantine or userid suspension. Because FIM tools know when each component was last correct, they can then initiate the appropriate actions to restore and verify that all systems are in their approved state.

What about those backups? Some FIM tools can regularly check those and notify appropriate staff as soon as any changes are detected.
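To make the FIM mechanism described above concrete, here is an added toy implementation (not code from any FIM product or from the original post): it hashes every file under a monitored root with SHA-256, keeps the baseline in a vault file outside that root, and on a later scan reports modified, added and deleted files. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added toy FIM, not a real product: hash every file under a monitored root,
# keep the baseline in a "vault" file outside that root, and rescan later.

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large members need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Baseline: relative path -> content hash for every regular file under root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_vault(snap: dict, vault: Path) -> None:
    """Persist the baseline outside the monitored tree; in a real deployment the vault
    itself must be write-protected, or an attacker would simply re-baseline."""
    vault.write_text(json.dumps(snap, sort_keys=True))

def load_vault(vault: Path) -> dict:
    return json.loads(vault.read_text())

def compare(baseline: dict, current: dict) -> dict:
    """What a scan alerts on: changed content, unexpected new files, missing files."""
    return {"modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
            "added": sorted(k for k in current if k not in baseline),
            "deleted": sorted(k for k in baseline if k not in current)}

def demo() -> dict:
    """Constructed run: baseline a known-good tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "parm").mkdir(parents=True)
        (root / "parm" / "security.cfg").write_text("AUDIT=ALL\n")
        (root / "parm" / "startup.cfg").write_text("REGION=0M\n")
        vault = Path(tmp) / "vault" / "baseline.json"   # deliberately outside root
        vault.parent.mkdir()
        save_vault(snapshot(root), vault)                # taken straight after QA, say
        # Changes made between scans (constructed): one edit, one new file, one removal
        (root / "parm" / "security.cfg").write_text("AUDIT=NONE\n")
        (root / "parm" / "unexpected.cfg").write_text("x\n")
        (root / "parm" / "startup.cfg").unlink()
        return compare(load_vault(vault), snapshot(root))
```

A real scheduler would call `snapshot` and `compare` on the weekly, daily or hourly cadence mentioned above and route the result to email or a SIEM.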

Bottom line

Protecting the attack surface and regular pen-testing are vitally important to keep out bad actors, but something else is required to defend the mainframe against any that get through and against acts carried out by trusted members of staff. That something else is the use of FIM software, which can alert security staff as soon as changes are detected, and before the ransomware attack gets fully underway.

Sunday, 18 April 2021

A ransomware attack – how it works and how to defend against it

For many organizations, and individuals, the first sign of a ransomware attack is when a message appears on their computer screen telling them that their data has been encrypted and it will only be unencrypted if a payment, usually in bitcoins, is made to the hackers.

The organization is usually unaware of what else the hackers have been doing on their system including taking a copy of the data before they encrypt it and leave their message.

For many organizations, there is little choice about what to do. They can lose their data or they can pay up. But that last option always comes with issues because the hackers are criminals – so, even if they do take the money, what are the chances that they’ll actually bother unencrypting the data? And the data they’ve stolen? Won’t they still sell that information on the dark web?

There was a time when organizations could simply go to their extensive backups and restore their data from those. They might lose some of their most recent data – updates that were made between the time the backup was taken and the time the attack took place – but it’s probably worth it. Hackers were quick to spot that loophole in their plan and now corrupt backups before encrypting the data and informing the organization.

Many people used to believe that hackers were opportunists insofar as they would gain access to a corporate network and encrypt the data in a matter of hours. Nowadays, sophisticated hackers – often criminal gangs rather than individuals – will spend time maximizing the amount of information they can get their hands on and the damage they can do.

The steps in a cyberattack

So, let’s take a look at the stages in a modern cyberattack. And then we’ll look at some signs that such a ransomware attack is underway.

Step one is to get someone in an organization to download your software. An innocent-looking email arrives explaining that the recipient has a tax refund due to them. For security reasons, they simply need to click on the link to find the details. Or they are asked to help with the Black Lives Matter campaign – just click on the link to find out more. Or any number of other subjects get unaware employees to click on the link. Sometimes, the malicious code is buried in an innocent-looking attachment. It still has the same result.

Step two is the infection stage. The malware is downloaded and it executes.

Step three is for the malware to dial home to ensure it can talk to the hackers who set it up. It also starts to make changes to the network and increases its security level to that of an admin.

Step four is to scan for data – whether that’s on a local computer, server, or the cloud. This can take some time to complete.

Step five is to corrupt backups. Step six is to upload data to the hackers. This would usually be personally identifiable information such as names and addresses, passwords, social security numbers, credit card numbers, etc. These two steps may occur at the same time.

Step seven is to encrypt your data. And step eight is to send a message saying that a ransomware attack has taken place and you need to pay the ransom.


The first way to prevent ransomware attacks is to ensure that all staff are trained to recognize phishing emails and not click on dubious links or attachments. And then run your own phishing attack on random employees to see how well the message is getting across as a way of raising the awareness of everyone.

Most sites prevent employees from plugging in memory sticks, which might contain malware on them.

Software that prevents staff accessing websites that are known to contain malware can help. Also helpful is software that filters spam emails or other suspicious emails. It’s also possible to stop files that are attached to emails with certain extensions reaching users. If the email isn’t in a user’s inbox, they can’t click on links or attachments and download the malware. Unfortunately, these approaches are never 100 percent efficient.

Keep all your software up to date so that it is not vulnerable to any known security issues. The same applies to hardware. The firmware in laptops can be the target for attacks, so it is important to install any security updates across the PC fleet as quickly as possible.

The good news is that ransomware attacks do leave footprints that can be identified. Although they aren’t conclusive that a ransomware attack is taking place, they are a sign that it might be. One sign might be that there’s a lot of unusual activity on some files. For example, there may be lots of failed file renames resulting from attempts by the malware to access those particular files. There may be unusual activity at unusual times of the day, which is caused by the ransomware encrypting files. Another sign of a hack, that might not be obvious at first, is to see that an admin has been logging on to servers during the night at much the same time for a few nights in a row. While logged in, they’ve been moving between servers using a remote desktop protocol (RDP). Or, you may find that people are reporting their inability to access certain files, which, again, may be caused by the ransomware encrypting or moving the file. And there may be unusual network activity as the malware communicates with the hackers – perhaps sending data to them.

Identify attacks taking place

So, what can be done to identify these signs of an attack? The answer is to continually monitor your system. Try to set up a baseline for what happens on your system so that it becomes easier to identify abnormal activity. Scan for unusual file activity – looking for changes. Log all incoming and outgoing traffic – to see whether the ransomware is dialling home. And always investigate anything out of the ordinary.
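Two of the warning signs listed above – an admin logging on to servers in the middle of the night for several nights running, and bursts of failed file renames – turned into checks that run over sample log lines. This is an added example, not code from the original post; the log format, field names, the 00:00 to 04:59 night window and the thresholds are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any product's): "<ISO ts> <EVENT> user=<id> result=<OK|FAIL>"
NIGHT_HOURS = range(0, 5)                                  # out-of-hours window: 00:00-04:59
CONSECUTIVE_NIGHTS = 3                                     # admin logons on this many nights in a row
RENAME_FAILS, RENAME_WINDOW = 20, timedelta(minutes=5)     # failed-rename burst threshold

def parse(line):
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def night_logon_streaks(records, admins):
    """Admins with out-of-hours logons on CONSECUTIVE_NIGHTS or more consecutive days -> longest streak."""
    days = defaultdict(set)
    for r in records:
        if r["event"] == "LOGON" and r.get("user") in admins and r["ts"].hour in NIGHT_HOURS:
            days[r["user"]].add(r["ts"].date())
    flagged = {}
    for user, dates in days.items():
        ordered, run, best = sorted(dates), 1, 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if (cur - prev).days == 1 else 1   # streak resets on a missed night
            best = max(best, run)
        if best >= CONSECUTIVE_NIGHTS:
            flagged[user] = best
    return flagged

def rename_failure_bursts(records):
    """Users with RENAME_FAILS or more failed renames inside a sliding RENAME_WINDOW -> count when tripped."""
    per_user = defaultdict(list)
    for r in records:
        if r["event"] == "RENAME" and r.get("result") == "FAIL":
            per_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > RENAME_WINDOW:            # slide the window forward
                start += 1
            if end - start + 1 >= RENAME_FAILS:
                flagged[user] = end - start + 1
                break
    return flagged

def sample_log():
    """Constructed sample: benign daytime work, an admin at ~02:00 three nights running,
    and a service account failing renames every few seconds."""
    lines = ["2021-04-12T09:05:00 LOGON user=alice result=OK",
             "2021-04-12T09:06:30 RENAME user=alice result=OK"]
    lines += [f"2021-04-{d}T02:1{d % 10}:00 LOGON user=opsadmin result=OK" for d in (12, 13, 14)]
    base = datetime(2021, 4, 14, 2, 30)
    lines += [f"{(base + timedelta(seconds=7 * i)).isoformat()} RENAME user=svc_bkp result=FAIL" for i in range(25)]
    return lines

def run(lines=None):
    records = [parse(l) for l in (lines or sample_log())]
    return {"night_admin": night_logon_streaks(records, {"opsadmin"}),
            "rename_bursts": rename_failure_bursts(records)}
```

The baseline the paragraph recommends is what the thresholds stand in for here: on a real system they should be set from observed normal activity, not picked by hand.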

There is also the problem that software tools used by the IT security team can be used by hackers. Once a hacker has admin rights, they can use legitimate tools on your system, such as PC Hunter or Process Hacker, to disable security software. And if you’re not expecting these kinds of tools to be where you find them, then that can be a sign of a hack in progress.

The presence of network scanning software (eg AngryIP) can also be a sign of an attack taking place. Once the hackers have access to one computer, they will try to gain a full view of the corporate network in order to access all the valuable data (or as much as possible). If no-one in IT knows anything about the scanner software, then it is a clear sign an attack is underway.

Use an intrusion detection system (IDS). This is designed to continually monitor a network for policy violations or any activity that might be considered malicious, and report what it has found. Some can respond to any intrusions. These are usually called intrusion prevention systems (IPS). Whatever you use, keep it up to date. And make sure that it can detect the common exploit kits (EK) used to get ransomware onto a network.

Some sites create a honey trap, an area that appears to be full of rich data pickings to entice the would-be hackers to investigate it further. By monitoring for any activity on that disk, it’s possible to quickly identify that an attack is in progress. Because hackers usually work through the drives in alphabetical order, it makes sense to give it the letter E: or G:.

What else?

Lastly, consider buying cyber insurance to help pay for recovering your system after a successful attack. I’m not sure whether the insurance covers the damage to your reputation!

Often employees use the same password that’s stored in Active Directory to access the mainframe. So, watch out for hackers getting into that as well.

Find out more about iTech-Ed here.