How to Defend Your Mainframe From Various Hacking Techniques and Insider Threats
Many people think that their mainframe is totally secure. After all, why wouldn’t it be? For a start, they’re running an external security manager (ESM) that limits what people can do and what they can access. There’s the system authorization facility (SAF), a z/OS interface providing infrastructure-security administration tools that help prevent unauthorized access to files. If you use a z14 or z15 mainframe, it has pervasive encryption, which means that files are encrypted at rest and in flight. Multi-factor authentication (MFA) can be used to make it harder for unauthorized people to access the mainframe. Some sites use QRadar as their SIEM for detecting advanced threats and insider threats, securing cloud environments, incident response, and so on. And, of course, everything is recorded by System Management Facilities (SMF) and will show up in the log file.
Add the fact that mainframes are so arcane that hackers simply don’t understand how they work, and it seems entirely reasonable to conclude that there is nothing to worry about in terms of mainframe hacks.
But if that truly were the case, why have mainframes been hacked? In 2008, Luxottica, the parent company of LensCrafters, suffered a mainframe breach exposing nearly 60,000 employees’ records from its US headquarters. In 2013 the mainframes of Logica and the Swedish Nordea Bank were hacked. And there have been other, more recent, attacks – most of which were never made public.
So, how could a mainframe be hacked—especially with all of that security already available to prevent any unauthorized access? Worryingly, it seems that there are a number of ways.
Mainframe Hacking Techniques
For sites that use CICS, automated tools are available that can be used to identify potential misconfigurations and use those to bypass authentication. CICSpwn is available for download from GitHub. It can be used for penetration testing. It retrieves the security settings running on the underlying z/OS, reads available files, enumerates system naming conventions and even remotely executes code. While a pen-tester can use this information to prevent attacks, bad actors can use it to actually gain access through CICS and start their attack. Alternatively, hackers can use the customer front end that’s available with CICS and perform a simple brute force attack to find a userid and password that will get them into the system.
A second attack method is using FTP. Two things need to happen first: keylogger software needs to capture the login credentials from a systems programmer, and a “connection getter” needs to identify where to FTP to. Commands can be written to upload malicious binaries, and JES/FTP commands can be used to execute those binaries. The hacker can do it from whatever computer they are using (Windows, Linux, etc.). Once into the system, the hacker can do what they want.
Similarly, hackers can use TN3270 emulation software for their attack. Provided they have some potential userids, they can then try password spraying. This is where a few commonly-used passwords are tried against every user on the system. This works better than the usual brute force attack, where many different passwords are tried against one userid, because repeated password attempts will lead to that userid being locked out by the system.
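The reason spraying evades the lockout rule is that the ESM counts failures per userid, not per source. A defender therefore needs to look at the other axis: how many distinct userids a single source has tried. The following is an added example, not code from the original article; the logon-failure log format is constructed for the demo and is not real SMF or RACF output.

```python
from collections import defaultdict

# Constructed sample of failed-logon events: time, result, userid, source address.
# The layout is an assumption for this demo, not a real SMF/RACF record format.
SAMPLE_LOG = """\
08:00:01 FAIL USER01 10.1.1.50
08:00:02 FAIL USER02 10.1.1.50
08:00:03 FAIL USER03 10.1.1.50
08:00:04 FAIL USER04 10.1.1.50
08:00:05 FAIL USER05 10.1.1.50
08:00:06 FAIL USER06 10.1.1.50
08:01:00 FAIL USER07 10.1.1.50
08:01:01 FAIL USER08 10.1.1.50
08:05:00 FAIL ADMIN1 10.1.1.77
08:05:01 FAIL ADMIN1 10.1.1.77
08:05:02 FAIL ADMIN1 10.1.1.77
08:05:03 FAIL ADMIN1 10.1.1.77
08:05:04 FAIL ADMIN1 10.1.1.77
08:09:00 FAIL USER01 10.1.1.9
"""

def parse(log):
    # Keep only failed logons as (time, userid, source) tuples.
    events = []
    for line in log.splitlines():
        ts, result, user, src = line.split()
        if result == "FAIL":
            events.append((ts, user, src))
    return events

def classify(events, spray_users=5, lockout=3):
    """Per source: many distinct userids, each tried fewer than `lockout` times,
    is the spraying pattern the ESM lockout rule will not catch; one userid tried
    `lockout` or more times is the brute-force pattern that lockout already stops."""
    per_src = defaultdict(lambda: defaultdict(int))
    for _, user, src in events:
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        worst = max(users.values())
        if len(users) >= spray_users and worst < lockout:
            verdicts[src] = "password spray"
        elif worst >= lockout:
            verdicts[src] = "brute force"
        else:
            verdicts[src] = "normal"
    return verdicts
```

The thresholds are assumptions; tune `spray_users` to your user population and set `lockout` to the ESM's actual revoke count so the two detections line up.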
NJE (Network Job Entry) allows one trusted mainframe to send a job to another mainframe that it’s connected to. Hackers can use NJE to spoof a mainframe or submit a job and gain access to that other mainframe.
Another vulnerability of modern mainframes is that they’re not as difficult to use as they used to be. They are, in fact, running a lot of software that, until recently, was only found on distributed systems. The trouble is that this common software may come with its own vulnerabilities. And that means hackers, who are familiar with exploiting those vulnerabilities on distributed systems, will be able to exploit them on the mainframe.
You may ask how a systems programmer’s laptop gets compromised by a keylogger. The answer is standard phishing attacks, or by injecting JavaScript into a common website. When the systems programmer browses the site, malicious code is run in the browser, which then downloads the keylogger—a drive-by infection.
Insider Threats
Unfortunately, it’s not just people outside the mainframe perimeter who can cause damage to the contents of the mainframe. There is also the threat of damage from trusted people who work inside the perimeter. These fall into two groups: the mistaken and the mischievous. The first group set out with the best of intentions, but either through carelessness or lack of appropriate knowledge cause the corruption or deletion of data.
The second group do have bad intentions. This may be people who think that some files really “belong” to them, and that there’s no problem if they take a copy of the files with them when they leave for another job. There may be disgruntled staff who simply want to cause trouble before they are marched off the premises. More worrying still are staff who are working for criminal gangs. They may have a drug problem or a gambling problem—or could owe money to gangs who ask them to put malicious software on the mainframe. Whatever the reason, your computer has now been hacked.
What Do the Hackers Want?
Once a piece of software is on the mainframe, it will want to dial home to get more instructions. The hackers will then want to increase their security level. They will want access to files containing customers’ details such as social security numbers, credit card details and PINs, as well as names and addresses. This is called doxing—it means searching for and publishing personally identifiable information. This information will be exfiltrated and can be sold on the dark web. To stop organizations restoring their files from a backup, the hackers will corrupt the backups. They will then encrypt the data and send a message asking to be paid in bitcoin.
The real question for many sites is what to do next. Do they pay the ransom? Will the hackers decrypt the data? Will the stolen data still appear on the dark web?
The hackers want to do all of this without the mainframe security team being aware that they are there—going through all of the tasks they need to perform before the ransomware demand is made. This can take weeks or months.
Obviously, the best solution is to have something in place that will identify the intrusion as soon as the hackers start and will tell the appropriate security staff that something is going on.
Defending Against Hacks and Insider Threats With FIM Tools
Checking through SMF records to find when a change took place is not something many IT security people will undertake with any enthusiasm. What’s needed is file integrity monitoring (FIM) software, which is quite common on distributed systems and is available for mainframes. This can take a snapshot of an application or configuration file and later (weekly, hourly, or whatever time interval is required) compare that snapshot with the current state of the application or configuration file. If they’re different, an alert can be sent to appropriate staff. The first snapshot must be taken when the files are assumed not to have had a chance to be hacked—perhaps straight after QA testing. The snapshot uses a hashing algorithm, and the results are stored in a virtual vault so that hackers can’t modify those as well as the files under attack.
As well as regular scans, FIM tools allow scans to be carried out on an ad hoc basis. This will detect any changes that have been made to files and is particularly useful to ensure an organization is PCI compliant.
Using a FIM tool means that the breach can be detected and reported the next time a scan on the affected file is run, and each site can decide on that interval at the individual file level. The alert, highlighting what’s been changed, can be sent as an email to a responsible person, to a Security Information and Event Management (SIEM) console, or both. The organization affected can then take the appropriate steps to deal with the breach—and this will be much sooner than would be possible without FIM software installed.
In addition, some FIM products can gather the required forensic information, including file access, userids, event times and scope of attack. They can then promptly initiate policy-managed actions such as quarantine or userid suspension. Because the FIM tool knows when each component was last correct, it can initiate the appropriate actions to restore and verify that all systems are in their approved state.
What about those backups that hackers like to corrupt? Some FIM tools can regularly check those and notify appropriate staff as soon as any changes are detected. In addition, sites using the software will be compliant with the PCI and NIST security frameworks.
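The snapshot-and-compare loop described above, with the baseline protected so that an attacker who can change the monitored files cannot quietly change the stored hashes too, as an added example. This is illustrative code written for this article, not any FIM product’s implementation; the HMAC seal standing in for the “virtual vault”, the key, and the file names are all constructed for the demo.

```python
import hashlib, hmac, json, os, tempfile

VAULT_KEY = b"constructed-demo-vault-key"  # constructed; keep key and baseline off-host in reality

def hash_file(path):
    # SHA-256 over the file contents, read in chunks so large datasets work too.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def seal(digests):
    # HMAC over the canonical baseline, so edits to the stored hashes are detectable.
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(VAULT_KEY, body, hashlib.sha256).hexdigest()

def snapshot(paths):
    # Baseline taken when the files are known good (e.g. straight after QA).
    digests = {p: hash_file(p) for p in paths}
    return {"digests": digests, "tag": seal(digests)}

def compare(baseline, paths):
    # Refuse a baseline whose seal no longer matches: the vault itself was altered.
    if not hmac.compare_digest(seal(baseline["digests"]), baseline["tag"]):
        raise ValueError("baseline vault tampered")
    known = baseline["digests"]
    current = {p: hash_file(p) for p in paths if os.path.exists(p)}
    return {"modified": sorted(p for p in known if p in current and current[p] != known[p]),
            "missing": sorted(p for p in known if p not in current),
            "added": sorted(p for p in current if p not in known)}

def demo():
    # Constructed sample: two files snapshotted, then one altered and one deleted.
    d = tempfile.mkdtemp()
    cfg, bkp = os.path.join(d, "PARMLIB.txt"), os.path.join(d, "BACKUP.txt")
    for p in (cfg, bkp):
        with open(p, "w") as f:
            f.write("approved content\n")
    base = snapshot([cfg, bkp])
    with open(cfg, "a") as f:
        f.write("unapproved change\n")   # simulated tampering with a config file
    os.remove(bkp)                        # simulated destruction of a backup
    report = compare(base, [cfg, bkp])
    base["digests"][cfg] = hash_file(cfg)   # stored hash edited to hide the change
    try:
        compare(base, [cfg, bkp]); vault_alarm = False
    except ValueError:
        vault_alarm = True
    return report, vault_alarm
```

Scheduling the `compare` call at the per-file interval and forwarding the returned report to email or a SIEM is the piece each site configures to taste.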
Mainframe Hacks Happen. Defend Your Data.
Hacking attacks on mainframes do take place. According to the 2020 IBM Cost of a Data Breach Report, the average total cost of a data breach is $3.86 million, although in the USA the average cost is a staggering $8.64 million. The report says that the average time to identify and contain a breach is 280 days. That wouldn’t be the case if FIM software were to be used on a mainframe.