Hacking the Mainframe: 5 Security Facts CISOs Need to Know

With the right knowledge, it’s possible to hack the mainframe in under half an hour. Are you doing everything you can to secure it?

The mainframe is the most important IT asset for many organizations today, keeping operations up and running and providing the performance and number crunching required by essential technologies like machine learning and artificial intelligence. Yet, the security of the mainframe is often taken for granted, especially by modern CIOs or CISOs who typically cut their teeth in the world of distributed networking.

To them, the mainframe is legacy technology—something that is essential to the business, sure, but that can mostly be trusted to take care of itself. Some may not realize that, far from being a back-office system that’s walled off from today’s biggest security threats, the mainframe’s increased integration into modern IT means that it’s now more exposed than ever to risk. Given the sensitive nature of the data processed by these systems, a single mainframe vulnerability could result in a major breach, financial loss, reputational damage, and, ultimately, your job.

A Modern IT Security Strategy Includes the Mainframe

Here are five reasons why CISOs today need to develop a modern IT security strategy that incorporates the mainframe.

1-It is easier to hack the mainframe than you think. Mainframes are arguably the most securable computing platform, but any system has its weaknesses, and the mainframe is no exception. It’s still susceptible to ransomware attacks, cybersecurity threats, and vulnerabilities that leave it open to serious exposures. This misconception can lull CISOs into a false sense of security about the level of risk associated with their mainframe environment.

And though some CISOs may know that they need to bolster the security of their mainframes, the typical solutions are incapable of providing a complete security strategy. For example, the big three mainframe security software tools—RACF, ACF2 and Top Secret—are helpful for establishing mainframe user permissions and access control. But they are completely blind to one of the biggest mainframe security risks: zero-day vulnerabilities in mainframe operating system code, which provide a pathway for hackers to exploit and control your mainframe. These tools simply cannot scan for OS-level code-based vulnerabilities. That’s a major blind spot.

2-There are more vulnerabilities on the mainframe than you realize. It’s so much easier to hack the mainframe than you think because mainframe systems have a large number of vulnerabilities, which often go unreported or even undetected. Have you ever heard of a trapdoor vulnerability? How about a storage alteration vulnerability? These are two of the most severe system integrity vulnerabilities. When exploited by non-authorized users, these vulnerabilities allow people with no special privileges to access the system and alter the environment or virtual memory.

But mainframe specialists are at a disadvantage when it comes to locating and categorizing these vulnerabilities, because they lack the standardized vulnerability scoring, like the Common Vulnerability Scoring System (CVSS), and the shared vulnerability database, like the National Vulnerability Database (NVD), that are common for other computing systems. In the absence of this type of shared information around mainframe vulnerabilities, it’s incredibly important for each organization to develop its own process for ongoing vulnerability scanning.

3-Compliance regulations now require scanning every system. That includes the mainframe. Developing a vulnerability management program is also a matter of compliance. According to the Payment Card Industry Data Security Standard (PCI DSS), any organization that deals with cardholder data is required to have a process to identify security vulnerabilities and assign a risk ranking to any newly discovered vulnerabilities.

Just this spring, the National Institute of Standards and Technology (NIST) released a revised version of their flagship risk management documents, making important changes and updates for the modern security era. Notably, NIST is now recommending that companies scan all systems. 

Many companies do have a process in place for application scanning, but application scanning alone won’t identify every system flaw. Modern CISOs need to know that the only viable solution to ensure that they’re securing their environment at every level is to scan the mainframe OS, identify vulnerabilities, and fix them.

4-It’s not enough to rely on your vendors. The mainframe industry is notoriously closed off and hasn’t benefited from the sort of transparent discussion of security breaches and independent research that is enjoyed by the distributed networking community. Hardware vendors enabled this climate by not fully disclosing vulnerability information to customers when vulnerabilities were discovered and by discouraging researchers who spoke up about the risks they identified.

Only now, decades after researchers first rang the alarm bell, are some vendors starting to publicly acknowledge the mainframe’s vulnerability and roll out tools to scan for risks. But they’re essentially playing catch-up, and as a mainframe customer, you have to ask yourself whether you should put your trust in a tool that’s been developed this late in the game. When it comes to something as delicate as mainframe security, you need to trust that your tools are comprehensive and accurate enough to identify the breadth and depth of vulnerabilities that can threaten this system.

5-Your competitors are likely already ahead of the curve. Odds are, your competitors are already investing in substantial mainframe security programs and solutions. If you’re not, you’re behind the curve. And not only are you putting your organization – and the sensitive data you store – at risk, but you’re also at risk of being seen as less secure and less trustworthy than your competitors.

The finance industry in particular has traditionally been well ahead of the curve on mainframe security, due to more stringent compliance regulations than other industries. But even if your industry regulations are less comprehensive, you’re still very much at risk. The data you store on your mainframes is valuable to hackers, and your security processes should be designed to address that.

A Comprehensive Security Strategy

The mainframe isn’t inherently secure, but it’s not as difficult to protect as you might think. It’s all about treating the mainframe as you would any other computing system. Don’t just dismiss it as a legacy system. Bake it into the rest of your IT security strategy. Do your research and find the people, technologies, and strategies that you can trust to help.