The Institute for Security and Technology's Ransomware Task Force has reported that in 2021, ransomware payments by victims of such attacks increased by 70% compared to 2020. Not only is ransomware a problem for financial firms, but also for health care, education, and other industries. These attacks also impact supply chains, the environment, and the economy. The security and reliability of the mainframe have placed the platform in a unique position of being considered nearly impenetrable, but security experts say that there is no excuse for not being vigilant against cyberattacks.
Mainframe Is Vulnerable to Cyberattacks
Mark Wilson, senior director for consulting services at BMC, says, "The mainframe is absolutely not immune and to the bad actors it’s just another computer/server. It's different in many ways but still as vulnerable as any other platform." Nestor Morejon, chief security architect at Iconium Software, agrees. "Let's dispel the notion that mainframes are not vulnerable to cyberattacks, malicious attempts to illegally access or compromise company/customer sensitive data. This outdated belief system must be re-analyzed based on empirical data from current reputable studies and research by IBM and other industry analysts," he adds.
The mainframe is one of the "most securable" platforms available, says Wilson. However, "it takes time, effort, and funding to do it properly. Given the amount of data hosted on mainframes today, they are increasingly attractive to the plethora of bad actors out there." Morejon points out, "The geographically dispersed workforce model of the user community, which was quickened by the pandemic," makes securing the platform more difficult. "It’s not the glasshouse anymore, I call it more like the Plexi-house with large holes for data ingress and egress," he explains. "It's not just corporate employees affected by this new workforce paradigm, but also partners, customers, and consultants who are working all around the world. You may have developers in India, customer service in Latin America, and marketing consultants in Europe. What’s affecting cyber controls is the fact that the data is not just at rest, it’s in transit all over the world, outside the normal data center constraints and security controls."
According to Morejon, mainframe security has been tied to the strength of its security software (i.e., RACF, ACF2, and Top Secret), which can lock down access to the data by any user, including privileged accounts. "However, when systems have super users with elevated access credentials, you've allowed them top security access to the most sensitive data," he says. "Hence, you will not get normal security violations for these users, because you’ve granted them access. The current problem is that these users are part of the geographically dispersed workforce, subject to multiple levels of cyberattacks."
Top Vectors Threatening Mainframes Today
Mainframes are exposed to the same attack vectors as other platforms, they say, particularly those that affect distributed systems. Wilson says the top cyberattack vectors include:
- Compromised credentials
- Weak and stolen credentials
- Malicious insiders
- Missing or poor encryption
- Misconfiguration in the operating system (z/OS) or external security managers (RACF, ACF2, and TSS)
Bad actors want to steal data to sell it, use stolen data to steal money, or hold data hostage to demand a ransom from the enterprise. Morejon indicates that bad actors want to achieve these four basic goals: steal the data, destroy the data, compromise the data, or prevent access to the data (i.e., denial of service attacks). "With these definitions in mind, is the data on the Mainframe any different than any other platform? I don’t think so. The method by which they execute these types of attacks may be a bit different on the mainframe, but still achieve the same results," he explains. These attack vectors also fall into two major categories: impersonating users (compromised credentials) or spoofing geolocation access (IP address).
"Getting the user’s credentials is now easier than ever, since users may be providing their credentials unencrypted via an unsecured Wi-Fi environment, a Man in the Middle attack – such as a coffee shop or hotel room, and even their unprotected home office," says Morejon. "The targets are the high-privileged accounts since security control will normally not report on their access. IP spoofing is a common method by which bad actors hide the true origin of their location via multiple IP hops throughout the world or hide behind encrypted SSL tunnels."
He adds that compromised credentials are more likely when hardening policies (such as minimum password length and complexity) are not in place, when an organization is not using multi-factor authentication (MFA), or when its password change policies are weak. "Brute force attacks, such as password cracking routines, should by now be stopped by multiple failed password attempts policies," Morejon explains. He warns, "Once the credentials are compromised, especially the privileged accounts, it’s extremely difficult to report violations with normal security technologies."
Morejon says that untrained users are often compromised by social engineering tactics. For example, a fake helpdesk caller can obtain user credentials simply by posing as an auditor or by pretending to troubleshoot a security incident. "Lack of proper use of encryption can lead to exposing the data to bad actors," he says. "Business-critical data should be encrypted at rest and in transit at all times. Again, Man in the Middle attacks can just sniff the traffic of the remote workforce to gain access to the information."
Further, Zero-Day Exploit attacks can be hard to detect until it’s too late. "Bad actors identify unpatched older versions of the operating system or application software levels and create malware to exploit the vulnerability before patching can occur," says Morejon. "A simple solution is to maintain all systems at current patched levels. This affects the mainframe as well."
Security Strategies for Mainframe
Wilson explains that multi-factor authentication must be employed as one tool against compromised credentials, and Morejon agrees. Other strategies enterprises can use include least-privilege access controls, role-based access controls, and real-time logging, monitoring, and alerting. Combined, these controls make credentials harder to steal and limit what a stolen credential can do. "Real-time alerting and the use of artificial intelligence and machine learning for behavioral analysis can help enterprises identify anomalous behavior, especially when combined with real-time alerting," he adds. Finally, to combat missing or poor encryption or misconfiguration of the operating system or external security managers, enterprises should employ real-time configuration compliance monitoring to ensure all settings and controls are properly deployed. Combining this with real-time alerting, Wilson says, is a sure-fire way to identify issues quickly.
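To make the configuration compliance monitoring described above concrete, here is an added example (written for this page, not code from BMC, Iconium, or IBM) that audits the password and PROTECTALL settings of a RACF system against an assumed baseline and reports which settings have regressed since the last known-good snapshot. The two listings are constructed approximations of the relevant lines of `SETROPTS LIST` output, not captures from a live system, so the regular expressions assume that simplified layout; the thresholds are an assumed policy, and the remediating `SETROPTS` commands should be verified against the RACF command reference for your release. ACF2 and Top Secret expose the equivalent options through different commands and listings, so only the check logic carries over.

```python
import re

# Constructed approximations of the password and PROTECTALL sections of RACF
# "SETROPTS LIST" output (line text simplified; not captured from a live system).
WEAK_LISTING = """\
PASSWORD PROCESSING OPTIONS:
  PASSWORD CHANGE INTERVAL IS 180 DAYS.
  MIXED CASE PASSWORD SUPPORT IS NOT IN EFFECT
  NO PASSWORD HISTORY BEING MAINTAINED.
  USERIDS NOT BEING AUTOMATICALLY REVOKED.
PROTECT-ALL IS NOT IN EFFECT
"""

HARDENED_LISTING = """\
PASSWORD PROCESSING OPTIONS:
  PASSWORD CHANGE INTERVAL IS  60 DAYS.
  MIXED CASE PASSWORD SUPPORT IS IN EFFECT
  10 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
  AFTER   5 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS,
    A USERID WILL BE REVOKED.
PROTECT-ALL IS IN EFFECT, CURRENT OPTIONS:
"""

# (check name, regex over the listing, pass predicate on the match, remediating command)
# Thresholds are an assumed baseline policy, not a standard; adjust to your own.
CHECKS = [
    ("password_interval_le_90",
     r"PASSWORD CHANGE INTERVAL IS\s+(\d+) DAYS",
     lambda m: int(m.group(1)) <= 90,
     "SETROPTS PASSWORD(INTERVAL(60))"),
    ("mixed_case_passwords",
     r"MIXED CASE PASSWORD SUPPORT IS (NOT )?IN EFFECT",
     lambda m: m.group(1) is None,
     "SETROPTS PASSWORD(MIXEDCASE)"),
    ("password_history_ge_8",
     r"(\d+) GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED",
     lambda m: int(m.group(1)) >= 8,
     "SETROPTS PASSWORD(HISTORY(10))"),
    ("revoke_after_le_5_failures",
     r"AFTER\s+(\d+) CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS",
     lambda m: int(m.group(1)) <= 5,
     "SETROPTS PASSWORD(REVOKE(5))"),
    ("protectall_active",
     r"PROTECT-ALL IS (NOT )?IN EFFECT",
     lambda m: m.group(1) is None,
     "SETROPTS PROTECTALL(FAILURES)"),
]


def audit(listing):
    """Return [(check, evidence, remedy)] for every check that fails or cannot be
    found. A line that is absent is treated as a failure: the option is not in effect."""
    findings = []
    for name, pattern, passes, remedy in CHECKS:
        m = re.search(pattern, listing)
        if m is None:
            findings.append((name, "setting not present in listing", remedy))
        elif not passes(m):
            findings.append((name, m.group(0).strip(), remedy))
    return findings


def regressions(known_good_listing, current_listing):
    """Checks that fail now but passed in the last known-good snapshot. This is
    the drift a continuous compliance monitor raises as a real-time alert."""
    before = {f[0] for f in audit(known_good_listing)}
    return [f for f in audit(current_listing) if f[0] not in before]


if __name__ == "__main__":
    for name, evidence, remedy in audit(WEAK_LISTING):
        print(f"FAIL {name}: {evidence} -> {remedy}")
    print("hardened listing findings:", audit(HARDENED_LISTING))
    print("regressed since known-good:",
          [f[0] for f in regressions(HARDENED_LISTING, WEAK_LISTING)])
```

In a real deployment the listing would be captured on a schedule (or on every SETROPTS change event) and `regressions()` run against the last approved snapshot, so that an alert fires on the change rather than at the next quarterly audit.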
According to Morejon, "the first step is to instrument the systems and services providing access to mission-critical data, then model all users who access that data in terms of their time of day access, geolocation, and type of action performed." He adds, "For example, user behavior modeling provides data over time for the analytics built into Iconium's DataLenz, allowing it to report potential security breaches and take appropriate action when an out-of-bounds anomaly is triggered."
RACF, ACF2, and Top Secret are the mainframe's primary security controls, but they do not flag privileged users who access data they are entitled to in the course of their job functions, because no violation occurs. "So, if a third shift operator with elevated privileged credentials suddenly accesses the mainframe in the middle of the day from a location across the globe, this will trigger an out-of-bounds alert," explains Morejon. "Similarly, if that same user is just running jobs and now is downloading thousands of records it’s considered an anomaly and also generates an alert." He adds, "Instrumenting also means placing the right technology in managed corporate devices and/or building it into the VPN access tools to capture the original IP address."
Vigilance is Key
Protecting the mainframe requires early detection and swift recovery, according to Wilson. File Integrity Monitoring, he explains, can help organizations identify an attack earlier, especially when used with real-time alerting. For recovery, he adds that there are many "cyber resiliency" options available, including solutions from Dell, IBM, and Model 9, among others.
However, Wilson cautions that "recovering from a ransomware attack on a mainframe will be challenging given the interconnected nature of the systems and applications." He adds, "I had a conversation with an old friend of mine recently who is the mainframe platform owner for a large financial institute. He stated that they could not restore any further back than 15 minutes given the interdependencies that the mainframe has with the other systems in their organization."
According to Morejon, DataLenz and similar solutions can offer geolocation functions to help enterprises identify original IP addresses for remote users, accurately pinpointing where the "out-of-bounds" access is located. "Is the user accessing critical mainframe data via an unsecured Wi-Fi network at a local coffee shop, or impersonating an employee from known bad actor locations or countries?" he asks. "This will cause an abnormal behavior alert for proper diagnosis and immediate action." Morejon agrees with Wilson that real-time alerting also is key. "[It allows] security personnel to quickly identify anomalies, send a message to the system console, send an email, and a text to the right person for forensic analysis."
However, without the appropriate tools and monitoring, it can sometimes take days to report and analyze mainframe-related cyberattacks because there are too many system management facility (SMF) records to sift through, he explains. "Most importantly, security violations from the most privileged accounts are not there," Morejon says. "Enterprises need the proper tools in place, as well as the time required to understand there has been a security breach in the first place," he notes. "Because DataLenz is constantly monitoring and modeling security access by users, it can detect anomalies quickly and determine the proper course of action. What used to take days, can now be accomplished in seconds or minutes."
Time is not on the enterprise's side when a security breach occurs. Firms need to employ the right tools to quickly identify behavioral anomalies and automatically terminate user sessions and suspend those accounts until further analysis can be performed, explains Morejon. "Perhaps the individual is on vacation and is working from a different location and time zone, but this will give the security analysts the ability to triage the event in context," he adds.
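The user behavior modeling Morejon describes (baseline each user's time of day, location, and type of action, then alert on out-of-bounds access) and the response policy above (terminate and suspend a privileged account on a clear anomaly, but triage an ordinary user who may simply be on vacation) can be shown end to end. The following is an added example written for this page; it is not Iconium's DataLenz, BMC code, or any product's logic. The events are constructed, not real SMF records; in practice the fields would be derived from RACF SMF type 80 records plus the originating IP captured at the VPN or endpoint, with the location resolved from that IP. The privileged-account list, the one-hour tolerance, and the 10x volume factor are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real SMF data.
# Fields: user, timestamp, location, action, records touched
BASELINE_EVENTS = [
    ("OPER3", "2022-03-01T23:10:00", "Dallas,US", "LOGON", 0),
    ("OPER3", "2022-03-01T23:15:00", "Dallas,US", "JOB_SUBMIT", 0),
    ("OPER3", "2022-03-02T02:40:00", "Dallas,US", "JOB_SUBMIT", 0),
    ("OPER3", "2022-03-03T05:30:00", "Dallas,US", "JOB_SUBMIT", 0),
    ("DEV1", "2022-03-01T09:05:00", "Bengaluru,IN", "LOGON", 0),
    ("DEV1", "2022-03-01T11:20:00", "Bengaluru,IN", "DOWNLOAD", 420),
    ("DEV1", "2022-03-02T16:45:00", "Bengaluru,IN", "DOWNLOAD", 510),
]
NEW_EVENTS = [
    # third-shift operator, mid-day, from another continent, bulk download
    ("OPER3", "2022-03-10T13:05:00", "Singapore,SG", "DOWNLOAD", 50000),
    # developer working from a new city but otherwise normal (the vacation case)
    ("DEV1", "2022-03-10T10:30:00", "Pune,IN", "DOWNLOAD", 400),
    # developer's ordinary activity
    ("DEV1", "2022-03-10T15:00:00", "Bengaluru,IN", "DOWNLOAD", 480),
]
# Assumed set of accounts with elevated ESM privileges (e.g. RACF SPECIAL/OPERATIONS)
PRIVILEGED = {"OPER3"}
VOLUME_FACTOR = 10  # assumed: flag when records exceed 10x the user's baseline max


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def build_profiles(events):
    """Per-user baseline: usual hours (+-1h), locations, actions, max records per action."""
    profiles = defaultdict(lambda: {"hours": set(), "locations": set(),
                                    "actions": set(), "max_records": {}})
    for user, ts, loc, action, n in events:
        p = profiles[user]
        h = _hour(ts)
        p["hours"].update({(h - 1) % 24, h, (h + 1) % 24})
        p["locations"].add(loc)
        p["actions"].add(action)
        p["max_records"][action] = max(p["max_records"].get(action, 0), n)
    return profiles


def decide(user, reasons):
    """Escalation policy: a privileged account with several anomalies is cut off
    at once; a single anomaly on an ordinary account is triaged in context."""
    privileged = user in PRIVILEGED
    if not reasons:
        return "ALLOW"
    if privileged and len(reasons) >= 2:
        return "TERMINATE_AND_SUSPEND"
    if privileged or len(reasons) >= 2:
        return "ALERT"
    return "TRIAGE"


def score_event(profiles, event):
    """Compare one event to the user's baseline and return the out-of-bounds reasons."""
    user, ts, loc, action, n = event
    p = profiles.get(user)
    if p is None:
        # no history at all: cannot be normal, hand it to an analyst
        return {"user": user, "reasons": ["unknown_user"], "decision": "ALERT"}
    reasons = []
    h = _hour(ts)
    if h not in p["hours"]:
        reasons.append(f"off_hours:{h:02d}")
    if loc not in p["locations"]:
        reasons.append(f"new_location:{loc}")
    if action not in p["actions"]:
        reasons.append(f"new_action:{action}")
    if n > 0 and n > VOLUME_FACTOR * p["max_records"].get(action, 0):
        reasons.append(f"volume:{n}")
    return {"user": user, "reasons": reasons, "decision": decide(user, reasons)}


def evaluate(baseline_events, new_events):
    profiles = build_profiles(baseline_events)
    return [score_event(profiles, e) for e in new_events]


if __name__ == "__main__":
    for r in evaluate(BASELINE_EVENTS, NEW_EVENTS):
        print(r["user"], r["decision"], r["reasons"])
```

Note what the profile does not contain: there is no ESM violation record for OPER3 anywhere, because OPER3 is authorized to read the data. The alert comes entirely from the deviation from that user's own history, which is the gap in RACF, ACF2 and Top Secret reporting that the article describes.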
Bad actor intrusions are inevitable on any platform, and regulatory compliance is at risk, particularly for financial firms and government entities reliant on mainframe data. Breaches can lead to millions of dollars in losses and recovery costs. Morejon and Wilson agree that to be vigilant means that enterprises need to invest in the right tools and employ the best security controls. Wilson adds that enterprises should "treat the mainframe like any other platform by having it regularly pen-tested and assessed/audited by mainframe-knowledgeable teams, as well as performing maintenance regularly." He also advises that enterprises sign up for IBM security portal updates and check the portal at least weekly.
Another major part of mainframe security is raising security awareness among staff to ensure employees follow strict security protocols, engage in common-sense strategies, and maintain proper user behavior. A multi-pronged effort of employing the best tools and security protocols and making employees partners in securing the mainframe can help enterprises improve their agility in catching bad actors.