security warning

This has been a fine summer. And I’m not talking about the weather: I mean the whopping fines proposed for infringements of the General Data Protection Regulation (GDPR) by Marriott Hotels and British Airways, followed by an even bigger fine in the US for Equifax – and the stunning US$5 billion fine handed to Facebook under a 20-year settlement with the Federal Trade Commission over privacy violations.

The thing is, it doesn’t have to be this way – if you get your house in order.

Yet there seems to be a worrying degree of complacency within the industry.

A few years ago, a short comic strip became the Internet meme “This is fine”. You may know it. It features an anthropomorphic dog in a hat and sitting at a table. The room is gradually burning to the ground. But the dog says: “This is fine” and then “I’m okay with the events currently unfolding” and so on, until the inevitable.

I’m not suggesting that some quarters of IT, mainframers included, are in self-denial about data protection or the state of their security. I’m stating it as fact. And the evidence seems to bear that out. Back to those fines.

In July 2019, after an extensive investigation, the UK Information Commissioner’s Office (ICO) announced its intention to fine Marriott International, Inc. almost one hundred million pounds sterling – around US$125m – for GDPR infringements. The ICO said the proposed fine related to a cyber incident that Marriott notified to them in November 2018. “A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area EEA. Seven million related to UK residents.” You probably read about it at the time.

It seems the vulnerabilities began when the systems of another hotel group, later purchased by Marriott, were compromised. Marriott co-operated with the ICO investigation and has since improved its security arrangements. Now, I don’t care how big your organization is, £100m isn’t exactly small change. Yet far bigger fines were still to come.

The same week, it was reported that British Airways faced a penalty of £183m (US$227m) for a data breach in 2018. Website users had been diverted to a fraudulent site where the details of around half-a-million customers were then harvested. The root cause was third party related and, as such, all third parties will now be under greater scrutiny. The BA fine is the biggest penalty to be handed down by the ICO.

Both BA and Marriott can appeal. Arguably the most concerning aspect of these cases is that, as I said earlier, it didn’t have to be this way.

I should make it clear that I don’t know the deep detail of these two breaches, or if they relate to mainframe systems. But I do know that both companies have mainframes.

I also know that despite the GDPR and constant warnings about the cyber threats out there, some quarters of the industry still aren’t taking their vulnerabilities seriously enough.

These fines were followed by the bombshell announcement that credit score agency Equifax had agreed to pay up to US$700m (more than £561m) as part of a settlement with the US regulator regarding a data breach back in 2017. In that incident, the records of at least 147 million people had been exposed.

Then, at the end of July, the news of Facebook’s deal with the FTC broke properly, including the biggest fine ever levied by the commission and an agreement to submit to new oversight. Okay, this is a different context, based on FTC charges that Facebook violated a previous order by “deceiving users about their ability to control the privacy of their personal information” – but it clearly shows the intention of regulators to come down extremely hard (and very expensively) on violators. 

We certainly live in dangerous times. On the one side, cyber criminals are queuing up to attack our systems. On the other, regulators are imposing huge fines for data breaches. We have been warned repeatedly. These financial penalties shouldn’t come as a shock. But there are now hundreds of millions of additional ££ and $$ reasons why we should be doing more, as an industry.

So, is your mainframe – your system of record – at risk? And are we, as an industry, still too complacent about the risks?

A quick aside: in Greek mythology, the nymph Thetis wanted to make her son Achilles immortal. Holding him by the left ankle, she dipped him into the River Styx, with the waters conferring invulnerability – but that pesky left ankle stayed mortal. And you know which part of his body was later hit by an arrow, mortally wounding him. We still use “Achilles’ heel” to refer to an unexpected weakness or vulnerability in an otherwise strong or powerful person (or system). A vulnerability that eventually leads to a downfall.

And it’s not only me talking about complacency in the industry. A few weeks ago, some interesting research by Forrester Consulting popped into my inbox, courtesy of Key Resources Inc. The title said it all: Don’t Let Mainframe Security Complacency Leave Your Critical Customer Data At Risk.

The research covered 225 IT managers and security professionals in North America. with all roles 100%within IT, security or risk/governance/compliance. In this study, Forrester really helps us to see the wood for the trees.

Its starting point was that “companies must actively secure the mainframe to achieve overall security.” The study, focusing on financial services, healthcare and insurance, showed a worrying lack of awareness around what people needed to do to secure all parts of their mainframe environment. The net result is putting data at risk.

While a sensible 85% of companies believed that mainframe security was a top priority, only one-third “always or often” make mainframe decisions based on security. Perhaps the other two-thirds don’t read the news?

Encouragingly, 95% of respondents said “the most concerning ramification of mainframe security is a breach of customer data.” That’s a relief. Then how come only one-third “always or often” make mainframe decisions based on security?

Indeed, as the report states, “Not only are companies not making decisions with the mainframe in mind, but they are not taking actionable steps to secure the mainframe” – they are not actively scanning for vulnerabilities. Scanning the OS for vulnerabilities was considered the least important factor “when managing your organization’s mainframe security.”

So what happens when there is an attack?

Two-thirds of respondents said that protecting their systems from so-called “zero-day attacks” exploiting software weaknesses or other vulnerabilities is the greatest mainframe security challenge they face. Moreover, the research found that two-thirds of companies struggled to identify vulnerabilities rapidly. 61% said it’s difficult to find the right mainframe security staff. Indeed.

This may help to explain why virtually all the companies said they were using or plan to use third party mainframe security tech (96%) “to fill critical skills gaps” or calling on additional outside resources to review their security and compliance (95%).

And that’s the key. Even if you don’t have them in-house, the skills and technology are out there to help you check your defences, close any gaps, and build new and even stronger defences that can flex and adapt as the cyber threat landscape evolves – so you can better protect your systems of record, and all that precious data. As I keep saying, to the bad actor, mainframes are “just another system” to be hacked. And many organizations do “get it”, which is why my team is so busy.

For instance, a mainframe security assessment takes a good look at security controls so you can understand what’s working, what isn’t, and where the gaps are. One problem is that these assessments are quite often carried out by organizations or people with little to no detailed mainframe and security knowledge, using a simple checklist or tick-list audit. This is worse than “not good enough” as it can give companies and teams a false sense of security. You need to do it properly.

Of, there’s penetration testing – my personal favourite activity – to identify risks and help to plan remediation work to plug the gaps, strengthen existing defences and protect data – and so comply with the GDPR and other laws and standards.

If you want to go further, there’s also the fully managed “Security as a Service” route to security engineering and threat prevention, helping ensure your ongoing protective measures and proactive responses to cyber attacks are as robust, focused and up-to-date as they need to be.

So what’s your Achilles heel? My team could almost certainly identify and remedy it. And there may actually be quite a few.

The important thing is, at what point do you take action: now, or after you’ve been breached and hit with a huge fine? After all, if Thetis had done the job properly, holding each heel in turn and dipping Achilles twice, his story might have ended rather differently.

A global thought leader and international speaker in mainframe security and technology, and passionate advocate of all things Z, Mark Wilson is Vertali’s Technical Director. He has more than 40 years ’experience across numerous industries and diverse mainframe environments. Mark is also Region Manager for Guide Share Europe (GSE) UK. For more information email: info@vertali.com
5 thoughts on “Security complacency: is your mainframe at risk?”
    1. Mainframes have been connected to distributed for decades, it’s not a “now” issue. its been a issue for decades and one that companies don’t understand.

  1. Mainframe Security is what I do. I’m not a people leader. I’m a security specialist focused on Mainframe. for the most part I agree with the article. Mainframe is often said to be the most secure platform in the world. it is not, it is the most securable in the world. like anything it’s only as good as your security policy that you’ve implemented on it and IRM policies that take mainframe into account. not doing so leaves the mainframe in a state of interpretation instead of following policy. I’ve found some value in vulnerability scans but they often misidentify issue and confuse mater more than help. this is because the major players do not know the first thing about mainframes. first hint, our OS is not FreeBSD and our TCP/IP stack is not GNU yet that’s what these scans point to. A A&P is very valuable but so far the A&P tests I’ve seen yield no results worth it. suggestion, bring your mainframe sysprogs into the fold. have them help you in your A&P test. There are companies that do real mainframe A&P tests but usually leadership doesn’t want to pay for these that have actual value. Audits also tend to have little mainframe experience and tend to focus on the surfacey stuff but lack the skill set to dive deep into the mainframe. there are good auditors out there who can be hired but same as the A&P test. All of this is true until there is a breach then like all platforms not we’ll pay for it. how about doing that to avoid the breach instead?

Leave a Reply

Your email address will not be published. Required fields are marked *