For everyone with a mainframe, cyber security and cyber resiliency are important. For financial institutions, a major breach could, potentially, not only lead to the company going out of business, but, as we saw in 2008, could also lead to significant parts of the international financial system becoming destabilized. And that impacts everyone. That’s why the cyber security rules that apply to organizations offering banking or other financial services are becoming more and more stringent. As we all know, cyber attacks are becoming commonplace, increasing the need for top-flight security to be in place.
So, let’s start with some definitions. Cyber security is all about prevention and protection. Cyber resiliency is focused on detection, forensics, and recovery. And, obviously, that recovery must be in a timely fashion.
One thing that has changed since 2008 is that regulators insist companies have the funds necessary in order to recover. And, more recently, regulators have enhanced guidelines and requirements affecting financial institutions, recognizing that cyber attacks are happening all the time, and it’s almost inevitable that one of them will be successful.
Who are the regulators setting these new rules? The cyber resiliency rules are specified by the people who regulate banking, securities transactions, insurance viability, and other related markets. People you might not have heard of. There’s the International Organization of Securities Commissions (IOSCO) and the Bank for International Settlements (BIS). They are the international agencies that specify the guidelines. Then, each participating country – USA, UK, EU, Canada, etc – agrees to abide by the rules and has its own enforcement agencies. Currently, everyone is following the “Guidance on Cyber Resilience for Financial Market Infrastructures”, which IOSCO and BIS published in June of 2016.
According to IOSCO, “Cyber Guidance provides authorities with a set of internationally agreed guidelines to support consistent and effective oversight and supervision of FMIs (Financial Market Infrastructures) in the area of cyber risk”.
When it comes to the actual nitty gritty – the specific controls and guidance – almost every document concerning resiliency refers to the NIST (The National Institute of Standards and Technology) Framework and ISO 27001.
As you probably know, NIST is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Over the past 20 years, they have developed and published standards, guidelines, and best practices that have become recognized as effective in providing improved security for IT systems. Other organizations can make use of the specific controls in the NIST framework on all their computer systems in order to reduce their cyber security risks.
Not surprisingly, the NIST framework suggests monitoring for both external and internal threats, recognizing hackers’ ability to steal credentials or purchase credentials on the dark web. NIST recommends integrity checking, i.e., verifying your software by recording a hash code for each component. That way mainframe users can identify if anything has been compromised by an insider. NIST also suggests that unauthorized software can be identified using baselines or, in a supplemental note, whitelists. This is probably where many mainframers are scratching their heads about how they would do this. How can they evidence that continuous security monitoring has taken place?
Many companies use their mainframe to process credit or debit card transactions. In fact, IBM reckons that 87 percent of credit card transactions and 29 billion ATM transactions are processed on mainframes. That means those mainframes need to be compliant with PCI/DSS (Payment Card Industry’s Data Security Standard) rules. Section 11.5 of the rules states that file integrity monitoring (FIM) is required. Again, many mainframers will be wondering how they have considered themselves compliant up until now without having FIM software installed. Certainly, FIM technology has a proven track record on platforms such as Windows and Linux, but has not generally been found on mainframes. What’s needed is software that implements a full ‘whitelist’ capability to ensure that every component has been checked and found correct on a weekly, daily, or, for very sensitive systems, hourly basis. If a breach occurs and an organization is found not to be compliant with the regulations, fines running into millions of dollars can result. In addition, an organization’s credit card processing privileges can be revoked. Plus, an executive of the company will have signed a form stating that their company was PCI/DSS compliant – when it wasn’t. And they may have done that based on information from you! And that, perhaps, puts both your jobs at risk.
Where does that leave hackers? Well, they’ve learned that organizations can recover from their ransomware attacks by simply restoring everything from backups. So, hackers are now targeting those backups before encrypting everything else. That means mainframe users need some way to identify immediately if their backups have been compromised. What’s needed is some kind of FIM software that will create a checksum when the backups are created. Then, it’s possible to check whether or not a change has been made to those backups by running a verification scan. This technique could also be used for database copies, program libraries, and parameter files.
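As an added illustration (not code from this article or from any mainframe FIM product), here is a small Python baseline-and-verify routine showing the hash-baseline and whitelist idea described above, applied to the kind of parameter file, program library and backup copy the article talks about. The directory tree, file names and contents are constructed for the demo; a real deployment would store the baseline somewhere the monitored system cannot alter it.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large backups or libraries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Record a SHA-256 for every file under root, keyed by slash-separated relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            key = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[key] = sha256_file(full)
    return baseline

def verify(root, baseline):
    """Rescan root and report anything not on the baseline (the whitelist) or changed since it."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    root = tempfile.mkdtemp()  # constructed scenario: baseline a tree, then tamper with it
    try:
        os.makedirs(os.path.join(root, "PARMLIB"))
        _write(os.path.join(root, "PARMLIB", "LIMITS"), b"DAILY_WITHDRAWAL_LIMIT=500\n")
        _write(os.path.join(root, "PAYPROG"), b"\x00constructed program image\x00")
        baseline = build_baseline(root)
        # Three changes of the kind the article says a verification scan must surface.
        _write(os.path.join(root, "PARMLIB", "LIMITS"), b"DAILY_WITHDRAWAL_LIMIT=50000\n")
        _write(os.path.join(root, "NEWMOD"), b"\x00not on the whitelist\x00")
        os.remove(os.path.join(root, "PAYPROG"))
        return verify(root, baseline)
    finally:
        shutil.rmtree(root)
```

Running `demo()` reports the tampered parameter file as modified, the unapproved module as added and the deleted program as removed; scheduling `verify` weekly, daily or hourly against a stored baseline gives the evidence of continuous monitoring the article asks for.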
But is this all ‘what-if’ thinking? Surely mainframes are so secure with RACF, etc., that hackers aren’t going to bother about them? The great thing about RACF and equivalent software is that it’s all about perimeter security. It’s not so good at dealing with hackers who have got through that outer barrier. For example, towards the end of 2020, the PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin to highlight a threat called an ATM cash-out attack, which cost multiple banks millions in losses. The attack involved tampering with control systems and refers to an ‘inside job’ that modified the card management system’s ‘daily withdrawal limits’. As mentioned earlier, mainframes process most credit and debit card transactions. Using FIM software would have allowed these banks to monitor both parameters and executing code for unauthorized changes and quickly identify that a hack was underway. It certainly seems like something useful to do in case of a future attack.
As well as losing money by fraud, financial institutions can lose money because they end up paying fines for non-compliance. You may have recently heard about Tesco Bank in the UK. The Financial Conduct Authority (FCA) fined Tesco Personal Finance plc (Tesco Bank) £16.4 million (about USD 21.5 million) for failing to exercise due skill, care, and diligence in protecting its personal current account holders against a cyber attack. The actual cyber attack took place in November 2016. This highlights the need for financial institutions to maintain a baseline standard of cyber-resilience. And, again, FIM software would have prevented the problem.
There’s a cognitive bias called the optimism bias, where people believe that they are less likely to experience a negative event. It seems that many organizations are still thinking that they won’t be hacked and they won’t be fined by regulators for a little bit of non-compliance. Now is not the time for such optimism. Now is the time to look for a vendor that can provide a mainframe version of file integrity monitoring software, and ensure your organization is cyber secure and cyber resilient – whether you work for a financial institution or not.
Regular Planet Mainframe Blog Contributor
Trevor Eddolls is CEO at iTech-Ed Ltd, and an IBM Champion since 2009. He is probably best known for chairing the Virtual IMS, Virtual CICS, and Virtual Db2 user groups, and is featured in many blogs. He has been editorial director for the Arcati Mainframe Yearbook for many years.