Mainframe security—Early Warning

The stages in a mainframe breach are familiar to most mainframers these days. First, the bad actors need to gain access to the mainframe. That can be as simple as going to the web and buying a user ID and password combination for as little as $120. It is even worse if the attack comes from an insider: they already have all the authority they need, including MFA access, to cause all kinds of havoc, because they already know what to attack. But why worry?

According to the 2023 Cost of a Data Breach Report from IBM Security, 9% of attacks are likely to come from compromised emails, 11% from cloud misconfigurations, 12% from software supply chain attacks, 15% from a hacked business partner, 15% from compromised credentials, and 16% from phishing attacks. 5% of the breaches originated from known vulnerabilities that had yet to be patched, and 6% of attacks were initiated by malicious insiders, but they were the costliest, at an average of US$4.90 million (9.6% higher than the global average cost of US$4.45 million per data breach). 

Once the hackers are inside the mainframe, their intention is to stay there. And that means they will want to implement a few backdoors. So, even if your security does spot that there has been some kind of penetration at this stage – and that’s often a very big ‘if’ – they can get back in easily, any time they want.

The hackers will also need to raise their authorization level to give them the ability to do things that are usually reserved for systems programmers. They may very well be making changes to your system software, applications, and parameter libraries. These changes won’t have much of an impact on the day-to-day running of the mainframe, so are usually hard to detect.

They are also, at this early stage, going to install some malicious software or timebombs. That means that, should they be detected and pushed off the mainframe, you will have something to remember them by: something that will test the recovery team's abilities and how well they have rehearsed their procedures.

At this stage, it is usually unlikely that they will have been detected. They will be looking around to see what sort of data you have – whether it has any commercial value to them. They will also be looking at what other companies your mainframe is connected to that they can also hack.

They are now at the stage where they can start to copy your data: customer information, including personally identifiable information (PII), the loss of which can result in fines for breaking GDPR and similar laws, and other valuable or sensitive information. This action might be identified because there can be a surprising amount of network traffic in the middle of the night.

The next stage is to encrypt your data, but hackers quickly realized that organizations could simply restore data from backups. So, their actual next step is to compromise the backups – making them unusable. Then they will encrypt your data.

And then the hackers may send a ransom demand, asking for money in return for the key to decrypt your data.

The 2023 Cost of a Data Breach Report found that the average cost of a breach is US$4.45 million; a ransomware attack now costs on average US$5.13 million. Ransomware attacks made up 24% of all data breaches recorded in the survey. There's always a big debate about whether an organization should disclose that it has been hacked and inform law enforcement. After all, the hackers are often based abroad, and a prosecution is unlikely. In addition, the news of the breach may reach the press, and the company is very likely to lose customer confidence and, so, lose money over the next couple of years. The report found that organizations that didn't inform law enforcement faced an additional cost of US$470,000: 63% of sites in the survey had involved law enforcement; the 37% that didn't paid 9.6% more and experienced a breach lifecycle that was 33 days longer.

If you work in healthcare, the report found that since 2020, healthcare data breach costs have increased by 53.3%. For the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of US$10.93 million.

Encryption can be a valuable defence against cyberattacks on business data. However, it can be weaponized in the hands of unscrupulous criminals, disgruntled employees, or rogue state entities. Encryption is a favourite attack vector for hackers because it is blisteringly fast on modern mainframes and easily reversible. That means the business case for perpetrators is pretty simple: break in, start a malicious encryption, and sell the key back to the victim.

What's needed is some way of automatically identifying malicious encryption processes. One way is to use a whitelist of all the authorized encryption processes. Early warning software could raise an alert and allow authorized staff to accept the process if it is legitimate. Otherwise, the system could immediately suspend the offending job or TSO user. A follow-up investigation could then determine whether everything really was OK. If it was OK but not on the whitelist, support staff could simply resume the job from the exact instruction at which it was suspended, and could also suggest that it be added to the whitelist. If, however, the process is found to be malicious or unknown, they could cancel it.

Is such early warning software available? It is now. Since the middle of August, FIM+ Version 2.2 from MainTegrity has offered this and other capabilities.

The early warning part of the product can also defend a site against hackers by monitoring datasets and libraries for unusual activity. It can detect unusually high access rates, or access patterns that are uncharacteristic, including access to PARMLIBs, PROCLIBs, VTAMLST, TCPPARMS, etc. It can also watch for batch jobs or TSO users whose mass deletion of datasets exceeds a customer-defined threshold. Other nefarious actions can be detected too, such as someone opening existing backups for update, or excessive dataset update activity. Even something as seemingly benign as scanning RACF permissions to see what access a user ID has can indicate typical hacker reconnaissance. For a full list see
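To make the two ideas above concrete (the encryption whitelist with alert/suspend handling, and the dataset-activity rules such as mass-deletion thresholds, backups opened for update and RACF permission scans), here is an added illustration in Python. It is not FIM+ code or anything from MainTegrity; the job names, user IDs, thresholds, library names and the record format are all assumptions, and the activity records are constructed rather than real SMF data.

```python
from collections import Counter

# Assumed, hypothetical whitelist of jobs permitted to encrypt datasets.
ENCRYPT_WHITELIST = {"PAYENCR1", "BKUPENCR"}
# Customer-defined thresholds (values chosen for this sample only).
MASS_DELETE_THRESHOLD = 3
SENSITIVE_READ_THRESHOLD = 2
# System libraries worth watching (types from the post; dataset names assumed).
SENSITIVE_LIBS = ("SYS1.PARMLIB", "SYS1.PROCLIB", "SYS1.VTAMLST", "TCPIP.TCPPARMS")
BACKUP_PREFIX = "BACKUP."

def evaluate(events):
    """Apply the early-warning rules to activity records (dicts with job, user,
    action, dataset). Returns (job, verdict, reason) tuples: ALERT notifies staff,
    SUSPEND stops the job/TSO user at that point until staff resume or cancel it."""
    findings = []
    deletes, sensitive = Counter(), Counter()
    for ev in events:
        job, action, ds = ev["job"], ev["action"], ev["dataset"]
        if action == "ENCRYPT":
            if job not in ENCRYPT_WHITELIST:
                findings.append((job, "SUSPEND", f"encryption of {ds} not on whitelist"))
        elif action == "DELETE":
            deletes[job] += 1
            if deletes[job] == MASS_DELETE_THRESHOLD:   # fire once, at the threshold
                findings.append((job, "SUSPEND", f"{deletes[job]} datasets deleted"))
        elif action == "OPEN_UPDATE" and ds.startswith(BACKUP_PREFIX):
            findings.append((job, "SUSPEND", f"existing backup {ds} opened for update"))
        elif action == "READ" and ds.startswith(SENSITIVE_LIBS):
            sensitive[job] += 1
            if sensitive[job] == SENSITIVE_READ_THRESHOLD:
                findings.append((job, "ALERT", "unusual access pattern to system libraries"))
        elif action == "RACF_LIST":
            findings.append((job, "ALERT", f"permission listing for {ev['user']} (recon)"))
    return findings

# Constructed sample activity (not real SMF data): one legitimate encryption job,
# a TSO user doing recon, and a job tampering with backups before a mass delete.
SAMPLE_EVENTS = [
    {"job": "PAYENCR1", "user": "PAYOPS", "action": "ENCRYPT", "dataset": "PAY.MASTER"},
    {"job": "TSU01234", "user": "JSMITH", "action": "RACF_LIST", "dataset": ""},
    {"job": "TSU01234", "user": "JSMITH", "action": "READ", "dataset": "SYS1.PARMLIB"},
    {"job": "TSU01234", "user": "JSMITH", "action": "READ", "dataset": "SYS1.PROCLIB"},
    {"job": "CLEANUP9", "user": "JSMITH", "action": "OPEN_UPDATE", "dataset": "BACKUP.PAY.G0012V00"},
    {"job": "CLEANUP9", "user": "JSMITH", "action": "DELETE", "dataset": "PAY.HIST.D2023"},
    {"job": "CLEANUP9", "user": "JSMITH", "action": "DELETE", "dataset": "PAY.HIST.D2022"},
    {"job": "CLEANUP9", "user": "JSMITH", "action": "DELETE", "dataset": "PAY.HIST.D2021"},
    {"job": "ZZCRYPT1", "user": "JSMITH", "action": "ENCRYPT", "dataset": "CUST.PII"},
]
```

Calling `evaluate(SAMPLE_EVENTS)` yields two ALERTs for the TSO user's reconnaissance and three SUSPENDs (backup opened for update, mass deletion, non-whitelisted encryption), while the whitelisted PAYENCR1 job passes silently.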

With a data breach costing an organization so much money, it makes sense to be able to identify that an attack is taking place at as early a stage as possible. Having some kind of early warning system in place would seem sensible for all mainframe users, and having some way to prevent files from being encrypted seems like an important part of anyone's mainframe defence strategy.

Regular Planet Mainframe Blog Contributor
Trevor Eddolls is CEO at iTech-Ed Ltd, and an IBM Champion since 2009. He is probably best known for chairing the Virtual IMS, Virtual CICS, and Virtual Db2 user groups, and is featured in many blogs. He has been editorial director for the Arcati Mainframe Yearbook for many years.
