Another SHARE conference has come and gone, and we have much to report on where mainframe security is headed. Each year, SHARE demonstrates that the mainframe is not only here to stay, it’s regaining its reputation as the king of big data in an IT landscape of massive complexity and high data risk.
Information and innovation are the most valuable commodities in our increasingly digital world. Thanks to the IT revolution, we now enjoy virtually instant categorization and access to key enterprise data assets. The downside? Many organizations have consolidated their most sensitive Intellectual Property (IP) and consumer identity data in one very predictable spot – mainframes. There can be no doubt where internal and nation-state cyber-thieves have focused their attention.
The innovative technology that brought us here is the same technology canvasing the dynamic world of IT with the burden of too much complexity. IT security visibility is blinded and lethargic from the mutually repellant worlds of distributed and mainframe networks. And because we've naturally assumed our mainframes are secure, we've taken for granted how their purpose and relevance has changed over time.
That’s the thing about myths: they’re only partly true.
Yes, File Integrity Monitoring (FIM) has been part of the distributed computing landscape for a few years now. And yes, real-time enterprise security monitoring is harder to accomplish in a mainframe environment. But as attacks become more sophisticated, FIM needs to be a key component of the entire network, including your mainframe.
There’s a well-known software vendor that has an antivirus “sandbox” that is used to explode viruses in much like a police bomb squad would do with a suspicious package at a crime scene.
Not so fast…what about MFIM.
File Integrity Monitoring (FIM) has been part of the distributed landscape for years, generally as a component of an enterprise anti-malware strategy. But as attacks become more sophisticated and nearly undetectable, FIM needs to be a key component across the entire network, mainframe included.
What to do when your mainframe catches a virus
8 Guidelines for monitoring mainframe security controls per PCI DSS Requirements
Now that we have your attention, allow us to expound on the thought. This is a somewhat valid question if you are in banking/finance, retail, healthcare, government or other environment that processes credit cards on a massive scale and requires the computing horsepower of a mainframe.
Why? Because these industries all have to adhere to the malware/anti-virus clause from the Payment Card Industry Data Security Standard (PCI DSS). At a high level, the PCI DSS provides a baseline of requirements for these industries to adhere to for the protection of cardholder data. Even if they have just one credit card transaction over the course of a fiscal year, PCI DSS applies and the penalties are significant. From the PCI Security Standards Council website FAQ page:
Database Activity Monitoring (DAM) is defined by Gartner as “… tools that can be used to support the ability to identify and report on fraudulent, illegal or other undesirable behavior, with minimal impact on user operations and productivity(1)…” If you know what to look for in z/OS DB2 audit trails, you have an excellent window into your mainframe database security health.
It should come as no surprise that security information and event management, or SIEM, has been fueled by industry standards groups and government agencies. Leading the charge to how data and security policies are drawn up are organizations with acronym-laden names like PCI SSC, FISMA, FERC, NERC, SOX, HIPAA and many others. The Payment Card Industry Security Standards Council, issuers of the PCI data security standard (PCI DSS), was founded by payment card giants MasterCard, American Express, Discover and several others. In 2006 they issued requirements and offered certifications for merchants, vendors and security consulting companies with the intent to “mitigate data breaches and prevent payment cardholder data fraud.”
- FIM ensures file compliance by scanning files in configuration-specified directories and then checks for unauthorized changes.
- FIM creates a baseline file configuration to be compared to any future configuration state. If there are any deviations from the baseline, an alert of potential threat can be issued.
- Good FIM practice allows for archiving to compliance standards - PCI DSS, FISMA, SOX, HIPAA, NERC, GLBA, etc... - in the event you need the data for forensics.
Seems like every day we see news headlines about yet another cyber-breach. Government agencies, local municipalities, online gaming and social platforms, financial institutions, even high-school records have been exposed in recent attacks. Scour the web and you will be hard-pressed to find the percentage of breaches occurring on mainframe versus distributed. The data just doesn’t seem to be there. Mainframe gurus will say that it is rare for a mainframe to be compromised, but the reality is that the data to confirm or dismiss this is just too hard to come by. Unless you are an insider and know the details of the breach, all we know publicly is that there was a breach, the number of records compromised and maybe the dollars affected.
No, I'm not a gamer but...
I did read an article (Sony confirms external attack brough down PlayStation Network - Dean Takahashi, April 22, 2012) on GAMESBEAT this morning that talks about the recent crash of the Sony PlayStation Network. In the article Sony points the finger at Anonymous and Anonymous denies it was to blame, even going so far as to label the media giant "incompetent."