By Ray Overby
Could your mainframe security practices be putting your organization at risk? Mainframe vulnerability management is notoriously overlooked, and there’s one common mainframe threat that most businesses aren’t adequately guarding against: code-based vulnerabilities.
I wrote a bit about this threat – and the challenge of raising awareness – in a recent article for Infosecurity Magazine, and I’d encourage you to check it out for more detail. If you’re thinking, “Wait, aren’t mainframes the most secure computing system?” – you’re right. But, that doesn’t mean they’re impervious to risk. We need to start thinking of the mainframe the way we think of any other computing platform or network when it comes to security threats.
Organizations in industries from banking to healthcare to government rely on the mainframe to store and protect their data. Usually, this includes storing highly sensitive information, like an organization’s mission-critical financial data and customers’ personally identifiable information. That makes the mainframe an attractive, lucrative target for all kinds of cybersecurity attacks and breaches. Unsurprisingly, breaches are incredibly costly – the average breach costs businesses $3.62 million.
Here’s the part that isn’t talked about enough: Mainframe security needs to go beyond the obvious security solutions RACF, CA Top Secret or CA ACF2, which are essentially used for authentication and authorization. While those commonly relied upon solutions provide some important security functions, they aren’t able to secure the mainframe at every level. The people and tools responsible for protecting this incredibly important system need to be aware of code-based vulnerabilities, a threat that has the potential to derail your business.
Code-based vulnerabilities are weaknesses that primarily exist in the interfaces between application (unauthorized) code and authorized code. When this interface software is not designed and/or coded correctly then code based vulnerabilities are created. They occur when one of the authorized programs on your z/OS system violates the IBM Statement of Integrity.
IBM’s z/OS Statement of Integrity says “IBM’s commitment includes design and development practices intended to prevent unauthorized application programs, subsystems, and users from bypassing z/OS security – that is, to prevent them from gaining access, circumventing, disabling, altering, or obtaining control of key z/OS system processes and resources unless allowed by the installation.”
It’s easy to see how that could be catastrophic for any organization, from the financial to reputational risks involved. Awareness of code-based vulnerabilities is the first step to addressing the problem. At Key Resources, Inc, we’re hard at work developing the tools businesses need to locate and fix these vulnerabilities.
To learn more about mainframe vulnerabilities, read my article, “Most Businesses Overlook One Common Mainframe Vulnerability,” in Infosecurity Magazine, or visit Key Resources, Inc’s website.