Chad Rikansrud is one of the foremost experts on mainframe security, having spent 20+ years running operations and mainframe infrastructure for one of the world's largest financial institutions and leading mainframe security assessments, exploit development, and penetration testing for many of the world’s largest organizations. Chad is an award-winning speaker and has presented at security conferences across the nation, including DEF CON, Black Hat, RSA, SHARE, DerbyCon, and more.
There are two types of people. Those who know they have a mainframe and those who don’t. Regardless of the category you fall into, I think we can all agree that mainframe security is not prioritized today.
But it should be.
Mainframes are important. They’re often used in highly regulated industries that have high-volume transactions. Think financial services, insurance companies, healthcare providers, government, airlines, and giant retailers that have been around for 15+ years.
Mainframes are built to be exceptionally resilient and are extremely fast and reliable for processing high volume, small transactions, such as ATM and credit card transactions or airline ticketing. Given the data is stored in one single place, mainframes make it easy to access and share data across an organization.
So, why don’t we prioritize mainframe security?
Because it’s misconstrued.
In this article, I’ll debunk four mainframe security misconceptions and answer many of the questions I receive regularly, including:
Why don’t we see regular mainframe breaches?
What would happen if my mainframe was breached?
Can a mainframe get infected by malware?
Who is responsible for mainframe security?
Should I pentest my mainframe?
There are many “mainframes” according to popular connotations. The IBM Z series, OpenVMS, HP Non-Stop, and the IBM iSeries, to name a few. In this article, I’ll focus on IBM z/OS given it is the mainframe of choice for the vast majority of organizations. Let’s get started.
“The mainframe rarely gets breached”
Mainframes are just as likely to experience a breach as any other system, but many wrongly assume it to be inherently secure. It can experience buffer overflows, ransomware attacks, and zero-day vulnerabilities. It’s a different architecture, but there’s nothing magical about it.
Contrary to popular assumptions, mainframes can be infected by malware – and it would work well. Malware infection is not limited to phishing emails. It can be introduced to mainframe systems directly (placed there by a programmer), remotely (via any remote management protocol such as FTP, or SSH), or via an undiscovered or unpatched software vulnerability (just like any other operating system!).
With the critical workloads running on these systems, the impact of a high-risk vulnerability being exploited could severely damage customer and business operations.
We do not see mainframe security issues making headlines or being talked about at the board level because many companies operate them with a “security through obscurity” mindset. IBM does not publicly publish the security details in authorized program analysis reports (APARs). By not providing vulnerability details publicly, it is perceived that external attackers and internal personnel threats cannot gain access to information that could put an enterprise at undue risk. However, attackers and internal threats can get ready access to z/OS and other platforms and use them to develop attacks and find vulnerabilities.
It’s important to understand that mainframes are computers. Really important and complex computers, but computers, nevertheless. And they can and do experience breaches – we are simply not always made aware of the incidents.
“Mainframes are old”
Tesla has its roots in the Model T. Does that make Tesla old and outdated?
IBM unveiled the first mainframe computer system, System/360, in 1964. Since then, do you think IBM stopped innovating? Not exactly. The images below illustrate what people often picture when they think of mainframes (left) and what a modern mainframe looks like (right).
You either refresh your tech or you don’t. It is not the mainframe technology itself that is old, it’s that organizations are not refreshing their mainframe systems when required.
Government organizations are known to maintain legacy systems. In 2017, research released on the government’s systems found that the U.S., overall, has more than 3,400 IT professionals employed to maintain legacy programming languages, such as COBOL.
Another key issue with this misconception is that mainframes are viewed as too outdated or complex for anyone new to learn. Because of this misconception, hands-on mainframe security training is nearly non-existent today. To help fill this gap, I developed Evil Mainframe, a first-of-its-kind z/OS penetration testing primer for pentesters and mainframe security professionals.
“IBM is responsible for my mainframe security”
Talk to any cloud security expert and they will understand the concept of the Shared Responsibility Model. It dictates the security obligations of a cloud computing provider – IBM included – and its users to ensure accountability. This model should also apply to the mainframe.
IBM controls all vulnerabilities and patch management in a silo for z/OS. They release patches quietly, which can give people a false sense of security. In a perfect world, IBM z/OS might operate similarly to how the Microsoft Security Response Center operates and encourages ethical hackers to stress test its systems.
People remain the easiest attack vector for mainframe breaches, whether it’s through phishing, social engineering, or brute force. Nothing about the mainframe itself prevents this (remember it’s just a computer), but security leaders are responsible for creating policies, implementing security awareness training, and educating defensive teams to detect and prevent attacks on the user side – just as they would for any other platform.
“I don’t need to perform mainframe pentesting”
The mainframe is a monolith of federated data and storage environments all hosted under one system. I call it a ‘data center in a box’. If an adversary gained access to the mainframe, they could exfiltrate data, delete data, access all collateral that supports your business operations in a single platform.
As I've reiterated throughout this article, cyberattacks are possible in a mainframe. It has Java, web apps, etc. just like any other platform. Yet, mainframes are often left out of enterprise vulnerability management programs. We perform application pentesting, cloud pentests, and external network tests regularly, so why do we overlook the mainframe? It’s like getting a physical, but the doctor doesn’t examine your heart.
To improve your mainframe security posture, you don’t need all the bells and whistles. Mainframe penetration testing is a basic security activity you can do to:
Eliminate the false sense of security that accompanies mainframe systems.
Validate your detective controls and capabilities – are you detecting the pentesters in the system?
Do more with less. The number of people that operate and manage these technologies is dwindling. A pentest can help you prioritize the riskiest vulnerabilities and work as an extension of your team.
Comply with regulatory pressures. As mentioned earlier, mainframes are often found in highly regulated industries – and regulators are getting smarter. Get proactive with your testing strategy.
Avoid a mainframe outage and continue doing business in a meaningful way.
Final Words
Mainframe security should be prioritized and it’s up to you to drive your security strategy. You have best practices for all your other platforms – apply them to your mainframes as well! Business and security leaders that have mainframe systems, or realized they operate on a mainframe after reading this article, must take ownership over their mainframe security. By getting proactive with mainframe security, we can prevent breaches, stay ahead of regulators, and ultimately reduce organizational risk.
There are two types of people. Those who know they have a mainframe and those who don’t. Regardless of the category you fall into, I think we can all agree that mainframe security is not prioritized today.
But it should be.
Mainframes are important. They’re often used in highly regulated industries that have high-volume transactions. Think financial services, insurance companies, healthcare providers, government, airlines, and giant retailers that have been around for 15+ years.
Mainframes are built to be exceptionally resilient and are extremely fast and reliable for processing high volume, small transactions, such as ATM and credit card transactions or airline ticketing. Given the data is stored in one single place, mainframes make it easy to access and share data across an organization.
So, why don’t we prioritize mainframe security?
Because it’s misconstrued.
In this article, I’ll debunk four mainframe security misconceptions and answer many of the questions I receive regularly, including:
Why don’t we see regular mainframe breaches?
What would happen if my mainframe was breached?
Can a mainframe get infected by malware?
Who is responsible for mainframe security?
Should I pentest my mainframe?
There are many “mainframes” according to popular connotations. The IBM Z series, OpenVMS, HP Non-Stop, and the IBM iSeries, to name a few. In this article, I’ll focus on IBM z/OS given it is the mainframe of choice for the vast majority of organizations. Let’s get started.
“The mainframe rarely gets breached”
Mainframes are just as likely to experience a breach as any other system, but many wrongly assume it to be inherently secure. It can experience buffer overflows, ransomware attacks, and zero-day vulnerabilities. It’s a different architecture, but there’s nothing magical about it.
Contrary to popular assumptions, mainframes can be infected by malware – and it would work well. Malware infection is not limited to phishing emails. It can be introduced to mainframe systems directly (placed there by a programmer), remotely (via any remote management protocol such as FTP, or SSH), or via an undiscovered or unpatched software vulnerability (just like any other operating system!).
With the critical workloads running on these systems, the impact of a high-risk vulnerability being exploited could severely damage customer and business operations.
We do not see mainframe security issues making headlines or being talked about at the board level because many companies operate them with a “security through obscurity” mindset. IBM does not publicly publish the security details in authorized program analysis reports (APARs). By not providing vulnerability details publicly, it is perceived that external attackers and internal personnel threats cannot gain access to information that could put an enterprise at undue risk. However, attackers and internal threats can get ready access to z/OS and other platforms and use them to develop attacks and find vulnerabilities.
It’s important to understand that mainframes are computers. Really important and complex computers, but computers, nevertheless. And they can and do experience breaches – we are simply not always made aware of the incidents.
“Mainframes are old”
Tesla has its roots in the Model T. Does that make Tesla old and outdated?
IBM unveiled the first mainframe computer system, System/360, in 1964. Since then, do you think IBM stopped innovating? Not exactly. The images below illustrate what people often picture when they think of mainframes (left) and what a modern mainframe looks like (right).
You either refresh your tech or you don’t. It is not the mainframe technology itself that is old, it’s that organizations are not refreshing their mainframe systems when required.
Government organizations are known to maintain legacy systems. In 2017, research released on the government’s systems found that the U.S., overall, has more than 3,400 IT professionals employed to maintain legacy programming languages, such as COBOL.
Another key issue with this misconception is that mainframes are viewed as too outdated or complex for anyone new to learn. Because of this misconception, hands-on mainframe security training is nearly non-existent today. To help fill this gap, I developed Evil Mainframe, a first-of-its-kind z/OS penetration testing primer for pentesters and mainframe security professionals.
“IBM is responsible for my mainframe security”
Talk to any cloud security expert and they will understand the concept of the Shared Responsibility Model. It dictates the security obligations of a cloud computing provider – IBM included – and its users to ensure accountability. This model should also apply to the mainframe.
IBM controls all vulnerabilities and patch management in a silo for z/OS. They release patches quietly, which can give people a false sense of security. In a perfect world, IBM z/OS might operate similarly to how the Microsoft Security Response Center operates and encourages ethical hackers to stress test its systems.
People remain the easiest attack vector for mainframe breaches, whether it’s through phishing, social engineering, or brute force. Nothing about the mainframe itself prevents this (remember it’s just a computer), but security leaders are responsible for creating policies, implementing security awareness training, and educating defensive teams to detect and prevent attacks on the user side – just as they would for any other platform.
“I don’t need to perform mainframe pentesting”
The mainframe is a monolith of federated data and storage environments all hosted under one system. I call it a ‘data center in a box’. If an adversary gained access to the mainframe, they could exfiltrate data, delete data, access all collateral that supports your business operations in a single platform.
As I've reiterated throughout this article, cyberattacks are possible in a mainframe. It has Java, web apps, etc. just like any other platform. Yet, mainframes are often left out of enterprise vulnerability management programs. We perform application pentesting, cloud pentests, and external network tests regularly, so why do we overlook the mainframe? It’s like getting a physical, but the doctor doesn’t examine your heart.
To improve your mainframe security posture, you don’t need all the bells and whistles. Mainframe penetration testing is a basic security activity you can do to:
Eliminate the false sense of security that accompanies mainframe systems.
Validate your detective controls and capabilities – are you detecting the pentesters in the system?
Do more with less. The number of people that operate and manage these technologies is dwindling. A pentest can help you prioritize the riskiest vulnerabilities and work as an extension of your team.
Comply with regulatory pressures. As mentioned earlier, mainframes are often found in highly regulated industries – and regulators are getting smarter. Get proactive with your testing strategy.
Avoid a mainframe outage and continue doing business in a meaningful way.
Final Words
Mainframe security should be prioritized and it’s up to you to drive your security strategy. You have best practices for all your other platforms – apply them to your mainframes as well! Business and security leaders that have mainframe systems, or realized they operate on a mainframe after reading this article, must take ownership over their mainframe security. By getting proactive with mainframe security, we can prevent breaches, stay ahead of regulators, and ultimately reduce organizational risk.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Name
Domain
Purpose
Expiry
Type
YSC
youtube.com
YouTube session cookie.
52 years
HTTP
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Name
Domain
Purpose
Expiry
Type
VISITOR_INFO1_LIVE
youtube.com
YouTube cookie.
6 months
HTTP
Test
test.com
Testing
7 days
HTTP
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
We do not use cookies of this type.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
We do not use cookies of this type.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
We do not use cookies of this type.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Cookie Settings
Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.
