IBM Lab Services Helps Clients Stay Vigilant Against Data Hackers
In fixing leaks and reinforcing data safety, Lab Services team members know the headaches administrators are dealing with, and they make use of the numerous security tools in the IBM toolbox.
By Gene Rebeck, 06/01/2017
In July 2015, an operator noticed some heavy UNIX* System Service (USS) activity that seemed highly suspicious. Some scripts were sending spam messages all over the world from the client’s mainframe.
The client called IBM Systems Lab Services for z Systems* and LinuxONE*, and the Lab Services team sprang into action. The team of highly skilled specialists has deep technical knowledge in a number of different areas, including network, storage and security for z/OS* and Linux* for z Systems. After performing a forensic search on the client’s system, Lab Services determined that the hackers had made a miscalculation. They thought they’d hacked a Linux system—and hadn’t figured out they were on a mainframe and could access customer data. The hackers had used the system as a spamming machine without digging further. If they’d discovered that the client was managing a large amount of its customers’ personal data, the resulting leak would have been a disaster.
It was a close call. By and large, cyber thieves are wilier and more sophisticated than that. With many types of data bringing in billions of dollars on the black market, they’re devoting all of their time to outwitting organizations’ data-protection strategies. For them, hacking is a full-time job. But system administrators can rarely dedicate all of a staffer’s hours to monitoring illicit activity on their systems.
In fixing leaks and reinforcing data safety, Lab Services team members know the headaches and indigestion administrators are dealing with, and they make use of the numerous security tools in the IBM toolbox. They also know what z Systems administrators will have to confront in the future. New global data privacy standards will require organizations to add new layers of protection to the data they store.
Firefighters, Physicians and Teachers
Lab Services works on other z Systems issues besides security, but with hackers working full time to find ways to evade the latest data-protection measures, security keeps Lab Services staff notably busy. Didier Andre, a mainframe consultant for Lab Services who focuses on z Systems, describes the department as “a team of firefighters,” putting out fires.
“But usually, our consulting service is about prevention,” Andre adds. “People tend to say or to think that mainframe is the most secure platform. That’s not 100 percent true—it’s the most securable. And we’re providing services to help our clients to make it the most secure.”
Because preventive measures are a major part of their work, another way to think of Andre and his Lab Services colleagues is as physicians. For IBM clients that request their help, they conduct what they call security “health checks” on the entire system. That starts with IBM’s RACF* software, which provides basic security for the mainframe. But that’s just the start of helping clients ensure their systems are as secure as possible.
“We’re looking holistically at how you’re protecting the data—when you have it, when you receive it, and when you send it off,” says Craig Johnston, a Lab Services consultant specializing in mainframe security. “That’s especially important for PCI DSS, because those systems are just part of the bigger picture—including how you’re protecting the data from a merchant, through the card issuer, the reconciliation of the bills and so on.”
PCI DSS is a set of requirements designed to secure and protect customer payment data. It applies to companies of any size that process credit card data, and it mandates the use of cryptography, because organizations that accept such payments must store, process and transmit cardholder data. For hackers, that data is pure gold, and organizations must guard that treasure on a PCI-compliant system. Not following the PCI DSS standards puts an organization’s customers’ credit data at risk.
A breach could cost that organization millions in repairs, reparations to customers or potential loss of reputation and business.
In helping clients keep their customers’ data safe, Lab Services pays particular attention to cryptography (i.e., crypto). Crypto covers all technologies used to convert plain text into scrambled text so that outsiders can’t access or “read” it.
“A lot of that has to do with the encryption of the data to protect the data on the system,” Johnston says. “We look at the actual installation to determine if the encryption is being done only half way—if at all. We then help clients fine-tune the encryption.” Lab Services helps clients update crypto for devices, databases and applications, as well as entire systems.
Lab Services examines and uses several tools when working with clients to fortify the walls around their important data. Crucial elements of the protection strategy are encryption keys, the secret values an algorithm uses to scramble “plaintext” into “ciphertext” that outsiders can’t read. Encryption keys are generated by algorithms intended to ensure that every key is unpredictable and unique. Without the encryption key, ciphertext can’t be unwound back to plaintext.
The z Systems servers also have dedicated CryptoCards. These are managed primarily by the Integrated Cryptographic Services Facility (ICSF), a software element of z/OS that works with Security Server RACF and other cryptographic features to produce high-speed cryptographic services. Lab Services can configure the software around CryptoCards and help clients create different encryption keys.
IBM also has a product called Enterprise Key Management Foundation (EKMF), developed by IBM’s Crypto Competency Center in Copenhagen, Denmark. EKMF provides centralized key management on z Systems, notably useful for meeting PCI requirements. Lab Services also helps with the deployment of IBM Security Guardium* Data Encryption for DB2* and IMS* databases, which is used to prevent leaks from databases, data warehouses and big data environments. Guardium incorporates a key to encrypt data stored on DB2 databases.
Another important consideration is that clients using encryption keys to protect their data will also need to protect the keys themselves. Otherwise, Johnston says, “the data might as well not be encrypted.” This is where IBM’s Security Key Lifecycle Manager (SKLM) can help. The SKLM product, which centralizes and automates the encryption key management, also can encrypt the keys themselves, whether they’re stored on physical tape or IBM storage media such as XIV* or DS8000*.
“Lab Services can help the client configure its DS8000 or the full-disk encryption of that drive,” Johnston says. Lab Services also works with z Systems clients to set up IBM’s Trusted Key Entry workstation, which manages the master keys that protect those operation keys through CryptoCards.
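The two-level key hierarchy Johnston describes, an operational key that encrypts the data and a master key that protects the operational key, as an added illustration in Go that is not IBM’s or Lab Services’ code. It uses plain AES-GCM rather than any ICSF, SKLM or TKE interface; the 32-byte keys and the record label are constructed, and it assumes Go 1.24 or newer, where crypto/rand.Read cannot fail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds an AES-256-GCM AEAD; a wrong key length is a programmer error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for the AES block size
	return g
}
// seal encrypts plaintext under key, prepending a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail as of Go 1.24
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; it fails if the key is wrong or anything was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Protect makes a fresh operational key, encrypts data under it and wraps that key
// under masterKey, binding label as AAD so the wrapped key cannot be moved to
// another record. Only (wrappedKey, ciphertext) reaches storage; the master key
// stays in the key manager (constructed layout, not any IBM product's format).
func Protect(masterKey, data []byte, label string) (wrappedKey, ciphertext []byte) {
	opKey := make([]byte, 32)
	rand.Read(opKey) // fresh operational key for this record
	return seal(masterKey, opKey, []byte(label)), seal(opKey, data, nil)
}
// Recover unwraps the operational key with masterKey, then decrypts the data;
// with the wrong master key or label, both stored values stay inert.
func Recover(masterKey, wrappedKey, ciphertext []byte, label string) ([]byte, error) {
	opKey, err := open(masterKey, wrappedKey, []byte(label))
	if err != nil {
		return nil, err
	}
	return open(opKey, ciphertext, nil)
}
```

Rotating the master key means re-wrapping only the small wrapped keys, not re-encrypting every record, which is the practical reason the hierarchy exists.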
Now Lab Services is beginning work to help z Systems clients prepare for new regulations and rules that will require them to further fortify their security systems and practices.
One new regulation is PCI DSS 3.2, an update to the PCI standard. Perhaps the biggest change that PCI DSS 3.2 incorporates is the use of multifactor authentication (MFA) for administrators to access cardholder data. Compliance with 3.2’s MFA requirement will become mandatory Feb. 1, 2018. As Andre notes, had this requirement been in place a couple of years ago, it would have prevented the July 2015 USS hack. “Even with a user password, the hacker would have been denied any access without the second form of authentication provided by MFA,” he says.
To help clients meet the DSS 3.2 MFA standard, IBM is developing a mainframe solution implementation service. Lab Services is one of the teams being trained to deliver this service. It expects to be conducting deployments with customers by the end of this year.
Also on Lab Services’ security agenda this year: helping clients upgrade their mainframe environments to meet the European Union’s upcoming General Data Protection Regulation (GDPR). This new data-protection standard extends the region’s data-protection law to all foreign companies processing data of EU residents. Scheduled to go into effect in May 2018, the GDPR will put in place stringent rules not only for data protection, but also for reporting data breaches to EU authorities. Organizations that don’t comply with the GDPR could be liable for fines in the tens of millions of euros.
According to Johnston, Lab Services’ PCI work focuses on the standard’s major requirements and sub-requirements, and it is developing the same process for GDPR. “We’ll come up with a list of issues to look at and show clients where their system is deficient,” Johnston says. “We’ll be coming up with alert desk checks for z Systems, and we’ll have assessments on that.”
For z Systems clients with cardholder data to protect, that’s good news. Hackers never rest. Lab Services, however, is helping the organizations it serves to be prepared and protected.
Sponsored Content: The Threat Is Real–Averting Cyber Attacks
With increased threat levels, cyberattacks have become mainstream and we see new threats from more venues than ever before. Threats from the Internet of Things, ransomware and malware, like MIRAI, and others provide unlimited paths into an organization’s infrastructure and introduce more risk than ever before.
Today’s mainframe is just another server in the data center, accessible internally and externally like every Windows*, UNIX*, Linux* or other server. Not only are mainframe environments vulnerable to internal malicious users, but also to external hacktivists, criminals and competitors. To ensure critical assets are properly protected, organizations should perform regular mainframe security assessments.
To prevent a cyber breach, we advocate a comprehensive security assessment that includes collecting, processing and assessing all relevant customer data based on best practices. Upon conclusion, a mainframe security assessment should provide an actionable report that includes details on the findings, the severity ranking of each finding, instructions for remediating problems and safeguards against future security breaches.
Protect your critical infrastructure and gain the confidence you need knowing your mainframe is safeguarded and protected against security breach and other potential cyber risk.
CMO, Vanguard Integrity Professionals
Brian has a 25-year track record in global marketing, corporate strategy, business development and global branding.
Sponsored Content: Securing Mainframe Vulnerabilities
One of the more efficient ways to uncover known or unknown vulnerabilities on the mainframe is through penetration testing. For various reasons, however, this often gets overlooked by enterprises today.
Phil Young, co-founder of zedsec 390, believes this is the case for multiple reasons, including lack of support. He says, “We have the problem of core vendors pretending that it is 1999 and hiding vulnerabilities; [and] Chief Information Security Officers and Chief Risk Officers are largely unaware of the risk posed to the enterprise by an unsecured mainframe, both from a data exfiltration risk and a loss of revenue caused by downtime due to an attack.”
Chad Rikansrud, co-founder of zedsec 390, points to a skills gap, noting that there isn’t the necessary overlap of technical skills between those who deeply understand mainframe technologies and those who are well-versed in the current techniques and adversaries that compose the current threat landscape.
While organizations are committed to ensuring security and compliance, Young believes they tend to focus their energies in the wrong areas. “The mainframe is largely overlooked because of its relative obscurity and appearance of infallibility,” he says. “Because of this, there is a larger focus on compliance and very little actual security testing. Unfortunately, advances in compliance ultimately occur due to security research. Since security research on the mainframe is effectively stagnant, compliance guides see very few updates. Furthermore, since most compliance departments lack mainframe expertise, they may not even know that their compliance guides are no longer applicable.”
The topic of security is one that continues to be front and center with mainframe professionals. Find out more at the upcoming SHARE Providence event, Aug. 6-11 in Rhode Island, where security will be a top focus.
Get Started Today
The Lab Services z Systems and LinuxONE practice is an experienced group of consultants with proven expertise on the platforms to help clients design and deliver highly available infrastructure solutions. Learn more: ibm.co/2oaDtV2
Sponsored Content: Real-Time Mainframe Visibility in Your SOC Is the Key to Security
A common misconception dating back to the dawn of the internet is “we don’t need to worry about our mainframe getting hacked.” Part of this thinking arose because the mainframe existed in a different IT world than its counterparts across Windows* and distributed systems–the systems powering the internet.
The myth has perpetuated itself into more modern times, where we still have two different worlds of IT (mainframe versus distributed) with different resources managing them. The resulting disconnect makes shoring up all avenues of network intrusion nearly impossible, as already-complex IT environments are further complicated by the split between the two.
Meanwhile, those residing in the mainframe world may still think “big iron” is impenetrable. However, WebSphere* web access, 3270 Telnet connections and CICS* middleware have brought the mainframe closer than ever to the internet’s vulnerabilities.
Event visibility is critical. Today, sophisticated security operations centers (SOCs) manage system-wide security but most don’t audit mainframe event activity in real time. If you’re going to secure all avenues of intrusion from threat, you must include your mainframe alongside all your distributed assets in your SOC and monitor privileged user events from the mainframe alongside the distributed events.
President and CEO, CorreLog Inc.
George has served as president of CorreLog since its inception and has been a successful entrepreneur in the software business for over 30 years.
Gene Rebeck is a freelance writer based in Duluth, Minnesota.