Why mainframe is secure

Files, such as lists of usernames and passwords and confidential client information, should not remain on the mainframe, where they are exposed to any type of user who gains physical or remote access.

Often, companies provide users with significantly more access to mainframes than they should be given. They do not do it with malicious intent; they simply do not have the expertise or time to identify which roles should receive higher privileges and how to manage such accounts. If attackers were to compromise just one of those users, they would not need to work much more to escalate their access level. When it comes to mainframes, David has seen unencrypted network communication between web servers and mainframes using the Telnet protocol TN, which is not encrypted by default.

That means any data traversing that protocol on the network can be viewed and recorded by potential adversaries. While there are ways to apply encryption around it, not many companies do so because it has not been a standard practice in most security programs.
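A defender's check for the cleartext Telnet exposure described above, as an added example that is not part of the original article: it classifies the first payload of a captured flow as a TLS handshake or as cleartext Telnet option negotiation. The flow records, host names, ports and the choice of the TN3270E option (Telnet option 40) as sample traffic are assumptions made for illustration.

```python
# Added example. Telnet command bytes are from RFC 854; flows below are constructed.
IAC = 255
VERBS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
# A few option codes commonly seen when a 3270 terminal session starts.
OPTIONS = {0: "BINARY", 24: "TERMINAL-TYPE", 25: "END-OF-RECORD", 40: "TN3270E"}


def telnet_commands(payload: bytes):
    """Decode the leading run of 3-byte IAC <verb> <option> commands."""
    commands, i = [], 0
    while i + 3 <= len(payload) and payload[i] == IAC and payload[i + 1] in VERBS:
        option = payload[i + 2]
        commands.append((VERBS[payload[i + 1]], OPTIONS.get(option, str(option))))
        i += 3
    return commands


def is_tls_handshake(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 3, minor 0-4."""
    return (len(payload) >= 5 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)


def classify(payload: bytes) -> str:
    if is_tls_handshake(payload):
        return "tls"
    if telnet_commands(payload):
        return "cleartext-telnet"
    return "unknown"


def cleartext_flows(flows):
    """Return (src, dst) for flows whose first payload is Telnet negotiation."""
    return [(f["src"], f["dst"]) for f in flows
            if classify(f["first_payload"]) == "cleartext-telnet"]


# Constructed sample: first payload bytes of two flows from a packet capture.
SAMPLE_FLOWS = [
    {"src": "web01.example", "dst": "mainframe.example:23",
     "first_payload": bytes([255, 253, 40])},           # IAC DO TN3270E
    {"src": "web02.example", "dst": "mainframe.example:992",
     "first_payload": bytes.fromhex("160301002f01")},   # TLS ClientHello header
]

if __name__ == "__main__":
    for src, dst in cleartext_flows(SAMPLE_FLOWS):
        print(f"cleartext Telnet: {src} -> {dst}")
```

Only the first payload is inspected, so a session that begins with Telnet negotiation and upgrades to TLS later is still reported as starting in cleartext.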

Many applications are written with unintentional security flaws, such as logic flaws, cross-site scripting (XSS), code flaws and others. Mainframe application flaws are no exception. If applications are not built and deployed securely, they can expose the entire mainframe environment to an attacker.

To keep track of mainframe security, it is essential to include these assets in security maintenance that oversees vulnerability management, patching and testing. At a basic level, companies should make sure access to their mainframes requires strong passwords. They should also enable encryption and ensure that their applications have gone through a secure-by-design build phase.

That means testing applications as they are being designed and implementing a security plan during the development phase and post-deployment. This strategy ensures that risks are identified prior to the launch of an actual attack, avoiding a real-time scramble for a solution. It also provides critical audit records needed for compliance. Based on the authorization, access is either allowed or denied. It comes with several basic safeguarding features, including online security, authentication and authorization, and encryption.

For companies that require additional security, an external security manager (ESM) might fit their needs. The right security solution will depend on the Linux distribution being used to operate the mainframe.

ESMs add extra layers to the basic security measures that mainframes already supply. They help companies meet compliance and customer expectations. With RACF, you can establish pervasive encryption for absolute security. Files are encrypted at every point, including in storage and during transmission. CA Technologies offers two compatible security solutions for the mainframe environment. ACF2 controls access to sensitive information and critical business assets.

With advanced authentication, applications can increase their assurance that users are correctly identified and data is protected. To them, the mainframe is legacy technology—something that is essential to the business, sure, but that can mostly be trusted to take care of itself. Given the sensitive nature of the data processed by these systems, a single mainframe vulnerability could result in a major breach, financial loss, reputational damage, and, ultimately, your job.

Mainframes are arguably the most securable computing platform, but any system has its weaknesses, and the mainframe is no exception. This misconception can lull CISOs into a false sense of security about the level of risk associated with their mainframe environment. And though some CISOs may know that they need to bolster the security of their mainframes, the typical solutions are incapable of providing a complete security strategy.

But they are completely blind to one of the biggest mainframe security risks: zero-day vulnerabilities in mainframe operating system code, which provide a pathway for hackers to exploit and control your mainframe. These tools simply cannot scan for OS-level code-based vulnerabilities. Have you ever heard of a trapdoor vulnerability?

How about a storage alteration vulnerability? These are two of the most severe system integrity vulnerabilities. When exploited by non-authorized users, these vulnerabilities allow people with no special privileges to access the system and alter the environment or virtual memory.

But mainframe specialists are at a disadvantage when it comes to locating and categorizing these vulnerabilities, because of a lack of standardized vulnerability scoring, like the Common Vulnerability Scoring System (CVSS), or a shared vulnerability database, like the National Vulnerability Database (NVD), both of which are common for other computing systems.

That includes the mainframe. Developing a vulnerability management program is also a matter of compliance. According to the Payment Card Industry Data Security Standards (PCI DSS), any organization that deals with cardholder data is required to have a process to identify security vulnerabilities and assign a risk ranking to any newly discovered vulnerabilities.

Just this spring, the National Institute of Standards and Technology (NIST) released a revised version of their flagship risk management documents, making important changes and updates for the modern security era.


