So Why Are We Still Using Mainframes?
Mainframes really do have an image problem, and it’s no wonder. As Chad said in his talk at DerbyCon 5.0:
“Why don't you care about such a thing? Because you've been taught not to. Schools teach you that mainframes don't matter, if they are mentioned at all. Well guess what! Not only do they matter, everything you do, your family does, your government does, relies on them.”
Let’s rule out that myth first. Mainframes are far from obsolete. Fact is, they’re not going anywhere. These babies are not antiquated relics; they're sophisticated and modern, and they are built for reliability, power and speed. We’re talking almost 100 percent uptime, insane amounts of storage and terabytes of RAM (yes, terabytes!). Then, there’s volume capacity. These machines can process unbelievable numbers of transactions per second. Think of banking, travel, government – where you need to process enormous volumes of data rapidly and reliably. And should something fail – well, they are designed to be very modular and highly resilient to failure. Claire Bailey, Director of Federal, State and Local Solutions at Compuware, says this in a recent online article for Government & Technology:
“The mainframe is a technically matchless platform. Its performance, scalability, reliability and security are far beyond that of any distributed or cloud infrastructure. In fact, despite the incalculable investments made in these commodity platforms, they have never come close to delivering what the mainframe does. That’s why the most critical workloads in both the public and private sectors continue to run almost exclusively on mainframes.”
Or, as Chad summarized in his talk: “If it’s important, it’s running on a mainframe.”
What’s Really on Them and Why We Should Care
So, who uses them? Almost all Fortune 100s – 90 percent, according to IBM, who makes the platform (zSeries) and its flagship operating system, z/OS. That includes airlines, hotels, banks and every major financial institution; various levels of government (think taxes); healthcare; the infrastructure we see all around us. Yes, even 911 relies on an IBM mainframe.
- 71% of all Fortune 500 companies have their core business on the mainframe.
- 23 of the world’s top 25 retailers use a mainframe.
- 92% of the top 100 banks use a mainframe.
- 10 out of 10 of the top insurers use a mainframe.
- More than 225 state and local governments worldwide rely on a mainframe.
- 9 of the top 10 global life and health insurance providers process their high-volume transactions on mainframe.
So They’re Secure, Right?
In a word, maybe. One could infer from the lack of mainframe hacks in the news that they are unhackable; that would be a dangerous assumption. Chad was struck by the scary thought that nobody, except maybe a select few (and the folks at IBM, internally), was actually probing mainframes and their security, until he found Phil (I’m pleased to report there may be as many as 10 of them now). They discovered a disconnect between security culture and mainframe culture, and that nobody was talking about that gap. If you ask Phil Young, he’ll share this sentence from the IBM-MAIN mailing list, which sums up what he has been trying to say and do over the last three years:
“Since security implementation on z/OS, independent of the tool, is the realm of either the sysprog (with little time to deal with it on a daily basis) or the security staff (where dedicated z/OS specialists are few and far between) – this can and does lead to potential gaps in coverage.”
Can We Secure Mainframes the Way We Secure Other Stuff?
Let’s start here: while the high-level principles all apply, most of the detailed tech stuff you know does not. As Chad explained in his talk at DerbyCon, don’t go down this road. You can certainly exploit mainframes by traditional means, but (and it’s a big but) there are radical differences in the architecture, the CPU and the instruction set. There is no tribal knowledge, no ready-to-reference FAQs in the traditional Open Systems sense. Below are some of the key obstacles we currently face:
- Penetration Testing Tools: these need to be built or ported to the Z architecture.
- Skilled Folks: there are increasingly few people with the requisite skillset, and even fewer who have the mainframe technical knowledge plus an information security background. As the experienced mainframers leave, the skills leave with them.
- Unhelpful Attitude: good luck finding online support. Responses are often “You should not be doing this.” It’s a culture of keeping it between the people who need to know.
- Complicated System: manuals are thorough. Maybe too thorough. TCP/IP alone for z/OS has 16 manuals, a total of 13384 pages or 59.39 MB worth of PDF files. Everything is documented to the nth degree. There are no quick and dirty FAQs.
“If installing the tool is the easy part of what you’re trying to do then you’re not doing it on a mainframe,” says Chad.
Yes Virginia, You CAN Hack a Mainframe
Most mainframers view their system as impenetrable: safe and closed off. Mainframes do have vulnerabilities, but that information isn’t made public. In fact, no details are released to the clients, only that a patch has been created, along with a CVSS score. IBM decides what users need to know. Given that these systems should be walled off, Phil wondered whether you could find mainframes on the internet, so he went hunting, initially with Shodan and Google. Surprisingly, he found that there were mainframes online. The question was how to connect. Nmap was never built with mainframes in mind; in fact, according to Phil’s recent Skytalks talk, when it did find them, a large majority were reported as “IIS/SSL?”. So, hacker that he is, Phil engineered a fix: he wrote a TN3270 emulator for Nmap in Lua, tn3270lib, which finally delivered the desired results and let him properly identify internet-facing mainframes and take a screenshot of the beautiful TN3270 interface.
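The misidentification Phil ran into comes from the fact that a TN3270 listener is a telnet server first: what it sends on connect is telnet option negotiation, and the 3270-specific options (TERMINAL-TYPE plus END-OF-RECORD for classic TN3270, or the TN3270E option) are what distinguish it from a shell login or a web port answering a telnet client. The following is an added example, not Phil Young’s tn3270lib and not code from the talk: a small parser for that opening negotiation that a defender can run over greetings captured from their own hosts to inventory which listeners are actually 3270 sessions. The option numbers are the standard telnet ones (RFC 854, RFC 1576 for TN3270, RFC 2355 for TN3270E); the sample byte strings are constructed for the example, not captures from any real system.

```python
# Added example (not tn3270lib): parse the telnet option negotiation a
# TN3270/TN3270E server sends on connect and label the listener, so an
# asset inventory can tell mainframe 3270 services apart from plain telnet
# or a web port that got probed by mistake. Sample greetings are constructed.

# Telnet command bytes (RFC 854)
IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE
# Options that matter for 3270 sessions (RFC 1576 classic TN3270, RFC 2355 TN3270E)
OPT_BINARY, OPT_TERMINAL_TYPE, OPT_EOR, OPT_TN3270E = 0x00, 0x18, 0x19, 0x28
TT_SEND = 0x01  # TERMINAL-TYPE subnegotiation: server asks the client for its type

CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}


def parse_negotiation(data: bytes):
    """Split a server's opening bytes into (command, option) pairs and
    subnegotiation payloads. Non-IAC bytes (a login banner, an HTTP error)
    are skipped; a truncated sequence stops parsing instead of raising."""
    commands, subnegs = [], []
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            i += 1                      # ordinary payload byte, not negotiation
            continue
        if i + 1 >= n:
            break                       # lone IAC at end: truncated
        cmd = data[i + 1]
        if cmd == IAC:
            i += 2                      # escaped 0xFF data byte
        elif cmd in CMD_NAMES:
            if i + 2 >= n:
                break                   # option byte missing: truncated
            commands.append((CMD_NAMES[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            j, payload = i + 2, bytearray()
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                if data[j] == IAC and data[j + 1] == IAC:
                    payload.append(IAC)  # escaped 0xFF inside subnegotiation
                    j += 2
                else:
                    payload.append(data[j])
                    j += 1
            if j + 1 >= n:
                break                   # no IAC SE terminator: truncated
            subnegs.append(bytes(payload))
            i = j + 2
        else:
            i += 2                      # other two-byte command (NOP, GA, ...)
    return commands, subnegs


def classify(data: bytes) -> str:
    """Label a captured server greeting by the options it negotiates."""
    commands, _ = parse_negotiation(data)
    offered = {opt for cmd, opt in commands if cmd in ("DO", "WILL")}
    if OPT_TN3270E in offered:
        return "tn3270e"                # option 40 is only used by 3270 servers
    if OPT_TERMINAL_TYPE in offered and OPT_EOR in offered:
        return "tn3270"                 # classic TN3270: terminal-type + end-of-record
    if OPT_TERMINAL_TYPE in offered:
        return "telnet-terminal-type"   # may still be 3270; needs the type exchange to tell
    if commands:
        return "telnet"
    return "not-telnet"                 # nothing negotiated: probably not a telnet port at all


# Constructed sample greetings (not captures from any real system)
SAMPLE_TN3270E = bytes([IAC, DO, OPT_TN3270E])
SAMPLE_TN3270 = (bytes([IAC, DO, OPT_TERMINAL_TYPE])
                 + bytes([IAC, SB, OPT_TERMINAL_TYPE, TT_SEND, IAC, SE])
                 + bytes([IAC, DO, OPT_EOR, IAC, DO, OPT_BINARY]))
SAMPLE_TELNET = bytes([IAC, WILL, 0x01, IAC, WILL, 0x03]) + b"login: "  # ECHO, SUPPRESS-GO-AHEAD
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n"   # what a web port answers to a telnet client
SAMPLE_TRUNCATED = bytes([IAC, DO])             # connection dropped mid-negotiation

if __name__ == "__main__":
    samples = [("tn3270e", SAMPLE_TN3270E), ("tn3270", SAMPLE_TN3270),
               ("telnet", SAMPLE_TELNET), ("http", SAMPLE_HTTP),
               ("truncated", SAMPLE_TRUNCATED)]
    for name, sample in samples:
        print(f"{name:10} -> {classify(sample)}")
```

The parser deliberately treats a missing terminator as "stop" rather than an error, because a greeting captured from a real listener is often cut off by a timeout; the labels stay conservative, so a server that only asks for TERMINAL-TYPE is reported as undecided rather than guessed as a mainframe.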
We Need YOU!
Just ask them – Chad and Phil will both attest that a solid community of like-minded techno-elites such as yourselves is desperately needed to learn this dark art. As Chad says:
“Somehow I feel we need to increase the number of bodies on the ‘good guy’ side for both preventative/testing and incident response should the worst happen. The learning curve is steep. So my goal is to get folks excited about securing their or others’ mainframes (if that’s their job) AND flatten the learning curve by creating easy-to-use tools, integrating into existing frameworks, etc.”
- If you have a mainframe or access to one, you should be testing it.
- If you haven’t got direct access to a box, you can buy an emulator from IBM that will run a virtual mainframe on a Linux machine for a fraction of the cost of the real thing.
- You need to invest time and money in the R&D to secure it.
- All kinds of third-party software runs on mainframes: Java, HR, web, accounting, and lots more. All of these have exploits on x86 systems. How do we know what that looks like on the mainframe? (Hint: many of the same vulnerabilities still apply.)