It seems that every week we’re reading about an Internet security breach at some company or agency. Of course, you don’t want it to be your company, but if it is, you want to be able to respond effectively. Here we discuss how to determine the risk of an Internet attack on your mainframe and what to do if it does happen.
Your most recent IS audits may not have clearly outlined whether you’re at risk of Internet attacks on your mainframe. To get the answer yourself, follow these steps.
First, a basic principle of Internet security is to have several layers of protection. If a hacker can break into just one computer and access your information assets, that’s too easy. However, if a hacker has to break into one computer to access a second computer, and then has to break into the second computer before reaching your mainframe, this can be reasonable protection.
To understand your risk, ask your telecom staff and mainframe security staff to meet with you. They should draw a circle representing your mainframe and any other computers with valuable assets. They will then draw additional circles around that circle, showing the outer rings of protection, including firewalls. Ask them to walk you through the barriers a hacker would have to break through to get to your mainframe from the Internet. Ask them if there are any backdoors that would make it easy to bypass the barriers. (A good test is to ask if there are any employee PCs connected to your intranet that have modems connected to a phone line. If an employee leaves such a PC on, running remote-access software such as PC-Anywhere so he can dial in from home, that modem could bypass all your firewalls.)
Second, following the principle of multiple layers of security, make sure your mainframe security staff is using all the applicable tools to protect Internet connections. This could include security software (e.g., RACF, ACF2, or Top Secret) using the SERVAUTH resource class, blocking of all unused ports, Policy Agent software, encryption including Secure Sockets Layer (SSL), and formal change control over all the programs, JCL, and control files belonging to the Internet daemons (e.g., FTP). It’s common for mainframes to be connected to the Internet without careful implementation of these tools.
If you have DB2 applications facing the Internet, make sure there’s formal review of code to protect against SQL injection attacks. SQL injection vulnerabilities may be one of the most common weaknesses in mainframe Internet security.
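As an aid to that code review, here is an added example (not from the original article) of a first-pass scan over COBOL source with embedded DB2 SQL. It flags dynamic SQL (EXECUTE IMMEDIATE or PREPARE) whose statement text was assembled with the COBOL STRING verb, and leaves static SQL with host variables and PREPARE with parameter markers alone. The function name and the sample program are constructed for illustration, and the scan assumes statements are built with STRING in the same source file.

```python
import re

# Constructed COBOL fragment with embedded DB2 SQL (not from any real application).
SAMPLE = """\
       MOVE WS-INPUT-ID TO HV-CUST-ID.
       EXEC SQL
           SELECT NAME INTO :HV-NAME FROM CUSTOMER
           WHERE CUST_ID = :HV-CUST-ID
       END-EXEC.
       STRING 'DELETE FROM ORDERS WHERE ID = ' WS-INPUT-ID
           DELIMITED BY SIZE INTO WS-STMT.
       EXEC SQL EXECUTE IMMEDIATE :WS-STMT END-EXEC.
       MOVE 'SELECT NAME FROM CUSTOMER WHERE CUST_ID = ?' TO WS-QRY.
       EXEC SQL PREPARE S1 FROM :WS-QRY END-EXEC.
       STRING 'SELECT * FROM ACCT WHERE OWNER = ''' WS-INPUT-NAME ''''
           DELIMITED BY SIZE INTO WS-DYN.
       EXEC SQL PREPARE S2 FROM :WS-DYN END-EXEC.
"""

# COBOL literal on one line; a doubled quote inside it is an escaped quote.
LITERAL = re.compile(r"'(?:[^'\n]|'')*'")
# STRING ... INTO target: the COBOL verb that concatenates fields into one field.
STRING_INTO = re.compile(
    r"(?<![A-Z0-9-])STRING(?![A-Z0-9-]).*?\bINTO\s+([A-Z0-9-]+)", re.I | re.S)
# Dynamic SQL that takes its statement text from a host variable.
DYNAMIC = re.compile(
    r"EXEC\s+SQL\s+(EXECUTE\s+IMMEDIATE|PREPARE\s+[A-Z0-9_-]+\s+FROM)"
    r"\s+:([A-Z0-9-]+)", re.I)


def find_concatenated_dynamic_sql(source):
    """Return (line, verb, host_variable) for dynamic SQL run from a STRING-built field."""
    # Blank out literals so keywords inside SQL text (e.g. 'INSERT INTO') are ignored.
    code = LITERAL.sub("''", source)
    built = {m.group(1).upper() for m in STRING_INTO.finditer(code)}
    findings = []
    for m in DYNAMIC.finditer(code):
        var = m.group(2).upper()
        if var in built:
            line = code.count("\n", 0, m.start()) + 1
            prepared = m.group(1).upper().startswith("PREPARE")
            findings.append((line, "PREPARE" if prepared else "EXECUTE IMMEDIATE", var))
    return findings


if __name__ == "__main__":
    for line, verb, var in find_concatenated_dynamic_sql(SAMPLE):
        print(f"line {line}: {verb} runs text assembled by STRING into {var}")
```

Each finding is a place for the reviewer to confirm whether user-supplied input reaches the concatenated field; the scan does not follow MOVE chains or statements built in other programs.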
Third, make sure you know where all your information assets are located. If some department has its own LAN connected to the Internet, or outside the protection provided by your firewalls, is there valuable information stored there? If so, and there was an Internet breach, would you or the department be held accountable?
There’s a straightforward solution to this problem: Modify the forms where the owners of an application request protection of their data. Add a check box for them to specify that their data shouldn’t be located outside the data center or on Internet-facing computers. Ask the owners to review their requests using the new forms because you want to provide them with protection against Internet attacks.
This approach can also address another problem you face: Your CEO loves her Apple iPad and wants to use it to connect to the mainframe. Other employees see the CEO doing this and want to do it, too. Add a checkbox to the request form specifying that an application’s data is not to be copied onto laptops or handheld devices or anywhere outside the data center. This checkbox technique solves a problem by reframing responsibility. You don’t have the authority to tell the CEO not to use her iPad, but the owners of applications do have the authority to specify how their data is to be protected. If they request tight access controls, you can and should carry out their request.
Next, meet with your public relations department now to plan how to respond if there’s a breach. They will help you say the right things the right way, and they can work to provide the newspapers with a balanced story.
Finally, tell the rest of your organization what you’re doing and what they need to do to protect against Internet breaches. They will welcome your reassurance.