Sep 9, 2020

Worried about a Ransomware attack on your mainframe?

Maybe you should be. Z/OS is just as vulnerable as other platforms. Typical hacker techniques, such as infected email attachments and keystroke capture programs can be aimed at a mainframe attached PC. Phishing for valid credentials or simply buying them on the dark web are even simpler. As Forrester, in a 2019 research article says Perimeter security has failed. Good access security and firewalls are requirement, just not enough on their own. Chad Rikansrud, a respected cyber-security expert, exposes an all too real scenario of how vulnerable mainframes actually are. In his presentation to IBM SHARE outlines simple attacks hackers can use to infiltrate your mainframe. That is why central banks and security frameworks in PCI, NIST and GDPR protocols now include Whitelisting of approved software and ensuring that you backups have integrity. Classic products don’t include ransomware specific features because the threat is too new, and that should make everyone worried. That is why we created FIM+. Because no other product fills those gaps for mainframes. What makes ransomware truly insidious is that it is relatively easy perpetrate. Just break through perimeter defenses and encrypt something that hurts. No data to collect, get outside, and sell, just ask for the ransom. Once a hacker gets access to an attached workstation, they can start finding you weakest links. Pretty soon they are searching your catalog and finding your most sensitive databases. Over the years, hackers have found that good detection capabilities and reliable backups allow target companies to recover from an attack. So now they try to compromise your backups first so when they encrypt your database, you’re defenseless. When you finally get the ransom note you’d better get ready to pay since you are already compromised and out of time to react.

What can FIM+ do to help? Whitelisting is the number 1 recommendation of most security experts to avoid ransomware attacks. From the outset FIM+ has been able to discover of all of the programs, parameters, JCL and other components essential to the operation of your system. It then monitors those key elements to make sure no unauthorized changes are made. FIM+ stores the whitelist in an encrypted vault that includes support for multiple software versions and on-going changes. Another layer of protection is super-fast backup verification. FIM+ ensures that backups and image copies have integrity. If that changes FIM+ provides you a valuable early warning that you are about to be ransomed. However, you need to react fast, likely in minutes. Instantaneous alerts from our real-time monitoring of key components is another way FIM+ helps you stay ahead of hackers. With an email or text alert delivered directly to their phone, your response team knows the second things are changed and can react before real damage occurs. Automated forensics now kicks in. With 3270 and GUI interfaces FIM+ helps both experienced and newer support staff see all the relevant information needed to take corrective action. Now, what was altered, which IDs are implicated, the scope of impact, are known with a single click. This includes SMF access records and perhaps approval info from your change management system. Since FIM+ knows when things were last correct, it can select only info from the attack interval. That eliminates the need to review thousands of redundant access records that just complicate your response efforts. In addition, FIM+ can automatically quarantine files that are found to be incorrect. The guilty user ID can be suspended immediately, so it can’t inflict more damage. Policy-managed recovery activities allow the team to react correctly.

At each step complete audit records are retained. So not only is your security better you can prove PCI, NIST, GDPR compliance to any auditor. The Bottom Line? If you have FIM+ in place, a hacker can gain access to an attached PC. But what is really different is when they hit the mainframe. With continuous Whitelist, and backup monitoring, the response team is notified immediately of all malicious changes, including a ransom attack. Can you?