The percentage of internal breaches increased from 15 percent in 2003 to 44 percent in 2008; that dramatic change was noted in a 2008 survey commissioned by CA Technologies. The same survey showed that most IT leaders consider internal security threats a bigger risk to business than external attacks.
In the mainframe world, we’ve focused our efforts on securing our systems from outside threats and controlling the abuse of privileges by our massive user communities. Unfortunately, we’re missing exposures that, as noted in the survey, originate on the inside.
Efforts to secure the mainframe date back to the early ’70s. The SHARE Security Project was formed in 1971, and it immediately began deliberations on how to secure IBM systems. The committee went around in circles, dealing with the issues of system integrity and system security, often confusing the two concepts. None of the members were satisfied with the non-existent level of security provided by the then-current IBM operating system, OS/MVT.
Then, in 1973, IBM announced a new operating system, OS/VS2 Release 2, which included this system integrity statement as part of the IBM VS2 Release 2 Planning Guide:
System integrity is defined as the ability of the system to protect itself against unauthorized user access to the extent that the security controls can’t be compromised. That is, there’s no way for an unauthorized problem program using any system interface to:
- Bypass store or fetch protection; i.e., read or write from or to another user’s areas
- Bypass password checking; i.e., access password-protected data for which a password hasn’t been supplied
- Obtain control in an authorized state.
In VS2 Release 2, all known integrity exposures have been removed. IBM will accept as valid, any APAR that describes an unauthorized program’s use of any system interface (defined or undefined) to bypass store or fetch protection, to bypass password checking, or to obtain control in an authorized state.
The system integrity statement preceded the advent of any of the three mainframe security systems:
- Resource Access Control Facility (RACF), which IBM introduced in 1976
- ACF2, developed by SKK Inc. in 1978 and now owned by CA Technologies
- Top Secret, developed by CGA Allen in 1981 and now owned by CA Technologies.
Before the advent of these security systems, the only method used to protect data was rudimentary passwords, but when reading the integrity statement it’s easy to replace the concept of simple password protection with the controls of a security system. Clearly, even as far back as 1973, mainframe security systems were built on, and dependent on, the foundation of operating system integrity.
IBM has done a commendable job of maintaining system integrity over the years and has been responsive to any reported system integrity exposure. But what about:
- Independent Software Vendor (ISV) products
- Locally developed exits and authorized programs
- Software obtained from other installations via shareware such as the CBT Tape (see www.cbttape.org)?
System integrity exposures are particularly exploitable by insiders, who accounted for almost half of the documented breaches in 2008.