IT Management

Mainframe Hacking: Fact or Fiction?

In the early days of computing, everything was easier to secure. The data center was behind a wall of glass and secured behind locked doors opened only by those chosen few with the magic key. Data security was rudimentary compared to today; RACF was in its infancy; and data theft, destruction, and alteration did occur, but always as an inside job. Even in those early years, tools existed to tighten controls on data access, but it was up to systems programmers to use them.

Data communications, based on Binary Synchronous Communications (BSC) or Systems Network Architecture (SNA)/Synchronous Data Link Control (SDLC), used analog circuits. These were so difficult to hack that they were never seriously considered as a major point of entry for illicit activity. That is quite the opposite of today, where the common backbone network—the Internet—links everyone to everything, creating a tremendous number of possibilities for attack. In the ’60s and ’70s, establishing a high-speed circuit with conditioning from New York to Los Angeles required coordinating with several telephone companies across the continent, and waiting six months or longer. Now worldwide connectivity is as close as your local ISP and the wall jack in your office.

A widely held opinion is that computers are computers; thus, they’re all subject to the same security issues. This is true to some extent, but all computers aren’t created equal; you get what you pay for, and the combination of an extensive, feature-rich hardware architecture coupled with a mature, stable operating system can provide a formidable fortress. Programmers who properly use tools such as RACF can enshroud applications in effective security and stop an unauthorized application from accessing prohibited resources.

If you want proof of this claim, consider what you can find by searching news archives and trade journals, looking for references to mainframes and data loss, hacking, security breaches, and similar topics. Recent research included checking the archives of ComputerWorld, InformationWeek, and The Wall Street Journal for reports of unauthorized access of any traditional mainframe environment via userid/password exploitation, corruption of a mainframe-based networking resource, or contamination of a mainframe system software component.

This list of topics may sound decidedly short, but it represents the basic foundation of mainframe safety, security, and integrity. This isn’t to trivialize the security implications of online transaction processing systems such as CICS or IMS, but these application environments interface with the underlying system security components and can provide programmed security with or without additional authorizations from the system security manager component. Application security within a transaction processing environment is dependent upon the designer and programmer. Poor design will beget a poor application with poor control. RACF will stop an unauthorized application from accessing prohibited resources, but it must be correctly applied.
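To make “correctly applied” concrete, here is an added example of RACF dataset protection, not drawn from the article. The dataset name PROD.PAYROLL.**, the groups PAYROLL and PAYBATCH, and the audit settings are assumptions chosen for illustration; the TSO command names and keywords are standard RACF commands. The first profile shows the weak pattern an auditor should look for (a profile that exists but does not enforce), the second shows the default-deny form.

```tso
/* Weak: a profile exists, but UACC(READ) lets every user read payroll data,  */
/* and WARNING mode only logs violations instead of failing them.              */
/* (Hypothetical dataset name used for illustration.)                          */
ADDSD 'PROD.PAYROLL.**' UACC(READ) WARNING

/* Corrected: default-deny, audit every access, no WARNING mode.               */
/* Generic profiles (the ** pattern) require SETROPTS GENERIC(DATASET).        */
SETROPTS GENERIC(DATASET)
ADDSD 'PROD.PAYROLL.**' UACC(NONE) AUDIT(ALL(READ)) NOWARNING

/* Grant least-privilege access by group, not by individual userid.            */
/* PAYROLL and PAYBATCH are hypothetical groups.                               */
PERMIT 'PROD.PAYROLL.**' ID(PAYROLL)  ACCESS(READ)
PERMIT 'PROD.PAYROLL.**' ID(PAYBATCH) ACCESS(UPDATE)

/* Close the gap for datasets that have no profile at all: with PROTECTALL     */
/* in FAILURES mode, an unprotected dataset is denied rather than open.       */
SETROPTS PROTECTALL(FAILURES)

/* Verification: list the profile and its access list to confirm UACC(NONE),   */
/* NOWARNING, and that only the intended groups appear.                        */
LISTDSD DATASET('PROD.PAYROLL.**') AUTHUSER
```

The check a reviewer would run is the LISTDSD at the end: a profile showing UACC(READ), WARNING, or individual userids with UPDATE is the kind of misconfiguration that lets an insider with a valid logon reach data the design never intended to expose, which is exactly the insider risk the article raises.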

Browsing the archives was an interesting endeavor. When it came to unauthorized mainframe access by outside hackers, there wasn’t a single published report among nearly 850 full-text documents published over the last decade. Many reports concerned data theft and data loss in which a mainframe was the primary processor but not the focus of the hacking. In those cases, peripheral networking equipment or intermediate servers were successfully targeted; the mainframe was never touched. Theft of data in this manner was the most prevalent and damaging due to Personally Identifiable Information (PII) involved, such as credit card information, medical data, membership records, etc.

Next most frequent was theft of media containing sensitive data. This category includes tapes, optical media, flash drives, laptops, and desktop computers. Physical control of removable media and equipment seems to be the easiest security method to implement, but the alarming rate of theft occurrences reported suggests that by itself, it’s insufficient.

Although no news items mentioned failed mainframe security, that doesn’t mean there were no intrusions. A random hacker may not be able to squeak past a properly configured RACF userid/password challenge, but a disgruntled employee or other insider might.

Several news accounts described unauthorized data access by employees, but this type of security violation is more difficult to thwart due to the attacker’s access to internal information. Proper procedures development and enforcement can significantly mitigate this type of problem.

VM experts Melinda Varian, Dave Jones, and Phil Smith III recounted one infamous example of mainframe hacking that took place in 1987—the IBM XMASCARD EXEC procedure written in Rexx that was sent to VM/CMS users. The program displayed a “Merry Christmas” message on the 3270 display and then proceeded to read in the user’s address book and automatically send itself to every address it found. The resulting traffic overloaded IBM’s internal VNET and the BITNET.