System z’s are vulnerable to “insider attacks” when the system configuration or ACP controls are improperly implemented. It is important to realize that “insiders” does not just include employees. It also includes contractors, as well as hackers who have stolen the logon credentials of trusted insiders, which is how the Pirate Bay hacker gained his initial entry into the System z’s at Logica and the Nordea Bank in Scandinavia (2). Once an attacker is inside the System z perimeter, the system is vulnerable for the reasons listed above and others as well.
It is crucial that organizations realize that while their System z’s are vulnerable to “insider attacks”, System z is a highly securable system if properly configured. I have heard from several organizations that their System z’s have been secure for more than 40 years and are now waiting for an Audit Report finding to justify further investment. So instead of being proactive, these organizations are more focused on being reactive. Think about the harm this attitude risks, both to the organization and to the individuals whose data it holds.
(1) 1974 SHARE Presentation on Data Security Requirements www.share-sec.com/history.html
(2) Pirate Bay co-founder charged with hacking IBM mainframes, stealing money http://www.pcworld.com/article/2034733/pirate-bay-cofounder-charged-with-hacking-ibm-mainframes-stealing-money.html
About the Author
Barry Schrager, creator of ACF2, started in data security in the early 1970s when he introduced TSO (IBM’s Timesharing Option) to the faculty, staff, and students at the University of Illinois in Chicago, where he was Assistant Director of the Computer Center. TSO provided the full capabilities of the Operating System, then MVT, to its users, which meant they could allocate and delete datasets, write programs to access them, etc. The problem was that there was no usable security available on the system: the only security was password protection, where the console operator would be prompted for the password for batch jobs and the TSO user for TSO sessions. There was also no way to identify and validate users gaining access to the system from batch jobs. Students began modifying and deleting datasets just for fun. If you think about it, they would be called “hackers” today.
So, Barry wrote a user validation system called Resident Account to validate all users for access to the system and then had Eberhard Klemens, who was working for him at the time, develop intercepts to control access to datasets based upon the first character of the second level index. So, for example, a dataset named userid.$xyz.data would, because of the $, be accessible only to the user himself, and a dataset named userid.#xyz.data would be accessible to everyone for read access only. This allowed faculty and students doing research to protect their data and allowed professors to share data in a read-only mode with their classes.
Because of this work, in 1972 Barry was asked to form the Security Project within the SHARE organization and, in 1974, the Project submitted its requirements to IBM, which included “protection by default” and “algorithmic grouping of datasets and users” (think ACF2 pattern masking and RACF generic profiles). IBM responded in 1976 with RACF, which did not meet the requirements, and told Barry they were not achievable, so Barry worked on developing a system that would meet the requirements. This was done as a prototype at the University of Illinois, and then the London Life Insurance Company of London, Ontario, Canada supported the development of the commercial product, ACF2.
ACF2 was the first commercially successful security system and was, and in many cases is still being, used by the Executive Office of the President of the United States, the Senate, the CIA, NSA, M-5, the Federal Reserve System, the FDIC, General Motors, Chrysler, Procter & Gamble, the entire Australian Government, and many other significant organizations. When SKK was acquired by UCCEL at the end of 1986, ACF2 had a 60% market share against both IBM’s RACF and CA’s Top Secret.
Barry continues to be involved in mainframe data security as President of Xbridge Systems, Inc. (www.xbridgesystems.com), the developer of the mainframe data discovery product, DataSniff, and is honored to be a member of Enterprise System Media's Mainframe Hall of Fame, which includes such luminaries as Dr. Gene Amdahl and Admiral Grace Hopper. For more on the history of data security, see the SHARE Security Project’s History at www.share-sec.com/history.html.