
Why hackers love mainframe passwords – and what to do about it

Hackers are now very adept at misleading people into revealing their passwords. And they are able to use clever technology to crack, steal or bypass passwords altogether. No hardware platform is immune. So why are IBM’s mainframe customers seemingly reluctant to upgrade their security by incorporating multi-factor authentication? What are the hurdles they face and how can they overcome them?

The state of mainframe security

Research tells us that only one in five mainframe customers are already using – or planning to introduce – multi-factor authentication (MFA) to protect access to data and applications. MFA involves using an extra authentication step or ‘factor’ that is much harder to crack than a password, such as a physical token, a biometric identifier or a time-sensitive single-use PIN generated by a pin-pad or mobile phone.

Low take-up of MFA means the vast majority of mainframe users are still relying on password protection alone. This shocking statistic is one of the key findings of a poll of 81 mainframe users conducted by Macro 4 at the end of last year.

Let’s just stop and think about the implications of that. Mainframe systems are used by many of the world’s biggest enterprises – including the top ten insurers, 44 of the top 50 banks, 18 of the top 25 retailers and 90 per cent of the largest airlines – to run their business. If these systems were undermined by hackers, revenue and reputation would be at risk. The organisations could also face heavy fines for breaching compliance regulations such as GDPR.

The problems with passwords are not all down to hackers, either. There are risks from within the enterprise, too. Users don’t always follow best practice around protecting their passwords. They write them down and don’t update them regularly, or they share them with work colleagues, for example. Like ‘hiding’ your front door key under a stone, a casual attitude to password protection effectively leaves the door open for a current or ex-employee with malicious intent to infiltrate your company’s core business systems.

All this means that, in 2019, relying exclusively on passwords can expose business-critical applications to unacceptable risk.

Multi-factor authentication on the mainframe: awareness is not the problem

Multi-factor authentication (MFA) technology has been around and widely used outside of the mainframe environment for many years. IBM introduced their z/OS MFA solution, which works closely with IBM’s RACF security manager, back in 2016. But it was only in November 2017 that IBM introduced a more complete MFA solution. And there are of course other non-IBM MFA and security managers available.

As part of our research we wanted to gauge awareness of MFA amongst the mainframe community. When questioned, 64 per cent of mainframe users in our survey sample said they are aware that MFA is now available to control access to mainframe applications.

And 59 per cent were aware that MFA is a key component of compliance with regulations – such as the GDPR and the Payment Card Industry Data Security Standard (PCI DSS) – which require enterprises to take effective measures to control and protect access to personal information.

So we can conclude that the low adoption of MFA is not simply due to a lack of awareness.

The number one challenge: changing old code

When asked what they felt were the barriers to implementing MFA, the biggest concern of mainframe users – raised by 28 per cent of our survey sample – was the risk of changing application code in order to support it.

That is not surprising when you consider that mainframe systems have been around for a very long time – having been introduced as far back as the 60s and 70s as a reliable platform to host business-critical applications. Many mainframe applications are old, bespoke, and extend to millions of lines of code that companies are wary of changing due to a lack of people within the business with the right knowledge and skills to do so.

Changing code in an application that is not well understood or perhaps even well documented could have unpredictable results, so many companies would understandably prefer to leave well alone. 

The impact of skills shortages

A lack of skills was in fact among the other barriers highlighted. 25 per cent of the sample said they felt MFA was not being adopted by the mainframe community due to a lack of mainframe skills. A further 22 per cent mentioned the lack of IT security skills.

On top of this, 22 per cent of the mainframe users we surveyed cited the challenges and cost of installing MFA hardware and a further 17 per cent mentioned the challenges and cost of installing MFA software as barriers to implementation. 

Expect end-user resistance

Another barrier to MFA adoption is resistance from end users, highlighted by 21 per cent of the sample. It is common to experience ‘push-back’ from colleagues who are unhappy about being forced to learn and embrace new and unfamiliar authentication systems that aren’t as convenient as just typing in a user ID and password.

This kind of end-user resistance is even higher outside of the mainframe world. In a separate survey of large enterprises, 63 per cent of decision makers said they experienced a backlash from employees who did not want to use multi-factor authentication.

User resistance is therefore to be expected, but should not deter companies from adopting MFA. Instead they need to put measures in place to make the authentication process easier for users.

So what can be done to reassure enterprises that introducing MFA on the mainframe is viable? And what options are available to help them take on the perceived challenges? 

1. Minimising application disruption

First let’s address the concerns around disruption. The truth is that introducing MFA does not always require changes to be made to the mainframe application itself.

This is the case, for example, if you are using modern mainframe session management software to provide end users with ‘single sign-on’ access to their mainframe applications.

Many z/OS customers already use mainframe session managers. They require users to go through the login process only once – at the start of the day – after which they can access all their applications without having to log in to each one separately. Users can also switch between their applications throughout the working day without having to re-authenticate each time.

By choosing to introduce MFA on the session manager, you don’t actually touch the underlying applications themselves, so there are no risky changes to worry about. Some older mainframe applications may not even be compatible with MFA, so using a session manager avoids additional coding, testing and deployment to support MFA.
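The pattern described in this section (and the time-sensitive single-use PIN mentioned when MFA was defined earlier) can be made concrete with a small model. The code below is an added illustration, not Macro 4’s product or IBM’s z/OS MFA: a hypothetical `SessionManager` is the single front door that checks a password plus an RFC 6238 time-based one-time code, then hands out a session token that opens any number of back-end applications without those applications authenticating the user again. The user IDs, application names, salt and TOTP secret are constructed sample values (the secret is the well-known RFC 6238 test key), and the fixed `now` in `demo()` exists only to make the run reproducible.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HOTP over HMAC-SHA1) for the time window containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for whatever the site's existing security manager does with passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionManager:
    """Hypothetical session manager: MFA happens here, once, and the applications
    behind it only ever receive an already-authenticated user ID."""

    def __init__(self, users, apps, step=30, skew=1):
        self.users = users        # user_id -> {"salt", "pw_hash", "totp_secret"}
        self.apps = apps          # app name -> function(user_id) -> screen text
        self.step, self.skew = step, skew
        self.sessions = {}        # session token -> user_id
        self.used = set()         # (user_id, counter) codes already accepted

    def login(self, user_id, password, code, now=None):
        """Return a session token on success, None on any failure."""
        now = int(time.time()) if now is None else now
        rec = self.users.get(user_id)
        if rec is None:
            return None
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
            return None
        base = now // self.step
        # Accept neighbouring windows for clock drift, but each code only once.
        for counter in range(base - self.skew, base + self.skew + 1):
            expected = totp(rec["totp_secret"], counter * self.step, self.step)
            if hmac.compare_digest(expected, code) and (user_id, counter) not in self.used:
                self.used.add((user_id, counter))
                token = secrets.token_hex(16)
                self.sessions[token] = user_id
                return token
        return None

    def open_app(self, token, app_name):
        """Switch to an application using the session; no re-authentication."""
        user_id = self.sessions.get(token)
        if user_id is None or app_name not in self.apps:
            return None
        return self.apps[app_name](user_id)


def demo():
    secret = b"12345678901234567890"             # constructed: RFC 6238 test secret
    salt = b"constructed-salt"
    users = {"KEITH01": {"salt": salt,
                         "pw_hash": hash_password("correct horse", salt),
                         "totp_secret": secret}}
    # Legacy applications, untouched by MFA: they just take a user ID.
    apps = {"PAYROLL": lambda uid: f"PAYROLL menu for {uid}",
            "CLAIMS": lambda uid: f"CLAIMS menu for {uid}"}
    sm = SessionManager(users, apps)
    now = 59                                     # fixed for a reproducible run
    token = sm.login("KEITH01", "correct horse", totp(secret, now), now=now)
    return sm, token, secret, now


if __name__ == "__main__":
    sm, token, secret, now = demo()
    print(sm.open_app(token, "PAYROLL"))
    print(sm.open_app(token, "CLAIMS"))
    print("replay accepted:", sm.login("KEITH01", "correct horse", totp(secret, now), now=now) is not None)
```

The point to notice is where the MFA logic lives: `totp`, the replay set and the drift window are all inside `SessionManager.login`, so swapping the second factor (a different token type, a new app) changes one component, while `PAYROLL` and `CLAIMS` stay exactly as they were.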

2. Getting users on side

Next let’s tackle the challenge of end-user resistance. First, make sure any roll-out of MFA is underpinned with a training programme that educates users about the importance of strengthened security on the mainframe, and the risks of relying solely on password authentication.

Second, get executive sponsorship. MFA must be seen by everyone to have the full and firm backing of senior leadership across the enterprise – not just IT management and security experts. It should be explained that improving security is not just an IT initiative: it is an important business priority that reduces risk to the whole organisation.

Third, make MFA as easy and frictionless as possible for users. For example, when logging on, users could be shown help and guidance messages – or reminders about the new authentication process – to minimise any initial confusion and to help make the introduction of MFA a user-friendly experience. Displaying this kind of on-screen guidance is simple and easy to do on a session manager login screen, for instance. 

3. Mainframe skills shortages

One way to minimise the impact of skills shortages is to limit the need for mainframe specialists when installing and supporting MFA on IBM Z. Once again it’s session management software that comes to the rescue. By introducing your MFA system on a session manager you save time and effort and minimise the amount of application coding, testing and deployment required. It means MFA only has to be implemented in one place – the session manager – rather than on the many individual applications that are typically hosted on a mainframe.

Similarly, once you have implemented MFA on a session manager, there is a limited requirement for mainframe skills for ongoing administration and support. If you want to change something, such as introducing new MFA hardware – different key fobs, for instance – or just roll out software updates, then this can all be implemented and tested against the session manager rather than against the multitude of underlying mainframe applications.

4. Managing MFA costs and complexity

Mainframe IT teams that do not have experience of MFA should consider involving a specialist security consultancy – both when selecting the appropriate software and hardware options and to help with the overall complexity of creating an effective, secure, long-term solution for the organisation. Any solution has to be easy to use and support, while providing a high level of protection. All without breaking the bank.

A consultant can help you save money by providing advice on hidden costs such as the end-user training required for different authentication options and the ease of administration of those options. Should you use a mobile app or a separate pin-pad that users carry with them, for example? And what is the backup plan if a user loses their phone or hardware device?

Considering these issues at the outset avoids problems later. I have come across mainframe users who have tried to implement MFA without either recruiting people with the right specialist skills or involving a third party, and their plans have dragged on with recurring delays. In the long run, if you want to limit the cost and ensure a successful and timely implementation, it makes sense to invest in the right skills to help you make the right technology decisions.

Any new technology roll-out will bring challenges, whether they are technical hurdles, concerns over resources or reluctance from those who aren’t comfortable with having to change. However, there are ways and means to address these issues and limit the costs. Adopting MFA is something mainframe shops simply must find a way to do, and the good news is that there are options available to make the whole process easier.

Keith Banham, mainframe research and development manager, Macro 4
