Why hackers love mainframe passwords – and what to do about it

Hackers are now very adept at misleading people into revealing their passwords. And they are able to use clever technology to crack, steal or bypass passwords altogether. No hardware platform is immune. So why are IBM’s mainframe customers seemingly reluctant to upgrade their security by incorporating multi-factor authentication? What are the hurdles they face and how can they overcome them?

The state of mainframe security

Research tells us that only one in five mainframe customers are already using – or planning to introduce – multi-factor authentication (MFA) to protect access to data and applications. MFA involves using an extra authentication step or ‘factor’ that is much harder to crack than a password, such as a physical token, a biometric identifier or a time-sensitive single-use PIN generated by a pin-pad or mobile phone.

Low take-up of MFA means the vast majority of mainframe users are still relying on password protection alone. This shocking statistic is one of the key findings of a poll of 81 mainframe users conducted by Macro 4 at the end of last year.

Let’s just stop and think about the implications of that. Mainframe systems are used by many of the world’s biggest enterprises – including the ten top insurers, 44 of the top 50 banks, 18 of the top 25 retailers and 90 per cent of the largest airlines – to run their business. If these systems were undermined by hackers, revenue and reputation would be at risk. The organisations could also face heavy fines for breaching compliance regulations such as GDPR. 

The problems with passwords are not all down to hackers, either. There are risks from within the enterprise, too. Users don’t always follow best practice around protecting their passwords. They write them down and don’t update them regularly, or they share them with work colleagues, for example. Like ‘hiding’ your front door key under a stone, a casual attitude to password protection effectively leaves the door open for a current or ex-employee with malicious intent to infiltrate your company’s core business systems.

All this means that, in 2019, relying exclusively on passwords can expose business-critical applications to unacceptable risk.

Multi-factor authentication on the mainframe: awareness is not the problem

Multi-factor authentication (MFA) technology has been around and widely used outside of the mainframe environment for many years. IBM introduced their z/OS MFA solution, which works closely with IBM’s RACF security manager, back in 2016. But it was only in November 2017 that IBM introduced a more complete MFA solution. And there are of course other non-IBM MFA and security managers available.

As part of our research we wanted to gauge awareness of MFA amongst the mainframe community. When questioned, 64 per cent of mainframe users in our survey sample said they are aware that MFA is now available to control access to mainframe applications.

And 59 per cent were aware that MFA is a key component of compliance with regulations – such as the GDPR and the Payment Card Industry Data Security Standard (PCI DSS) – which require enterprises to take effective measures to control and protect access to personal information.

So we can conclude that the low adoption of MFA is not simply due to a lack of awareness.

The number one challenge: changing old code

When asked what they felt were the barriers to implementing MFA, the biggest concern of mainframe users – raised by 28 per cent of our survey sample – was the risk of changing application code in order to support it.

That is not surprising when you consider that mainframe systems have been around for a very long time – having been introduced as far back as the 60s and 70s as a reliable platform to host business-critical applications. Many mainframe applications are old, bespoke, and extend to millions of lines of code that companies are wary of changing due to a lack of people within the business with the right knowledge and skills to do so.

Changing code in an application that is not well understood or perhaps even well documented could have unpredictable results, so many companies would understandably prefer to leave well alone. 

The impact of skills shortages

A lack of skills was in fact among the other barriers highlighted. 25 per cent of the sample said they felt MFA was not being adopted by the mainframe community due to a lack of mainframe skills. A further 22 per cent mentioned the lack of IT security skills.

On top of this, 22 per cent of the mainframe users we surveyed cited the challenges and cost of installing MFA hardware and a further 17 per cent mentioned the challenges and cost of installing MFA software as barriers to implementation. 

Expect end-user resistance

Another barrier to MFA adoption is resistance from end users, highlighted by 21 per cent of the sample. It is common to experience ‘push-back’ from colleagues who are unhappy about being forced to learn and embrace new and unfamiliar authentication systems that aren’t as convenient as just typing in a user ID and password.

This kind of end-user resistance is even higher outside of the mainframe world. In a separate survey of large enterprises, 63 per cent of decision makers said they experienced a backlash from employees who did not want to use multi-factor authentication.

User resistance is therefore to be expected, but should not deter companies from adopting MFA. Instead they need to put measures in place to make the authentication process easier for users.

So what can be done to reassure enterprises that introducing MFA on the mainframe is viable? And what options are available to help them take on the perceived challenges? 

1. Minimising application disruption

First let’s address the concerns around disruption. The truth is that introducing MFA does not always require changes to be made to the mainframe application itself.

This is the case, for example, if you are using modern mainframe session management software to provide end users with ‘single sign-on’ access to their mainframe applications.

Many z/OS customers already use mainframe session managers. They require users to go through the login process only once – at the start of the day – after which they can access all their applications without having to log in to each one separately. Users can also switch between their applications throughout the working day without having to re-authenticate each time.

By choosing to introduce MFA on the session manager, you don’t actually touch the underlying applications themselves, so there are no risky changes to worry about. Some older mainframe applications may not even be compatible with MFA, so using a session manager avoids additional coding, testing and deployment to support MFA.

2. Getting users on side

Next let’s tackle the challenge of end-user resistance. First, make sure any roll-out of MFA is underpinned with a training programme that educates users about the importance of strengthened security on the mainframe, and the risks of relying solely on password authentication.

Second, get executive sponsorship. MFA must be seen by everyone to have the full and firm backing of senior leadership across the enterprise – not just IT management and security experts. It should be explained that improving security is not just an IT initiative: it is an important business priority that reduces risk to the whole organisation.

Third, make MFA as easy and frictionless as possible for users. For example, when logging on, users could be shown help and guidance messages – or reminders about the new authentication process – to minimise any initial confusion and to help make the introduction of MFA a user-friendly experience. Displaying this kind of on-screen guidance is simple and easy to do on a session manager login screen, for instance. 

3. Mainframe skills shortages

One way to minimise the impact of skills shortages is to limit the need for mainframe specialists when installing and supporting MFA on IBM Z. Once again it’s session management software that comes to the rescue. By introducing your MFA system on a session manager you save time and effort and minimise the amount of application coding, testing and deployment required. It means MFA only has to be implemented in one place – the session manager – rather than on the many individual applications that are typically hosted on a mainframe.

Similarly, once you have implemented MFA on a session manager, there is a limited requirement for mainframe skills for ongoing administration and support. If you want to change something, such as introducing new MFA hardware – different key fobs, for instance – or just roll out software updates, then this can all be implemented and tested against the session manager rather than against the multitude of underlying mainframe applications.

4. Managing MFA costs and complexity

Mainframe IT teams that do not have experience of MFA should consider involving a specialist security consultancy – both when selecting the appropriate software and hardware options and to help with the overall complexity of creating an effective, secure, long-term solution for the organisation. Any solution has to be easy to use and support, while providing a high level of protection. All without breaking the bank.

A consultant can help you save money by providing advice on hidden costs such as the end-user training required for different authentication options and the ease of administration of those options. Should you use a mobile app or a separate pin pad that users carry with them, for example? And what is the backup plan if a user loses their phone or hardware device?

Considering these issues at the outset avoids problems later. I have come across mainframe users who have tried to implement MFA without either recruiting people with the right specialist skills or involving a third party, and their plans have dragged on with recurring delays. In the long run, if you want to limit the cost and ensure a successful and timely implementation, it makes sense to invest in the right skills to help you make the right technology decisions.

Any new technology roll-out will bring challenges, whether they are technical hurdles, concerns over resources or reluctance from those who aren’t comfortable with having to change. However, there are ways and means to address these issues and limit the costs. Adopting MFA is something mainframe shops simply must find a way to do, and the good news is that there are options available to make the whole process easier.

Keith Banham, mainframe research and development manager, Macro 4

Image source: Shutterstock/scyther5
