I first wrote about the risks that the Internet of Things (IoT) portended back in 2014. Even then, it was obvious the rush to commercialize the new technology was leaving gaps that thieves and cyber terrorists would inevitably exploit.
As organizations scramble to profit from new technology, the risks to enterprise mainframes increase, which requires new safeguards against them. The IoT is a technology that will bring additional value, convenience, and productivity — there’s no doubt about that. Unfortunately, we will experience periods when the security of IoT devices is going to expose enterprises and individuals to very negative outcomes.
What Does Mainframe Have to Do With IoT?
As a data security professional, I follow Brian Krebs, an American journalist and investigative reporter known for his coverage of profit-seeking cybercriminals. The excellence of his reporting has made him one of the premier voices in the data security space, and his outspokenness has made him one of the notable targets for those who want to demonstrate their technical or cybercriminal expertise. His site, Krebs on Security, suffered one of the largest distributed denial of service (DDoS) attacks, in which access to his site was drowned by as much as 665 Mbps. The most interesting element, however, was the origination points of that deluge of data. As Krebs himself notes, “… The huge assault this week…appears to have been launched almost exclusively by a very large bot net of hacked devices.”
A second attack of a similar nature impacted a far broader audience than data security professionals seeking to read a blog. It affected consumers of a wide variety of online services, including Netflix, Spotify, Twitter, Pinterest, CNN, Tumblr, Reddit, and more. The attack impacted these services across a broad swath of the United States, and succeeded by attacking not the services themselves but an Internet services company, Dyn. By flooding Dyn’s DNS servers with requests from a vast number of endpoints, the attackers succeeded in creating impacts that made national news. Level 3 Communications confirmed that this attack also originated, at least in part, from IoT devices.
While the nature of the attackers remains open to question, these two events, and likely others that are occurring at a smaller scale, are indications of what will be a pervasive problem. As we have invited the IoT into our lives for the convenience it offers for resetting thermostats, scheduling recordings on our DVRs, turning on the oven for dinner, and so on, we have also invited millions of difficult-to-protect, difficult-to-manage, and difficult-to-fix Internet transmitters into our homes. It will be some time before the technology in the firmware for these devices catches up to the technology of the cyber criminals using them to set up bot networks. Such networks are potent revenue generators for criminals, as once established they can be used over and over against different targets and to originate different kinds of attacks.
The Mainframe Is Not Immune to Internet-Based Attacks
That last point is the one that we as mainframe security professionals must be the most concerned about. While a DDoS attack or the crippling of a third-party DNS service poses little direct risk to the mainframe and the large accumulation of regulated and sensitive data it holds, we must recognize that we are in the early stages of what could be a protracted and sophisticated exploit of the millions of IoT-enabled devices in the world.
The bottom line is the mainframe is no longer immune to Internet-based attacks as it has become a constantly connected member of the enterprise infrastructure. There are more ways to get to the mainframe now than were ever contemplated by its initial security architecture. As the mainframe takes on new roles of serving up webpages, collecting and analyzing the explosion of data legitimately generated by IoT devices, and so on, it is now open to attacks from vectors never before possible.
Therefore, the data protection posture of mainframe-dependent enterprises must evolve. Mainframe protections must be exercised to prevent the compromise of privileged users’ credentials, constant monitoring of transaction volume must be applied, and continuous diligence to ensure all regulated and sensitive data is identified and appropriately protected must become the standard.
Is your mainframe prepared for IoT? I’d love to hear your thoughts on this topic and what your organization is doing to protect the mainframe.