The OPM Hack – Have We Learned Yet?

Details of the OPM Hack

By this time, I hope everyone knows what happened, but in case you don’t: in 2015, two separate data breaches, or “penetrations”, at the Office of Personnel Management exposed 14 million people’s personal info – including background investigation information and fingerprints. This is information that could be used to either murder or blackmail current or ex-government employees, including spies.

FedTech magazine asserted that the hack was a direct result of “outdated technology” including COBOL. A programming language was responsible for the largest government hack that we know about? As Micro Focus Product Marketing Director Ed Airey explains, COBOL most certainly was not to blame.

Rather, Ed states, “Modern COBOL technology delivers the trusted reliability and robustness that it did in 1960 but with the ability to connect to modern technologies and architectures including cloud, mobile, .NET, and Java, as well as the latest hardware platforms from the z13 mainframe to the latest incarnations of Windows, UNIX, and Linux.”

What is at fault for the OPM Breach?

If COBOL isn’t to blame for the OPM Breach, then what went wrong? Possibly the same weaknesses which exist in many a mainframe infrastructure, which organizations might not even realize are there:

  • Weak or missing endpoint-to-mainframe encryption.
  • Weak passwords which may not have been changed in years, if ever.
  • No linkage between an organization’s identity and access management system and the mainframe, resulting in orphaned accounts and violation of least privilege.
  • Lack of user activity monitoring.

Inspector General McFarland said as much, noting in his Capitol Hill testimony that OPM has failed to act on the recommendations of his office to modernize and secure its existing IT infrastructure.

Managing the Mainframe

So, this begs a wider question: who is in charge of the mainframe and access to it at the typical organization? Who is in charge of ensuring that the mainframe is protected from the insider threat, or outsiders who become insiders? Application support, the desktop manager, a baby-boomer who is about to retire? Do any security professionals, your CISO, or your risk manager have any knowledge of what’s up with the mainframe and how it is accessed? Such questions could make for an interesting conversation in many organizations today.

While our primary contact is the desktop manager, the requirements are often influenced by IT security and their compliance teams. New security standards, updated industry or governmental regulations the organization is required to meet, emerging security threats – these are all key factors in ensuring a safe and secure mainframe operation. Yet, whether the terminal emulator used to access your mainframe comes from Micro Focus or a competitor, desktop managers alone may not be fully aware if their current setup meets those regulations.

There was a M*A*S*H episode wherein Winchester anonymously gifts an orphanage with expensive chocolates and is outraged to find that they have been sold on the black market. Later he is chagrined to learn that the chocolate was sold to buy staple goods. He reflected that “It is I who should be sorry. It is sadly inappropriate to give dessert to a child who has had no meal.”

What does this have to do with the typical mainframe organization? Or your own mainframe environment? What are your top 10 security priorities? I would hope that one of them is to understand the compliance regulations that apply to you and what they’re trying to tell you about your security program. Compliance for compliance’s sake is not the objective, but those regulations can help you understand how you might be mishandling sensitive information.

Is your organization focusing on the chocolate (lower priority programs), before you have appropriately nurtured your mainframe by ensuring that it is as securely protected as your other key infrastructure? We know that organizations are challenged with trying to fit current security requirements into their mainframe systems and applications and have done our best to make it as transparent as possible. Our products have been designed so that our customers don’t have to risk downtime by making costly changes to their mainframe, but rather implement solutions which sit in between their mainframe and their users. This not only allows them to secure access to the mainframe, but at the same time, use advanced terminal emulation features which can increase end user productivity.

Securing the Mainframe

While the risk is significant, the resolution is at hand. Micro Focus can join mainframes to an organization’s existing identity and access management system, securely protect communications using the latest FIPS 140-2 validated encryption, mask sensitive data to GDPR, HIPAA, and PCI standards, support multi-factor authentication, and generally make life a lot easier through centralized management and auditing of mainframe access.

The Micro Focus Host Access Management and Security Server (MSS) is a nerve center for an advanced, secure mainframe access program. Just add the appropriate terminal emulator and you’re on your way to keeping yourselves off of the front page for the wrong reasons.

Want to learn more? Stop by our booth at SHARE next week in San Jose, California – and attend our two sessions: VSP: Top 3 Reasons to include Terminal Emulation in your Security Strategy and This Is Not Your Father’s Terminal Emulation – to learn how we can help.
