The software supply chain is under attack. In 2021, 61% of security breaches occurred at weak points in the supply chain, up from 44% the previous year.
The public sector isn’t immune from this surge of indirect attacks. Roughly 18,000 organizations downloaded the trojanized SolarWinds update, and from that pool the attackers went on to compromise fewer than 100 private sector companies and nine federal agencies, including the Justice Department, State Department, Census Bureau and NASA. In the attack, Russian hackers breached SolarWinds’ build environment and inserted malicious code into its infrastructure monitoring software, which unwitting IT managers then installed via routine, vendor-signed software updates.
Threats hidden in third-party software can even penetrate the mainframe and other secure elements of an organization’s IT infrastructure. Yet government agencies still assume their mainframe and legacy IT infrastructure are prepared for and shielded from such attacks. This oversight puts agencies at risk of exposing sensitive information and becoming the next high-profile cybersecurity horror story.
Rather than waiting for others to uncover a threat, agencies must implement a proactive strategy that directly improves visibility into their software suppliers' supply chain. Only then can IT leaders bolster defenses at every point along the chain -- protecting mainframes and other vital infrastructure.
Supply chain threats gain attention. But where’s the mainframe?
Supply chain attacks have garnered attention as more organizations use third-party solutions for their business needs and software suppliers outsource their software development, exposing gaps in current operations. In fact, 93% of organizations suffered a data breach due to a supply chain vulnerability in the past 12 months, according to an October 2021 survey.
These threats have prompted concerns from the public and private sectors alike. President Joe Biden’s executive order on cybersecurity last year contained several measures to address supply chain weaknesses, including a requirement that vendors provide a software bill of materials listing the components that make up each of their products. Meanwhile, tech giants like Amazon, Microsoft and Google are investing in an initiative to detect vulnerabilities and bolster security in open-source software projects.
But even as the software supply chain makes front-page news, threats to the mainframe fly under the radar. Why don’t we hear more about mainframe attacks?
It’s not because they’re infrequent. Rather, it’s because organizations rarely publicize that their mainframe has been compromised: It’s a “conspiracy of silence” that’s now creating a false sense of security. The misconception that mainframes are inherently secure makes it easier for hackers to take advantage of this fallacy and gain access to a trove of sensitive public information, especially through seemingly benign software updates or downloads.
Ignoring a problem doesn’t make it go away. It only further entrenches issues and makes them more difficult to correct down the line. What mainframe vulnerabilities are we failing to acknowledge and address?
How to protect mainframes from supply chain attacks
Government agencies from the IRS to state motor vehicle departments continue to rely on mainframes to store and analyze massive amounts of secure customer data. The mainframe isn’t going anywhere — and neither are supply chain attacks. So, here are three steps agencies should take to protect their mainframe’s cybersecurity:
1. Make code signing programs a standard protocol.
Agencies can no longer trust code at face value, especially when they have no idea who wrote it. Code signing attaches a digital signature, created with the publisher’s private key, to software and updates; anyone holding the publisher’s public key can then verify that the code has not been altered since it was signed and that it came from that publisher. Note what a valid signature does not prove: it says nothing about whether the signed code is benign. The SolarWinds update carried a valid vendor signature because the backdoor was inserted before signing. Signing therefore has to be paired with protection of the signing keys and a build process that is itself trustworthy.
Agencies and their vendors should also verify the signature on any product about to be installed against a trusted copy of the publisher’s key, and reject anything that is unsigned or signed by an unknown key. This process is a simple yet effective first line of defense against possible threats.
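To make the point above concrete, the following added example (written for this article, not code from any vendor or agency) walks through the four cases a signature check has to tell apart: a genuine release, a package tampered with in transit, a package signed by a key the agency does not trust, and a release that was trojanized before the vendor signed it. Ed25519 is used only because Go ships it in the standard library; the keys, package names and payload bytes are all constructed inline for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is a constructed stand-in for a vendor software package: the bytes an
// agency receives plus the detached signature the vendor shipped alongside them.
type Release struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// SignRelease is what the vendor does: sign SHA-256(payload) with its private key.
func SignRelease(priv ed25519.PrivateKey, name string, payload []byte) Release {
	digest := sha256.Sum256(payload)
	return Release{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyRelease is what the agency does before installing: accept the package
// only if the signature was made over exactly these bytes by a key on the
// agency's own trust list. Any bit flip or unknown signer fails.
func VerifyRelease(trusted []ed25519.PublicKey, r Release) bool {
	digest := sha256.Sum256(r.Payload)
	for _, pub := range trusted {
		if ed25519.Verify(pub, digest[:], r.Signature) {
			return true
		}
	}
	return false
}

// Scenarios builds the four cases with freshly generated keys (hypothetical
// vendor and attacker) and returns whether each one passes verification.
func Scenarios() map[string]bool {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// The agency pins only the vendor's public key.
	trusted := []ed25519.PublicKey{vendorPub}

	// 1. Genuine release signed by the vendor.
	genuine := SignRelease(vendorPriv, "monitor-agent-5.2", []byte("monitor-agent 5.2: clean build"))

	// 2. Same release, one byte altered after signing (e.g. on a mirror).
	tampered := genuine
	tampered.Payload = append([]byte{}, genuine.Payload...)
	tampered.Payload[0] ^= 0x01

	// 3. Attacker's own build, signed with the attacker's own key.
	forged := SignRelease(attackerPriv, "monitor-agent-5.2", []byte("monitor-agent 5.2: attacker build"))

	// 4. Backdoor inserted in the vendor's build before the vendor signed it.
	//    This is the SolarWinds pattern: the signature is perfectly valid.
	trojan := SignRelease(vendorPriv, "monitor-agent-5.2.1", []byte("monitor-agent 5.2.1: clean build + backdoor"))

	return map[string]bool{
		"genuine":                   VerifyRelease(trusted, genuine),
		"tampered-in-transit":       VerifyRelease(trusted, tampered),
		"signed-by-untrusted-key":   VerifyRelease(trusted, forged),
		"trojanized-before-signing": VerifyRelease(trusted, trojan),
	}
}

func main() {
	for _, name := range []string{"genuine", "tampered-in-transit", "signed-by-untrusted-key", "trojanized-before-signing"} {
		fmt.Printf("%-26s verifies=%v\n", name, Scenarios()[name])
	}
}
```

The first three cases are what signature verification is for, and the check must reject the second and third even though they look like the genuine package. The fourth case is the caveat from the text: the trojanized build verifies, because the signature only proves who signed and that nothing changed afterward. That is why signing has to be combined with the vendor vetting and scanning steps that follow.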
2. Proactively scan for vulnerabilities.
More than a third of companies say they have no way of knowing whether an issue may arise with a third-party supplier’s software. That percentage is way too high.
Agencies should take a proactive approach by continuously scanning both operating system software and application programs for known vulnerabilities, and by watching for unexpected changes in vendor-supplied components. Routine scanning will not, by itself, catch a backdoor an attacker has deliberately placed in a build, as in SolarWinds, so it should be paired with monitoring of how updated components actually behave once installed. The aim in either case is to find the problem before important information is jeopardized.
3. Vet the vendors.
The average organization uses thousands of third-party software solutions, so agencies must thoroughly evaluate each partner’s supply chain standards. It’s not good enough to ask vendors to sign off on their software. Agencies must determine where software is developed, how it is tested and how it is packaged.
They can start by analyzing vendors’ security and development maturity, asking questions and acquiring a high level of visibility into each partner’s development standards and QA team. Then, codifying vendor agreements will help ensure partners are capable of maintaining code and supply chain integrity long term. Finally, IT managers should spend time assessing available third-party reviews, which provide a wealth of honest insights from current and former customers, paying close attention to feedback from organizations similar in size and industry.
Each of these checkpoints goes a long way toward ensuring new vendors are up to snuff and won’t introduce vulnerabilities into mainframe operations.
The SolarWinds attack was a wake-up call for public sector decision-makers, but it wasn’t the end of software supply chain attacks. In the past year, the Log4j (Log4Shell) vulnerability and the Codecov breach demonstrated how the supply chain still poses a major cybersecurity risk for any organization working with third-party software.
The public trusts agencies can keep their data secure. Make sure that trust is warranted.
Editor’s note: This article was changed July 1 to clarify that the number of SolarWinds customers impacted by the Sunburst attack was less than 100, even though 18,000 downloaded the malware.