MainTegrity Cyber Security Framework (CSF)
End-to-End Cyber Security for IBM z/OS

The Attack Vectors Have Changed

Direct attacks against mainframes are rare. What has replaced them is far more dangerous.
CSF was built on a simple design principle: assume the perimeter will be breached, then detect what people with legitimate credentials are doing, stop them when their behavior turns suspicious, and notify the right people immediately.

Protect yourself from

Compromised network devices

Attackers now reach z/OS through compromised trusted network devices — Windows servers, Linux hosts, VPN appliances, and other infrastructure your organization may not even own. 

Insider Attacks

Stolen credentials give adversaries the same access as legitimate users, rendering traditional perimeter security ineffective against the most common attack vector. 

Ransomware

Specialized ransomware-as-a-service operations, often state-sponsored, custom-build attack software targeting specific organizations. AI-powered tooling allows thousands of attacks to be launched simultaneously, each tailored to its target.

Gaps in existing security tools

Traditional security tools like RACF, ACF2, and Top Secret build strong walls. But when attackers walk through the front door with valid credentials, those walls cannot help. A typical mainframe site has two to four security staff, often part-time. 

The adversary has thousands of well-funded engineers, now augmented by AI. The gap between attack capability and defensive capacity has never been wider.

Attacks Are Easier Than You Think

From real-world penetration testing:

  • Privilege escalation (becoming RACF SPECIAL) requires only 6 assembler instructions
  • User impersonation (acting as another user) requires only 7 instructions
  • AI assistance: ChatGPT generated working mainframe hardware encryption assembler code
  • Tools freely available: Pen testing tools on GitHub can be used by attackers

You don't need 40 years of mainframe experience to attack a mainframe. Early Warning levels the playing field.

The IBMUSER Attack Vector

Every z/OS system has IBMUSER — a high-powered default account. Most sites disable it, but it often remains available in a revoked state. Attackers who gain RACF SPECIAL can:

  1. Resume the IBMUSER account
  2. Set their own password
  3. Log on with superuser capabilities

Early Warning detects successful IBMUSER logons — which should never occur in production.
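As an added illustration (not MainTegrity code), the following Python sketch flags each step of the resume, password-reset, logon sequence above. It runs over a constructed, simplified audit-event format; the field names and the ALTUSER/LOGON event labels are assumptions for the example, not the RACF SMF record layout.

```python
from dataclasses import dataclass

# Constructed sample events (not a real SMF/RACF record layout): one event per line,
# a timestamp followed by space-separated key=value fields.
SAMPLE_EVENTS = """\
2024-05-01T09:58:10 actor=OPS01 event=ALTUSER target=IBMUSER detail=RESUME result=SUCCESS
2024-05-01T09:58:42 actor=OPS01 event=ALTUSER target=IBMUSER detail=PASSWORD result=SUCCESS
2024-05-01T09:59:05 actor=IBMUSER event=LOGON target=IBMUSER detail=TSO result=SUCCESS
2024-05-01T10:03:11 actor=IBMUSER event=LOGON target=IBMUSER detail=TSO result=FAILURE
2024-05-01T10:05:00 actor=OPS02 event=LOGON target=OPS02 detail=TSO result=SUCCESS
2024-05-01T10:06:30 actor=OPS02 event=ALTUSER target=OPS03 detail=RESUME result=SUCCESS
"""

@dataclass
class Alert:
    severity: str
    time: str
    reason: str

def parse_event(line: str) -> dict:
    """Split 'time k=v k=v ...' into a dict; the first token is the timestamp."""
    time, *fields = line.split()
    event = {"time": time}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def detect_ibmuser_abuse(text: str, account: str = "IBMUSER") -> list[Alert]:
    """Flag each step of the resume / reset / logon sequence against the default account.
    Any successful logon by the account is treated as critical, since it should never happen."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        if e.get("target") != account:
            continue  # activity on other accounts is out of scope for this rule
        ok = e.get("result") == "SUCCESS"
        if e["event"] == "ALTUSER" and e.get("detail") == "RESUME" and ok:
            alerts.append(Alert("HIGH", e["time"], f"{e['actor']} resumed {account}"))
        elif e["event"] == "ALTUSER" and e.get("detail") == "PASSWORD" and ok:
            alerts.append(Alert("HIGH", e["time"], f"{e['actor']} reset password for {account}"))
        elif e["event"] == "LOGON" and ok:
            alerts.append(Alert("CRITICAL", e["time"], f"successful {account} logon via {e.get('detail')}"))
        elif e["event"] == "LOGON":
            alerts.append(Alert("MEDIUM", e["time"], f"failed {account} logon attempt"))
    return alerts

if __name__ == "__main__":
    for alert in detect_ibmuser_abuse(SAMPLE_EVENTS):
        print(alert.severity, alert.time, alert.reason)
```

In a real deployment the parser would be replaced by whatever produces RACF audit records at the site; the ordering of the three high/critical alerts within minutes of each other is the signal worth paging on.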

The Cost of Inaction

Anthem's 2015 breach: 78.8 million patient records, undetected for three months, five years of litigation, over five hundred million dollars. UnitedHealth Group in 2024: a third of all Americans affected, nine-day outage, three billion dollar write-down. Equifax in 2017: 147 million consumer records, 1.4 billion dollars.

Common thread: slow detection, unclear scope, prolonged recovery. CSF addresses all three.

More About The Cost of Breaches

Ransomware as a Service (RaaS)

One-stop shopping for hackers deploying ransomware

You don't need 40 years of mainframe experience to attack a mainframe. Commercial quality, managed-service style hacking platforms exist that help even novice hackers mount sophisticated attacks.    

Insider Threats

Your biggest threat has a parking spot 

Insider attacks often use legitimate credentials, so how can you protect yourself? CSF has you covered with Early Warning, Supply Chain and FIM+.