Why Mainframe Security Postures Vary So Widely
Phil Young, director of mainframe penetration testing at NetSPI, describes the most commonly omitted security controls, and why they get skipped
As a penetration tester responsible for probing mainframe systems for vulnerabilities, Phil Young is a sandcastle’s worst nightmare.
“Sometimes I feel like I’m coming in and someone’s built a really beautiful castle, and I’m coming in and kicking it down and saying, you didn’t put up a fence. And now they have to really go back and build a fence and rethink their controls,” Young, director of mainframe penetration testing at NetSPI, tells TechChannel.
Some mainframes are locked down like a vault. Some are riddled with misconfigurations. But why do these security postures vary so widely? From his 20 years spent plumbing the depths of mainframe environments to identify security gaps, Young has some answers. Many of them lie in the nooks and crannies of vast, complex systems.
“So many potential gaps, thus so many potential security configurations,” says Young.
Standards for security controls do exist. For instance, the U.S. Department of Defense’s Security Technical Implementation Guides (DISA STIGs), which include guides for z/OS and its security managers, have been adopted by many organizations outside the military. However, a universally agreed-upon set of mainframe security controls has not taken hold.
Here, Young outlines the most common security omissions he’s come across in his 20-year career as a pen tester.
FTPS
Young says that in the course of his work, he often comes across traditional FTP, which is inherently unencrypted. “No one should be using it. IBM has offered for a long time the ability to encrypt FTP traffic using FTPS,” he advises.
Continued use of FTP highlights a common theme that arises when organizations decide which security control to implement: fear of disruption, which goes hand-in-hand with fear of the unknown. In the case of FTP, a given enterprise may not have a full accounting of who is using it, and therefore doesn’t know what kind of disruptions would be caused by replacing it.
“Sometimes it’s not as easy as just flipping a switch and turning it on because of the downstream impacts,” Young says.
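The server-side switch Young is describing lives in the z/OS FTP server’s FTP.DATA configuration. The fragment below is an added example, not from the article or copied from IBM documentation; the key ring name, the member location and the choice of native TLS (TLSMECHANISM FTP) rather than AT-TLS are assumptions.

```text
; Added example: z/OS FTP server FTP.DATA fragment that requires FTPS.
; Assumed: member lives in something like SYS1.TCPPARMS(FTPDATA) and the
; server certificate is already in the SAF key ring named below.
EXTENSIONS      AUTH_TLS        ; accept the AUTH TLS command from clients
TLSMECHANISM    FTP             ; FTP server negotiates TLS itself (ATTLS is the alternative)
TLSRFCLEVEL     RFC4217         ; standards-based FTPS negotiation
KEYRING         FTPD/FTPSRing   ; SAF key ring holding the server certificate (assumed name)
SECURE_FTP      REQUIRED        ; the weak default is ALLOWED, which still accepts cleartext logins
SECURE_CTRLCONN PRIVATE         ; control connection stays encrypted (no CCC downgrade)
SECURE_DATACONN PRIVATE         ; data connections, including spool (FILETYPE=JES) transfers, are encrypted
```

The default SECURE_FTP ALLOWED is what lets cleartext FTP linger next to FTPS: both work, so nobody notices. Flipping it to REQUIRED is the moment every unconverted client and batch job breaks, which is exactly why the inventory of who still uses plain FTP has to come first.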
Multifactor Authentication (MFA)
MFA is such a ubiquitous presence in daily online life that it may come as a surprise that it’s far less common on the mainframe, where implementing the control requires far more coordination. “The challenge is the mainframe has so many ingress points,” Young says.
There might be a CICS application, an FTP server, a web app running CICS in the backend and TSO interfaces—all of which have to be addressed when implementing MFA. Also, adding MFA may cause roadblocks for automated processes that system administrators may not even know exist.
These complications mean MFA adoption is not nearly as prevalent as Young would like to see. When it is in place, his break-in attempts as a pen tester are often thwarted.
“My colleagues and I often talk about how a lot of our attacks could be stopped just with MFA, because we’re stealing credentials,” he says. “If we’re doing spear phishing or any kind of phishing, if there’s MFA in the way, then we’re done. We can’t really move on.”
Output Security
Young often finds that outputs from queries can be found in job logs that are widely accessible within a system, and those logs may include confidential client information or user credentials. He says that typically, only the user who generated the output log should be able to view it. While there may be times when it is beneficial to share job logs among users, access should be controlled by groups in those cases, he advises.
If they can access them, he and his fellow pen testers can use those output logs to get a better picture of the system they are probing. “We can see, okay, these are the users that run jobs. These are the types of jobs that they’re running. And from an attacker perspective, it’s a really good wealth of information to allow us to profile the system and also occasionally access sensitive data. And it is incredibly easy with FTP to download all those job logs with one command.”
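In RACF the control Young describes, owner-only access to job output with deliberate group sharing where needed, is the JESSPOOL class. The commands below are an added example written for this page, not from the article; the JES node NODE1, the shared batch userid BATCH01 and the group OPSGRP are hypothetical, and the commands are written as CLIST or batch TSO input so they can carry comments.

```tso
/* Added example: lock down JES spool output with RACF JESSPOOL profiles. */
/* NODE1 (JES node name), BATCH01 (shared batch userid) and OPSGRP are     */
/* assumed names; substitute your own.                                      */

/* 1. Activate the class with generic profile support.                      */
SETROPTS CLASSACT(JESSPOOL) GENERIC(JESSPOOL)

/* 2. Backstop profile: nobody reads other users' output by default.        */
/*    JESSPOOL profile names are node.userid.jobname.jobid.dsnumber.dsname. */
RDEFINE JESSPOOL NODE1.** UACC(NONE)

/* 3. Controlled sharing: operations staff may read output of BATCH01 jobs. */
RDEFINE JESSPOOL NODE1.BATCH01.** UACC(NONE)
PERMIT   NODE1.BATCH01.** CLASS(JESSPOOL) ID(OPSGRP) ACCESS(READ)

/* 4. Put the new generic profiles into effect.                             */
SETROPTS GENERIC(JESSPOOL) REFRESH

/* Check: confirm what is actually in place, including the access list.     */
RLIST JESSPOOL NODE1.BATCH01.** AUTHUSER
```

The submitting user still sees their own output; JESSPOOL governs everyone else. The same profiles apply whether the output is read through SDSF or pulled down over FTP with FILETYPE=JES, so this closes the one-command download Young mentions, provided the FTP session itself is authenticating as a real user.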
Data Access Controls
Too often, Young finds mainframe environments where access to data is too widespread for his liking. Even though his testing is always done from the perspective of a non-privileged user, it’s not uncommon for him to have read access, or greater, to thousands of data sets.
“Statistically, some of it will have confidential information,” he says. Fixing access issues is simply a matter of cyber hygiene. “It’s cleanup,” he says. “Review access to data sets: How many data sets do you have? Who needs that? Do you really need to even keep them? Have they passed the regulatory requirement for keeping that data?”
Increasing Maximum Password Length
Increasing maximum password length, especially in RACF, is a bigger step than it sounds: RACF passwords are capped at eight characters, and anything longer means moving users to password phrases, which have a minimum length of 14 characters, Young notes. While the intervention may seem simple on its face, the change can disrupt login flows and cause trouble for automated processes, like the screen scraping used in centralized identity and access management products.
“That’s just one example of where if I change that login flow, that product no longer works,” Young says.
AES for Password Hashing
Everyone should be using the Advanced Encryption Standard (AES) algorithm for password hashing, especially since the leading external security managers (ESMs) all support it, Young says. In RACF this is the KDFAES algorithm. He notes that he still comes across shops using the older Data Encryption Standard (DES).
Unlike some other controls, the disruption caused by implementing AES is “almost nil,” according to Young. This one, he says, is an easy fix—low-hanging fruit that “should have been caught long before I showed up.”
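For RACF, the switch is a single SETROPTS option plus a conversion of the hashes already on file. The sequence below is an added example, not from the article; USER01 and USER02 are placeholder userids, and in practice the conversion step is run for every user from a list rather than typed one at a time.

```tso
/* Added example: move RACF password hashing from legacy DES to KDFAES.   */
/* USER01/USER02 are placeholder userids.                                 */

/* 1. Show the current setting. In the PASSWORD PROCESSING OPTIONS section */
/*    look for the ACTIVE PASSWORD ENCRYPTION ALGORITHM line.              */
SETROPTS LIST

/* 2. Switch the active algorithm. Every password or phrase set from now   */
/*    on is stored as KDFAES. Nothing changes for end users: the hash is   */
/*    only ever compared inside RACF, which is why disruption is near nil. */
SETROPTS PASSWORD(ALGORITHM(KDFAES))

/* 3. Hashes already stored stay DES until the user changes their password. */
/*    PWCONVERT rewrites the stored hash as KDFAES without knowing the      */
/*    password, so the old DES values do not linger for months.             */
ALTUSER USER01 PWCONVERT
ALTUSER USER02 PWCONVERT

/* 4. Confirm the setting took.                                             */
SETROPTS LIST
```

The one real caveat: every system sharing the RACF database must be at a level that supports KDFAES before you turn it on, since a system that cannot evaluate KDFAES hashes cannot log anyone in. Step 3 is what matters to a pen tester; with the switch flipped but the old hashes left in place, a copied database still cracks as fast as it did before.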
TSO Password Pre-Prompt
Implementing a security control is sometimes as easy as switching on a particular setting. One method at attackers’ disposal is user enumeration, in which they gather usernames based on the error responses received when trying to log into a system.
Young explains that this allows hackers to use downstream attacks like password sprays. “Or if we’re doing a red team engagement, we could use that to spearphish some users that we target specifically,” he says. “And all that is fixable by turning TSO password pre-prompt on in TSO.”
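The setting Young names is the PASSWORDPREPROMPT keyword on the LOGON statement of the IKJTSOxx parmlib member. The fragment below is an added example, not from the article; the member suffix 00 is an assumption, and any other LOGON keywords already in your member are kept as they are.

```text
/* Added example: IKJTSOxx (here assumed to be IKJTSO00) LOGON statement.   */
/* With pre-prompt ON, TSO collects the password before it validates the   */
/* userid, so an unknown userid and a wrong password fail the same way and  */
/* the logon screen no longer confirms which userids exist.                 */
LOGON PASSWORDPREPROMPT(ON)

/* Activate without an IPL from TSO:   PARMLIB UPDATE(00)                   */
/* or from the console:                SET IKJTSO=00                        */
/* Verify the live setting from TSO:   PARMLIB LIST                         */
```

This closes the TSO logon path only; CICS, FTP and any web front end have their own logon behaviour to check. And as with the password-length change above, anything that scrapes the TSO logon screen and expects the old prompt order should be re-tested before the member is activated in production.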
The Excuses
Failure to implement the above controls isn’t necessarily a matter of ignorance; the decision of what controls to use and what to ignore often comes down to a cost-benefit analysis.
In that process, enterprises must consider how security eats away at the budget for other, potentially more exciting initiatives. “It is not uncommon to have (pen test) reports that have 10, 20, 30 findings. And so whatever budget you had allotted for upgrades or whatnot, now you have to focus on this instead,” Young says.
He explains that when an organization is budgeting expenditures, it may conclude that certain security vulnerabilities are tolerable if their implementation would mean missing out on opportunities elsewhere. In that case, a security lapse may just be the cost of doing business.
Unnecessary security vulnerabilities can often be chalked up to a disconnect between the IT security team and the specialized mainframers, Young explains. The mainframers may be responsible for provisioning accounts in RACF, adding users and removing users. “They’re not responsible for, say, ensuring that all services are encrypted on the mainframe. That’s not their responsibility.” Meanwhile, historical silos and communication barriers limit visibility for security teams into mainframe security posture, he adds.
In messy conditions like widespread access to data sets and job logs, one culprit may be personnel changeover combined with organic enterprise growth and the generation of hundreds of thousands of data sets. “It’s daunting to think, well, who’s going to review that access?” Young says. “Mind you, large enterprises do their annual access recertifications every year, but these kinds of things tend to fall through the cracks.”
Onion Tears
A crack in one layer might not be a problem if there is another layer shielding targets from attackers—defense in depth. It’s like locking your front doors but also having a safe protecting your most prized possessions, Young explains.
When it’s too easy to peel back those layers of the onion, he might shed a metaphorical tear. “I can sometimes get emotional during my pen tests,” he says.
He sometimes finds himself thinking, “It shouldn’t have been this easy.”