Mainframe Companies Must be Proactive and Educated in Testing and Protection, Expert Says

Illustration by The Heads of State

Companies are finding new and creative ways to test and showcase the security of their systems. For example, Facebook’s Bug Bounty program ( gives a monetary bounty to anyone who finds a security bug and meets certain criteria.

Companies engaging in these public programs can be more confident in their security posture because not only do they have their own internal security team working for them, but they have enlisted the help of hackers who are doing it for money and also for the company’s benefit instead of detriment, says Philip Young, cybersecurity threat management expert with a large financial institution.

The plus side of encouraging these programs and organized contests, Young points out, is that people are learning how to probe and attack the system. This helps companies stay ahead of any potential vulnerabilities. Enterprises find out where possible weaknesses might be and how people trying to attack the system think, providing analytics on what did and did not work in what way, while viewing the attack landscape as a whole in real time.

“The more people you have looking at something, the more secure it’s going to be … for you and for the world,” Young says.

Raising Awareness

A frequent speaker at conferences who has an active online presence, Young is a self-taught mainframe security specialist who speaks to raise awareness of the mainframe, stressing the platform’s importance to ensure the information on it stays secure.

As a teenager watching movies like “War Games” and “Hackers,” where the plots involve accessing a mainframe, Young became interested in the platform. After earning a computer science degree in college, he started running security assessments on mainframes as a consultant.

It wasn’t until five years later when Young’s company was performing an audit of its system that his interest took off. “I started thinking back to all the times I have done audits of mainframes and worked with people who are responsible for mainframe security,” he recalls. “I talked to them about things like firewalls and they didn’t really seem to understand the security landscape as it is today. That really kicked off a passion of ‘I want to look into this. I want to see how things are working.’ ”

In 2012, Young began presenting at conferences. That same year he created a tool, with the help of industry friends Dhiru Kolia and Nigel Pentland, that implemented support to an offline password cracker for the RACF* database for password audits. Young and Kolia also added a plugin to the open-source network security tool Ettercap—used to conduct man-in-the-middle attacks—so it would support time-sharing option (TSO) credentials. Young created this to demonstrate the importance of encryption.

He took his curiosity to another level in 2014, scanning for Internet-facing mainframes because he was interested in seeing what the login screens look like. In his research, Young accessed more than 300 3270 terminal displays. The types of enterprises with Internet-facing screens were as varied as the designs on those screens.

When Young talks about what he found, people ask if it’s a security issue, to which he points out he simply found a login screen. “A lot of the time, I talk to mainframe engineers and they say ‘We do not care [about security] because our mainframe does not face the Internet,’ ” Young says. “That is their main security control. … They view one of their key controls as the mainframe is not Internet-facing. If the platform is secure enough, it should not matter.”

One discovery from the project that surprised Young was how little SSL was being used. Although he admits the sample size of 300 terminal displays was small, he found only about half were using cryptography.

Valerie Dennis Craven is a Minneapolis-based writer and editor.

comments powered by Disqus



2018 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.

Application Integration With PCI

The problematic nature of PCI-compliance application integration makes research, analysis and planning important. It can also greatly simplify and reduce the effort involved.

Upgrade Your Mainframe with Operational Business Intelligence

Companies race to transform their businesses by delivering operational insights to their employees


CICS Security With RACF

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
Mainframe News Sign Up Today! Past News Letters