Over nearly four years of working in this field, my career has been composed predominantly of RACF administration and engineering, interspersed with other opportunities that I foolishly volunteered for. Such opportunities have included writing articles, performing security assessments, taking part in podcasts, training for penetration testing, supporting ESM migrations, and so on.
Now added to that list: having been invited by Mark Wilson, the editor of Cheryl Watson’s Tuning Letter, I am writing revisions and updates to past topics from the archives. For the sake of full transparency, I am not a tuning specialist: I am a technical consultant with a specialization in the discipline of security.
With that said, I intend to lean into my knowledge of security and focus on any articles around this topic, finding content that is still relevant but modernizing where necessary.
Target Audience
This article is for anybody who works in a security role on the z/OS platform. It reflects the most prevalent security findings on the platform, as recorded by Vanguard and Vertali in their security assessment reports on IBM Z systems. It reminds us that security is no less relevant today than it has ever been, and that we must all be more mindful of this discipline.
Context to the original article
In 2015, the No. 3 Tuning Letter marked the start of a new aesthetic for the newsletter with the fresh company logo for Watson & Walker.
Featuring contributions from Brian Marshall, No. 3 expressed how it is a truly scary world out there and that we cannot afford to rest on our laurels. While z/OS is generally acknowledged as the most securable system, it is only truly secure if you properly implement the appropriate facilities to keep your data fortified. Ten years on, we are revisiting Vanguard’s contribution to see which aspects have changed over the last decade.
Brian Marshall and Philip Emrich have both delivered presentations on ‘The Top Ten Security Vulnerabilities in z/OS Security’ at SHARE conferences over the years. Cheryl was impressed with these sessions, and so am I, which is why we wanted to look back on the article “Top 10 Security Findings” and review it, highlighting progress, persistent gaps, and emerging priorities.
From 2015 to 2025: a decade of z/OS Security Assessments
Ten years ago, most security assessments primarily uncovered issues rooted in legacy configurations because our industry was hindered by a false sense of security. In 2015, many organizations had become complacent and overconfident, naïvely believing that mainframes were “unhackable” due to their isolated nature.
This blasé attitude was quashed multiple times over as several high-profile breaches occurred in quick succession—Anthem and the U.S. Office of Personnel Management (OPM) were both hacked in 2015, followed by Equifax being hacked in 2017.
Such a stark reminder that the mainframe is not immortal, and that any technology is fallible, changed the cultural zeitgeist among mainframe enthusiasts. People no longer referred to the mainframe as “the most secure platform”; instead, they amended such references to “the most securable platform”, acknowledging the inherent limitations that must be addressed by diligent security engineers.
Following this cultural change, organizations have become more wary of exploits, as they are now expected to test their systems more and to comply with more regulations. Thus, the need for comprehensive security assessments has only grown over the decade.
Change is the only constant
The more things change, the more they stay the same. In the modern era, where system penetration and exfiltration of customer data are valid concerns, a security assessment of your mainframe security server is effectively required. Just because security assessments are as crucial now as they were when Zayn Malik left One Direction, that doesn’t mean the exact same issues are as ubiquitous as they once were.
Security assessments generally cover the same ground, regardless of the company delivering them: they act as a rigorous review of the implemented security policies, procedures and security controls.
Having analyzed the results from multiple RACF and z/OS security assessment reports for a myriad of international clients and conferred with peers from the security discipline within Vertali, I have categorized the most prevalent security findings in recent years. They may not be the most egregious, but they demand attention just the same. The more prevalent the security finding, the more likely it is to exist in any given system, maybe even your own…
Vanguard’s Top 10 Security Assessment Findings of 2015
Page 46 of the original 2015 article listed the 10 most prevalent findings, as seen below:
Top 10 z/OS Security Assessment Findings
- Excessive Number of User IDs with no Password Interval
- Inappropriate Usage of z/OS UNIX Superuser Privilege, UID=0
- Resource Profiles with UACC or ID(*) greater than READ
- Resource Profiles with UACC or ID(*) of READ
- Started Tasks IDs are not Defined as PROTECTED IDs
- Improper Use or Lack of UNIXPRIV Profiles
- Excessive Access to the SMF Data Sets
- Excessive Access to APF Libraries
- RACF Database is not Adequately Protected
- General Resource Profiles in WARNING Mode
Reflecting on this list, colleagues at Vertali noted that some of the past findings are less pervasive than they were a decade ago.
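To make the list actionable rather than just readable, here is an added example (not code from the Tuning Letter, Vanguard or Vertali) that turns the ten 2015 findings into a checklist run over an extract of user and profile data. It works on a simplified, constructed extract held in Python dicts rather than real IRRDBU00 unload records or LISTUSER/RLIST output, so every field name is an assumption; the RACF access ordering, and the meaning of UACC, ID(*), PROTECTED and WARNING mode, are standard. It also encodes two checks a practitioner would want: public access is the greater of UACC and ID(*), and a PROTECTED ID is not a password-interval finding because it cannot log on with a password at all.

```python
"""Checklist evaluator for the ten 2015 assessment findings listed above.

Added example, not code from the Tuning Letter, Vanguard or Vertali. It runs
over a simplified, constructed extract (Python dicts) rather than real
IRRDBU00 unload records or LISTUSER/RLIST output, so every field name here is
an assumption. The RACF access ordering and the meaning of UACC, ID(*),
PROTECTED and WARNING mode are standard.
"""

# RACF access levels, least to most privileged.
ACCESS_ORDER = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")


def rank(level):
    """Numeric rank of an access level; a missing ID(*) entry counts as NONE."""
    return ACCESS_ORDER.index((level or "NONE").upper())


def public_access(profile):
    """Highest access every RACF-defined user gets with no explicit permit:
    the greater of UACC and the ID(*) entry on the access list."""
    return max(profile["uacc"], profile.get("id_star") or "NONE", key=rank)


# Constructed sample data (assumed extract format).  Tags mark data sets the
# assessment treats as sensitive; on a real system they come from SMFPRMxx,
# PROGxx/IEAAPFxx and the RACF data set name table, not from the profile.
USERS = [
    {"userid": "JSMITH",   "pass_interval": 30,   "uid": 1001, "protected": False},
    {"userid": "OLDBATCH", "pass_interval": None, "uid": None, "protected": False},
    {"userid": "OMVSKERN", "pass_interval": None, "uid": 0,    "protected": True},
    {"userid": "WEBADM",   "pass_interval": 90,   "uid": 0,    "protected": False},
    {"userid": "STCPROD",  "pass_interval": None, "uid": None, "protected": False},
]
# Constructed: user IDs assigned to started tasks through the STARTED class.
STARTED_TASK_USERS = {"OMVSKERN", "STCPROD"}

PROFILES = [
    {"class": "DATASET",  "name": "SYS1.PARMLIB",         "uacc": "READ",   "id_star": None,     "warning": False, "tags": set()},
    {"class": "DATASET",  "name": "SYS1.LINKLIB",         "uacc": "READ",   "id_star": None,     "warning": False, "tags": {"APF"}},
    {"class": "DATASET",  "name": "SYS1.MAN*",            "uacc": "NONE",   "id_star": "UPDATE", "warning": False, "tags": {"SMF"}},
    {"class": "DATASET",  "name": "SYS1.RACFDS",          "uacc": "NONE",   "id_star": None,     "warning": False, "tags": {"RACFDB"}},
    {"class": "DATASET",  "name": "PROD.PAYROLL.**",      "uacc": "UPDATE", "id_star": None,     "warning": False, "tags": set()},
    {"class": "FACILITY", "name": "BPX.SUPERUSER",        "uacc": "NONE",   "id_star": None,     "warning": True,  "tags": set()},
    {"class": "UNIXPRIV", "name": "SUPERUSER.FILESYS.**", "uacc": "READ",   "id_star": None,     "warning": False, "tags": set()},
]


def assess(users=USERS, started=STARTED_TASK_USERS, profiles=PROFILES):
    """Return {finding: list of offending user IDs or profile names}."""
    f = {}
    # 1. No password interval on IDs that can still log on with a password.
    #    PROTECTED IDs cannot use a password at all, so NOINTERVAL is expected there.
    f["no_password_interval"] = [u["userid"] for u in users
                                 if u["pass_interval"] is None and not u["protected"]]
    # 2. Every UID 0 is a z/OS UNIX superuser; list them all for review rather
    #    than guessing which are justified.
    f["uid_zero"] = [u["userid"] for u in users if u["uid"] == 0]
    # 3 and 4. Public access (UACC or ID(*)) above READ, and exactly READ.
    f["public_above_read"] = [p["name"] for p in profiles
                              if rank(public_access(p)) > rank("READ")]
    f["public_read"] = [p["name"] for p in profiles
                        if rank(public_access(p)) == rank("READ")]
    # 5. Started-task IDs not defined PROTECTED, so they can still be revoked
    #    by failed password attempts or used for an interactive logon.
    by_id = {u["userid"]: u for u in users}
    f["stc_not_protected"] = sorted(s for s in started if not by_id[s]["protected"])
    # 6. UNIXPRIV: READ on these profiles is enough to grant the privilege, so
    #    any public access is a finding; no profiles at all usually means the
    #    site hands out UID 0 instead.
    unixpriv = [p for p in profiles if p["class"] == "UNIXPRIV"]
    f["unixpriv"] = (["<no UNIXPRIV profiles defined>"] if not unixpriv else
                     [p["name"] for p in unixpriv if rank(public_access(p)) > rank("NONE")])
    # 7, 8, 9. Sensitive data sets (SMF, APF, RACF database) with any public access.
    for tag, key in (("SMF", "smf_public"), ("APF", "apf_public"), ("RACFDB", "racfdb_public")):
        f[key] = [p["name"] for p in profiles
                  if tag in p["tags"] and rank(public_access(p)) > rank("NONE")]
    # 10. General resource profiles (any class but DATASET) left in WARNING mode,
    #     which logs the violation but still grants the access.
    f["general_warning"] = [p["name"] for p in profiles
                            if p["class"] != "DATASET" and p["warning"]]
    return f


if __name__ == "__main__":
    for finding, hits in assess().items():
        print(f"{finding:22s} {len(hits):3d}  {', '.join(hits) if hits else '-'}")
```

On the constructed data the script flags SYS1.MAN* under both finding 3 and finding 8, because an ID(*) UPDATE entry makes the SMF data sets publicly writable even though UACC is NONE; that is exactly the case a UACC-only review misses. The tags that drive findings 7 to 9 are the part you must populate from your own system (SMFPRMxx, the APF list, the RACF data set name table) before the results mean anything.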
To read the full article and Vertali’s expert response, log in to Cheryl Watson’s Tuning Letter, 2025 No 3.
Catch more security content from Vertali.