I missed the first part of this thread but I would point out that the threats to z/OS are not limited to "Internet-connected" systems.

1. Consider insider threats. Security experts disagree on the percentage of breaches attributable to insider threats, but it is certainly not zero. I might argue that, due to the somewhat specialized knowledge required, mainframes are at greater risk from insiders, relative to outsiders, than more "common" systems.

2. A machine you do not consider to be Internet-connected may be "Internet-reachable." One trick that bad guys use is "hopping" from one machine to another. The mainframe might not be connected to the Internet, but it might be connected to a machine that was connected to a machine that was connected to the Internet.

3. People make mistakes. That mainframe may well be one router or firewall "oops" away from the Internet. How often do your security people make firewall changes that deny someone access that they require? They yell about it right away, don't they? When the firewall folks make an error that grants excessive access, no one yells ...

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Clark Morris
Sent: Tuesday, July 11, 2017 6:18 AM
To: [email protected]
Subject: Running unsupported is dangerous was Re: AW: Re: LE strikes again

[Default] On 10 Jul 2017 21:58:28 -0700, in bit.listserv.ibm-main [email protected] (Peter Hunkeler) wrote:

>>>>You can also use a JCL statement to override (if available) LE Parms.
>>>>
>>>> https://www.ibm.com/support/knowledgecenter/SSLTBW_1.13.0/com.ibm.zos.r13.ceea500/ceedd.htm
>>>
>>>No, he can't because he's on z/OS 1.4. I already proposed CEEOPTS DD, and Norbert Friemel reminded me it's not yet supported at that release.
>
>>From a security point of view, your customer is asking for disaster if
>>the system has any direct or indirect connection to the Internet. The
>>lack of integrity fixes alone is a major exposure.
>
>Clark,
>
>I'm missing how your comment is related to this thread, and especially to my post.
>Peter.

I should have changed the subject line. When your post stated the release being run and other posts noted the lack of support, alarm bells rang in my head. Running 1.4 on any system that isn't isolated is the equivalent of running Windows XP.
