Of course I think encryption helps security, but it can't stop someone
from hacking a different way, such as using the methods already set up to
decrypt data (like I think Steve was referring to). For example, if I
could get on a system and eventually get APF dataset authority, I could
hack into RACF or even IOS/ICSF and watch the bits fly by, hopefully
without much notice. At that level, encryption is meaningless. I'd
even bet the Equifax data was encrypted internally.
Better for all of us would be to have people stop relying on things like
my name and SSN for identification, making the Equifax dump relatively
useless. Yes, I want a chip embedded under my skin! I'll even take
chip number 666 if nobody else wants it :)
Jesse 1 Robinson wrote:
There was a lot of discussion at SHARE this summer about the impact of the new EU regulation that imposes Draconian penalties on a company that fails to report data breaches *very* quickly. (Who was Dracon anyway, and why such a hard *ss?) The EU rule stipulates that if breached data is encrypted, then there is no obligation to report and no penalty. The difference in cost to a large company ought to pay for several z14s.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Steve Smith
Sent: Wednesday, September 13, 2017 6:15 AM
To: [email protected]
Subject: (External):Re: Would encryption have prevented known major breaches?
The bottom line is this: stolen encrypted data is much harder to use, or it
takes time and effort to crack it. But no encryption seals all the attack
vectors, many of which would bypass encryption.
E.g. z/OS Data Set Encryption is so transparent, many users won't even know
the data *is* encrypted. (In my experiments with it, it's actually more
difficult to get a glimpse at the encrypted data than to see it in the clear.)
So a bad guy who breaches the system in a way that impersonates an authorized
user won't be bothered by the encryption at all.
Crypto-wizards know exactly how hard it is to crack particular forms of
encryption. It's nothing to IBM's shame if someone builds a powerful enough
machine to do it; or far less likely a mathematical genius finds a better
algorithm. Now, if their implementation has some fatal back-door that gets
exploited, then they'd deserve much more than embarrassment.
sas
On Wed, Sep 13, 2017 at 8:54 AM, Elardus Engelbrecht <[email protected]> wrote:
Peter Relson wrote:
Isn't the answer really: no, it would not have prevented the breach but it
would have prevented the breach from having the undesirable effects (e.g.,
exposing sensitive data)?
Actually in my humble opinion, there are TWO answers - Yes and No.
It depends on how the breach took place in the first place.
If breachers are insiders themselves, you're basically out of luck and goodbye
to your [sensitive and unencrypted] data.
If breachers can install nefarious software on your z/OS users' workstations,
they can misuse those workstations to steal [and perhaps decrypt] whatever
they want.
If you are leaving a hole somewhere, where (non-SSL) applications, FTP and TELNET
for example, are open to the outside world, then you deserve to be punished.
... etc ...
If breached data is encrypted, I believe that there is not a regulatory
requirement to report the breach.
I don't know about rules and regulations, but I believe ALL breaches should be
reported somehow. Of course, red faces will follow despite the encrypted data.
Perhaps if someone can really decrypt it, then Big Blue has a red face...
Groete / Greetings
Elardus Engelbrecht
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
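The point Steve Smith and the first poster make above, that transparent encryption at rest defeats a copied volume but not an intruder operating under an authorized user ID, can be shown with a small model. The following Go program is an added example written for this archive page; it is not code from IBM, z/OS or anyone on the list. It mimics, in a deliberately simplified way, the two controls z/OS data set encryption relies on: READ access to the data set (the DATASET profile) and permission to use the key label (the CSFKEYS profile held by ICSF). All names (HRUSER, OPER1, INTRUDER, HR.PAYROLL, HR.PAYROLL.KEY) and the record contents are constructed for the example, and the in-memory key store and access lists are stand-ins, not RACF or ICSF calls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal is a user ID as seen by the access-control layer (RACF, in z/OS terms).
type Principal string

// ErrDenied is returned when an access check fails, before any key is touched.
var ErrDenied = errors.New("access denied")

// DataSet models one encrypted data set: the bytes as they sit on the volume,
// the key label protecting them, and the user IDs with READ access (DATASET profile).
type DataSet struct {
	Name     string
	KeyLabel string
	Readers  map[Principal]bool
	media    []byte // nonce || AES-GCM ciphertext: what a copy of the volume contains
}

// KeyStore stands in for an ICSF-like repository: key material by label plus
// the user IDs allowed to use each label (CSFKEYS-style profile). Constructed model.
type KeyStore struct {
	keys  map[string][]byte
	users map[string]map[Principal]bool
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: map[string][]byte{}, users: map[string]map[Principal]bool{}}
}

// AddKey generates a random 256-bit key under label and grants its use to allowed.
func (ks *KeyStore) AddKey(label string, allowed ...Principal) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[label] = key
	ks.users[label] = map[Principal]bool{}
	for _, p := range allowed {
		ks.users[label][p] = true
	}
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Write seals plaintext under the data set's key label and stores the result as the
// on-volume bytes. The data set name is bound as associated data, so ciphertext
// moved between data sets fails to decrypt.
func (ks *KeyStore) Write(ds *DataSet, plaintext []byte) error {
	key, ok := ks.keys[ds.KeyLabel]
	if !ok {
		return fmt.Errorf("no key under label %s", ds.KeyLabel)
	}
	g, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ds.media = append(nonce, g.Seal(nil, nonce, plaintext, []byte(ds.Name))...)
	return nil
}

// Read is the transparent path an application takes: data set check, key label
// check, then decryption. Whoever passes both checks receives plaintext, which is
// why an intruder running under a compromised authorized user ID is not slowed
// down by the encryption at all. Separating the two checks means a user ID with
// data set access but no key label access still gets nothing readable.
func (ks *KeyStore) Read(who Principal, ds *DataSet) ([]byte, error) {
	if !ds.Readers[who] {
		return nil, fmt.Errorf("%w: %s lacks READ on %s", ErrDenied, who, ds.Name)
	}
	if !ks.users[ds.KeyLabel][who] {
		return nil, fmt.Errorf("%w: %s may not use key label %s", ErrDenied, who, ds.KeyLabel)
	}
	g, err := newGCM(ks.keys[ds.KeyLabel])
	if err != nil {
		return nil, err
	}
	if len(ds.media) < g.NonceSize() {
		return nil, errors.New("data set is empty or truncated")
	}
	nonce, ct := ds.media[:g.NonceSize()], ds.media[g.NonceSize():]
	return g.Open(nil, nonce, ct, []byte(ds.Name)) // fails on any tampering
}

// RawMedia is what a copied volume yields: no access check runs and no key is
// involved, so only nonce and ciphertext come out.
func (ds *DataSet) RawMedia() []byte { return ds.media }

func main() {
	ks := NewKeyStore()
	_ = ks.AddKey("HR.PAYROLL.KEY", "HRUSER") // only HRUSER may use the key label
	ds := &DataSet{Name: "HR.PAYROLL", KeyLabel: "HR.PAYROLL.KEY",
		Readers: map[Principal]bool{"HRUSER": true, "OPER1": true}} // OPER1: data set only
	_ = ks.Write(ds, []byte("constructed sample payroll record"))
	for _, who := range []Principal{"HRUSER", "OPER1", "INTRUDER"} {
		pt, err := ks.Read(who, ds)
		fmt.Printf("%-9s -> %q err=%v\n", who, pt, err)
	}
}
```

Running it shows HRUSER reading the record in the clear, OPER1 refused at the key label check despite holding data set access, INTRUDER refused outright, and the raw media never containing the plaintext. The defender's takeaway matches the thread: the control worth auditing is who holds both the data set and the key label permissions, because encryption adds nothing against a principal that legitimately passes both checks.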