4. Get management buy-in to fix the problems they find, if any.

5. Even if they find nothing, repeat the pen test periodically.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Charles Mills <charl...@mcn.org>
Sent: Tuesday, May 7, 2019 9:26 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: mainframe hacking "success stories"?

I was travelling and I have kind of lost track of where this thread has gone. Let me throw three thoughts out there.

1. Our job is to make our platform -- and if you are at a customer, your site -- as secure as reasonably possible. Not "more secure than Windows." It is NOT like the joke about the two hunters being chased by a bear, one of whom says "I don't have to run faster than the bear; just faster than you." You have to run faster than ALL the bears.

2. "Oh, but they got a userid and password from somewhere else." A userid and password is nothing. You know who has a userid and password? All of your users. Another name for your users is "insider threats."

3. You think your mainframe is darned near invulnerable? Put it to the test. Hire one of the pen testing firms like RSM or Vanguard. Report back here if they find no vulnerabilities. Tell me I'm wrong.

Charles

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN