"That is not new, it has already been, for there is nothing new under the Sun."
There have been extensive discussions here over the decades about bad auditors. OTOH, if you're lucky enough to have competent auditors, they can really help.

-- 
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Bill Johnson <00000047540adefe-dmarc-requ...@listserv.ua.edu>
Sent: Wednesday, May 8, 2019 1:53 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: mainframe hacking "success stories"?

The problem in my recent shops is management and security people whose mainframe knowledge would struggle to fill a thimble. They find security "holes" that are not really holes because they have no idea how the mainframe or its security apparatus works.

Sent from Yahoo Mail for iPhone

On Wednesday, May 8, 2019, 1:28 PM, Seymour J Metz <sme...@gmu.edu> wrote:

Sometimes management won't let you correct a security problem until an auditor finds it. A package or service that locates *real* threats can be very useful leverage for tightening things up. OTOH, an auditor, product or service that claims bogus security issues, sometimes missing real issues at the same time, is worse than useless.

-- 
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Sankaranarayanan, Vignesh <vignesh.v.sankaranaraya...@marks-and-spencer.com>
Sent: Wednesday, May 8, 2019 10:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: mainframe hacking "success stories"?

I guess the point of contention really is "vULnErAbiliTIeS"... Words have meaning; a vulnerability is not equal to a loosely configured/hardened system. Of course, I could be wrong, but I take the word to mean zero-days or something that breaks a module/function, and the way it breaks is exploited for further foothold, etc.

An open wound is vulnerable, but not wearing your seatbelt is NOT a vulnerability, it's a risk! Yes, when the CEO has to issue a public statement it doesn't matter whose turf the hole is in, but that doesn't mean common sense goes out the window, and suddenly 2 random and unrelated things are equal.

Way too many times, a normal, but potentially dangerous config miss/omission is labelled as VULNERABILITY VULNERABILITY VULNERABILITY VULNERABILITY YOUR MAINFRAME IS DOOMED, YOUR RACF TEAM IS AN ABSOLUTE ZERO, YOU ARE DONE FOR..... unless you hire us and we can sort it all out for you.

Everyone's gotta pay bills, sure, but I'm not particularly fond of the kind of salesman that creates the demand --just to push their product--... like the pen-selling example in the Wolf of Wall Street.

Products are cool, but what's cooler is what people can achieve with vanilla stuff. A beautifully set-up piece of REXX/ASM/bunch of scripts on various platforms can easily outperform Next Gen security greatness. Not being completely dismissive of course, but many times, it's easier to stick in a product than doing the hard thing, which is to learn to be efficient and effective with what you've got.

- Vignesh
Mainframe Infrastructure

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Charles Mills
Sent: 08 May 2019 02:26
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: mainframe hacking "success stories"?

I was travelling and I have kind of lost track of where this thread has gone. Let me throw three thoughts out there.

1. Our job is to make our platform -- and if you are at a customer, your site -- as secure as reasonably possible. Not "more secure than Windows." It is NOT like the joke about the two hunters being chased by a bear, one of whom says "I don't have to run faster than the bear; just faster than you." You have to run faster than ALL the bears.

2. "Oh, but they got a userid and password from somewhere else." A userid and password is nothing. You know who has a userid and password? All of your users. Another name for your users is "insider threats."

3. You think your mainframe is darned near invulnerable? Put it to the test. Hire one of the pen testing firms like RSM or Vanguard. Report back here if they find no vulnerabilities. Tell me I'm wrong.

Charles

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

http://www.marksandspencer.com