+1

Charles

Sent from a mobile; please excuse the brevity.

-------- Original message --------
From: Alan Altmark <alan_altm...@us.ibm.com>
Date: 5/14/19 11:28 AM (GMT-08:00)
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: mainframe hacking "success stories"?

Reading all of these posts has brought out the salient points of IT security:

1. All the technology in the world won't help you if you don't use it.

2. Stupid people can outwit a capable machine (SET SECURITY OFF).

3. Z security builds on its long history and culture of talented people, effective processes, and robust products. When all are fully engaged, its security mechanisms are really hard to beat.

4. The bad guys have time on their side, often putting the good guys on the defensive. The difference between the two is what protects you. The more places you have those buffers, the better the protection will be.

5. Sometimes obscurity is good. Sometimes not. It depends on what you are hiding and from whom. But don't be upset when your secret becomes known. It shouldn't be your only defense.

6. When someone possesses valid credentials to a system, only their activities while using them will tell you if they are Good or Evil. This is the weakest part of all system security. Humans are vital to IT security, yet are the weakest link, being both easiest to manipulate and capable of being compromised. (I've seen the movies; retinal scanners won't help.) We try to recognize changes in system behavior to know when something is wrong, yet we pay little attention to human activities. (How to recognize when your Db2 database is being surreptitiously unloaded in small bits over a long period of time.)

7. The "Z" on the box doesn't make it more secure than any other platform (no miracles or magic). It does, however, come with an impressive arsenal that you can use to make it so. I would be comfortable saying that it is "more securable" than any other general purpose platform. That encompasses both the types of security services and the difficulty in subverting them.

8. Prevention is better than detection, but detection lets us know when our preventive measures have failed.

9. Have you done all that is *commercially reasonable* to protect your data and your services? All that is possible may not be reasonable in some contexts, so don't fall into that trap. Understanding your liability (cost of loss) helps you assess "reasonable".

10. Assume that nothing is perfect. (You would be correct.) Bad things happen to good people. If you detect that, in spite of your best attempts, the unthinkable has happened, are you prepared to deal with it competently, calmly, and quickly?

Alan Altmark
IBM Systems Lab Services
z/VM Consultant

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN