In securing Mainframe:
 
One thing I've noticed over the years is how a Company will "hide" their 
Mainframe hardware.
The Hardware for me now is in an unmarked Building that looks like a bunker (I'm 
told).  Pretty bad that the location is in my town, however the address is NOT 
circulated.  The first installation that I worked at, it was well known where 
the data center was.  It was no issue to walk into Operations and tour new 
equipment or talk to operators.  Now, forget it.    

Thanks,

Tom Savor

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Schuffenhauer, Mark
Sent: Wednesday, May 29, 2019 2:23 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls

My sales favorite was knowing key functionality is vaporware, talking up 
everything the software would do some day. Then being horrified when you 
realize the 'decision makers' are eating it up.  None of them ends up in hell 
when the product doesn't work and the functionality delivery date keeps getting 
pushed forward... but, I got to work with a 3745 until 2009.

Security is no good without PEN testing and auditing from the Security 
Technical Implementation Guide (STIG) documents.  If you haven't crossed your 
eyes and dotted your teas.... wait, reverse that.  Your odds of solid security 
can be greatly decreased.

No security by obscurity.
EBCDIC is not a method of encryption.
Stop people from using stupid passwords.  Ideally daily IDs have no elevated 
access, any elevated ID must be checked out, activated, with a new password on 
each use.  I realize that would be messy, but if you have better password 
security (pass phrases, excluded words (months of the year, or seasons)) or MFA 
going, never mind.  This isn't the paragraph you're looking for...

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Ray 
Overby
Sent: Wednesday, May 29, 2019 10:12 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls

In response to "Mistakes, lack of time, lack of control, lack of skills.
Not a platform weakness." comment: The mainframe platform, z/OS, and ESMs all 
rely on integrity to function. A single TRAP DOOR code vulnerability pierces 
the veil of integrity and can be used to compromise the mainframe. Is this a 
platform weakness? I think so. The platform relies on all code it runs adhering 
to certain rules. z/OS could be changed to better check and enforce those rules.

Would you say that the elimination of User Key Common storage is an example of 
a z/OS change to address a mainframe platform weakness? I think so.

An interesting observation. Thanks.

On 5/29/2019 5:25 AM, R.S. wrote:
> That's classical FUD.
> Frightening people.
> "if an exploit", "if job reads you RACF db", "unintended consequences".
> What hacking scenario exactly can provide the RACF db to the hacker?
> Yes, I saw APF libraries with UACC(ALTER), UID(0) as a standard TSO user 
> attribute, even UPDATE to the RACF db. But it's a problem of people.
> Mistakes, lack of time, lack of control, lack of skills. Not a 
> platform weakness.
>
> It's typical that assurance/lock/gun salesmen tend to talk about 
> risks, threats and dangers. They create a vision.
> My English is poor, but I can observe it for two of the debaters here.
> It's visible. I don't like social engineering.
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN