Is IBM trying to get out of z/OS? Abby Ross states "passwords and confidential information should not be on the mainframe because they are exposed to any type of user". This article is about selling IBM services and moving to Unix. So-called experts, yet she and her team obviously don't understand z/OS security. She gives a list of Unix security exposures. I'll go through them shortly. It's sad that these so-called IBM security experts give out such bad advice to their customers.

The actual solution is to treat z/OS Unix security exactly the same as any other Unix system. Unix programmers get the flexibility to do everything, but with that comes the responsibility to learn corporate Unix security standards. z/OS Unix must comply with both corporate standards (Unix and z/OS).

Item 1 - password policies: In what world is an 8-character password easily guessed in 10 attempts? She even thinks hackers will have a whole day to crack it. Even worse, she cites a colleague's example of a Windows Active Directory Services breach exposing a z/OS user's password. Is she saying that Unix doesn't have this exposure with Windows Active Directory Services? If not, then what corporate standard is z/OS Unix missing?

Item 2 - data left behind: When was MVS ever a set-up-and-forget system? Planned properly, much of the security will occur naturally (e.g. naming conventions). Fewer people are needed to maintain z/OS corporate standards because they are very easy to follow. "Certain data should be secured". Obviously, but people must follow corporate standards (e.g. naming conventions or the equivalent Unix standard). "Sensitive data should be deleted". In Unix, why bother with deletion when you can't delete from the backups? The only solution for any Unix system is to properly protect the data. Deleting datasets from z/OS and HSM is trivial, but why bother when it's properly secured in the first place? "passwords and confidential information should not be on the mainframe because they are exposed to any type of user" totally boggles the mind. They think it's a great idea to move sensitive data to systems that are getting hacked all the time (do a web search for the last year to see the reported cases). "They had a hacker who found privileged data". People make fewer (and far less impactful) security mistakes on z/OS than Unix. Think back to that web search.

Item 3 - over-privileged users: Most people forget that 90% of z/OS users are either CICS or IMS users who don't have direct access to any datasets and are often restricted to specific transactions. How many of the remaining 10% are considered over-privileged by their companies' policies? Is that mostly z/OS Unix where they aren't following corporate Unix standards?

Item 4 - unencrypted protocols: Specifically she cites "TN3270 defaults to unencrypted for webservers". z/OS TN3270 easily supports SSL encryption. Doesn't the blame belong to a web server not using the SSL port? This is a usage issue instead of a technical issue. Set a corporate standard and everyone must follow it.

Item 5 - insecure applications: Security in CICS, IMS, TSO and batch is hidden, with very few exceptions (e.g. TCP sockets). There are only 3 commonly used security products (RACF, ACF2 and Top-Secret) and they are so heavily used that their testing is considered far superior to Unix equivalents. Unix gives programmers the flexibility to implement anything they want. Because this flexibility includes security, they have the responsibility to test whatever security they implement. Who takes responsibility for all the freeware in use by those applications (huge list)? How about frameworks (software bundles)? How about each programmer's set of utilities and tools? Do you really think most Unix systems are being properly validated?

The biggest factor in security is human. z/OS has greatly reduced that exposure. Unix needs to grow up and take responsibility for its failures. Or maybe we just need another 100 APIs, frameworks and utilities.

Jon.

On Tuesday, August 13, 2019, 06:57:59 AM PDT, Charles Mills <charl...@mcn.org> wrote:

I disagree somewhat with the other two commenters. The papers are NOT an advanced how-to for RACF administrators! (For that, see the DISA STIGs!) But they are a decent intro for a manager who is ignorant of -- and frankly, need not be concerned with -- configuration details. They weren't written for readers of this list -- but think about your manager or his boss ...

The first paper is pretty good IMHO. Would anyone disagree that the five vulnerabilities listed are at least among the top ten or so vulnerabilities?

The second paper is certainly airline magazine level. Yeah, the quote cited by Lennie makes absolutely no sense. But there are some good points in there. Would anyone disagree with the following? Would anyone say it would NOT be good if every CIO at a mainframe organization read the following?

The mainframe was and is critical to commercial databases, transaction servers and applications that require high reliability, scalability, compatibility and speed. In fact, mainframes handle 30 billion business transactions every single day — and that number is only expected to grow [1]. However, companies face challenges ensuring their mainframes are secure. With IT resources stretched and criminal attacks on the rise, CIOs and CISOs need to make sure their mainframes are locked down.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Filip Palian
Sent: Monday, August 12, 2019 6:17 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Mainframes testing

Hey List,

This can be of interest to some:
- https://securityintelligence.com/posts/top-five-security-focus-areas-for-mainframes/
- https://www.ibm.com/downloads/cas/A9NKZ8WE

Any thoughts/comments?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
----------------------------------------------------------------------