


Mark - Based on real experiences I would have to disagree with a couple of your assertions.

A truly secure org would not give permission for such a report ...
I doubt the authors need any permission to discuss & draw conclusions from studying audit results. There would be nothing identifying in any of these results.

the current picture seems to be that I can not get in anywhere without VPN...
We can all recommend best practices, but the actual implementation is never approaching or even close to 100%. Several of my own customers have been warned repeatedly about remote access problems, and because they have not yet (that they know of) been compromised, they continue with less than a VPN. There is also a perception that Win XP Remote Desktop Connection outside a VPN is good enough (after all, MS did call it "Remote Desktop", so it must be good!). I would have to say "the majority" of shops I personally have worked in have weak remote access security. There is also the advertised GoToMyPC that users can set up on their own (if not cut off).

This means the problem is entirely composed of internal users and controllable...
Internal is a big & controllable problem... but
Surely you are not saying the problem is only VPN remote access and internal users? Web servers, FTP (non-VPN) servers (and clients), i5 email servers, trading partners' server access other than VPN...

I do think many i5 shops are insecure, but much of the problem I encounter is management perception, not IS - if it's been working, there's no need to change it....

jim franz




----- Original Message ----- From: "Mark Villa" <iseries.4.me@xxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Sunday, November 05, 2006 8:58 AM
Subject: Re: iSeries Security in Computerworld


Why would the CE need that access all the time?

Good question. Sounds a little historic.

This is my opinion only, not necessarily fact, and I have not read the
report only the article. No offense to -anyone- and here is my view:
We've all had the math problem about finding the population
/distributions of sets - I will leave it at that as far as describing
what "I" think is a sample that applies to what I see in the field.
Additionally, the audience of such a report contains the best of the
best, so I did not think anyone worthy of the responsibility would
misinterpret ANYTHING reported.  Like so many others, I have
scrutinized what is reported for years; you become adept at
assimilating the real content / value at hand - fast - and at getting your own
facts to continue forward, or simply knowing that it is not your cup of
tea.

A truly secure org would not give permission for such a report or even
run the software for the purpose of outside entity reporting unless
for compliance, which was not mentioned. That population may be
omitted altogether. Therefore, I conclude that the article is for
management fright effect/wake-up call, since no one else cares. Now we
have: -CONTEXT.  I know this is an emotional topic (and it should not
be) but the recent posts about the unreported side of the house are in
line with my observations. Excluding vendors with accepted risk boxes
for clients, the current picture seems to be that I can not get in
anywhere without VPN.
This means the problem is entirely composed of internal users and controllable.
They sign the employment agreement for responsible behavior with
corporate assets. The set of sec issues at risk seemingly will be
accidental/lack of knowledge in origin excluding VPN hackers and lost
portables. The disgruntled element of risk is enough to justify
uniformity of all the systems -yes but it seems we tend to cap the
bottle with VPN rather than apply security uniformly.

As a side note, I think IBM and ALL OS vendors have done a terrible
job at making this an easily managed asset. It is ridiculous that we
have to try so hard to see what users might be able to peek at
payroll. It has ALWAYS been this way and has not improved much. Of
course, we expect a lot sometimes, it's not as simple as a telephone
or water meter in the yard and it helps keep people like me busy.

Is i5 security simply a matter of internal priorities?  And the focus
of the article perhaps far too narrow. Would it not be more credible
with two sources one being the audit team or enterprise assessment
rather than an i5 only audit?
Might the real question(s) be:
#1 - Is the reason that i5 is neglected because it is not problematic,
out of scope - year after year? In that same meeting everyone notes
concerns about the weekly Microsoft catastrophe?
-Squeaky wheel gets the grease.

#2 - Is the reason because it is too complex and they have not loaded
software to manage the solution?
-Hardly, you get what you pay for.
--
Mark Villa
Summerville, SC
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].