Dear Al,

Thank you for your kind mentions about our BPCS security tools and services. I've amended your note below to include the URLs pertinent to each of your suggestions. Here's a summary-level URL which presents the security tool list entitled 'Bells & Whistles for BPCS' ----> http://www.upisox.com/bells.html

By the way, trying to fix the BPCS security hole by shutting down all access points from outside the BPCS environment is a broken strategy because it is not fail-safe. There will always be one more unanticipated hole that will cause a vulnerability ...

... an analogy --> trying to shut down every access point reminds me of the avid suburban vegetable gardener who tries to protect her plants with all sorts of fences and barricades and bags of pepper and wind chimes and scarecrows. But, before the end of the growing season, something goes wrong ... all those preposterous barriers end up being defeated by a soccer ball kicked in by the neighbor boy, or a hail storm, or a utility worker marking off underground cables. Barriers to access don't provide fail-safe protection if the individual objects remain vulnerable.

Peace to you,
Milt Habeck
Unbeaten Path
North America toll free: (888) 874-8008
International: (262) 681-3151
mhabeck@xxxxxxxxxx

+++++++ +++++++ +++++++ +++++++ +++++++ +++++++

From: Al Mac
To: SSA's BPCS ERP System
Sent: Sunday, April 17, 2005 6:45 PM
Subject: Re: [BPCS-L] Re: BPCS - Program Security

Shalom

BPCS Security was dramatically re-written going from version V4 to V6 to address many long-standing issues with prior versions. Some of the security threats are non-obvious to many IT and management staff, and BPCS security can be cumbersome to navigate and manage. In general, we trust people to behave responsibly, whether ordinary users or IT people, but opportunities abound for various kinds of human error and embezzlement to go unnoticed.

For example, an error is made in defining an item, and we conclude from the data that it is unprofitable ... it is not unprofitable, the data is wrong, but this is non-obvious. Lots of things in BPCS are non-obvious, not just errors in security; it is a systemic problem.

What usually is noticed first is that many people need to access INV100 to change lots of stuff unrelated to each other, and it is very easy for someone to accidentally field-exit through some field managed by some other corporate dept, and mess things up, with no one the wiser.

Solution ... clone the INV100 software, creating INVI* this-and-that variants where customer service updates the list price and last quote but not much else, purchasing updates info on the last vendor contract, engineers update the revision level, plant maintenance updates tooling ... each dept getting at THEIR fields, then limit who has authority to these different areas.

UPI and other firms have supplied add-on products to help resolve this area:

* security files management made friendly
  http://www.unbeatenpathintl.com/BIOnly-start/source/1.html

* security audit to identify weaknesses in a format that tells management what the problems are, without providing info useful to a hacker, such as how many passwords are easy to guess and have not been changed in eons, or whether virtual sessions are set up so that a potential hacker can have infinite password guesses.
  http://www.upisox.com/bill.html

* database monitoring that is BPCS field-specific to sensible interests, such as who changed the price, shipped out some stuff, then changed the price back; or changed the GL rules so that inventory transactions are invisible from GL, then walked off with a pile of inventory, then changed the GL rules back again.
  http://www.upisox.com/stitch.html

* conversion tool to get BPCS security from vulnerable group authority to rules changed to more modern theories on good 400 security, and get the whole task accomplished smoothly without a big hassle.
  http://unbeatenpathintl.com/battendown/source/1.html

Al Macintyre
BPCS/400 Computer Janitor

+++++++ +++++++ +++++++ +++++++ +++++++ +++++++

From: shalom@xxxxxxxxxx
To: bpcs-l@xxxxxxxxxxxx
Sent: Sunday, April 17, 2005 8:31 AM
Subject: [BPCS-L] Re: BPCS - Program Security

>Daniel,
>I would like to point out several problems with BPCS security. As I have
>not managed a BPCS environment during the last 4 years, maybe some problems
>were resolved in the new versions, although I doubt it.
>
><snip>
>
>Step 3
>Change the default object authority to modify the sensitive files,
>and allow data modification only to those who need it.
>This will not work for files like IIM!!
>
>Shalom Carmel
>www.venera.com - exposing AS/400 insecurity
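Added example, not part of any message in the thread above and not code from UPI or any product mentioned: a small detector for the "change it, use it, change it back" pattern that Al's database-monitoring bullet describes for both the price case and the GL-rule case. It scans a constructed, simplified audit-journal feed for a field change that the same user reverts to the original value within a time window, and lists the transactions that user posted in between. The record layout, the field names (IPRICE, POST, INVISS) and all sample journal rows are constructed for this illustration and are not real BPCS journal entries; only IIM and ITH are BPCS file names quoted from the thread.

```python
"""
Flip-flop detector: flag a master-file field that a user changes and then
reverts to the original value, with inventory transactions in between.
Example code; the journal layout below is a constructed simplification.
"""
from datetime import datetime, timedelta

# Constructed sample journal rows: (timestamp, user, kind, detail)
#   kind "FLD": detail = (file, key, field, old_value, new_value)
#   kind "TXN": detail = (file, key, quantity)
JOURNAL = [
    ("2005-04-15 09:02:11", "JSMITH", "FLD", ("IIM", "WIDGET-10", "IPRICE", "48.00", "4.80")),
    ("2005-04-15 09:05:40", "JSMITH", "TXN", ("ITH", "WIDGET-10", 500)),
    ("2005-04-15 09:31:02", "JSMITH", "FLD", ("IIM", "WIDGET-10", "IPRICE", "4.80", "48.00")),
    ("2005-04-15 10:15:00", "MJONES", "FLD", ("IIM", "BOLT-3", "IPRICE", "1.00", "1.10")),
    ("2005-04-16 08:00:00", "RLEE",   "FLD", ("GLRULE", "INVISS", "POST", "Y", "N")),
    ("2005-04-16 08:20:00", "RLEE",   "TXN", ("ITH", "GEAR-7", 120)),
    ("2005-04-16 08:45:00", "RLEE",   "FLD", ("GLRULE", "INVISS", "POST", "N", "Y")),
    ("2005-04-16 14:00:00", "MJONES", "TXN", ("ITH", "BOLT-3", 20)),
]

WINDOW = timedelta(hours=24)  # how long after a change a revert still counts


def parse(rec):
    """Turn a raw journal tuple into (datetime, user, kind, detail)."""
    ts, user, kind, detail = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, kind, detail


def find_flip_flops(journal, window=WINDOW):
    """Return one finding per change that the same user reverted within `window`.

    A finding records the value the field held in the meantime and every
    transaction that user posted between the change and the revert.
    """
    records = sorted((parse(r) for r in journal), key=lambda r: r[0])
    findings = []
    for i, (t0, user, kind, detail) in enumerate(records):
        if kind != "FLD":
            continue
        file_, key, field, old, new = detail
        if old == new:
            continue  # no-op edit, nothing to revert
        for t1, u1, k1, d1 in records[i + 1:]:
            if t1 - t0 > window:
                break  # revert too late to be correlated with the change
            if k1 != "FLD" or u1 != user or d1[:3] != (file_, key, field):
                continue  # unrelated record, keep scanning
            if d1[3] == new and d1[4] == old:
                between = [
                    (r[3][1], r[3][2])
                    for r in records[i + 1:]
                    if r[2] == "TXN" and r[1] == user and t0 < r[0] < t1
                ]
                findings.append({
                    "user": user, "file": file_, "key": key, "field": field,
                    "original": old, "value_during": new,
                    "changed": t0, "reverted": t1,
                    "transactions": between,
                })
            # either reverted, or changed again to something else: stop tracking
            break
    return findings


def report(findings):
    """Render findings as one line each (for the reader; the test uses the dicts)."""
    lines = []
    for f in findings:
        flag = "SUSPICIOUS" if f["transactions"] else "flip-flop"
        lines.append(
            f"{flag}: {f['user']} set {f['file']}.{f['field']}[{f['key']}] "
            f"{f['original']}->{f['value_during']} at {f['changed']}, reverted at "
            f"{f['reverted']}, {len(f['transactions'])} transaction(s) in between"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_flip_flops(JOURNAL)):
        print(line)
```

On the constructed rows this flags JSMITH (price cut, 500 units shipped, price restored) and RLEE (GL posting rule switched off, 120 units transacted, rule switched back), and ignores MJONES, whose price change was never reverted. The same-user restriction matches Al's description; a colluding second user would need the `u1 != user` test relaxed and the transaction filter widened, at the cost of more noise.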