Dear Al,

Thank you for your kind mentions about our BPCS
security tools and services.

I've amended your note below to include the URLs pertinent
to each of your suggestions. Here's a summary-level URL
which presents the security tool list entitled 'Bells & Whistles
for BPCS'  ---->   http://www.upisox.com/bells.html

By the way, trying to fix the BPCS security hole
by shutting down all access points from outside the BPCS
environment is a broken strategy because it is not fail-safe.
There will always be one more unanticipated hole that will
cause a vulnerability ...

  ... an analogy --> trying to shut down every access point
            reminds me of the avid suburban vegetable gardener
            that tries to protect her plants with all sorts of
            fences and barricades and bags of pepper and wind
            chimes and scarecrows. But, before the end of the
            growing season, something goes wrong ... all
            those preposterous barriers end up being defeated by
            a soccer ball kicked in by the neighbor boy or a hail
            storm or a utility worker marking off underground
            cables.

Barriers to access don't provide fail-safe protection if the
individual objects remain vulnerable.

Peace to you,

Milt Habeck
Unbeaten Path
North America toll free: (888) 874-8008
International: (262) 681-3151
mhabeck@xxxxxxxxxx




+++++++   +++++++   +++++++   +++++++   +++++++   +++++++
From: Al Mac
To: SSA's BPCS ERP System
Sent: Sunday, April 17, 2005 6:45 PM
Subject: Re: [BPCS-L] Re: BPCS - Program Security

Shalom

BPCS Security was dramatically re-written going from version V4 to V6 to
address many long standing issues with prior versions.

Some of the security threats are non-obvious to many IT and management
staff, and BPCS security can be cumbersome to navigate and manage.  In
general, we trust people to behave responsibly, whether ordinary users, or
IT people, but opportunities abound for various kinds of human error and
embezzlement to go unnoticed.  For example, an error is made in defining an
item, we conclude from the data that it is unprofitable ... it is not
unprofitable, the data is wrong, but this is non-obvious.  Lots of things
in BPCS are non-obvious, not just errors in security, it is a systemic
problem.

What usually is noticed first is that many people need to access INV100 to
change lots of stuff unrelated to each other, and it is very easy for
someone to accidentally field exit thru some field managed by some other
corporate dept, and mess things up, with no one the wiser.

Solution ... clone the INV100 software creating INVI* this and that
variants where customer service updates the list price and last quote but
not much else, purchasing updates info on last vendor contract, engineers
update revision level, plant maintenance updates tooling ... each dept
getting at THEIR fields, then limit who has authority to these different
areas.

UPI and other firms have supplied add-on products to help resolve this area:

    * security files management made friendly
         http://www.unbeatenpathintl.com/BIOnly-start/source/1.html


    * security audit to identify weaknesses in a format that tells
management what the problems are, without providing info useful to a
hacker, such as how many passwords are easy to guess and have not been
changed in eons, or if virtual sessions are set up so that a potential
hacker can have infinite password guesses.
       http://www.upisox.com/bill.html


    * database monitoring that is BPCS field specific to sensible
interests, such as who changed the price, shipped out some stuff, then
changed the price back; or changed the GL rules, so that inventory
transactions are invisible from GL, then walked off with a pile of inventory,
then changed the GL rules back again.
        http://www.upisox.com/stitch.html


    * conversion tool to get BPCS security from vulnerable group authority
to rules changed to more modern theories on good 400 security, and get the
whole task accomplished smoothly without a big hassle.
       http://unbeatenpathintl.com/battendown/source/1.html

Al Macintyre
BPCS/400 Computer Janitor
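One way to implement the "changed the price, shipped, changed the price back" check from the monitoring bullet above, as an added example that is not part of the original thread or of any UPI product. The log layout, the SHP shipment file name and the field names are constructed for illustration; only IIM is a file name taken from this thread.

```python
"""Flag the change-ship-revert pattern in a field-level change log.

Each line of the (constructed) log is:
timestamp,user,file,item,field,old_value,new_value
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real BPCS journal output.
SAMPLE_LOG = """\
2005-04-17 09:02:11,JDOE,IIM,ITEM-100,LIST_PRICE,250.00,25.00
2005-04-17 09:15:40,JDOE,SHP,ITEM-100,QTY_SHIPPED,0,40
2005-04-17 09:20:05,JDOE,IIM,ITEM-100,LIST_PRICE,25.00,250.00
2005-04-17 10:00:00,MSMITH,IIM,ITEM-200,LIST_PRICE,90.00,95.00
2005-04-17 11:30:00,MSMITH,SHP,ITEM-200,QTY_SHIPPED,0,10
2005-04-18 08:00:00,MSMITH,IIM,ITEM-200,LIST_PRICE,95.00,92.00
"""


def parse_log(text):
    """Parse the CSV-style log into dicts, sorted by timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, file_, item, field, old, new = line.split(",")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "file": file_, "item": item,
                        "field": field, "old": old, "new": new})
    return sorted(records, key=lambda r: r["ts"])


def find_change_ship_revert(records, window=timedelta(hours=24)):
    """Return one finding per (user, item) where a LIST_PRICE change is
    followed, within `window`, by a shipment and then a change that
    restores the original price. A later price edit that does not
    restore the old value (MSMITH above) is not flagged."""
    findings = []
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["user"], r["item"])].append(r)
    for (user, item), recs in by_key.items():
        for i, first in enumerate(recs):
            if first["field"] != "LIST_PRICE":
                continue
            shipped = False
            for later in recs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                if later["field"] == "QTY_SHIPPED":
                    shipped = True
                elif (later["field"] == "LIST_PRICE" and shipped
                      and later["new"] == first["old"]):
                    findings.append({"user": user, "item": item,
                                     "changed": first["ts"],
                                     "reverted": later["ts"]})
                    break
    return findings
```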


+++++++   +++++++   +++++++   +++++++   +++++++   +++++++

From: shalom@xxxxxxxxxx
To: bpcs-l@xxxxxxxxxxxx
Sent: Sunday, April 17, 2005 8:31 AM
Subject: [BPCS-L] Re: BPCS - Program Security

>Daniel,
>I would like to point out several problems with BPCS security. As I have 
>not managed a BPCS environment during the last 4 years, maybe some problems 
>were resolved in the new versions, although I doubt it.
>
><snip>
>
>Step 3
>Change the default object authority to modify the sensitive files,
>and allow data modification only to those who need it.
>This will not work for files like IIM!!
>
>Shalom Carmel
>www.venera.com - exposing AS/400 insecurity 


