Brian,

Years ago I was an EDP security auditor for a bank and this is indeed a SERIOUS hole in security. Only a very few profiles should have *SECOFR authority at all, and they should NOT be profiles which are used in the normal course of business, i.e., users should NOT be signing on with such profiles EXCEPT to perform security officer type duties. The users who have such authority should be required to sign a document indicating that they are aware of the extent of the authority those profiles give them and that they accept responsibility for the use/misuse of those profiles. The highest level of auditing should be turned on. BTW, are you running at security level 40 or even 50? Absolutely NO profile used for FTP should have *SECOFR authority.

How much training in system administration has this ES/9000 guy had? If the bank shortchanged him on training, that isn't an excuse, but it would indicate how cheap the bank management really is. (Potentially throwing away thousands to save pennies.) Who in the bank management is ultimately responsible for security, including EDP security? Did the folks at Jack Henry give any kind of training in system administration or security, or does their documentation give pointers? They are a reputable company long in the business of banking software.

If, after your best efforts, you cannot convince this individual (or your management) of the need to make the machine as tight as possible, you should go to the EDP auditors at the FDIC and report this organization. Believe me, that will get management's attention. The FDIC (and the Comptroller of the Currency) can (and will) create serious regulatory problems. Given the tight scrutiny that banking companies and their subsidiaries are under vis-à-vis Y2K exposures, the regulators will fry this bank for leaving any openings for financial defalcations to occur, as any thief could just wait until the Y2K rollover and let his/her thievery be blamed on that.

If you don't do all that you can with the awareness level that you have, there is always the possibility you could be blamed for NOT informing the regulators. Document every conversation you have with anyone in management (or even the individual involved). Preferably do your communications in writing. There is a Federal law protecting "whistle blowers" if you have to go that far, but hopefully you can get management or this individual to do the right thing.

Randy Mangham
Pacific Crest Consulting
San Diego, CA

brian wrote:
> Despite repeated warnings, however, the ES/9000 guy has left several joe
> (userid=password) user profiles on the box. Many of them are
> USRCLS(*SECOFR) or possess special authorities that would make gaining all
> other authorities trivial.

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
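A defender-side audit of the conditions Randy lists (security-officer profiles, escalating special authorities, "joe" default passwords, QSECURITY and auditing), added here as an example and not part of the original message or any midrange.com code. The record field names UPUPRF/UPUSCL/UPSPAU, the DEFAULT_PWD stand-in for ANZDFTPWD output, the max_secofr threshold and the sample data are assumptions:

```python
"""Audit IBM i user profiles for the exposures described above (added example).
Records mirror a DSPUSRPRF TYPE(*BASIC) outfile row; the field names UPUPRF,
UPUSCL and UPSPAU are assumptions, and DEFAULT_PWD stands in for ANZDFTPWD output."""
from dataclasses import dataclass

# Special authorities that make every other authority reachable:
# *ALLOBJ grants access to all objects, *SECADM lets the holder manage profiles.
ESCALATING = {"*ALLOBJ", "*SECADM"}

@dataclass(frozen=True)
class Finding:
    subject: str    # profile name, or "*SYSVAL" for a system-value finding
    severity: str   # CRITICAL / HIGH / MEDIUM
    reason: str

def audit_profiles(profiles, default_pwd, sysvals, max_secofr=3):
    findings, powerful = [], []
    for rec in profiles:
        name = rec["UPUPRF"]
        specials = set(rec.get("UPSPAU", "").split())
        is_powerful = rec.get("UPUSCL") == "*SECOFR" or bool(specials & ESCALATING)
        joe = name in default_pwd           # password equals the profile name
        if is_powerful:
            powerful.append(name)
        if is_powerful and joe:
            findings.append(Finding(name, "CRITICAL",
                "default password on a profile with security-officer level authority"))
        elif is_powerful:
            findings.append(Finding(name, "HIGH",
                "USRCLS(*SECOFR) or escalating special authority; reserve for SECOFR duties"))
        elif joe:
            findings.append(Finding(name, "HIGH", "password equals profile name"))
    if len(powerful) > max_secofr:      # "only a very few profiles" should be this powerful
        findings.append(Finding("*SYSVAL", "MEDIUM",
            f"{len(powerful)} profiles hold security-officer level authority (limit {max_secofr})"))
    if int(sysvals.get("QSECURITY", "0")) < 40:
        findings.append(Finding("*SYSVAL", "HIGH", "QSECURITY below 40"))
    if "*AUDLVL" not in sysvals.get("QAUDCTL", "*NONE").split():
        findings.append(Finding("*SYSVAL", "HIGH", "QAUDCTL does not enable action auditing"))
    return findings

# Constructed sample data, not taken from the original message.
PROFILES = [
    {"UPUPRF": "QSECOFR", "UPUSCL": "*SECOFR", "UPSPAU": "*ALLOBJ *SECADM *AUDIT"},
    {"UPUPRF": "JOE", "UPUSCL": "*SECOFR", "UPSPAU": "*ALLOBJ *SECADM"},
    {"UPUPRF": "FTPBATCH", "UPUSCL": "*USER", "UPSPAU": "*ALLOBJ"},
    {"UPUPRF": "CLERK1", "UPUSCL": "*USER", "UPSPAU": "*NONE"},
]
DEFAULT_PWD = {"JOE", "FTPBATCH"}
SYSVALS = {"QSECURITY": "30", "QAUDCTL": "*NONE"}
```

Run `audit_profiles(PROFILES, DEFAULT_PWD, SYSVALS)` to see JOE and FTPBATCH flagged CRITICAL, QSECOFR HIGH, and two system-value findings for QSECURITY 30 and QAUDCTL *NONE.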
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].