• Subject: Re: AS/400 security ignored
  • From: Randy Mangham <randym69@xxxxxxxxxxx>
  • Date: Mon, 08 Mar 1999 08:25:31 -0800
  • Organization: Pacific Crest Consulting


Years ago I was an EDP security auditor for a bank and this is indeed a SERIOUS
hole in security. Only a very few profiles should have *SECOFR authority at all
and they should NOT be profiles which are used in the normal course of business.
I.E. users should NOT be signing on with such profiles EXCEPT to perform 
officer type duties. The users who have such authority should be required to 
a document indicating that they are aware of the extent of the authority those
profiles give them and that they accept responsibility for the use/misuse of
those profiles. The highest level of auditing should be turned on. BTW, are you
running at security level 40 or even 50? Absolutely NO profile used for FTP
should have *SECOFR authority. How much training in system administration has
this ES/9000 guy had? If the bank shortchanged him on training that isn't an
excuse but it would indicate how cheap the bank management really is.
(Potentially throwing away thousands to save pennies.) Who in the bank 
is ultimately responsible for security including EDP security? Did the folks at
Jack Henry give any kind of training in system administration or security or 
their documentation give pointers? They are a reputable company long in the
business of banking software.

If, after your best efforts, you cannot convince this individual (or your
management) of the need to make the machine as tight as possible, you should go
to the EDP auditors at the FDIC and report this organization. Believe me, that
will get management's attention. The FDIC (and the Comptroller of the Currency)
can (and will) create serious regulatory problems. Given the tight scrutiny that
banking companies and their subsidiaries are under vis a vis Y2K exposures, the
regulators will fry this bank for leaving any openings for financial 
to occur as any thief could just wait until the Y2K rollover and let his/her
thievery be blamed on that. If you don't do all that you can with the awareness
level that you have, there is always the possibility you could be blamed for NOT
informing the regulators. Document every conversation you have with anyone in
management (or even the individual involved). Preferably do your communications
in writing. There is a Federal law protecting "whistle blowers" if you have to 
that far but hopefully you can get management or this individual to do that 

Randy Mangham
Pacific Crest Consulting
San Diego, CA

brian wrote:

> Despite repeated warnings, however, the ES/9000 guy has left several joe
> (userid=password) user profiles on the box.  Many of them are
> USRCLS(*SECOFR) or possess special authorities that would make gaining all
> other authorities trivial.

| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].