Summary of LONG post.
==================

We have identified several challenges with computer security in our recent discussion (archives at midrange dot com) and some of us have stated some beliefs in reality that others have shown to be false (e.g. the extremely inexpensive nature of reliable backup that crosses platforms). My position is that many of the challenges of computer security today do not need to be that way in perpetuity. I believe they are easily fixed & that opportunities exist for computer vendors, some of them on this list, to make a small bundle bringing that reality to the rest of us.

I took some of the links below from my working document on Computer Security Myths, which is now up to approx 35 pages, to illuminate my points, if you wish to pursue the ideas I am sharing. Anyone who is interested can contact me off the list to get a copy via e-mail attachment of what I am working on.

JT asked in another post what might be done to persuade the powers that be that an improvement in computer security is a worthwhile investment ... well you know, if one of your employees sends an e-mail to an employee of a business partner & that e-mail is infected with a computer virus, do you think that might have a negative impact on the business relationship? There might even be legal liabilities ... check out
http://www.mazunetworks.com/radin-toc.html

I believe that many enterprises have invested in computer systems such that making them secure is not a simple proposition, and what they really need to do is take security into consideration at the time that they retire their platform for next generation investments. I have stated many times that if you get a computer system whose security is a house of cards & you put a padlock on it, that ain't gonna work, you have to rebuild the house so it is made out of secure stuff ...

http://www.zdmcirc.com/zdmcirc/popups/ewkpop.ht
A recent series of articles in e-Week on computer security shows exactly how much hassle it is to add computer security to the house of cards that is what passes for computer systems that most enterprises buy these days. A comparable resource is
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

I absolutely agree that many many enterprises have computer systems that can be made very secure but have not in fact been made so. I absolutely agree that in most cases the reason why an enterprise has an insecure computer system is not a technical problem but a people problem. I absolutely agree that people are in fact a major weak link for computer security today & in recent history, but things are being done in that department so this does not always need to be the case. These things could be highlighted, such as in computer magazine articles, to help accelerate the repair process.

My employer has a form of ISO 9xxx quality standards with respect to the products we make & engineer, so I know something about the subject without being an expert in it. Since I first observed ISO 9xxx, the quality industry has made great strides. In the beginning, it was merely the notion that a company knew what the heck it was doing, had documented that, and was in fact adhering to its own documents. But ISO 9xxx has advanced to the point that you get higher marks if your documented procedures include certain things that other companies expect you to have, that might be standards in some industries. Now the weak link of people doing unwise practices with respect to corporate security could be addressed via this ISO 9xxx standards approach ... there would be certain things that belong in the company practices document if they take security seriously, that the ISO auditor could verify they are in fact doing.

We are now at the stage in meeting ISO auditor standards that not only do we have to have the good stuff in our company practices documentation, we have to be able to prove we are doing the good stuff. We have internal audits by our own people, and we have external audits, and we get report cards that are used to improve our ISO standing towards certain goals. These report cards are understandable to non-technical people. It is self evident to everyone looking at these report cards what it is that is being measured & how good or bad a job we did.

Computer security could be done the same way. You do not have to be a technician to understand the reports from outfits like
http://www.pentasafe.com

Some of us work with a computer platform that CAN be secured, which is to say it is on the directory of the computer systems that have been certified as coming with high security capabilities at
http://www.radium.ncsc.mil/tpep/epl/epl-by-vendor.html
That site also lists what is needed to implement this conceivable high security & that stuff does require a computer technician, in my opinion, to figure it out & get it done right.

However, if the software does not exist today from places like http://www.pentasafe.com I figure it is only a matter of time until people can get computer security audits based on the high security system data ... Does your enterprise have a high security computer system yes or no ... and has it been implemented to take advantage of the high security capabilities yes or no ... You do not need to be a computer technician to understand that report card ... you do need to be a computer technician to explain WHY the company might have a computer system that is capable of high security but has not in fact been installed that way, and what decisions have been made at the company that mean that it is not practical to fix the security.

The usual example is that the company has made demands that certain software be available for the users, and that software vendor is not a believer in adhering to security standards, so as long as that software vendor is desired by corporate, good security cannot be provided. However, that also is information that might become old news, as security software audit tools advance & can address what we have bought from some software vendor that is anti-security, to evaluate what is doable in the area of modifications so that we can keep the benefits of what that vendor has to offer but at the same time plug the security holes. It is my understanding that http://www.pentasafe.com has a security audit that is BPCS specific ...

I have a personal interest in this topic ... this last year I have been aggressively cleaning up our BPCS data base to get rid of dead records ... one of the major holes in BPCS software is a lack of clean up of various data when it is no longer relevant, so I have been identifying files that are gluttons for disk space because they have records dating back to 1998 that we no longer need & they will not go away through the vanilla BPCS software unless I make them go away. I have also been focusing on improving performance for my BPCS users, and my radar screen includes improving security. I think BPCS 405 CD is a great stable ERP package & it will be a great shame if & when my employer finally moves to something else. If & when we do, I hope it will be something like
http://www.erros.co.uk/
which is reviewed at
http://www.400times.co.uk/Documents/ERROS1.htm
... it is apparent that great complexity of major enterprise business rules can be managed with high security at PC prices & quite possibly lower staffing overhead than is standard for the 400 today, so you get the lowest possible operating costs, rock bottom purchase costs, and extremely sophisticated complexity but it is right up against what the users need, without any layers of abstraction that have vulnerabilities for hackers. I do not seriously believe we will go there, because this is thinking so far outside the box that many people might think I am confusing science fiction with reality.

Computer security on the 400 is not expensive & it is not a brain buster, it is merely finding the time to get the job done. IBM has a free site where we go with information about our security situation & it makes recommendations with respect to where our security may be inadequate & what we ought to do about that.
http://www.as400.ibm.com/tstudio/secure1/advisor/secwiz.htm
That URL might have been changed in the rebranding.

Suppose you have seen the FBI list of the 20 most common computer security blunders that enterprises consistently make. If you go to the source, there are links there to get at software that will evaluate your computer network to see if you have any of those exposures & help you plug them.
http://www.sans.org/top20.htm
There is also a searchable index of known computer security risks at
http://cve.mitre.org/cve/

Now the ISO organization does have 9xxx that applies to computer security, but it has not gained the industry wide respect that we have for ISO 9xxx related to actual products & services delivered by companies to other companies. When you are looking for information on this kind of topic on the internet, the buzzwords include "Software Quality" and "Computer Security Certification."

http://www.iso9000solutions.com/ ... ISO 9000 starting point for links
http://www.qualitydigest.com/html/iso9000.html ISO 9000 data base design
http://www.sysmod.com/psp.htm software cumulative improvement process
http://www.sysmod.com/swdev.htm software quality improvement links
http://www.pdmic.com/IPDMUG/IPDMUGfaq.html engineering software quality
http://www.iccp.org Institute for Certification of Computing Professionals
http://www.ISC2.org Certified Information Systems Security Professional
http://nsa1.www.conxion.com/ collection of Security Recommendation Guides from the National Security Agency of the US Government

> From: email@example.com (jt)
>
> Al,
>
> I think it's a given that people are gonna be the weakest link here. That's
> a bug that's never gonna be fixed...
>
> What I'm looking for is this: if a company (or individual) keeps proper
> PHYSICAL security of the system, can it then be protected.
>
> This would allow companies with some ISO 9xxxx certification of their
> physical security, to become trusted. Pairs of these trusted companies can
> then do business "relatively" securely, IMV...
>
> jt
>
> | -----Original Message-----
> | [mailto:firstname.lastname@example.org]On Behalf Of MacWheel99@aol.com
> | Subject: Re: Where are all of the /400's going. (was RE: QUSER on ODBC
> | requests)
> |
> ==> But here's the thing:
> | > (I'm NOT contradicting you, but just asking the question.)
> | > Has it ever been done AND/OR IS it theoretically possible:
> | > COULD a 400 machine serial number be hacked...?!?
> | > I guess I'm asking if
> | > there's ANY WAY CONCEIVABLE? I think this is a key question.
> |
> | If a 400 is not secure, anything can be hacked.
> |
> | If a device, that is connected to a secure 400, is itself not secure, then
> | that is another possibility. Does corporate culture permit users to have
> | their passwords "programmed" into their PC hardware so that they
> | do some PLAY KEY combination
> | & it gets them where they need to go a lot?
> | Are those same
> | PCs accessible via PC Anywhere or equivalent system (there's a bunch of
> | competitors) & can those same PLAY KEY deals be done remotely? Do those
> | users have relatively high levels of security, so they can get into stuff
> | like WRKSYSVAL?
> |
> | Remember when Microsoft got hacked & someone downloaded a lot of
> | source code that they had considered confidential?
> | An employee with home PC was trusted
> | to access Microsoft corporate network.
> | The employee home PC did not have the
> | latest firewall software protections.
> | Hacker broke into employee home PC &
> | from there got into Microsoft network.
> | 400 site can be equally vulnerable
> | to this sort of thing depending on corporate culture.
> |
> | The kind of thing that worries me is trusted partners. For reasons of
> | software licensing, we have given out our hardware serial number
> | to several
> | vendors, some of which are authorized to dial into our system to provide
> | various kinds of tech support ... now suppose one of them is
> | hacked ... now all their customers are exposed.

MacWheel99@aol.com (Alister Wm Macintyre) (Al Mac)