Re: ISO 9xxx Security (was: Where all /400's going)

[MacWheel99@xxxxxxx]

Summary of LONG post.
==================
We have identified several challenges with computer security in our recent
discussion (archives at midrange dot com) and some of us have stated some
beliefs in reality that others have shown to be false (e.g. extremely
inexpensive nature of reliable backup that crosses platforms).  My position
is that many of the challenges of computer security today do not need to be
that way in perpetuity.  I believe they are easily fixed & that opportunities
exist for computer vendors, some of them on this list, to make a small bundle
bringing that reality to the rest of us.

I took some of the links below from my working document on Computer Security
Myths, which is now up to approx 35 pages, to illuminate my points, if you
wish to pursue the ideas I am sharing.  Anyone who is interested can contact
me off the list to get a copy via e-mail attachment of what I am working on.

JT asked in another post what might be done to persuade the powers that be
that an improvement in computer security is a worth while investment ... well
you know, if one of your employees sends an e-mail to an employee of a
business partner & that e-mail is infected with a computer virus, do you
think that might have a negative impact on the business relationship?  There
might even be legal liabilities ... check out
http://www.mazunetworks.com/radin-toc.html

I believe that many enterprises have invested in computer systems such that
making them secure is not a simple proposition, and what they really need to
do is take security into consideration at the time that they retire their
platform for next generation investments.

I have stated many times that if you get a computer system whose security is
a house of cards & you put a padlock on it, that aint gonna work, you have to
rebuild the house so it is made out of secure stuff ...
http://www.zdmcirc.com/zdmcirc/popups/ewkpop.ht recent series of articles in
e-Week on computer security show exactly how much hassle it is to add
computer security to the house of cards that is what passes for computer
systems that most enterprises buy these days.

A comparable resource is
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

I absolutely agree that many many enterprises have computer systems that can
be made very secure but have not in fact been done so.

I absolutely agree that in most cases the reason why an enterprise has an
insecure computer system is not a technical problem but a people problem.

I absolutely agree that people are in fact a major weak link for computer
security today & in recent history, but things are being done in that
department so this does not always need to be the case.  These things could
be highlighted, such as in computer magazine articles, to help accelerate the
repair process,

My employer has a form of ISO 9xxx quality standards with respect to the
products we make & engineer, so I know something about the subject without
being an expert in it.  Since I first observed ISO 9xxx, the quality industry
has made great strides.

In the beginning, it was merely the notion that a company knew what the heck
it was doing, had documented that, and was in fact adhering to its own
documents.  But ISO 9xxx has advanced to the point that you get higher marks
if your documented procedures include certain things that other companies
expect you to have, that might be standards in some industries.

Now the weak link of people doing unwise practices with respect to corporate
security, could be addressed via this ISO 9xxx standards approach ... there
would be certain things that belong in the company practices document if they
take security seriously, that the ISO auditor could verify they are in fact
doing.

We are now at the stage in meeting ISO auditor standards, that not only we
have to have the good stuff in our company practices documentation, we have
to be able to prove we are doing the good stuff.  We have internal audits by
our own people, and we have external audits, and we get report cards that are
used to improve our ISO standing towards certain goals.  These report cards
are understandable to non-technical people.  It is self evident to everyone
looking at these report cards what it is that is being measured & how good or
bad a job we did.

Computer security could be done the same way.  You do not have to be a
technician to understand the reports from outfits like
http://www.pentasafe.com

Some of us work with a computer platform that CAN be secured, which is to say
it is on the directory of the computer systems that have been certified as
coming with high security capabilities at
http://www.radium.ncsc.mil/tpep/epl/epl-by-vendor.html

That site also lists what is needed to implement this conceivable high
security & that stuff does require a computer technician, in my opinion, to
figure it out & get it done right.
However, if the software does not exist today from places like
http://www.pentasafe.com I figure it is only a matter of time until people
can get computer security audits based on the high security system data ...

Does your enterprise have a high security computer system yes or no ... and
has it been implemented to take advantage of the high security capabilities
yes or no ...

You do not need to be a computer techician to understand that report card ...
you do need to be a computer technican to explain WHY the company might have
a computer system that is capable of high security but has not in fact been
installed that way, and what decisions have been made at the company that
mean that it is not practical to fix the security.

The usual example, is that the company has made demands that certain software
be available for the users, and that software vendor is not a believer in
adhering to security standards, so so long as that software vendor is desired
by corporate, good security cannot be provided.  However, that also is
information that might become old news, as security software audit tools
advance & can address what we have bought from some software vendor that is
anti-security, to evaluate what is doable in the area of modifications so
that we can keep the benefits of what that vendor has to offer but at the
same time plug the security holes.

It is my understanding that http://www.pentasafe.com has a security audit
that is BPCS specific ... I have a personal interest in this topic ... this
last year I have been agressively cleaning up our BPCS data base to get rid
of dead records ... one of the major holes in BPCS software is a lack of
clean up of various data when it is no longer relevant, so I have been
identifying files that are gluttons for disk space because they have records
dating back to 1998 that we no longer need & they will not go away through
the vanilla BPCS software unless I make them go away.  I have also been
focusing on improving performance for my BPCS users, and my radar screen
includes improving security.

I think BPCS 405 CD is a great stable ERP package & it will be a great shame
if & when my employer finally moves to something else.  If & when we do, I
hope it will be something like http://www.erros.co.uk/ which is reviewed at
http://www.400times.co.uk/Documents/ERROS1.htm ... it is apparent that great
complexity of major enterprise business rules can be managed with high
security at PC prices & quite possibly lower staffing overhead than is
standard for the 400 today, so you get the lowest possible operating costs,
rock bottom purchase costs, and extremely sophisticated complexity but it is
right up against what the users need, without any layers of abstraction that
have vulnerabilities for hackers.  I do not seriously believe we will go
there, because this is thinking so far outside the box that many people might
think I am confusing science fiction with reality.

Computer security on the 400 is not expensive & it is not a brain buster, it
is merely finding the time to get the job done.  IBM has a free site where we
go with information about our security situation & it makes reccommendations
with respect to where our security may be inadequate & what we ought to do
about that.
http://www.as400.ibm.com/tstudio/secure1/advisor/secwiz.htm

That URL might have been changed in the rebranding.

Suppose you have seen the FBI list of the 20 most common computer security
blunders that enterprises consistently make.  If you go to the source, there
are links there to get at software that will evaluate your computer network
to see if you have any of those exposures & help you plug them.
http://www.sans.org/top20.htm

There is also a searchable index of known computer security risks at
http://cve.mitre.org/cve/

Now the ISO organization does have 9xxx that applies to computer security,
but it has not gained the industry wide respect that we have for ISO 9xxx
related to actual products & services delivered by companies to other
companies.  When you looking for information on this kind of topic on the
internet, the buzzwords include "Software Quality" and "Computer Security
Certification."

http://www.iso9000solutions.com/ ... ISO 9000 starting point for links
http://www.qualitydigest.com/html/iso9000.html ISO 9000 data base design
http://www.sysmod.com/psp.htm software cumulative improvement process
http://www.sysmod.com/swdev.htm software quality improvement links
http://www.pdmic.com/IPDMUG/IPDMUGfaq.html engineering software quality
http://www.iccp.org Institute for Certification of Computing Professionals
http://www.ISC2.org Certified Information Systems Security Professional
http://nsa1.www.conxion.com/ collection of Security Recommendation Guides
from the National Security Agency of the US Government

> From: jt@ee.net (jt)
>
>  Al,
>
>  I think it's a given that people are gonna be the weakest link here.
That's
>  a bug that's never gonna be fixed...
>
>  What I'm looking for is this:  if a company (or individual) keeps proper
>  PHYSICAL security of the system, can it then be protected.
>
>  This would allow companies with some ISO 9xxxx certification of their
>  physical security, to become trusted.  Pairs of these trusted companies can
>  then do business "relatively" securely, IMV...
>
>  jt
>
>  | -----Original Message-----
>  | [mailto:midrange-l-admin@midrange.com]On Behalf Of MacWheel99@aol.com
>  | Subject: Re: Where are all of the /400's going. (was RE: QUSER on ODBC
>  | requests)

>  | > ==> But here's the thing:
>  | > (I'm NOT contradicting you, but just asking the question.)
>  | >  Has it ever been done AND/OR IS it theoretically possible:
>  | >  COULD a 400 machine serial number be hacked...?!?
>  | >  I guess I'm asking if
>  | >  there's ANY WAY CONCEIVABLE?  I think this is a key question.
>  |
>  | If a 400 is not secure, anything can be hacked.
>  |
>  | If a device, that is connected to a secure 400, is itself not secure,
then
>  | that is another possibility.  Does corporate culture permit users to have
>  | their passwords "programmed" into their PC hardware so that they
>  | do some PLAY KEY combination
>  | & it gets them where they need to go a lot?
>  | Are those same
>  | PCs accessible via PC Anywhere or equivalent system (there's a bunch of
>  | competitors) & can those same PLAY KEY deals be done remotely?  Do those
>  | users have relatively high levels of security, so they can get into stuff
>  | like WRKSYSVAL?
>  |
>  | Remember when Microsoft got hacked & someone downloaded a lot of
>  | source code that they had considered confidential?
>  | An employee with home PC was trusted
>  | to access Microsoft corporate network.
>  | The employee home PC did not have the
>  | latest firewall software protections.
>  | Hacker broke into employee home PC &
>  | from there got into Microsoft network.
>  | 400 site can be equally vulnerable
>  | to this sort of thing depending on corporate culture.
>  |
>  | The kind of thing that worries me is trusted partners.  For reasons of
>  | software licensing, we have given out our hardware serial number
>  | to several
>  | vendors, some of which are authorized to dial into our system to provide
>  | various kinds of tech support ... now suppose one of them is
>  | hacked ... now all their customers are exposed.

MacWheel99@aol.com (Alister Wm Macintyre) (Al Mac)