I doubt the authors need any permission to discuss & draw conclusions from studying audit results. There would be nothing identifying in any of these results.

> A truly secure org would not give permission for such a report ...
> the current picture seems to be that I can not get in anywhere without VPN...

We can all recommend best practices, but the actual implementation is never approaching or even close to 100%. Several of my own customers have been warned repeatedly about remote access problems, and because they have not yet (that they know of) been compromised, continue with less than VPN. There is also a perception that Win XP Remote Desktop Connection outside a VPN is good enough (after all, MS did call it "Remote Desktop" so it must be good!). I would have to say "the majority" of shops I personally have worked in have weak remote access security. Also the advertised GoToMyPC that users can implement on their own (if not cut off).

> This means the problem is entirely composed of internal users and controllable...

Internal is a big & controllable problem... but surely you are not saying the problem is only VPN remote access and internal users? Web servers, ftp (not VPN) servers (and clients), i5 email servers, trading partners' server access other than VPN...

I do think many i5 shops are insecure, but much of the problem I encounter is management perception, not IS - if it's been working, no need to change it....
jim franz

----- Original Message -----
From: "Mark Villa" <iseries.4.me@xxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Sunday, November 05, 2006 8:58 AM
Subject: Re: iSeries Security in Computerworld
> Why would the CE need that access all the time ?

Good question. Sounds a little historic. This is my opinion only, not necessarily fact, and I have not read the report, only the article. No offense to -anyone- and here is my view:

We've all had the math problem about finding the population/distributions of sets - I will leave it at that as far as describing what "I" think is a sample that applies to what I see in the field. Additionally, the audience of such a report contains the best of the best, so I did not think anyone worthy of the responsibility would misinterpret ANYTHING reported. Like so many others, I have scrutinized what is reported for years; you become adept at assimilating real content/value at hand - fast - and getting your own facts to continue forward, or simply know that it is not your cup of tea.

A truly secure org would not give permission for such a report or even run the software for the purpose of outside entity reporting unless for compliance, which was not mentioned. That population may be omitted altogether. Therefore, I conclude that the article is for management fright effect/wake-up call, since no one else cares.

Now we have: -CONTEXT. I know this is an emotional topic (and it should not be) but the recent posts about the unreported side of the house are in line with my observations. Excluding vendors with accepted risk boxes for clients, the current picture seems to be that I can not get in anywhere without VPN. This means the problem is entirely composed of internal users and controllable. They sign the employment agreement for responsible behavior with corporate assets. The set of sec issues at risk seemingly will be accidental/lack of knowledge in origin, excluding VPN hackers and lost portables. The disgruntled element of risk is enough to justify uniformity of all the systems - yes, but it seems we tend to cap the bottle with VPN rather than apply security uniformly.

As a side note, I think IBM and ALL OS vendors have done a terrible job at making this an easily managed asset. It is ridiculous that we have to try so hard to see what users might be able to peek at payroll. It has ALWAYS been this way and has not improved much. Of course, we expect a lot sometimes; it's not as simple as a telephone or water meter in the yard, and it helps keep people like me busy.

Is i5 security simply a matter of internal priorities? And is the focus of the article perhaps far too narrow? Would it not be more credible with two sources, one being the audit team or enterprise assessment, rather than an i5-only audit? Might the real question(s) be:

#1 - Is the reason that i5 is neglected because it is not problematic, out of scope - year after year? In that same meeting everyone notes concerns about the weekly Microsoft catastrophe? - Squeaky wheel gets the grease.

#2 - Is the reason because it is too complex and they have not loaded software to manage the solution? - Hardly, you get what you pay for.

--
Mark Villa
Summerville, SC

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.