Steve,

Risk has been defined in many ways, but when looking at IT governance, I
like this one: "the threat or probability that an action or event will
adversely or beneficially affect an organization's ability to achieve its
objectives."

IMHO, this definition is only partial. It does not factor in the cost
associated with an event nor the breadth of the risk - only the
probability of the event.

If one event with a high probability had a very low cost to the
organization, and another event with a low probability could close the
doors, which one should you spend more energy on?

With respect to unencrypted Telnet sessions, the cost of sending
passwords in clear text was demonstrated to be extremely high as
recently as in the TJ Maxx case. You probably recall that it was clear
text passwords sent over a wireless connection that the thief ring
captured and allowed them to penetrate the greater TJ Maxx enterprise.
Ultimately they stole over 44M credit card records. A breach of a
similar nature is certainly plausible in many OS/400 environments.


So, when looking at this from a risk assessment perspective, what is more
likely to occur on the inside - a rogue user hooking a sniffer up to the
network and snagging the port 23 clear text passwords, OR someone
accessing another user's desktop while they're temporarily away and having
the ability to fire up a CA session that doesn't force signon?


I would submit that the best protection point here is the desktop screen
saver, and not the OS/400 clear text QDSIGNON screen, which brings to
mind a breadth-of-risk measurement. If someone compromised the desktop,
they will have access to a broad range of organizational resources:
obviously all local files and programs and, if AD is used, then a large
number of server files (including email) and programs, as well as access
to various websites whose passwords were cached in the browser. OS/400
and DB2/400 access is therefore not the primary concern, but rather just
an incremental risk (though you could argue a large increment).
Therefore the focus should be on protecting the desktop session (with
enforced screen lock timeouts, for example) rather than relying on the
clear text QDSIGNON screen to protect against access.

But of course, this is just all MHO. :)

jte



--
John Earl, VP and Chief Technology Officer
PowerTech: 253-872-7788
Direct: 253-479-1408
Mobile: 206-669-3336
John.Earl@xxxxxxxxxxxxx






