Elardus,

Please let me add some information in response to your posting:

There is a difference between a Virus and a System Integrity Exposure. The System Integrity Exposure is the Root Cause that a Virus exploits. There may be many Viruses, especially in Windows Systems, which exploit the same Root Cause. The PC Virus checkers look for the signatures of Virus code either executing or in directories and then take action to remove them. The Virus Checkers cannot fix the Root Cause -- in the case of Windows, only Microsoft can do that. But, it would be better if Microsoft would fix the Root Cause because then the Virus programs would become ineffective.

IBM's Statement of Integrity clearly states that if a System Integrity Vulnerability (the Root Cause) is reported to IBM, they will fix it. Microsoft does not make this commitment and this is why the z/OS Operating System is a much more "securable" system than Windows.

However, z/OS is not immune to these threats because it too has system integrity vulnerabilities. In your posting, you state that there are many alternatives to our Vulnerability Analysis Product for the "ethical hacking/penetrating/scanning for defects and exposures." In fact, IBM purports to provide this capability from their Tivoli zSecure unit. On their zSecure Audit Website, they state: "Security zSecure Audit includes a powerful system integrity analysis feature. Reports identify exposures and potential threats based on intelligent analysis built into the system." That's a pretty powerful and absolute statement.

But, since Tivoli is part of IBM you can be assured that their Quality Assurance Unit regularly tests their software against revisions to the IBM z/OS Operating System and, if any integrity exposures were found, they would have reported the vulnerabilities to IBM z/OS Development and Development would have fixed them. That would just be the normal course of business within IBM.

But, then, how can you reconcile the fact that our VAT product has located SIXTY SEVEN (67) new system integrity vulnerabilities in z/OS within the last two years? And, our clients have reported them to IBM, IBM has accepted them as errors, issued APARs for all of them and issued PTFs for almost all of them. So, obviously, the IBM Tivoli zSecure Audit package is not catching these errors. And, if IBM is not catching these in their own code, what about the ones introduced by the rest of the Independent Software Vendor products and locally developed or otherwise obtained code on your system? There is a big vulnerability here that cannot be ignored.

An exploit of a z/OS (or ISV) system integrity vulnerability would allow the illegitimate user to obtain control in an authorized state and use this state to change his security credentials to obtain access and be able to modify any RACF protected resource on the system with no SMF journaling of the access. We have found these integrity exposures in code that is in operation on every z/OS system in existence. That is something to be concerned about and to act on.

I have no idea of the comparison between the cost of our Vulnerability Analysis Tool versus the competition. We would be happy to discuss that with you -- we believe it is inexpensive compared to the benefits which include not only a reduction of risk and exposure to data loss and modification which would result in exposure of company secrets, private information and financial loss, but a reduction of system outages. But, VAT works and locates the errors that other software/services do not. I can totally assure you that a manual process just will not work in our lifetimes. So, an automated process is necessary. And VAT provides that automation.

And I agree with you that many z/OS Auditors need to be educated on this.

Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series(TM)
www.vatsecurity.com
(312)574-0007



On 1/29/2011 09:12 AM, Elardus Engelbrecht wrote:
Cris Hernandez #9 wrote:

I too have auditors who treat my mainframe like one of those little puters
and I find it best to first educate them before they convince my management
to send me chasing phantoms.  Don't assume your auditor won't appreciate a
mainframe education.

Jim Marshall wrote:

Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a
Virus Checker.  Anyone has a constructive solution as to one being available or
some verbiage which defends the position.


After reading all those good answers, please allow me a reply:

I told my auditors this:

1. There are NO vendors for z/OS antivirus software. Give me one example and
I'm ready to talk with my management. Otherwise we talk about RACF, APF,
etc. as discussed already in this thread.

2. There are Linux and Unix antivirus software, but z/OS itself is immune
against the threats.

3. Some disgruntled employee(s) may place a TROJAN, not a virus. It
happened unfortunately. That is another matter for another rainy day.

4. Depending on RACF accesses, one can write something in any language to
delete or modify datasets. Anyone. It is up to you to protect your z/OS. Read
again that thread in ibmmainframes.com mentioned in this thread for some info.

5. About VAT Security and similar software/service - It looked to me that this
is *ethical* hacking/penetrating/scanning for defects and exposures. That is
the standard (?), but expensive way, for checking out your z/OS. There are
many such software and services available from various vendors.


I'm very sure those auditors are in for a serious *re-education* ;-D

Groete / Greetings
Elardus Engelbrecht

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

