hi all,

i almost missed this discussion. if you are interested in further arguments
and details in this field "Vulnerability Analysis and Scan on z" you should
also refer to the "it security forum" on our website. we have completely solved
this problem for over a decade.

best
stephen



---
Dr. Stephen Fedtke
Enterprise-IT-Security.com

Seestrasse 3a
CH-6300  Zug
Switzerland
Tel. ++41-(0)41-710-4005
www.enterprise-it-security.com


++NEWS++ SF-LoginHood provides state-of-the-art password, phrase and login
security for z/OS ++NEWS++








At 14:04 29.01.2011 -0600, you wrote:
>Elardus,
>
>Please let me add some information in response to your posting:
>
>There is a difference between a Virus and a System Integrity
>Exposure. The System Integrity Exposure is the Root Cause that a Virus
>exploits. There may be many Viruses, especially in Windows Systems, which
>exploit the same Root Cause. The PC Virus checkers look for the
>signatures of Virus code either executing or in directories and then
>take action to remove them. The Virus Checkers cannot fix the Root Cause
>-- in the case of Windows, only Microsoft can do that. But, it would be
>better if Microsoft would fix the Root Cause because then the Virus
>programs would become ineffective.
>
>IBM's Statement of Integrity clearly states that if a System Integrity
>Vulnerability (the Root Cause) is reported to IBM, they will fix
>it. Microsoft does not make this commitment and this is why the z/OS
>Operating System is a much more "securable" system than Windows.
>
>However, z/OS is not immune to these threats because it too has system
>integrity vulnerabilities. In your posting, you state that there are many
>alternatives to our Vulnerability Analysis Product for the "ethical
>hacking/penetrating/scanning for defects and exposures." In fact, IBM
>purports to provide this capability from their Tivoli zSecure unit. On
>their zSecure Audit Website, they state: "Security zSecure Audit
>includes a powerful system integrity analysis feature. Reports identify
>exposures and potential threats based on intelligent analysis built into
>the system." That's a pretty powerful and absolute statement.
>
>But, since Tivoli is part of IBM you can be assured that their Quality
>Assurance Unit regularly tests their software against revisions to the
>IBM z/OS Operating System and, if any integrity exposures were found,
>they would have reported the vulnerabilities to IBM z/OS Development and
>Development would have fixed them. That would just be the normal course
>of business within IBM.
>
>But, then, how can you reconcile the fact that our VAT product has
>located SIXTY SEVEN (67) new system integrity vulnerabilities in z/OS
>within the last two years? And, our clients have reported them to IBM,
>IBM has accepted them as errors, issued APARs for all of them and issued
>PTFs for almost all of them. So, obviously, the IBM Tivoli zSecure Audit
>package is not catching these errors. And, if IBM is not catching these
>in their own code, what about the ones introduced by the rest of the
>Independent Software Vendor products and locally developed or otherwise
>obtained code on your system? There is a big vulnerability here that
>cannot be ignored.
>
>An exploit of a z/OS (or ISV) system integrity vulnerability would allow
>the illegitimate user to obtain control in an authorized state and use
>this state to change his security credentials to obtain access and be
>able to modify any RACF protected resource on the system with no SMF
>journaling of the access. We have found these integrity exposures in code
>that is in operation on every z/OS system in existence. That is something
>to be concerned about and to act on.
>
>I have no idea of the comparison between the cost of our Vulnerability
>Analysis Tool versus the competition. We would be happy to discuss that
>with you -- we believe it is inexpensive compared to the benefits which
>include not only a reduction of risk and exposure to data loss and
>modification which would result in exposure of company secrets, private
>information and financial loss, but a reduction of system outages. But,
>VAT works and locates the errors that other software/services do not. I
>can totally assure you that a manual process just will not work in our
>lifetimes. So, an automated process is necessary. And VAT provides that
>automation.
>
>And I agree with you that many z/OS Auditors need to be educated on this.
>
>Ray Overby
>Key Resources, Inc.
>Ensuring System Integrity for z/Series(TM)
>www.vatsecurity.com
>(312)574-0007
>
>
>
>On 1/29/2011 09:12 AM, Elardus Engelbrecht wrote:
>> Cris Hernandez #9 wrote:
>>
>>> I too have auditors who treat my mainframe like one of those little puters
>>> and I find it best to first educate them before they convince my management
>>> to send me chasing phantoms.  Don't assume your auditor won't appreciate a
>>> mainframe education.
>>
>> Jim Marshall wrote:
>>
>>> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a
>>> Virus Checker.  Anyone has a constructive solution as to one being available or
>>> some verbiage which defends the position.
>>
>>
>> After reading all those good answers, please allow me a reply:
>>
>> I told my auditors this:
>>
>> 1. There are NO vendors for z/OS antivirus software. Give me one example and
>> I'm ready to talk with my management. Otherwise we talk about RACF, APF,
>> etc. as discussed already in this thread.
>>
>> 2. There are Linux and Unix antivirus software, but z/OS itself is immune
>> against the threats.
>>
>> 3. Some disgruntled employee(s) may place a TROJAN, not a virus. It
>> happened unfortunately. That is another matter for another rainy day.
>>
>> 4. Depending on RACF accesses, one can write something in any language to
>> delete or modify datasets. Anyone. It is up to you to protect your z/OS. Read
>> again that thread in ibmmainframes.com mentioned in this thread for some
>> info.
>>
>> 5. About VAT Security and similar software/service - It looked to me that
>> this is *ethical* hacking/penetrating/scanning for defects and exposures. That is
>> the standard (?), but expensive way, for checking out your z/OS. There are
>> many such software and services available from various vendors.
>>
>>
>> I'm very sure those auditors are in for a serious *re-education* ;-D
>>
>> Groete / Greetings
>> Elardus Engelbrecht
>>
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
>> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>>
>
>
>
