Don't see anything like a "forum" in the sitemap of your web site.

J

On Fri, Mar 4, 2011 at 7:21 AM, Dr. Stephen Fedtke <max_mainframe_...@fedtke.com> wrote:

> hi all,
>
> i almost missed this discussion. if you are interested in further arguments
> and details in this field "Vulnerability Analysis and Scan on z" you should
> also refer to the "it security forum" on our website. we completely solve
> this problem for over a decade.
>
> best
> stephen
>
> ---
> Dr. Stephen Fedtke
> Enterprise-IT-Security.com
>
> Seestrasse 3a
> CH-6300 Zug
> Switzerland
> Tel. ++41-(0)41-710-4005
> www.enterprise-it-security.com
>
> ++NEWS++ SF-LoginHood provides state-of-the-art password, phrase and login
> security for z/OS ++NEWS++
>
> At 14:04 29.01.2011 -0600, you wrote:
> >Elardus,
> >
> >Please let me add some information in response to your posting:
> >
> >There is a difference between a Virus and a System Integrity
> >Exposure. The System Integrity Exposure is the Root Cause that a Virus
> >exploits. There may be many Viruses, especially in Windows Systems, which
> >exploit the same Root Cause. The PC Virus checkers look for the
> >signatures of Virus code either executing or in directories and then
> >take action to remove them. The Virus Checkers cannot fix the Root Cause
> >-- in the case of Windows, only Microsoft can do that. But, it would be
> >better if Microsoft would fix the Root Cause because then the Virus
> >programs would become ineffective.
> >
> >IBM's Statement of Integrity clearly states that if a System Integrity
> >Vulnerability (the Root Cause) is reported to IBM, they will fix
> >it. Microsoft does not make this commitment and this is why the z/OS
> >Operating System is a much more "securable" system than Windows.
> >
> >However, z/OS is not immune to these threats because it too has system
> >integrity vulnerabilities. In your posting, you state that there are many
> >alternatives to our Vulnerability Analysis Product for the "ethical
> >hacking/penetrating/scanning for defects and exposures." In fact, IBM
> >purports to provide this capability from their Tivoli zSecure unit. On
> >their zSecure Audit Website, they state: "Security zSecure Audit
> >includes a powerful system integrity analysis feature. Reports identify
> >exposures and potential threats based on intelligent analysis built into
> >the system." That's a pretty powerful and absolute statement.
> >
> >But, since Tivoli is part of IBM you can be assured that their Quality
> >Assurance Unit regularly tests their software against revisions to the
> >IBM z/OS Operating System and, if any integrity exposures were found,
> >they would have reported the vulnerabilities to IBM z/OS Development and
> >Development would have fixed them. That would just be the normal course
> >of business within IBM.
> >
> >But, then, how can you reconcile the fact that our VAT product has
> >located SIXTY SEVEN (67) new system integrity vulnerabilities in z/OS
> >within the last two years. And, our clients have reported them to IBM,
> >IBM has accepted them as errors, issued APARS for all of them and issued
> >PTFs for almost all of them. So, obviously, the IBM Tivoli zSecure Audit
> >package is not catching these errors. And, if IBM, is not catching these
> >in their own code, what about the ones introduced by the rest of the
> >Independent Software Vendor products and locally developed or otherwise
> >obtained code on your system? There is a big vulnerability here that
> >cannot be ignored.
> >
> >An exploit of a z/OS (or ISV) system integrity vulnerability would allow
> >the illegitimate user to obtain control in an authorized state and use
> >this state to change his security credentials to obtain access and be
> >able to modify any RACF protected resource on the system with no SMF
> >journaling of the access. We have found these integrity exposures in code
> >that is in operation on every z/OS system in existence. That is something
> >to be concerned about and to act on.
> >
> >I have no idea of the comparison between the cost of our Vulnerability
> >Analysis Tool versus the competition. We would be happy to discuss that
> >with you -- we believe it is inexpensive compared to the benefits which
> >include not only a reduction of risk and exposure to data loss and
> >modification which would result in exposure of company secrets, private
> >information and financial loss, but a reduction of system outages. But,
> >VAT works and locates the errors that other software/services do not. I
> >can totally assure you that a manual process just will not work in our
> >lifetimes. So, an automated process is necessary. And VAT provides that
> >automation.
> >
> >And I agree with you that many z/OS Auditors need to be educated on this.
> >
> >Ray Overby
> >Key Resources, Inc.
> >Ensuring System Integrity for z/Series(TM)
> >www.vatsecurity.com
> >(312)574-0007
> >
> >On 1/29/2011 09:12 AM, Elardus Engelbrecht wrote:
> >> Cris Hernandez #9 wrote:
> >>
> >>> I too have auditors who treat my mainframe like one of those little
> >>> puters and I find it best to first educate them before they convince
> >>> my management to send me chasing phantoms. Don't assume your auditor
> >>> won't appreciate a mainframe education.
> >>
> >> Jim Marshall wrote:
> >>
> >>> Auditors came around and wrote up our z/OS V1R10 Sysplex for not
> >>> running a Virus Checker. Anyone has a constructive solution as to one
> >>> being available or some verbiage which defends the position.
> >>
> >> After reading all those good answers, please allow me a reply:
> >>
> >> I told my auditors this:
> >>
> >> 1. There are NO vendors for z/OS antivirus software. Give me one example
> >> and I'm ready to talk with my management. Otherwise we talk about RACF,
> >> APF, etc. as discussed already in this thread.
> >>
> >> 2. There are Linux and Unix antivirus software, but z/OS itself is
> >> immune against the threats.
> >>
> >> 3. Some disgruntled employee(s) may place a TROJAN, not a virus. It
> >> happened unfortunately. That is another matter for another rainy day.
> >>
> >> 4. Depending on RACF accesses, one can write something in any language
> >> to delete or modify datasets. Anyone. It is up to you to protect your
> >> z/OS. Read again that thread in ibmmainframes.com mentioned in this
> >> thread for some info.
> >>
> >> 5. About VAT Security and similar software/service - It looked to me
> >> that this is *ethical* hacking/penetrating/scanning for defects and
> >> exposures. That is the standard (?), but expensive way, for checking
> >> out your z/OS. There are many such software and services available from
> >> various vendors.
> >>
> >> I'm very sure those auditors are in for a serious *re-education* ;-D
> >>
> >> Groete / Greetings
> >> Elardus Engelbrecht
> >>
> >> ----------------------------------------------------------------------
> >> For IBM-MAIN subscribe / signoff / archive access instructions,
> >> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> >> Search the archives at http://bama.ua.edu/archives/ibm-main.html