On 28 Mar 2012 08:28:02 -0700, in bit.listserv.ibm-main you wrote:

>Ask the auditors, and/or hire an independent research consultant specializing 
>in mainframe security, to find some published accounts of mainframe 
>penetration that were NOT due to insiders; e.g., viruses.  Print your own copy 
>of all such accounts.  Study them closely to see where the real weakness was.  
>Over the years I have heard of several mainframe penetrations and usurpations, 
>but they were all due to insider activity.  The first one I heard about, 
>however, was an outsider who found program listings in a trash can outside of 
>the data center's building, which had been tossed there by developers inside 
>the building and/or janitors at night.  The listings were not considered worth 
>securing or shredding.  The perp went to prison for a while, then after being 
>released he turned into a mainframe security consultant.  There are many 
>things to consider besides anti-virus detections; e.g. who has keys to the 
>data center room, to any of the offices containing terminals, logon password 
>protection, etc.  Maybe the auditors have already checked out all these 
> other areas, are just trying to be comprehensive, and do not understand that 
> one size does not fit all.

While z/OS is probably immune to executables being introduced from
outside, how vulnerable is a web server to outside attack (Apache,
Websphere, etc.)?  Java on the server side is effectively executable
code.  If dynamic SQL is allowed, I understand (but don't know for
certain) there are various interesting exploits. There is the story
about little Bobby Tables.  SQL injection is apparently a problem that
I would assume could afflict DB2 under some circumstances.  In short,
as I understand it, there are some vulnerabilities that do not require
machine language executable code.

Clark Morris
>
>Bill Fairchild
>
>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of 
>Greg Dorner
>Sent: Tuesday, March 27, 2012 11:38 AM
>To: IBM-MAIN@bama.ua.edu
>Subject: Re: Malicious Software Protection
>
>No, I'm not serious. But the auditors at PWC are.  I'm practicing my 
>belly-laugh for when they actually want to discuss the issue. You are all 
>telling me what I already knew, but I just wanted to get the feedback so it 
>isn't just my understanding of it. 
>
>
>Thanks everyone, for all the good quotes, quips, and entertainment!
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
>lists...@bama.ua.edu with the message: INFO IBM-MAIN
>

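Added example, not part of the thread and not code from any of the posters: it illustrates the dynamic-SQL point Clark Morris raises, showing the same looked-up value passed once through string-built SQL and once through a parameter marker. It uses Python's sqlite3 module with a constructed in-memory table as a stand-in for DB2; the table, rows and input values are assumptions made for the demonstration, and the behaviour of Python's sqlite3 driver (one statement per execute() call) is specific to that driver.

```python
import sqlite3


def build_db():
    # Constructed sample data: a tiny in-memory table standing in for a real one.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [("Alice", 90), ("Bob", 72), ("Robert", 85)],
    )
    return conn


def lookup_dynamic(conn, name):
    # Dynamic SQL built by concatenation: the caller's value becomes part of
    # the statement text, so a quote character inside it changes what the
    # statement means. This is the pattern SQL injection depends on.
    sql = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Parameter marker: the value is bound as data after the statement is
    # parsed, so it can never be interpreted as SQL, whatever it contains.
    sql = "SELECT name, grade FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed input containing a quote; it closes the literal and appends
# a condition that is always true.
HOSTILE_NAME = "x' OR '1'='1"


def multi_statement_attempt(conn):
    # The "little Bobby Tables" shape: a second statement after the first.
    # Python's sqlite3 refuses to run more than one statement per execute()
    # call, so here the DROP is stopped by a driver restriction, not by the
    # application code. A driver that permits multiple statements would not
    # offer that accidental protection, which is why the concatenation
    # itself is the defect to fix.
    try:
        lookup_dynamic(conn, "Robert'; DROP TABLE students; --")
        outcome = "executed"
    except Exception:
        outcome = "rejected_by_driver"
    remaining = conn.execute("SELECT COUNT(*) FROM students").fetchone()[0]
    return outcome, remaining


def demo():
    conn = build_db()
    results = {
        # Concatenation: the injected condition matches every row.
        "dynamic_rows": len(lookup_dynamic(conn, HOSTILE_NAME)),
        # Parameter binding: the same text is just a name nobody has.
        "parameterized_rows": len(lookup_parameterized(conn, HOSTILE_NAME)),
        # Ordinary input behaves identically in the safe version.
        "normal_rows": len(lookup_parameterized(conn, "Alice")),
    }
    results["multi_statement"], results["rows_left"] = multi_statement_attempt(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defensive point is the one the thread circles around: an interpreter-level weakness needs no machine-language payload, and the fix is structural (parameter markers or static SQL, plus least-privilege database authorities for the application's ID) rather than anti-virus scanning. The multi-statement check is there to show that relying on a driver quirk to block the second statement is not a control; the application-side concatenation remains the defect.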
