I guess a "security mind-set" is necessary at appropriate levels of the organization, and this organization appears to have had no such mind-set.
<BACK patting> Back in the mid-90s I designed and wrote a small system for one of the brokerage houses. This system replaced the then-current method of getting "trades" from the brokerage house to a custodian bank, to process the financial aspects of the trade, via FAX. (They actually had a room full of fax machines and a small staff that did nothing but fax trade orders to custodian banks around the world as they came off the printers.) Anyway, part of my design included 128-bit encryption security measures, and the key changed with each transmission to each custodian bank. If things got out of sync, and they did on occasion (we were using Windows, after all), it required human intervention on both ends. When I presented the original design, I had to convince some staff members of the importance of the security that was designed in. Luckily it took all of five minutes with the CIO to convince him, and it then filtered down to the rest of the staff. However, the CIO had some trouble convincing his boss. To this day I have no idea why there was reluctance. It didn't "cost" any more to do it the proper way, other than the development and testing time of that section of code. When we presented the system to the board as the replacement for the FAX method, not one person asked if it was a secure way of doing things. Go figure... </BACK patting>

On Wed Apr 25 12:37, 'McKown, John' <[EMAIL PROTECTED]> sent:

>> -----Original Message-----
>> From: IBM Mainframe Discussion List [EMAIL PROTECTED] On Behalf Of Rick Fochtman
>> Sent: Wednesday, April 25, 2007 12:24 PM
>> To: [email protected]
>> Subject: Re: Not mainframe but the latest in the TJMax fiasco
>>
>> -----------------------------------------------------
>>
>> > Because of their lax security measures, they now face several lawsuits.
>
> Yes, amazing how top level management don't even consider the TCO of an insecure system.
>
> And, from what I gather, the main problem shown here is machine to machine communications "in the clear". I don't entirely know what to do about this. In my paranoid moments, I would want an encrypted tunnel from machine "A" to machine "B" for every combination of "A" and "B" on the LAN who talk to each other. I don't know how much overhead this would add. But the "tunnel" would be established at "boot" time or upon "first connect" and stay up until shutdown.
>
> --
> John McKown
> Senior Systems Programmer
> HealthMarkets
> Keeping the Promise of Affordable Coverage
> Administrative Services Group
> Information Technology
>
> The information contained in this e-mail message may be privileged and/or confidential. It is for intended addressee(s) only. If you are not the intended recipient, you are hereby notified that any disclosure, reproduction, distribution or other use of this communication is strictly prohibited and could, in certain circumstances, be a criminal offense. If you have received this e-mail in error, please notify the sender by reply and delete this message without copying or disclosing it.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
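The per-transmission key change the first poster describes, together with the "out of sync" failure that needed human intervention on both ends, as an added example that is not the poster's code or anything posted in this thread. It assumes a pre-shared 32-byte root key for each brokerage-to-custodian direction and stands in an HMAC-SHA256 hash ratchet with an HMAC-derived keystream for whatever 128-bit cipher the original system used (both are my choices here, not the thread's). The point it adds is the sequence number carried in each message header: with it, a receiver that missed a transmission can ratchet forward a bounded number of steps and keep going, and a replayed or tampered message is rejected without disturbing the receiver's state. Only a gap larger than `max_skip` falls back to the manual resync the poster remembers.

```python
import hashlib
import hmac
import struct

# Constructed constants for the example; the real system's formats are unknown.
HEADER_LEN = 8   # 64-bit big-endian sequence number
TAG_LEN = 32     # HMAC-SHA256 tag


def _prf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    """Domain-separated PRF: all key derivation goes through here."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _derive(chain: bytes):
    """One ratchet step: per-message enc/mac keys plus the next chain key."""
    return _prf(chain, b"enc"), _prf(chain, b"mac"), _prf(chain, b"next")


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Keystream block i = HMAC(key, i); keys are never reused across messages."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, struct.pack(">Q", i), hashlib.sha256).digest()
        chunk = data[i * 32:(i + 1) * 32]
        out += bytes(x ^ y for x, y in zip(chunk, block))
    return bytes(out)


class RatchetEndpoint:
    """One direction of a link: the sender and receiver each hold a copy."""

    def __init__(self, shared_root: bytes, max_skip: int = 8):
        self.chain = shared_root   # assumed pre-shared out of band
        self.counter = 0           # sequence number of the next message
        self.max_skip = max_skip   # how far a receiver may ratchet ahead

    def seal(self, plaintext: bytes) -> bytes:
        enc_key, mac_key, self.chain = _derive(self.chain)
        header = struct.pack(">Q", self.counter)
        self.counter += 1
        ct = _xor_keystream(enc_key, plaintext)
        tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def open(self, msg: bytes) -> bytes:
        if len(msg) < HEADER_LEN + TAG_LEN:
            raise ValueError("truncated message")
        n = struct.unpack(">Q", msg[:HEADER_LEN])[0]
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if n < self.counter:
            raise ValueError("replayed or stale message")
        if n - self.counter > self.max_skip:
            raise ValueError("too far out of sync; manual resync required")
        # Walk a private copy of the chain forward past any lost messages.
        # Their keys are discarded: lost transmissions are re-sent, not reordered.
        chain = self.chain
        for _ in range(n - self.counter):
            _, _, chain = _derive(chain)
        enc_key, mac_key, next_chain = _derive(chain)
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")   # state left untouched
        self.chain, self.counter = next_chain, n + 1    # commit only on success
        return _xor_keystream(enc_key, body[HEADER_LEN:])


def rejects(endpoint: RatchetEndpoint, msg: bytes) -> bool:
    """True if the endpoint refuses the message (used to check failure modes)."""
    try:
        endpoint.open(msg)
        return False
    except ValueError:
        return True
```

A full-duplex link would run two of these, one chain per direction, and a real deployment would replace the HMAC keystream with an AEAD; the ratchet and the sequence-number recovery are the parts worth keeping.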

