Rick Fochtman wrote:
<snip />
Sooner or later, you'll have to invest a certain amount of trust in a
selected, and trusted, few employees. If you can keep that to a
minimum, you can minimize the risks of an extended outage because of
"security abuse"; you just have to decide who you trust.
Well... I know (or at least so it appears, since I don't *KNOW* you)
you are indeed a thoughtful "security officer"... (And... err... started
tasks bypassing authentication are definitely a solution, yet doesn't
it give people with access to the console an awful lot of power? (Just
a question... I'm not a z/OS guy! Maybe I'm getting this all wrong!)...
The message I am sending is that a 'three strikes and you're out'
solution is not a panacea. I wasn't sending the message to you, but
rather to *everyone* out there who may be confronted with the evil
'know it all' auditor/consultant who is going to *instruct* people to
implement these sorts of measures indiscriminately (because that's what
is on his checklist!)... And maybe to those who hadn't thought of some
of the implications of such a policy (if it isn't implemented correctly).
Actually a "100 strikes and you're out" (or some quite large number) may
be a possible solution: it avoids brute-force attacks through some
TN3270 API, yet someone doing this will be easily detectable, AND it
avoids the CEO with a bad hair day being locked out and starting to
fire people by the dozen (because everyone knows the CEO will *have* a
bad hair day[1] on the critical day).
Then again, a script kiddie may be able to lock out people that way...
(but it does lower the risk)...
And about the "password" aging problem and complexity... My (personal)
recommendation is (mind you, I am NOT a security officer, just an aging
sysprog): allow passwords to remain unchanged for a long period of time,
yet force somewhat complicated passwords. This way, people won't
have to write them down; however, they are hard to crack (through
brute-force attacks on hashes) and, furthermore, once they are
accustomed to their passwords, they will type them fast at the keyboard
(mitigating the 'over the shoulder' attack). My "usual" password isn't
very long, 8 chars, but I can type it in a matter of ~500 ms.
--Ivan
[1] Can't blame him... chances are HIS job is on the line those days!
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
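The trade-off Ivan describes between a 'three strikes' lockout and a '100 strikes' lockout with earlier alerting can be replayed over a few constructed logon records. The following is an added example, not code from the thread or from any z/OS product: the log line format, the user name CEO, the IP addresses, the alert threshold, and the rule that a successful logon resets the failure count are all assumptions made for illustration.

```python
"""Failed-logon accounting with a lockout threshold and an earlier alert threshold.

Added example (not from the IBM-MAIN thread). Assumptions: the log line format
'<ts> user=<id> src=<ip> result=OK|FAIL', the user name CEO, the addresses,
and that a successful logon resets the failure counter.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Policy:
    lockout_after: int  # failures before the account is locked: 3 vs 100 in the thread
    alert_after: int    # failures before an alert fires; should sit well below lockout_after


@dataclass
class Account:
    failures: int = 0
    locked: bool = False
    alerted: bool = False
    per_source: dict = field(default_factory=lambda: defaultdict(int))


def parse(line):
    """Parse a constructed log line into (timestamp, user, source, result)."""
    ts, rest = line.split(" ", 1)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return ts, kv["user"], kv["src"], kv["result"]


def process(lines, policy):
    """Replay log lines under a policy; return per-user state and notable events."""
    accounts = defaultdict(Account)
    events = []
    for line in lines:
        ts, user, src, result = parse(line)
        acct = accounts[user]
        if acct.locked:
            # The correct password is refused too: the lockout is itself a denial of service
            events.append((ts, user, "REJECTED_LOCKED"))
            continue
        if result == "OK":
            acct.failures = 0  # assumption: a successful logon resets the count
            events.append((ts, user, "LOGON"))
            continue
        acct.failures += 1
        acct.per_source[src] += 1
        if acct.failures >= policy.lockout_after:
            acct.locked = True
            events.append((ts, user, "LOCKED"))
        elif acct.failures >= policy.alert_after and not acct.alerted:
            # Alert long before lockout, naming the address that produced most failures
            acct.alerted = True
            noisiest = max(acct.per_source, key=acct.per_source.get)
            events.append((ts, user, f"ALERT top_src={noisiest}"))
    return accounts, events


def constructed_log(attacker_failures):
    """Constructed sample: an attacker guesses CEO's password N times from one
    address; then the CEO mistypes twice and logs on correctly from the LAN."""
    lines = [f"T{i:04d} user=CEO src=198.51.100.7 result=FAIL"
             for i in range(attacker_failures)]
    n = attacker_failures
    lines += [f"T{n:04d} user=CEO src=10.0.0.5 result=FAIL",
              f"T{n + 1:04d} user=CEO src=10.0.0.5 result=FAIL",
              f"T{n + 2:04d} user=CEO src=10.0.0.5 result=OK"]
    return lines


def ceo_got_in(policy, attacker_failures):
    """True if the CEO's correct password was accepted under this policy."""
    _, events = process(constructed_log(attacker_failures), policy)
    return "LOGON" in [e[2] for e in events if e[1] == "CEO"]


def alert_count(policy, attacker_failures):
    """Number of alerts raised while replaying the constructed log."""
    _, events = process(constructed_log(attacker_failures), policy)
    return sum(1 for e in events if e[2].startswith("ALERT"))


if __name__ == "__main__":
    three = Policy(lockout_after=3, alert_after=2)
    hundred = Policy(lockout_after=100, alert_after=10)
    for name, pol in (("3 strikes", three), ("100 strikes", hundred)):
        for n in (3, 30, 100):
            print(f"{name:12s} attacker tries={n:3d} "
                  f"CEO logged on={ceo_got_in(pol, n)} alerts={alert_count(pol, n)}")
```

With the 3-strike policy, three guesses from the attacker lock the CEO out before the CEO ever types a password; with the 100-strike policy and an alert at 10 failures, thirty guesses raise an alert naming the attacking address and the CEO still logs on, but a hundred guesses still lock the account, which is the residual risk the post concedes.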