I think the Logica breach is a perfect example of the problem in many ways. I don't think anyone knows for certain how Gottfrid Warg got into Logica initially. (He has been convicted so I do not have to say "allegedly.") However, it is clear he was not an insider or anything like that. One *possibility* is that he breached a Web server that was associated with the z/OS system, and it turned out that some of the user ID/password combinations were common between the Web server and z/OS.

So you might say "Aha! Told you so! z/OS is perfect. No problem. It's the Web server's fault. End of story. I'm going back to real work now." But the reality is that their z/OS was just as breached as if it had been due to some "statement of integrity" problem with core MVS. I think that if one is responsible for the real-world security of a z/OS system one has to guard against all of the exposures, and frankly, the key exposures are not "MVS integrity" but scenarios such as the above, insider threats, SQL injection, and so forth.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Charles Mills
Sent: Sunday, January 11, 2015 12:24 PM
To: [email protected]
Subject: Re: Young's Black Hat 2013 talk - was mainframe tribute song

Do I know about a violation of the statement of integrity that IBM has not addressed? No, of course not.

I am not certain that "MVS exposures" versus "lax security" is a black and white dichotomy. It's easy to look after the fact at any breach and say "aha! You should not have done X." I don't think the role of us security practitioners is solely pointing out "exposures" in MVS to IBM. I think helping customers with common less-than-ideal practices is more important.

Logica was a professional service bureau with a professionally-maintained z/OS. They got breached. One might infer that other MVS sites, and not just those with "lax" (however defined) security practices, might also be vulnerable.

Charles

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
