One would assume that the older z/OS system is important to the
installation. That the data on the system is important, who can review
and update the data is important, as well as the system's availability.
Key Resources, Inc has direct knowledge of vulnerabilities on older,
non-supported z/OS releases (such as z/OS 1.4) that when exploited can
comprise all data as well as the system itself. These vulnerabilities
are exploitable regardless of any ESM (RACF|ACF2|TSS) or z/OS controls
the installation may have in place. Neither z/OS nor your ESM can
identify these vulnerabilities, tell you when they have been exploited,
provide accurate forensic evidence of activities performed after an
exploit, or stop the exploiter from doing what they wish. KRI recommends
that you migrate to the latest supported releases ASAP AND to stay
current on maintenance including INTEGRITY vulnerabilities.
On 7/12/2017 3:25 AM, R.S. wrote:
W dniu 2017-07-12 o 08:40, Timothy Sipples pisze:
Clark Morris wrote:
Running 1.4 on any system that isn't isolated is the equivalent
of running Windows XP.
I think Charles Mills provided some interesting, useful follow-up
remarks.
I wholeheartedly agree that sole reliance on "perimeter" defense no
longer
makes sense, if it ever did. Risk assessments and comparisons are
tricky,
but let me expand on Charles's remarks a bit. In my view, the risks of
being backlevel are probably greater than Clark's analogy suggests.
Windows XP (final Service Pack) reached Microsoft's End of Support on
April
8, 2014, except for certain variants (point of sale/embedded variants,
mainly). z/OS 1.4 can beat that, by several years. z/OS 1.4 reached
its End
of Service date on March 31, 2007. For perspective, that date was before
Apple's first iPhone shipped. That's over a decade of security
improvements
and patches that just aren't available for z/OS 1.4. That's a lot!
IMHO even z/OS 1.4 is worth more trust than i.e. Windows 10
I know some malware for Win10, but I cannot remind any for z/OS 1.4...
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
