On 30 Oct 2018 16:19:45 -0700, in bit.listserv.ibm-main [email protected] (Arthur) wrote:
>On 30 Oct 2018 07:59:23 -0700, in bit.listserv.ibm-main
>(Message-ID:<[email protected]>)
>[email protected] (Eric Verwijs) wrote:
>
>>http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security
>>
>>What zero-day vulnerabilities would there be? I've not
>>heard of unpatched security holes in Z/OS before.
>
>Note that near the top of the article it says: "In this
>eWEEK Data Point article, using industry information from
>Ray Overby, President and CEO of Key Resources, Inc." It
>was KRI that supposedly found the zero-day vulns.
>
>I think this is not so much an article as an ad for KRI.

As a former MVS systems programmer, I have always been somewhat skeptical about the invulnerability of MVS and its successors. I don't know enough about VM to comment on it. Is there a statement of integrity for VSE, for TPF?

What are the ways someone can access the z series if it is connected to the Internet? What are the vulnerabilities posed by trusted users? Given that there are 256-gigabyte USB keys, how much information can be stolen by people allowed to log in? Are test systems protected as well as production systems, and how many have some version of production data? Building good sets of coordinated test data is an expense that many organizations have been unwilling to incur.

I know virtually nothing about KRI, but that isn't the only organization that has claimed to successfully penetrate the mainframe. Good security means that people have access only to that which they need to do their jobs and for only as long as is needed. It means that usage is monitored. Security is not simple, and authorized people have the ability to cause much harm.

Clark Morris
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [email protected] with the message: INFO IBM-MAIN
