I suggest that you visit the web link section of the CISSP Open Study Guides web site located at http://www.cccure.org. Under the web link section there is a category on AS400 and lots of links to good security resources related to the AS400.

Clement

> -----Original Message-----
> From: Mark Wolcenski [mailto:[EMAIL PROTECTED]]
> Sent: 28 November, 2001 09:36
> To: [EMAIL PROTECTED]
> Subject: AS/400 and security assessment
>
> Greetings,
>
> I now have my first security client and am conducting an
> initial -- and very limited -- security assessment
> (< 40 hrs) for an AS/400 based firm.
> It's a greatly cutback first part of a complete,
> three-part security assurance strategy.
>
> Background:
> This client is about to open up his systems to 3000+
> internet located users. The new web-facing system
> will provide hooks, via WebSphere technology, to
> access AS/400 V5R1 databases. This is a very risky
> move (albeit absolutely necessary) from a paper based
> data (fax) input by local, on site, employee users
> to real-time input via internet based users.
>
> My role:
> The initial work is limited to vulnerabilities related to
> a few, non-AS/400 elements (results in needed associated
> patches/hotfixes/updates and recommended configs, et al.);
> a limited review of their very short computer
> usage/security policy; and lastly, the reason
> for this posting, I will be commenting on AS/400 V5R1.
> This last item will be in the form of "notes" including a list
> of recommended security sites and potential activities.
>
> There will be no vuln/pen testing on this run -- although
> I have and will continue to recommend this.
>
> My question:
> Does anyone have any "little" gems of wisdom to pass along
> to me regarding the AS/400 piece?
>
> Thanks!
>
> PS: In fact, I'll listen to anything anyone cares to pass on.