• Subject: Re: Object Security
  • From: MacWheel99@xxxxxxx
  • Date: Thu, 15 Jun 2000 02:19:35 EDT

SC41-3000 blue cover manual "Tips and Tools for securing your AS/400" should 
have come with your OS/400 - this was the single greatest OS/400 security 
manual I ever saw prior to IBM school on the subject ...it is part of my 
recommended reading to all new managers that I report to (none of whom have 
looked at it to my knowledge) and to project team members associated with 
upgrades & application development (3 of these folks have studied it) ... 
also check out S6019 student notebook appendix B "AS/400 Security Tips and 
Check Lists"

This blue cover manual makes many types of security meaningful ... you can 
see what is very similar to S/36 thinking & what is new to your latest 
reality.  There are examples of various internet & other connections in which 
it spells out the security risks you need to deal with.  However, two 
chapters are missing from this fine manual.

(1) Balancing what typical software vendors do to us contrary to the spirit 
of IBM security recommendations, especially those vendors that have the 
strong backing of IBM marketing ... in some cases responsible compromises are 
possible & should be spelled out, instead of the reality of one branch of IBM 
making security suggestions, and another branch of IBM making their 
implementation a joke.

(2) Implications & risks of compounding common management decisions which in 
concert open some security doors & what the degrees of risk are ... here are 
examples from where I work:
We have ERP, that at one time IBM recommended at the same time as 
recommending security totally contrary to the practices of that ERP, in 
which all users in a group have ownership privileges to all files in the ERP.
Most users have command line authority.
Many users connect via PCs.
We are on the internet & have PC Anywhere & Carbon Copy & other systems like 
that.
Our ECS line has zero security over & above any physical connections ... it 
had at one time but that was taken away from me ... and several vendors have 
connection protocols in which we have zero knowledge of what kind of security 
practices those vendors might have sharing passwords of their employees 
accessing our system.

I see humongous security exposures in the above story, and the IBM 
manuals do not address which of the above decisions warrant the most effort 
to secure better; I do not consider our mixture to be that unique.

PS you cannot dial into our AS/400 from the web site in my sig.
If you go to the customer service page & you happen to know one of our ERP 
end customer item#s, which use the customer part# as our item#, you can get 
at pretty current info on that item, but this data is delivered to the web site 
in a way we believe to be satisfactorily hacker-proof unless the hacker 
compromises our ISP.

Al Macintyre  ©¿©
http://www.cen-elec.com MIS Manager Programmer & Computer Janitor
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].