<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Reaching for the high hanging fruit</title>
	<atom:link href="http://www.greebo.net/2007/12/21/reaching-for-the-high-hanging-fruit/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.greebo.net/2007/12/21/reaching-for-the-high-hanging-fruit/</link>
	<description>mostly useless crap from me</description>
	<pubDate>Wed, 19 Nov 2008 22:58:45 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: Augusto P Barros</title>
		<link>http://www.greebo.net/2007/12/21/reaching-for-the-high-hanging-fruit/#comment-16520</link>
		<dc:creator>Augusto P Barros</dc:creator>
		<pubDate>Thu, 07 Feb 2008 18:10:36 +0000</pubDate>
		<guid isPermaLink="false">http://www.greebo.net/2007/12/21/reaching-for-the-high-hanging-fruit/#comment-16520</guid>
		<description>Hi,

just blogged about your blog. I'm also doing some research about mainframe security, especially on cases where legacy applications are being used by new apps on other platforms. I have seen some huge security holes on how people are doing that integration, like screen scraping systems, direct CICS Sockets access and so on. Good to see more people talking about it.

Regards,

Augusto</description>
		<content:encoded><![CDATA[<p>Hi,</p>
<p>just blogged about your blog. I&#8217;m also doing some research about mainframe security, especially on cases where legacy applications are being used by new apps on other platforms. I have seen some huge security holes on how people are doing that integration, like screen scraping systems, direct CICS Sockets access and so on. Good to see more people talking about it.</p>
<p>Regards,</p>
<p>Augusto</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Mark Nadir</title>
		<link>http://www.greebo.net/2007/12/21/reaching-for-the-high-hanging-fruit/#comment-16262</link>
		<dc:creator>Mark Nadir</dc:creator>
		<pubDate>Wed, 09 Jan 2008 17:59:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.greebo.net/2007/12/21/reaching-for-the-high-hanging-fruit/#comment-16262</guid>
		<description>ACF2 and RACF are both excellent facilities for securing access control as well as the auditing of said access control to resources residing on mainframes. As with everything else, the trick is the proper configuration and use of these facilities. 

However, these facilities don't address the other concerns you mentioned in this article, especially in the areas of batch data transfers that may use cleartext protocols, batches with no integrity and no accountability controls, and so on.

Having conducted a few security and compliance initiatives for two large retailers in North America, this is a key area for improvement. Not only that, but the auditors are also taking note, especially for PCI.

I've seen cases where FTP was used to transfer critical information for a few reasons: either it was the only protocol available, or it was the easiest way to do things. Added to that were the skill sets and experience levels of the mainframe administrators who may or may not know how to secure said transfers.

This is a fascinating field. 

Some things that environments can do to immediately help with this are:

1. Understand what data is sensitive to their mainframe environments. A true understanding of this data can help companies decide on what measures they can deploy that can provide the best value to mitigate risk and balance operational efficiencies;

2. Isolate the mainframe environment from the actual web processing environment, ensuring that only the bare minimum of information flow happens between the two. If possible, use a data abstraction layer between the two separated environments;

3. Understand how to secure protocols, including the clear text protocols such as FTP. Easy ways of securing FTP are Secure FTP (FTP/s) and SSH FTP (SFTP). Use FTP servers that fully audit activities;

4. Consolidate the logs of all these different systems, processes and subsystems into a centralized log management solution such as a SIEM. Utilize any correlation and analysis capabilities of said solution. I've had great success with the RSA enVision solution for this.

These are some of the things companies can do, that can realize immediate benefits to them.</description>
		<content:encoded><![CDATA[<p>ACF2 and RACF are both excellent facilities for securing access control as well as the auditing of said access control to resources residing on mainframes. As with everything else, the trick is the proper configuration and use of these facilities. </p>
<p>However, these facilities don&#8217;t address the other concerns you mentioned in this article, especially in the areas of batch data transfers that may use cleartext protocols, batches with no integrity and no accountability controls, and so on.</p>
<p>Having conducted a few security and compliance initiatives for two large retailers in North America, this is a key area for improvement. Not only that, but the auditors are also taking note, especially for PCI.</p>
<p>I&#8217;ve seen cases where FTP was used to transfer critical information for a few reasons: either it was the only protocol available, or it was the easiest way to do things. Added to that were the skill sets and experience levels of the mainframe administrators who may or may not know how to secure said transfers.</p>
<p>This is a fascinating field. </p>
<p>Some things that environments can do to immediately help with this are:</p>
<p>1. Understand what data is sensitive to their mainframe environments. A true understanding of this data can help companies decide on what measures they can deploy that can provide the best value to mitigate risk and balance operational efficiencies;</p>
<p>2. Isolate the mainframe environment from the actual web processing environment, ensuring that only the bare minimum of information flow happens between the two. If possible, use a data abstraction layer between the two separated environments;</p>
<p>3. Understand how to secure protocols, including the clear text protocols such as FTP. Easy ways of securing FTP are Secure FTP (FTP/s) and SSH FTP (SFTP). Use FTP servers that fully audit activities;</p>
<p>4. Consolidate the logs of all these different systems, processes and subsystems into a centralized log management solution such as a SIEM. Utilize any correlation and analysis capabilities of said solution. I&#8217;ve had great success with the RSA enVision solution for this.</p>
<p>These are some of the things companies can do, that can realize immediate benefits to them.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dre</title>
		<link>http://www.greebo.net/2007/12/21/reaching-for-the-high-hanging-fruit/#comment-16052</link>
		<dc:creator>dre</dc:creator>
		<pubDate>Mon, 24 Dec 2007 02:57:28 +0000</pubDate>
		<guid isPermaLink="false">http://www.greebo.net/2007/12/21/reaching-for-the-high-hanging-fruit/#comment-16052</guid>
		<description>http://isbn.nu/0131738569/</description>
		<content:encoded><![CDATA[<p><a href="http://isbn.nu/0131738569/" rel="nofollow">http://isbn.nu/0131738569/</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
