Special letter to Ecometry users

NEW!!! Do you need to comply with CISP security standards?

Dear Ecometry System Manager:

The simple fact is that anyone can gain full control of your data. Here are some of the basic issues (taken from a standard HP3000 environment MIS audit) and VESOFT's solution:

1) Logon passwords should be unique to each individual
2) Automatic password expiration
3) Password integrity enforcement
4) Modems need protecting
5) Access to the system prompt should be restricted
6) Inactivity lockout
7) Lockout after 3 unsuccessful attempts - VESOFT enforces this
8) Desirable to have an accompanying audit package to analyze security
9) Should log and report attempted security violations and successful access
10) Forbid concurrent sessions under the same logon ID - optional with VESOFT

A peculiarity of the Ecometry standard configuration adds a security wrinkle: many users are granted, by default, PM (Privileged Mode) capability. A user with PM capability and the system colon prompt can acquire SM (System Manager) capability and have full control over the system. Security/3000 offers a solution so that MACS users can perform required functions without colon prompt access.

Also, there are many loopholes that are standard to HP3000s; there are several additional critical issues, for example:

1) Batch security - embedded passwords in job streams are a serious breach of system security (they can be visible to unauthorized users)
2) Database security - VESOFT's VEOPEN
3) Network logons - see the Security/3000 manual: REMOTE ACCESS: NETWORK SECURITY LOOPHOLES
4) File security (addressed by MPEX)

Also, how many SM/PM users do you have? How many without passwords? Did you know that a PM user with colon prompt access can acquire SM? VEAUDIT will show all SM/PM users (often easy to guess) and which ones are unpassworded!

Below is a recent endorsement from a MACS/VESOFT user:

    I'll repeat the recommendation for VESoft's security package as well as their MPEX utility if you don't already have it. If your MACS installation was anything like ours, do yourself a big favor and be sure to get their VEAudit package and run a full audit right off the bat. We're STILL cleaning up security issues after 4 months of working on them. Between the userids without passwords, users with OP capability all over, massive groups of released files, globally allowed operator commands, and lack of supplemental security for dial-in ports, getting your system to an "auditable" state can be quite a bit of work. VEAudit does an excellent job of finding these issues for you, however. Implementing the supplemental passwords, enforcing password aging and length/pattern rules, and perhaps putting a front-end menu on the system using features in Security/3000 can go a long way towards protecting the integrity of your system (and your peace of mind). If anyone would like to see an example of a Security/3000 front-end menu used with MACS, I'd be happy to provide an example (we use a menu that adds some custom options to certain users, allows ALL users to change their own MPE passwords, allows them access to MACS, some users to MACS POS, and most importantly, isolates users from the CI prompt).

    -Chris Bartram

Please let me know if you have any questions.
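As an added illustration, not part of VESOFT's letter or of any VESOFT product, the Python script below runs three of the checks the letter names over constructed sample data: embedded passwords on !JOB cards in a batch job stream, SM/PM users without passwords, and lockout after 3 consecutive failed logons. The !JOB card syntax the regular expression parses is my recollection of the MPE format and is an assumption; the job stream, user table, logon events and function names are all constructed for this example.

```python
"""Added example: three of the audit checks named in the VESOFT letter,
run over constructed sample data. The !JOB card layout is an assumption
about MPE syntax, not something the letter specifies."""
import re
from collections import Counter

# Constructed job stream. Assumed MPE job card layout:
#   !JOB [jobname,]user[/userpass].account[/acctpass][,group[/grouppass]]
SAMPLE_STREAM = """!JOB NIGHTLY,MGR/SECRET.ORDERS/ACCTPW
!RUN BATCHPOST.PUB.MACS
!EOJ
!JOB SAFERUN,OPERATOR.ORDERS
!RUN BATCHPOST.PUB.MACS
!EOJ
!JOB ACCTONLY,CLERK.ORDERS/ACCTPW,DATA
!EOJ
"""

JOB_CARD = re.compile(
    r"^!JOB\s+"
    r"(?:(?P<jobname>[A-Z0-9]+),)?"
    r"(?P<user>[A-Z0-9]+)(?:/(?P<userpw>[^.\s,]+))?"
    r"\.(?P<acct>[A-Z0-9]+)(?:/(?P<acctpw>[^\s,]+))?"
    r"(?:,(?P<group>[A-Z0-9]+)(?:/(?P<grouppw>\S+))?)?",
    re.IGNORECASE,
)


def find_embedded_passwords(stream_text):
    """Return (line_no, user.account, [password fields present]) for every
    !JOB card that carries a password inline (the letter's 'batch security'
    item: such passwords are readable by anyone who can read the stream)."""
    hits = []
    for n, line in enumerate(stream_text.splitlines(), 1):
        m = JOB_CARD.match(line)
        if not m:
            continue
        fields = [f for f in ("userpw", "acctpw", "grouppw") if m.group(f)]
        if fields:
            hits.append((n, f"{m.group('user')}.{m.group('acct')}", fields))
    return hits


# Constructed user table: (user.account, capability set, has_password)
SAMPLE_USERS = [
    ("MANAGER.SYS", {"SM", "AM", "PM", "OP"}, True),
    ("MGR.ORDERS", {"AM", "PM"}, False),
    ("CLERK.ORDERS", {"IA", "BA"}, False),
    ("OPERATOR.ORDERS", {"PM"}, True),
]


def audit_users(users):
    """Answer the letter's two questions: which users hold SM or PM (a PM
    user with colon-prompt access can acquire SM), and which of those have
    no password at all. Lists are sorted so results compare stably."""
    privileged = sorted(u for u, caps, _ in users if caps & {"SM", "PM"})
    unpassworded = sorted(u for u, _, has_pw in users if not has_pw)
    return {
        "privileged": privileged,
        "unpassworded": unpassworded,
        "privileged_unpassworded": sorted(set(privileged) & set(unpassworded)),
    }


# Constructed logon events in time order: (logon_id, succeeded)
SAMPLE_LOGONS = [
    ("CLERK.ORDERS", False), ("CLERK.ORDERS", True),
    ("MGR.ORDERS", False), ("MGR.ORDERS", False), ("MGR.ORDERS", False),
    ("MGR.ORDERS", True),
]


def lockout_candidates(events, threshold=3):
    """Apply the letter's rule 'lockout after 3 unsuccessful attempts':
    count consecutive failures per logon ID (a success resets the count)
    and return {logon_id: index of the event at which lockout is due}."""
    streak = Counter()
    locked = {}
    for i, (logon_id, ok) in enumerate(events):
        if ok:
            streak[logon_id] = 0
            continue
        streak[logon_id] += 1
        if streak[logon_id] >= threshold and logon_id not in locked:
            locked[logon_id] = i
    return locked


if __name__ == "__main__":
    for line_no, who, fields in find_embedded_passwords(SAMPLE_STREAM):
        print(f"line {line_no}: {who} has inline {', '.join(fields)}")
    report = audit_users(SAMPLE_USERS)
    print("SM/PM users:", report["privileged"])
    print("SM/PM users without password:", report["privileged_unpassworded"])
    print("lockout due:", lockout_candidates(SAMPLE_LOGONS))
```

On the constructed data the script reports the two job cards carrying passwords, MGR.ORDERS as a PM user with no password, and MGR.ORDERS as due for lockout at its third consecutive failure, so its later successful logon in the sample should never have been accepted.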