[Info-vax] IS everyone waiting?

Kerry Main kemain.nospam at gmail.com
Fri Oct 21 09:58:44 EDT 2016


> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> Of David Froble via Info-vax
> Sent: 20-Oct-16 5:58 PM
> To: info-vax at rbnsn.com
> Cc: David Froble <davef at tsoft-inc.com>
> Subject: Re: [Info-vax] IS everyone waiting?
> 
> Simon Clubley wrote:
> > On 2016-10-20, David Froble <davef at tsoft-inc.com> wrote:
> >> Simon Clubley wrote:
> >>> What if a security issue is discovered next year which affects
> >>> Alpha VMS as well ?
> >> Hmmm ....  "discovered" sort of implies that it's always been
> >> there, and is now "discovered".  I'm guessing that regardless, the
> >> Alphas and VMS will still do what they did pre-discovery?  Perhaps
> >> remedial steps could be taken to avoid discovered security issues?
> >>
> >
> > Situation 1:
> >
> > A flaw is discovered in a network stack (whether it's TCP/IP, LAT
> > or DECnet doesn't matter) which allows someone to take down a
> > VMS system remotely at will by exploiting this flaw in the stack
> > without requiring any authentication. This network stack is
> > required for your production operations however and cannot be
> > disabled.
> >
> > What do you do ?
> 
> I'll adopt Jan-Erik's attitude, first, let's see such a flaw.
> 

I also agree with this. 

Between VSI and HPE, I am confident that if some future security
issue did arise with OpenVMS, the issue would get resolved.

> Note, not all internal networks need to be accessible from the
> internet.

This is not the right way to approach security and server
patching.

Something we all need to keep in mind - the biggest worry by most
company security folks these days is not being compromised via
the Internet, but rather via various internal threats.

The reason? 

While disgruntled employees are one internal threat, there is an
even bigger concern - all those employee owned internal cell
phones, notebooks, PDAs, IoT devices (watches, FitBit etc).
These devices are all simply big PCs with next to zero security
/ FW protection on them. These devices regularly transition from
internal networks to public networks (coffee shops, conferences,
airports etc) and then back to internal networks.

All a bad person has to do is hack one of these employee portable
devices with some malware that essentially spins looking for
specific unpatched servers with known vulnerabilities, and when
it finds one or more, send the appropriate info back to the
mother ship.

Point is that a good security policy does not rely solely on an
external Internet firewall to protect the company's sensitive
data. It not only needs to keep its servers current with security
patches, but also have a policy of somehow protecting internal
company resources from end user devices. This is not an easy task
given today's proliferation of devices.

> 
> Frankly, I'm sure I'd devise some way to keep the bad guys away
> from that system.
> 
> And, if you have HP support, are you confident they could fix the
> problem?  Or are you just looking for someone to sue?
> 
> > Situation 2:
> >
> > A flaw is discovered within the VMS kernel or privileged utilities
> > which allows a local unprivileged user to elevate their privileges
> > at will.
> >
> > What do you do ?
> 
> If I cannot trust my employees, assuming that's who might be
> interactive users on the system, then I got a bigger problem.  And
> any employees who do something they shouldn't are out the
> door, immediately.
> 

Security folks will also state by the time you find out someone
has been leaking data, it is usually too late.  You can fire that
person, but the damage is done e.g. Cust contact / financial data
/ emails etc. is in the wild. Also, what if that internal person
is based in some other country? Or if that person is part of a
strong union? You would need rock solid evidence.

The bad person will be gone, but the blame for a company security
breach will come down big time on the SysAdmin if it is found
servers are not running the latest patches available for known
vulnerabilities. For commodity OSes, the SysAdmin can complain
that there are simply too many monthly security patches to keep
up, but that argument will be lost when the CEO and lawyers are
looking to place a finger on someone.

> Again, if you have HP support, are you confident they could fix
> the problem?

As stated above - Between VSI and HPE, I am confident that if
some future security issue did arise with OpenVMS, the issue
would get resolved.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
