[Info-vax] Should VSI create a security bug bounty program for VMS ?

Kerry Main kemain.nospam at gmail.com
Fri Sep 2 08:30:21 EDT 2016


> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On
> Behalf Of Phillip Helbig undress to reply via Info-vax
> Sent: 01-Sep-16 4:58 PM
> To: info-vax at rbnsn.com
> Cc: Phillip Helbig undress to reply
> <helbig at asclothestro.multivax.de>
> Subject: Re: [Info-vax] Should VSI create a security bug
> bounty program for VMS ?
> 
> In article <mailman.2.1472673255.26953.info-
> vax_rbnsn.com at rbnsn.com>,
> "Kerry Main" <kemain.nospam at gmail.com> writes:
> 
> > > > Well, OpenVMS runs some of the biggest financial
> > > > environments on the planet (e.g. Shanghai Stock
> > > > Exchange, German Stock Exchange, big banks) so that
> > > > in itself should be motivation enough. But, as far
> > > > as I know, this has not happened.
> > >
> > > At least these days, VMS at these places is only on
> > > internal networks. If someone who shouldn't has access
> > > to the internal networks, then there are much bigger
> > > problems to worry about.
> >
> > Most security groups will state that their biggest worry
> > is not the Internet, but rather internal threats.
> 
> True, but usually not exploiting some security hole, but
> rather someone doing something they shouldn't.
> 

That is only a part of it. 

http://blog.eiqnetworks.com/blog/internal-vs.-external-security-threats-why-internal-is-worse-than-you-expected-and-what-you-can-do-about-it

http://www.eweek.com/small-business/businesses-bedeviled-by-internal-security-incidents.html

From 2009 - but the message from an experienced security pro
is valid today as well, i.e. old style companies still
wrongly differentiate between "internal" and "external"
threats:
http://informationsecurityformanagers.blogspot.ca/2009/03/again-internal-security-threat.html
"The answer is actually simple; the technology that
builds today's security architecture does not do the job.
Most solutions are built around the notion of the
existence of an inside and an outside. Please repeat after
me...there is no difference between the inside and the
outside anymore. Security solutions have to be built
according to a model where users only have access to
information "on a need to know basis" REGARDLESS of where
they happen to be for the moment (and according to how
secure the device is etc etc). Today's IT environment is
far too complex and users too mobile for an inside/outside
model."

http://www.darkreading.com/vulnerabilities---threats/reports-security-pros-shift-attention-from-external-hacks-to-internal-threats/d/d-id/1130530?cid=nl_dr_weekly_t

> > Not just disgruntled employees, but cell phones,
> > notebooks, and laptops all regularly traverse public /
> > home networks and then reconnect to wireless / hard
> > connections to internal networks in the office and/or
> > via VPN.
> 
> And if the production VMS systems are on the same network,
> then the security policies need to be changed.  (Reminds me
> of the old joke: when the unix sysadmin talks about
> security, he means that of his job.)
> 
> > And of course, cell phones/notebooks are really just big
> > fat PC's with big storage and little to zero security
> > monitoring SW on them.
> 
> Right, which is why they have no business on a production
> network.
> 

While servers may be on a different VLAN than users, due
to internal FW zoning complexities and historical old time
security views, companies think they only need to worry
about external threats. Unfortunately, creative Trojans /
worms that make their way to laptops and cell phones via
external networks can then easily poke around on internal
networks looking for systems with known vulnerabilities
that have not been patched.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
