Sujet : Re: Upcoming time boundary events
De : news (at) *nospam* cct-net.co.uk (Chris Townley)
Groupes : comp.os.vmsDate : 02. Jun 2025, 14:17:16
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <101k88s$38hp2$1@dont-email.me>
References : 1 2 3 4 5 6 7 8 9
User-Agent : Mozilla Thunderbird
On 02/06/2025 13:58, Simon Clubley wrote:
On 2025-05-31, Arne Vajhøj <arne@vajhoej.dk> wrote:
On 5/31/2025 6:23 AM, Marc Van Dyck wrote:
>
Other advantage is that most OPenVMS installations today are used in
environments that must be certified, and external audit people usually
know nothing about DECnet. They are mostly just interested in which IP
ports are opened. Since for DECnet you just need a few, it's easily
justified. They couldn't be possibly bothered about what DECnet object
is enabled. They will complain about rlogin or telnet, but see nothing
wrong with set host. FTP ? God forbid. But FAL ? just fine... You can't
imagine how easy it was for me to get OpenVMS systems pass audits with
flying colors, while my open systems colleagues suffered...
>
:-)
>
That's not something which is funny Arne.
The auditors should know enough to be able to properly audit these
systems especially in the high-critical environment I get the impression
that Marc works in.
When I was involved in audits of VMS systems then the auditors did have
VMS checklists and checked stuff like DECnet default access.
>
And for as long as an organisation has such systems, then the auditors
should know how to audit them. If they don't, then they are not doing the
job they were paid to do (and which they may even have legal liability
for not doing it properly).
An attacker doesn't care if their entry point is currently fashionable
or not. They only care that they have an entry point they can exploit.
That doesn't just apply to VMS BTW as it applies to every single device,
system, or protocol that an organisation has in use. If there is something
that can be compromised, then the organisation's auditors should know how
to evaluate it.
Simon.
I wouldn't disagree, but the demonstrable experiences I have seen belie that. When I first got involved with external IT audits, they were all over our VMS systems - they had automated tools that they didn't understand. After a coupe of tears we changed external auditors, and the new lot just ignored VMS, but jumped on our AS/400 - which ran a single, internal task.
Rarely did I see anything worthwhile come from them, except where I tipped them off to something I knew about but was not allowed to fix/ That changes after their report.
-- Chris
Upcoming time boundary events
Re: Upcoming time boundary events