SlideShare ist ein Scribd-Unternehmen logo

Safety Review of a NonStop Data Center

Peter Haase
Peter Haase

Lessons learned from a safety review last year are combined with some new ideas on how to protect NonStop applications against malware and spyware - presented at the International GTUG/Connect Conference April 2014

Technologie
1 von 14
Safety Review of a NonStop Data Center by Peter Haase
Summary  Lessons learned from a safety review last year are combined with some new ideas on how to protect NonStop applications against malware and spyware.
“Safety Review of a NonStop Data Center”  „NonStop Data Center“  „Review“  „Safety“  Review Procedure  Review Checklist  Audit Trail Analysis  Risk: Denial of Service  Risk: Malware  Risk: Spyware  References
NonStop Data Center  Unit with several NonStop Systems  Guardian, Pathway, TMF, Enscribe, SQL/MP  Operated by an infrastructue-as-a-service supplier
Review  Part of an Audit on a banking application  Control of outsourced data processing  8 Items to control according to German Law  Access control on building and rooms  Access control on hardware and operating system  Access rights  Data transmission and transport  Data entry  Contractor  Availability  Data Separation
Safety  Availability  NonStop and RDF  Replication tools for non-audited files  Emergency planning  The Denial-of-Service problem  Integrity  TMF and audited files  Audit trail analysis  Confidentiality  Guardian Security and SAFEGUARD  SECOM ID mapping and command level security  Protection against Malware and Spyware
Review Procedures  Project Management  Before Start of Review  Guidelines for Documentation  Tools for Checking and Auditing  Checklists and Standards  Start of Review  Charts of involved organisations  Available Documentation  Past issues / Special risks  Review  Design  Operation
Review Checklists Availability Integrity Confidentiality Emergency Planning Inventory HW, SW, Subsystems, Data files SW version, Data Dictionary PROGID, LICENSE, system interfaces Planning Monitoring HW, SW, critical events Audited DB, Audit Trail Analysis, Runtime Lib, ENSCRIBE data Session log, 4-eyes, SAFEGUARD audit, SECOM log Tests and Training Control Performance and Tuning, DoS Risk System and subsystem configuration, Malware Risk Deleted data files, Backup data, Users: super.* and *.super, Spyware Risk Confidential data
Audit Trail Analysis  Find Long-running transactions  Find transactions that have damaged a database  Locate specific data field/column changes  Detect bugs in applications  Search for unauthorized transactions
Risk: Denial of Service  Compiler, Binder, Debugger on Production System  TAL examples:  corrupting a cpu  ?Source $system.system.extdecs0 (alter_priority_) Proc Test Main; Begin While 1 do begin alter_priority_(199); End;  corrupting a volume  ?Source $system.system.extdecs0 (file_create_) Proc Test Main; Begin String .system[0:35] := „$system“; Int Len := 7; While 1 do begin file_Create_(SYSTEM:36,Len); End  But, same effects possible by TACL programming
Risk: Malware  Security for files belonging to functional user  Data and program files  Especially: *CSTM and *LOCL and *CTL files  Default: no echo from FUP  Command „Password“ in TACLCSTM deletes current password  User and security setting for PATHWAY Management  SET PATHWAY OWNER <group>, <user>  SET PATHWAY SECURITY “<O or U>"
Risk: Spyware  LINKMON server class access security SET SERVER OWNER <group>, <user> SET SERVER SECURITY “<O or U>"  But, access to server processes is still possible.  Default: Any process can open a process and send a message.  Possible Solutions  Adding logic to server program for checking requestors  SAFEGUARD ACLs on the process name  SAFEGUARD active and tool PS-Shell
References  Product CS-TP-SPY (Audit Trail Analysis) of CS-Software Gmbh Dr. Werner Alexi Schiersteiner Straße 31, 65187 Wiesbaden, Germany E-Mail: info@cs-software-gmbh.de  Ideas and Tools of GreenHouse Software & Consulting Ingenieurbuero Karl-Heinz Weber Heinrichstrasse 12, 45711 Datteln-Horneburg, Germany E-Mail: info@greenhouse.de  My list of 117 Greenhouse Tools as a give-away
Peter Haase  Peter Haase Programmer, Trainer, Consultant for HP NonStop since 1981  D-56820 Mesenich/Moselle , Kirchstr. 12  +49-2673-98600  +49-171-8442242  info@peterhaase.de  www.peterhaase.de

Empfohlen

Actuarial Resume_update
Actuarial Resume_updateActuarial Resume_update
Actuarial Resume_updateChelsey Ezell
 
Doodling On-Line
Doodling On-LineDoodling On-Line
Doodling On-Linejmori
 
dhaha new2
dhaha new2dhaha new2
dhaha new2Dhana sekar
 
Describing Matter Day 1
Describing Matter Day 1Describing Matter Day 1
Describing Matter Day 1jmori
 
Facebook Marketing - São Paulo 24 e 26/11
Facebook Marketing - São Paulo 24 e 26/11Facebook Marketing - São Paulo 24 e 26/11
Facebook Marketing - São Paulo 24 e 26/11Priscilla Saldanha
 
Conventions
ConventionsConventions
Conventionsconkin2
 
8c
8c8c
8ceric vila
 
Dealing With Rudeness
Dealing With RudenessDealing With Rudeness
Dealing With RudenessSadashiv Borgaonkar
 

Empfohlen

Actuarial Resume_update
Actuarial Resume_updateActuarial Resume_update
Actuarial Resume_updateChelsey Ezell
 
Doodling On-Line
Doodling On-LineDoodling On-Line
Doodling On-Linejmori
 
dhaha new2
dhaha new2dhaha new2
dhaha new2Dhana sekar
 
Describing Matter Day 1
Describing Matter Day 1Describing Matter Day 1
Describing Matter Day 1jmori
 
Facebook Marketing - São Paulo 24 e 26/11
Facebook Marketing - São Paulo 24 e 26/11Facebook Marketing - São Paulo 24 e 26/11
Facebook Marketing - São Paulo 24 e 26/11Priscilla Saldanha
 
Conventions
ConventionsConventions
Conventionsconkin2
 
8c
8c8c
8ceric vila
 
Dealing With Rudeness
Dealing With RudenessDealing With Rudeness
Dealing With RudenessSadashiv Borgaonkar
 
An introduction to customer panels
An introduction to customer panelsAn introduction to customer panels
An introduction to customer panelsCathy Whitehead McIntyre
 
Foreground検知
Foreground検知Foreground検知
Foreground検知takaharu kato
 
O Mundo 2020 visto em 2004 - Dossier Marketeer
O Mundo 2020 visto em 2004 - Dossier MarketeerO Mundo 2020 visto em 2004 - Dossier Marketeer
O Mundo 2020 visto em 2004 - Dossier MarketeerLuis Rasquilha
 
Anatomía radiológica del tórax. rev chil enf respir 2012
Anatomía radiológica del tórax. rev chil enf respir 2012Anatomía radiológica del tórax. rev chil enf respir 2012
Anatomía radiológica del tórax. rev chil enf respir 2012Cirugias
 
Exhibit m email satish to kyko re inalytix and ibs ownership 031113
Exhibit m email satish to kyko re inalytix and ibs ownership 031113Exhibit m email satish to kyko re inalytix and ibs ownership 031113
Exhibit m email satish to kyko re inalytix and ibs ownership 031113mh37o
 
Sos Piracy Short Lr 2011
Sos Piracy Short Lr 2011Sos Piracy Short Lr 2011
Sos Piracy Short Lr 2011laurentftcom
 
Curso de Verano. Los delitos tecnológicos.
Curso de Verano. Los delitos tecnológicos.Curso de Verano. Los delitos tecnológicos.
Curso de Verano. Los delitos tecnológicos.Fernando Tricas García
 
me me me take me!
me me me take me!me me me take me!
me me me take me!Anna Grochulska
 
Acepto o no acepto
Acepto o no aceptoAcepto o no acepto
Acepto o no aceptoalegna301
 
Jll2013 l’évolution du passionné des logiciels libres de débutant à expert
Jll2013 l’évolution du passionné des logiciels libres de débutant à expertJll2013 l’évolution du passionné des logiciels libres de débutant à expert
Jll2013 l’évolution du passionné des logiciels libres de débutant à expertLinuQ
 
Digitalisierung - Datenschutz - IT-Sicherheit
Digitalisierung - Datenschutz - IT-SicherheitDigitalisierung - Datenschutz - IT-Sicherheit
Digitalisierung - Datenschutz - IT-SicherheitPeter Haase
 
EU General Data Protection Regulation
EU General Data Protection RegulationEU General Data Protection Regulation
EU General Data Protection RegulationPeter Haase
 
Sicherheitsprüfung für HP NonStop Systeme
Sicherheitsprüfung für HP NonStop SystemeSicherheitsprüfung für HP NonStop Systeme
Sicherheitsprüfung für HP NonStop SystemePeter Haase
 
Mod06 new development tools
Mod06 new development toolsMod06 new development tools
Mod06 new development toolsPeter Haase
 
Mod05 application migration
Mod05 application migrationMod05 application migration
Mod05 application migrationPeter Haase
 
Mod04 debuggers
Mod04 debuggersMod04 debuggers
Mod04 debuggersPeter Haase
 
Mod03 linking and accelerating
Mod03 linking and acceleratingMod03 linking and accelerating
Mod03 linking and acceleratingPeter Haase
 
Mod02 compilers
Mod02 compilersMod02 compilers
Mod02 compilersPeter Haase
 
Mod01 tns e overview
Mod01 tns e overviewMod01 tns e overview
Mod01 tns e overviewPeter Haase
 
Mod00 introduction
Mod00 introductionMod00 introduction
Mod00 introductionPeter Haase
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 

Weitere ähnliche Inhalte

Andere mochten auch

O Mundo 2020 visto em 2004 - Dossier Marketeer
O Mundo 2020 visto em 2004 - Dossier MarketeerO Mundo 2020 visto em 2004 - Dossier Marketeer
O Mundo 2020 visto em 2004 - Dossier MarketeerLuis Rasquilha
 
Anatomía radiológica del tórax. rev chil enf respir 2012
Anatomía radiológica del tórax. rev chil enf respir 2012Anatomía radiológica del tórax. rev chil enf respir 2012
Anatomía radiológica del tórax. rev chil enf respir 2012Cirugias
 
Exhibit m email satish to kyko re inalytix and ibs ownership 031113
Exhibit m email satish to kyko re inalytix and ibs ownership 031113Exhibit m email satish to kyko re inalytix and ibs ownership 031113
Exhibit m email satish to kyko re inalytix and ibs ownership 031113mh37o
 
Sos Piracy Short Lr 2011
Sos Piracy Short Lr 2011Sos Piracy Short Lr 2011
Sos Piracy Short Lr 2011laurentftcom
 
Curso de Verano. Los delitos tecnológicos.
Curso de Verano. Los delitos tecnológicos.Curso de Verano. Los delitos tecnológicos.
Curso de Verano. Los delitos tecnológicos.Fernando Tricas García
 
Acepto o no acepto
Acepto o no aceptoAcepto o no acepto
Acepto o no aceptoalegna301
 
Jll2013 l’évolution du passionné des logiciels libres de débutant à expert
Jll2013 l’évolution du passionné des logiciels libres de débutant à expertJll2013 l’évolution du passionné des logiciels libres de débutant à expert
Jll2013 l’évolution du passionné des logiciels libres de débutant à expertLinuQ
 

Andere mochten auch (10)

An introduction to customer panels
An introduction to customer panelsAn introduction to customer panels
An introduction to customer panels
 
Foreground検知
Foreground検知Foreground検知
Foreground検知
 
O Mundo 2020 visto em 2004 - Dossier Marketeer
O Mundo 2020 visto em 2004 - Dossier MarketeerO Mundo 2020 visto em 2004 - Dossier Marketeer
O Mundo 2020 visto em 2004 - Dossier Marketeer
 
Anatomía radiológica del tórax. rev chil enf respir 2012
Anatomía radiológica del tórax. rev chil enf respir 2012Anatomía radiológica del tórax. rev chil enf respir 2012
Anatomía radiológica del tórax. rev chil enf respir 2012
 
Exhibit m email satish to kyko re inalytix and ibs ownership 031113
Exhibit m email satish to kyko re inalytix and ibs ownership 031113Exhibit m email satish to kyko re inalytix and ibs ownership 031113
Exhibit m email satish to kyko re inalytix and ibs ownership 031113
 
Sos Piracy Short Lr 2011
Sos Piracy Short Lr 2011Sos Piracy Short Lr 2011
Sos Piracy Short Lr 2011
 
Curso de Verano. Los delitos tecnológicos.
Curso de Verano. Los delitos tecnológicos.Curso de Verano. Los delitos tecnológicos.
Curso de Verano. Los delitos tecnológicos.
 
me me me take me!
me me me take me!me me me take me!
me me me take me!
 
Acepto o no acepto
Acepto o no aceptoAcepto o no acepto
Acepto o no acepto
 
Jll2013 l’évolution du passionné des logiciels libres de débutant à expert
Jll2013 l’évolution du passionné des logiciels libres de débutant à expertJll2013 l’évolution du passionné des logiciels libres de débutant à expert
Jll2013 l’évolution du passionné des logiciels libres de débutant à expert
 

Mehr von Peter Haase

Digitalisierung - Datenschutz - IT-Sicherheit
Digitalisierung - Datenschutz - IT-SicherheitDigitalisierung - Datenschutz - IT-Sicherheit
Digitalisierung - Datenschutz - IT-SicherheitPeter Haase
 
EU General Data Protection Regulation
EU General Data Protection RegulationEU General Data Protection Regulation
EU General Data Protection RegulationPeter Haase
 
Sicherheitsprüfung für HP NonStop Systeme
Sicherheitsprüfung für HP NonStop SystemeSicherheitsprüfung für HP NonStop Systeme
Sicherheitsprüfung für HP NonStop SystemePeter Haase
 
Mod06 new development tools
Mod06 new development toolsMod06 new development tools
Mod06 new development toolsPeter Haase
 
Mod05 application migration
Mod05 application migrationMod05 application migration
Mod05 application migrationPeter Haase
 
Mod03 linking and accelerating
Mod03 linking and acceleratingMod03 linking and accelerating
Mod03 linking and acceleratingPeter Haase
 
Mod01 tns e overview
Mod01 tns e overviewMod01 tns e overview
Mod01 tns e overviewPeter Haase
 
Mod00 introduction
Mod00 introductionMod00 introduction
Mod00 introductionPeter Haase
 

Mehr von Peter Haase (10)

Digitalisierung - Datenschutz - IT-Sicherheit
Digitalisierung - Datenschutz - IT-SicherheitDigitalisierung - Datenschutz - IT-Sicherheit
Digitalisierung - Datenschutz - IT-Sicherheit
 
EU General Data Protection Regulation
EU General Data Protection RegulationEU General Data Protection Regulation
EU General Data Protection Regulation
 
Sicherheitsprüfung für HP NonStop Systeme
Sicherheitsprüfung für HP NonStop SystemeSicherheitsprüfung für HP NonStop Systeme
Sicherheitsprüfung für HP NonStop Systeme
 
Mod06 new development tools
Mod06 new development toolsMod06 new development tools
Mod06 new development tools
 
Mod05 application migration
Mod05 application migrationMod05 application migration
Mod05 application migration
 
Mod04 debuggers
Mod04 debuggersMod04 debuggers
Mod04 debuggers
 
Mod03 linking and accelerating
Mod03 linking and acceleratingMod03 linking and accelerating
Mod03 linking and accelerating
 
Mod02 compilers
Mod02 compilersMod02 compilers
Mod02 compilers
 
Mod01 tns e overview
Mod01 tns e overviewMod01 tns e overview
Mod01 tns e overview
 
Mod00 introduction
Mod00 introductionMod00 introduction
Mod00 introduction
 

Kürzlich hochgeladen

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Kürzlich hochgeladen (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Safety Review of a NonStop Data Center

  • 1. Safety Review of a NonStop Data Center by Peter Haase
  • 2. Summary  Lessons learned from a safety review last year are combined with some new ideas on how to protect NonStop applications against malware and spyware.
  • 3. “Safety Review of a NonStop Data Center”  „NonStop Data Center“  „Review“  „Safety“  Review Procedure  Review Checklist  Audit Trail Analysis  Risk: Denial of Service  Risk: Malware  Risk: Spyware  References
  • 4. NonStop Data Center  Unit with several NonStop Systems  Guardian, Pathway, TMF, Enscribe, SQL/MP  Operated by an infrastructue-as-a-service supplier
  • 5. Review  Part of an Audit on a banking application  Control of outsourced data processing  8 Items to control according to German Law  Access control on building and rooms  Access control on hardware and operating system  Access rights  Data transmission and transport  Data entry  Contractor  Availability  Data Separation
  • 6. Safety  Availability  NonStop and RDF  Replication tools for non-audited files  Emergency planning  The Denial-of-Service problem  Integrity  TMF and audited files  Audit trail analysis  Confidentiality  Guardian Security and SAFEGUARD  SECOM ID mapping and command level security  Protection against Malware and Spyware
  • 7. Review Procedures  Project Management  Before Start of Review  Guidelines for Documentation  Tools for Checking and Auditing  Checklists and Standards  Start of Review  Charts of involved organisations  Available Documentation  Past issues / Special risks  Review  Design  Operation
  • 8. Review Checklists Availability Integrity Confidentiality Emergency Planning Inventory HW, SW, Subsystems, Data files SW version, Data Dictionary PROGID, LICENSE, system interfaces Planning Monitoring HW, SW, critical events Audited DB, Audit Trail Analysis, Runtime Lib, ENSCRIBE data Session log, 4-eyes, SAFEGUARD audit, SECOM log Tests and Training Control Performance and Tuning, DoS Risk System and subsystem configuration, Malware Risk Deleted data files, Backup data, Users: super.* and *.super, Spyware Risk Confidential data
  • 9. Audit Trail Analysis  Find Long-running transactions  Find transactions that have damaged a database  Locate specific data field/column changes  Detect bugs in applications  Search for unauthorized transactions
  • 10. Risk: Denial of Service  Compiler, Binder, Debugger on Production System  TAL examples:  corrupting a cpu  ?Source $system.system.extdecs0 (alter_priority_) Proc Test Main; Begin While 1 do begin alter_priority_(199); End;  corrupting a volume  ?Source $system.system.extdecs0 (file_create_) Proc Test Main; Begin String .system[0:35] := „$system“; Int Len := 7; While 1 do begin file_Create_(SYSTEM:36,Len); End  But, same effects possible by TACL programming
  • 11. Risk: Malware  Security for files belonging to functional user  Data and program files  Especially: *CSTM and *LOCL and *CTL files  Default: no echo from FUP  Command „Password“ in TACLCSTM deletes current password  User and security setting for PATHWAY Management  SET PATHWAY OWNER <group>, <user>  SET PATHWAY SECURITY “<O or U>"
  • 12. Risk: Spyware  LINKMON server class access security SET SERVER OWNER <group>, <user> SET SERVER SECURITY “<O or U>"  But, access to server processes is still possible.  Default: Any process can open a process and send a message.  Possible Solutions  Adding logic to server program for checking requestors  SAFEGUARD ACLs on the process name  SAFEGUARD active and tool PS-Shell
  • 13. References  Product CS-TP-SPY (Audit Trail Analysis) of CS-Software Gmbh Dr. Werner Alexi Schiersteiner Straße 31, 65187 Wiesbaden, Germany E-Mail: info@cs-software-gmbh.de  Ideas and Tools of GreenHouse Software & Consulting Ingenieurbuero Karl-Heinz Weber Heinrichstrasse 12, 45711 Datteln-Horneburg, Germany E-Mail: info@greenhouse.de  My list of 117 Greenhouse Tools as a give-away
  • 14. Peter Haase  Peter Haase Programmer, Trainer, Consultant for HP NonStop since 1981  D-56820 Mesenich/Moselle , Kirchstr. 12  +49-2673-98600  +49-171-8442242  info@peterhaase.de  www.peterhaase.de