Greetings,

I now have my first security client and am conducting an 
initial -- and very limited -- security assessment 
(< 40 hrs) for an AS/400 based firm. 
It's a greatly cut-back first part of a complete, 
three-part security assurance strategy. 

Background:
This client is about to open up his systems to 3000+
internet-located users. The new web-facing system
will provide hooks, via WebSphere technology, to 
access AS/400 V5R1 databases. This is a very risky
move (albeit absolutely necessary) from paper-based 
data (fax) input by local, on-site employee users
to real-time input via internet-based users.

My role:
The initial work is limited to vulnerabilities related to
a few, non-AS/400 elements (results in needed associated 
patches/hotfixes/updates and recommended configs, et al.);
a limited review of their very short computer 
usage/security policy; and lastly, the reason
for this posting, I will be commenting on AS/400 V5R1. 
This last item will be in the form of "notes" including a list 
of recommended security sites and potential activities.

There will be no vuln/pen testing on this run -- although
I have and will continue to recommend this.

My question:
Does anyone have any "little" gems of wisdom to pass along
to me regarding the AS/400 piece? 

Thanks!

PS: In fact, I'll listen to anything anyone cares to pass on.
