> I agree that inherent OS features have much to do with their
> security, but must observe that OSs like VMS and OS/400 have
> very few security issues
<snip>

Agreed, I believe OS/400 may be the most secure out-of-the-box system out there. But never underestimate a lousy vendor.

My last audit was for a HIPAA client that had all patient records on an AS/400. I thought I didn't have a chance in heck of touching them. On the AS/400 side that was true, with extremely granular access, allowing only certain users to certain data that was unreachable otherwise.

However, their main application happened to create a world readable/writeable Windows share of the records. I simply plugged my laptop into an empty wall socket, browsed the IP network (not even logged into anything) and saw, copied, and wrote to any record of my choosing. I was so shocked it took me a few minutes to realize I just hit a grand slam.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke