Volume 4, Number 42 -- October 19, 2004

PowerTech Security Survey Says Most IT Departments Could Do Better


by Dan Burger


Maybe your idea of bad security is leaving the front gate open at San Quentin. Although the prison guard responsible would likely get a harsh reprimand for such an error, there are iSeries and AS/400 security failures that are the equivalent of leaving the prison gate open 24/7. And if you think it doesn't happen very often, you might want to read a white paper just released from PowerTech Group that was based on survey information collected during the past 18 months.

How bad is security on the iSeries? Let's just say it's not a pretty story. But it's not a story about a machine with security weaknesses; it's a story about people who are not locking the gate.

Would you be surprised to learn that, of the systems tabulated in the PowerTech report, 87 percent of the total database libraries reviewed allow any user on the system to change the contents of those libraries?

Here are a few other statistics that are just as alarming:

  • Seventy-four percent of systems do not monitor or control data access through common network access points such as FTP, ODBC, and remote commands.

  • Eighty-four percent of systems had more than 10 users with *ALLOBJ (super user) privilege.

  • Eighteen percent of users on each system had default passwords (the password is the same as the user name).
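As an added example (not PowerTech's software and not code from this article), the following Python script computes the three survey metrics above, plus the library figure from the paragraph before the list, over a constructed export. It assumes a pipe-delimited dump of user profiles (the kind of thing you would build from DSPUSRPRF OUTPUT(*OUTFILE) joined with an ANZDFTPWD default-password analysis) and a second dump of each library's *PUBLIC authority as DSPOBJAUT shows it; both the column layout and the sample rows are constructed for illustration. It goes one step beyond the survey's headline number by resolving *ALLOBJ inherited through a group profile, which a naive count of directly assigned authorities misses.

```python
"""Audit IBM i user-profile and library-authority exports against the
PowerTech survey metrics.  Added example, not PowerTech's software."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Survey cut-off: more than 10 users with *ALLOBJ is "too many".
ALLOBJ_THRESHOLD = 10

# Constructed sample (assumption: pipe-delimited dump built from
# DSPUSRPRF OUTPUT(*OUTFILE) plus an ANZDFTPWD default-password flag).
# Not real system data.  PGMRS is a group profile that carries *ALLOBJ.
USER_EXPORT = """\
user|group|special_authorities|default_password
QSECOFR|*NONE|*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG|N
QSYSOPR|*NONE|*JOBCTL *SAVSYS|N
PGMRS|*NONE|*ALLOBJ *JOBCTL|N
JSMITH|PGMRS|*NONE|Y
MJONES|*NONE|*NONE|N
ABROWN|*NONE|*ALLOBJ *SECADM|N
KLEE|*NONE|*NONE|Y
RDAVIS|*NONE|*JOBCTL *SPLCTL|N
TWHITE|PGMRS|*NONE|N
PGREEN|*NONE|*NONE|N
LBLACK|*NONE|*NONE|Y
DHALL|*NONE|*ALLOBJ *SAVSYS|N
CKING|*NONE|*ALLOBJ|N
"""

# Constructed sample (assumption: library name and the *PUBLIC authority
# DSPOBJAUT reports for it).  Not real system data.
LIB_EXPORT = """\
library|public_authority
PRODDATA|*CHANGE
PAYROLL|*ALL
HRDATA|*EXCLUDE
CUSTFILE|*CHANGE
GLDATA|*USE
QGPL|*CHANGE
"""


@dataclass
class Finding:
    metric: str
    hits: List[str]
    total: int
    threshold: int = 0  # more hits than this is a problem

    @property
    def pct(self) -> int:
        return round(100 * len(self.hits) / self.total) if self.total else 0

    @property
    def flagged(self) -> bool:
        return len(self.hits) > self.threshold


def parse(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text), delimiter="|"))


def effective_special_authorities(user: Dict[str, str],
                                  by_name: Dict[str, Dict[str, str]]) -> set:
    # A user gets the special authorities of its group profile on top of its
    # own.  Supplemental groups (SUPGRPPRF) are not modelled here.
    auths = set(user["special_authorities"].split()) - {"*NONE"}
    group = user["group"]
    if group != "*NONE" and group in by_name:
        auths |= set(by_name[group]["special_authorities"].split()) - {"*NONE"}
    return auths


def allobj_users(users: List[Dict[str, str]]) -> List[str]:
    by_name = {u["user"]: u for u in users}
    return [u["user"] for u in users
            if "*ALLOBJ" in effective_special_authorities(u, by_name)]


def default_password_users(users: List[Dict[str, str]]) -> List[str]:
    return [u["user"] for u in users if u["default_password"].upper() == "Y"]


def public_writable_libraries(libs: List[Dict[str, str]]) -> List[str]:
    # *PUBLIC *CHANGE or *ALL on a library lets any user add or replace
    # objects in it; *USE and *EXCLUDE do not.
    return [lib["library"] for lib in libs
            if lib["public_authority"] in ("*CHANGE", "*ALL")]


def audit(user_text: str = USER_EXPORT,
          lib_text: str = LIB_EXPORT) -> Dict[str, Finding]:
    users, libs = parse(user_text), parse(lib_text)
    return {
        "allobj": Finding("users with effective *ALLOBJ",
                          allobj_users(users), len(users), ALLOBJ_THRESHOLD),
        "default_password": Finding("users whose password equals their user name",
                                    default_password_users(users), len(users)),
        "public_writable_libraries": Finding("libraries *PUBLIC can change",
                                             public_writable_libraries(libs),
                                             len(libs)),
    }


if __name__ == "__main__":
    for f in audit().values():
        status = "FAIL" if f.flagged else "ok"
        print(f"[{status}] {f.metric}: {len(f.hits)}/{f.total} "
              f"({f.pct}%) {' '.join(f.hits)}")
```

Two caveats when reading the output: a user with *ALLOBJ bypasses object authority entirely, so the library finding understates exposure on any system where the first finding is non-empty; and the script ignores adopted authority, authorization lists and supplemental groups, all of which can widen access beyond what the export shows.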

You might as well be tossing the warden's car keys to the scary-looking guy in cell block 13. Okay, enough of the prison security analogies.

Although PowerTech and other third-party security vendors, as well as IBM, have been raising the collective consciousness of iSeries users for several years, this survey and the subsequent white paper illustrate how most shops have yet to make security a high priority. If you feel like you're the only shop not covering its bases, you're not.

When it comes to monitoring changes to individual records, most shops don't have tools in place. And most couldn't identify who is reading sensitive data. Your customer files, for instance, could be copied without a trace.

Here's one example from the PowerTech files that John Earl, chief technology officer at PowerTech, related. An insurance company became suspicious that someone inside the company was taking the company's policy files. In case after case, when customer policies were coming due, the same competitor was always in the right place at the right time talking to the customer. The competitor always knew what day the policy expired and how much the customer was paying, and it was using this advantage to steal the customer. At first it seemed coincidental, but it eventually became clear there was a pattern that went beyond the lucky efforts of a super salesperson.

The insurance company wanted to know if it could trace who downloaded the files, when it was done, and who was trading the information. Without the proper security tools in place in advance, Earl noted, there was no way to go back and get that kind of information.

"This is the type of thing that can fire up a company to get its security issues in check," says Brendan Patterson, product manager at PowerTech.

When access to information is not guarded, and particularly when there is no exit program in place, there's no way of knowing how often people inappropriately access or change data.

As this study shows, many companies have too many users with too much power and unchecked access to the system. When users have a lot of power, a lot of knowledge, and no accountability, because no one in the organization is set up to monitor security, you have the potential for abuse. The survey statistics reveal four systems in which more than 100 users had all-object (*ALLOBJ), or what is also called "super user," authority. Can you imagine the potential for harm?

"Some people have powerful authorities without reason," Earl says. "These people could, for instance, delete an entire production database. It could happen by mistake or by malicious intent."

Another survey statistic that Earl mentions is that only one third of the companies implemented exit points. "Companies that have exit points in place have at least put some adequate controls in place," Earl says. "With exit point security they could identify people changing the data and people reading the data. If everyone has access to the data, and there is no effective blockade in front of network exit points, then you are inviting a problem."

"The fact that 33 percent of the people in the survey are using exit points is actually higher than what we thought it would be," Patterson says. "We think that statistic indicates people are getting the message about security and are putting exit point programs in place."

Patterson also believes compliance mandates such as the Sarbanes-Oxley Act are responsible for raising awareness about exit point security. "The regulatory environment has put a new light on security issues," Patterson says. "Auditors are scrutinizing the boxes and writing reports about security deficiencies. Without exit point security, companies will not pass the audit."

This type of monitoring can be done with tools that are available on the iSeries, and additional controls can be put into place with third-party software, which PowerTech and other vendors develop and sell.

Sarbanes-Oxley does not specifically address IT security. It does require adequate internal controls over a financial reporting system. Of course, IT plays a key role in the reporting infrastructure, so good financial controls mean having good IT controls.

"There needs to be a framework in place to assess and measure controls," Patterson says. "And the controls need to be compliant with 'best practices,' which are a published and approved framework. Most of the large audit firms use COBIT as that framework. COBIT is a benchmark that can be applied, and companies know it will pass audit."

"You could say our study is the state of the iSeries security," Earl says. "It shows that most iSeries installations would not pass an audit for Sarbanes-Oxley. From our studies, the number of companies that could pass an audit would be less than 10 percent, and probably far less than 10 percent."

Even though Sarbanes-Oxley mandates compliance only for publicly traded companies, the controls it puts on those companies are also being applied by private companies wanting to get their financial ship in order and understanding that business-critical documents could be at risk.

"Sarbanes-Oxley talks about proper controls being in place to prevent tampering or misstatement of financial data, but if almost everyone in the organization has access to that data, and could hook up an Excel spreadsheet to the accounting books and modify it, now you have Enron-kind of fraud possibilities," Earl says.


Although as serious as a heart attack, some of the security issues are fairly humorous as well. For instance, the number of systems using default passwords is laughable. The study shows 24 systems--each with more than 200 users--using default passwords. "That means, if my user ID is John, my password is John," Earl says. "That's not that hard to guess," Earl notes. "Anyone who accesses that system over the Internet or by walking in and sitting down at a workstation can probably log on just by guessing."

Another password faux pas that the study uncovered was one-character passwords. "That's probably worse than accepting the default password, because someone actually had to go in and set up that password," Earl says.

To get a copy of the PowerTech white paper that explains the survey results in their entirety, go to www.powertech.com.



Editor: Alex Woodie
Managing Editor: Shannon Pastore
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed




Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034