PowerTech Issues Third Annual State of i5/OS Security Report
November 6, 2006 Timothy Prickett Morgan
The security of any system is only as good as the methods companies use to implement access to applications, data, and operating system resources. Anyone with a PC on his or her desktop knows this intuitively these days, with the maelstrom of malware and viruses that are attacking us. But, according to the third annual state of security on the i5/OS and OS/400 platform put out by security software maker The PowerTech Group, some System i shops are not being diligent about the security of their systems.
Part of the problem that i5/OS and OS/400 shops are facing is that even after a decade of commercialized Internet computing, the people at many companies–including upper management as well as those employees who manage the data centers and the applications running on all manner of machines in those centers–still think of the i5/OS and OS/400 platforms they use to run their mission-critical applications as being a silo with its own security. The security of IBM’s mainframe platforms for large enterprises and its AS/400, iSeries, and System i5 platforms for midrange companies is, of course, legendary. But these machines have been opened up with Unix-style capabilities such as SSH, FTP, and Web serving, open database protocols such as ODBC and JDBC, not to mention hosting a Windows-style file system (the Integrated File System). The System i also supports Linux and AIX within partitions that can be virtually and physically linked to i5/OS partitions, and Linux and Windows can run on inboard and outboard X86 and X64 servers that plug right into the system bus of the iSeries and System i5 hardware. Security through obscurity does not work any more, but in many cases, companies seem to be behaving as if the box were still a closed, disconnected server sitting in the corner of the room, only serving up host-based RPG and COBOL applications to dumb green screens.
According to the PowerTech report, which you can get by clicking here, security projects on the i5/OS and OS/400 platform “often take a back seat to Windows and Unix platform security, either because the AS/400 is assumed to already be secure, or because the security professionals in an organization are unsure how to assess the AS/400.”
The study is based on survey results from 177 i5/OS and OS/400 sites. Over the past three years, according to John Earl, chief technology officer at PowerTech, the company has assessed the security on over 600 unique machines at more than 500 companies that span small, medium, and large enterprise sizes–including some Fortune 100 companies. The companies surveyed span the usual gamut of industries–financial services, healthcare, telecommunications, education, and transportation. The sample is not random, but rather is based on companies who came to PowerTech to have its experts do a high-level security audit. So these results come from companies that were worried about i5/OS and OS/400 security.
“In a lot of cases, companies are just not paying attention,” says Earl. “The changes in the study from year to year have been so slight.”
In the 177 sites that were surveyed for the latest System i security report, PowerTech found that the average site had 759 users and 369 libraries. However, on average, 60 users had the all-powerful *ALLOBJ authority granted to them on these machines. PowerTech has recommended to customers that no more than 10 users per system should have *ALLOBJ authority. In the survey, only five sites had fewer than 10 such users on their machines.
In the same machine pool, an average of 20 users had *SECADM security administrator authority, 142 users had *SPLCTL full spooled-file access, and an average of nearly 140 users had *JOBCTL system operator access. From what we have been told about the System i platform, the machine should have a very small number of operators. But roughly 18 percent of end users have what amounts to system administrator access to the i5/OS and OS/400 servers. This is not a good security practice.
End user authentication is also a big security hole. On the user name and password front, the shops assessed by PowerTech have an average of nearly 92 enabled but inactive profiles (meaning they have not been used in the past 30 days) and nearly another 100 inactive profiles that have been disabled but are still lurking in the system. Shockingly, over half of the systems examined have more than two IBM-supplied user profiles still carrying their default passwords, and in total the systems polled had more than 100 profiles with default passwords; nearly 60 of these profiles were actually active. A large number of shops also have users who set their passwords equal to their user names–which is just ridiculously foolish. Anyone who can guess the naming scheme for users can try this trick, and on an i5 box connected to a network, they are into the system at that point.
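The figures above (counts of special authorities, enabled-but-inactive profiles, and profiles still on default passwords) are the kind of numbers a security officer can produce from a user profile export rather than waiting for an outside assessment. The script below is an added example, not PowerTech's tooling or IBM's; it reads a constructed CSV export (the column layout is invented for illustration, not the DSPUSRPRF outfile format, and the default-password column is assumed to have been merged in from an ANZDFTPWD run) and applies the article's own thresholds: the 30-day inactivity definition and the recommended ceiling of 10 *ALLOBJ users.

```python
"""Review a user profile export against the thresholds discussed in the
PowerTech report.  Added example: the CSV layout and the sample rows are
constructed for illustration and are not IBM's outfile format."""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample export, one row per user profile.  A real export would
# come from DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) copied out to CSV, with
# the password_is_default column assumed to be merged in from ANZDFTPWD.
SAMPLE_EXPORT = """\
profile,status,special_authorities,last_signon,password_is_default
QSECOFR,*ENABLED,*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG,2006-11-01,NO
BOB,*ENABLED,*ALLOBJ *JOBCTL,2006-10-30,NO
ALICE,*ENABLED,*JOBCTL *SPLCTL,2006-06-15,NO
CAROL,*ENABLED,*NONE,2006-11-02,NO
DAVE,*DISABLED,*ALLOBJ,2005-12-01,NO
QPGMR,*ENABLED,*JOBCTL,2006-03-10,YES
ERIN,*ENABLED,*SECADM,2006-10-28,YES
"""

INACTIVE_AFTER = timedelta(days=30)   # the report's definition of "inactive"
MAX_ALLOBJ_USERS = 10                 # PowerTech's recommended ceiling
TRACKED_AUTHORITIES = ("*ALLOBJ", "*SECADM", "*SPLCTL", "*JOBCTL")


def parse_export(text):
    """Turn the CSV text into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["special_authorities"] = set(row["special_authorities"].split())
        year, month, day = (int(p) for p in row["last_signon"].split("-"))
        row["last_signon"] = date(year, month, day)
        row["password_is_default"] = row["password_is_default"].upper() == "YES"
        rows.append(row)
    return rows


def review_profiles(rows, as_of):
    """Compute the report's metrics for one system as of a given date."""
    authority_counts = Counter()
    enabled_inactive, disabled_inactive, default_pw_enabled = [], [], []
    for r in rows:
        for auth in TRACKED_AUTHORITIES:
            if auth in r["special_authorities"]:
                authority_counts[auth] += 1
        # Inactive means no sign-on for more than 30 days; the enabled ones
        # are the live risk, the disabled ones are clutter to delete.
        stale = as_of - r["last_signon"] > INACTIVE_AFTER
        if stale and r["status"] == "*ENABLED":
            enabled_inactive.append(r["profile"])
        elif stale:
            disabled_inactive.append(r["profile"])
        if r["password_is_default"] and r["status"] == "*ENABLED":
            default_pw_enabled.append(r["profile"])

    findings = []
    if authority_counts["*ALLOBJ"] > MAX_ALLOBJ_USERS:
        findings.append("%d profiles hold *ALLOBJ, more than the recommended %d"
                        % (authority_counts["*ALLOBJ"], MAX_ALLOBJ_USERS))
    if enabled_inactive:
        findings.append("enabled but inactive: " + ", ".join(enabled_inactive))
    if default_pw_enabled:
        findings.append("enabled with default password: " + ", ".join(default_pw_enabled))
    return {
        "authority_counts": dict(authority_counts),
        "enabled_inactive": enabled_inactive,
        "disabled_inactive": disabled_inactive,
        "default_pw_enabled": default_pw_enabled,
        "findings": findings,
    }


if __name__ == "__main__":
    report = review_profiles(parse_export(SAMPLE_EXPORT), date(2006, 11, 6))
    for key, value in report.items():
        print(key, value)
```

On the constructed sample the *ALLOBJ count stays under the ceiling, but the script still surfaces two enabled profiles that have not signed on in months and two enabled profiles on default passwords, which is exactly the combination the report calls out; the same pass run monthly turns a one-time audit into a standing control.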
On the data front, about 52 percent of the users on the systems have the ability to change data on the system, with only 22 percent having read-only access and 10 percent having no access to data. Some 12 percent of users have the ability to do whatever they want to the data, the *PUBLIC *ALL access in i5/OS and OS/400.
The good news is that 75 percent of the systems had audit journals turned on, so they can track down who has access to what resources and when they were accessed by what user. The bad news is that 25 percent of them did not have audit journals turned on. Only 7 percent of the systems surveyed had tools to make sense of what is in the audit journals, which means that security officers are either ignoring these journals or are sifting through them by hand when something goes wrong rather than using the journals to detect when something has just gone wrong and cope with it immediately.
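The gap the paragraph describes is between having the audit journal on and actually reading it. The script below is an added example, not a product mentioned on the page; it runs two simple detections over a constructed extract of audit journal entries (the column names and rows are invented for illustration, not the DSPJRN outfile layout): a burst of PW (invalid password) entries for one user inside a short window, and repeated AF (authority failure) entries against the same object. The entry type codes PW and AF are real audit journal types; the thresholds are assumptions.

```python
"""Triage audit journal entries instead of reading them by hand.  Added
example; the CSV extract below is constructed and is not the DSPJRN outfile
format."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample extract from the audit journal (QAUDJRN).  Entry types:
# PW = invalid password, AF = authority failure, CP = user profile changed.
SAMPLE_JOURNAL = """\
timestamp,entry_type,user,job,detail
2006-11-06T08:01:05,PW,ALICE,QPADEV0001,password not valid
2006-11-06T08:01:09,PW,ALICE,QPADEV0001,password not valid
2006-11-06T08:01:14,PW,ALICE,QPADEV0001,password not valid
2006-11-06T08:01:20,PW,ALICE,QPADEV0001,password not valid
2006-11-06T08:01:25,PW,ALICE,QPADEV0001,password not valid
2006-11-06T08:30:00,PW,BOB,QPADEV0003,password not valid
2006-11-06T09:15:42,AF,CAROL,QPADEV0002,PAYROLL/EMPMAST
2006-11-06T09:16:10,AF,CAROL,QPADEV0002,PAYROLL/EMPMAST
2006-11-06T10:00:00,CP,QSECOFR,QPADEV0004,user profile changed
"""


def parse_journal(text):
    """Parse the extract into dicts with a real datetime per entry."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        entries.append(row)
    return entries


def find_password_bursts(entries, threshold=5, window=timedelta(minutes=10)):
    """Return {user: max PW entries seen inside any window} for users at or
    above the threshold.  Uses a sliding window over sorted timestamps, so it
    does not depend on the entries arriving in order."""
    times_by_user = defaultdict(list)
    for e in entries:
        if e["entry_type"] == "PW":
            times_by_user[e["user"]].append(e["timestamp"])
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def authority_failures(entries):
    """Count AF entries per (user, object); repeats against one object are
    worth a look even when each single failure is harmless."""
    counts = Counter()
    for e in entries:
        if e["entry_type"] == "AF":
            counts[(e["user"], e["detail"])] += 1
    return counts


if __name__ == "__main__":
    journal = parse_journal(SAMPLE_JOURNAL)
    print("password bursts:", find_password_bursts(journal))
    for (user, obj), n in authority_failures(journal).items():
        print("authority failures: %s on %s x%d" % (user, obj, n))
```

With the sample data, ALICE's five failed sign-ons in twenty seconds are flagged while BOB's single failure is not, and CAROL's two failures against the same payroll file are listed together. A nightly job running this over the day's entries is a modest substitute for the tooling the report says only 7 percent of shops have.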
The problem is not that the System i platform does not have great security, but that the company security officers are forgetting about the platform in their data centers or that system administrators, who are burdened with so many tasks, are only getting around to security in their spare time. Some of the issue also has to do with education.
“For a long time, IBM has been trying to modernize the System i programmers, getting them to adopt ILE RPG, Java, and now PHP,” explains Earl. “We need to modernize the skill sets of system administrators and security officers, too. I firmly believe that IBM and its third party security software partners have put the tools in place to make the System i as secure as or more secure than any Unix, Linux, or Windows box–and do it more easily and for less cost. But it doesn’t happen magically.”