System i Security: Lots of Room for Improvement
March 10, 2008 Timothy Prickett Morgan
System i security software supplier PowerTech hosted its first iNSIGHT 2008 security and compliance conference in Las Vegas a few weeks ago, and one of the main events at the show was the fifth annual State of System i Security report that the company put together to give people an understanding of the real security issues that real AS/400, iSeries, and System i shops are coping with in their production environments.
As my first grade teacher explained in my report cards, there is lots of room for improvement and you just need to apply yourself.
The data behind the 2008 edition of the report, which you can download here, comes from security assessments that PowerTech has performed on behalf of real OS/400 and i5/OS shops as part of its sales pitch for products and services for system security and regulatory compliance relating to security and system access issues. The data in the 2008 report is based on security assessments that PowerTech performed on 217 systems at 200 companies that spanned a wide range of company sizes and industries. The one thing that they all had in common, of course, is that applications running in OS/400 and i5/OS are at the heart of their businesses and the people responsible for systems and possibly security at these companies were compelled by whatever their situation is to seek a security assessment from PowerTech.
Just like studies from past years, the companies seeking an assessment are not currently PowerTech customers and they have not done assessments in the past, so information about the state of the security of their AS/400, iSeries, and System i machines is not in past editions of the study. In this way, PowerTech can consistently take the pulse of the OS/400 and i5/OS base at a point where they are at least thinking about security above and beyond giving out passwords and setting the overall security level on OS/400 and i5/OS. The State of the System i Security reports are not, therefore, to be taken as a guide to best practices, but rather as a warning about common practices that can lead companies into security exposures that they may not be aware of and that run counter to the “legendary security” mythology about the OS/400 platform.
As part of its assessment, PowerTech examines a number of things in the systems it reviews on behalf of prospective customers. The assessment looks at user profiles, user and password management, data access, network access control and auditing, system auditing, and system security values. Looking out across all 217 machines in the assessment survey pool from 2007, the average number of users on the machines was 751 and the average number of libraries on the systems was 370. The median user count was less than half that (320 users) because some very large systems pulled up the average, and the median library count was 283.
Consistent with past surveys, this year’s pool of OS/400 and i5/OS shops has far too many users with what amounts to root access to the machine: the *ALLOBJ authority in OS/400 and i5/OS, which allows a user to view, change, and delete any file or program on the system. A stunning 9 percent of users in the pool across those 217 machines had *ALLOBJ authority. This is astounding given the fact that the typical AS/400, iSeries, or System i shop has one to four programmers who usually do double duty as system administrators and dozens to thousands of users. PowerTech says its general rule of thumb is that no more than 10 users on any system should have *ALLOBJ authority, but the average was closer to 68 users in the survey data. Another 3 percent of users were given the *SECADM security administrator authority, 11 percent had full report access (*SPLCTRL), and 15 percent were set up with *JOBCTRL system operator authority. It doesn’t take a genius to figure out that there should not be so many people able to change security settings in the box or operate jobs on the system.
On the user name and password front, the average number of inactive profiles on the system–meaning accounts that had not been accessed for 30 days or more–was 109 in the survey pool, or 14 percent of total users. The bigger machines in the pool, which had lots more users, were the worst offenders on this particular security exposure; the median number of inactive profiles was about a third this level. The most stunning thing in the State of System i Security report was that a large number of user profiles–in this case, 10 percent of all users across the 217 systems–had default system passwords. I mean, why bother turning on security? OS/400 and i5/OS shops are doing a better job using longer passwords, generally speaking, with 120 of the systems in the pool requiring six characters and another 40 systems requiring even longer passwords. But a fair number of systems in the pool allowed shorter passwords, and a bunch of machines, believe it or not, allowed single-character passwords. (OK, so that is kinda funny even if it is inane.) About 58 percent of the machines in the pool did not require a numerical digit in the password, 32 percent allowed the new password on the system to be the same as the previous one, and 32 percent of machines did not expire passwords, allowing end users to keep them indefinitely.
One of the great things about the OS/400 and i5/OS operating systems is that the relational database management system is integrated into the operating system itself. You have access to the operating system and that means you have access to the database. It is all smooth, seamless. Of course, this is not necessarily a good thing in terms of system security. On Windows, Unix, and Linux boxes, the operating system is distinct from the database, and both have their own user name and password access. “The hard thing for us to get across sometimes is that auditors have to stop looking at the System i like it is a Windows box,” explains John Earl, PowerTech’s vice president and chief technical officer. While the security software embedded in OS/400 and i5/OS allows for sophisticated access control to resources, allowing for fine-grained control, the fact remains that it is different from the way Windows, Unix, and Linux systems work.
On the data access front, which is the slipperiest issue in some ways for OS/400 and i5/OS shops to cope with, 23 percent of libraries on the 217 machines surveyed had *USE access, while 58 percent had *CHANGE access to data. Another 10 percent had *ALL access–meaning they can do anything they want in terms of adding, updating, or deleting data. In terms of network access, only 32 percent of the machines in the pool had exit programs that could log and control access to network resources on the AS/400, iSeries, or System i machines, and on average, only 19 percent of the network access points in the systems studied had exit programs being monitored.
Looking back over the past five editions of the State of the System i Security reports, you begin to wonder if the base is learning about security and improving. “The System i community is getting incrementally better in a few areas, but this appears to be the result of outside forces more than heightened security in the IT department,” says Earl. For instance, starting with OS/400 V3R7 back in 1996, IBM kicked the default security level up from 30 to 40 in the base configuration of the operating system, and over the years, the number of machines at level 40 and higher in the assessment pool behind the PowerTech reports has been creeping up. “Improvements are also being driven many times by outside auditors,” says Jon Scott, PowerTech’s president and chief executive officer. “Some outside vendors are also putting exit programs into their software, too.” Another factor that is driving the adoption of slightly more stringent security in the OS/400 and i5/OS installed base is when breaches happen, of course, or when auditors “come in and kick machines around,” as Earl puts it. In fact, disappointing auditors by not having security and access controls in place has been helping drive PowerTech’s business for the past 18 months, according to Scott. “We are seeing more large companies come to us and ask us to do a pre-audit for them. They are trying to head off a negative audit at the pass,” he says.
The perimeter of most corporate networks is pretty secure, and Scott cites statistics from Gartner that indicate that 80 percent of security breaches are inside jobs, done inside the firewall. “The perimeter is secure,” says Earl. “But companies need to start working on segmentation of duties and limiting information access to that which people need to get their work done. I think that historically, the System i has been so open in terms of data access and that when you start restricting it, companies initially get some pretty unhappy end users.”
The other issue to deal with is self-perception. When asked how many security administrators they have on their machinery, IT managers and system administrators will undoubtedly say they only have a few, but when you do the audit and check, it always ends up being many times more than they think they have. Knowing this, it comes as no surprise that the State of the System i Security 2008 edition indicates that 30 percent of the machines in the pool are not using the system security auditing tools built into OS/400 and i5/OS. Interestingly, 70 percent of the machines in the pool had audit journals turned on. As for security level, 74 machines in the pool were still at security level 30 or lower (34 percent of the boxes), while 140 machines were at security level 40 (64.5 percent). Only a few boxes were set at security level 50, where OS/400 and i5/OS are locked down as tightly as possible.