PowerTech Says AS/400 Shops Still Flying in Security Danger Zone
May 19, 2009 Dan Burger
Security negligence is the great equalizer. It doesn’t matter if your IT projects are leading edge or whether IT has been in status quo mode since Frank Soltis was a pup. Security flaws can bring you to your knees quicker than plugging in an electric fan while standing a bucket of water. And the difference between being security smart and security stupid is just about as obvious. It’s not the IBM AS/400. It’s the way you use it.
The way you don’t use it more accurately describes this appalling level of carelessness. Apparently there are no questions on the IT employee job evaluation forms that relate to security policies and whether they are being monitored or met. At least that’s the way it appears to be in far too many organizations.
And, the funny thing is that it is not particularly expensive or time consuming to lock the doors to a great many potential security threats. You already have one of the most secure servers on the planet. It’s operator error that puts your business at risk.
Yes, there’s a lot of finger-pointing going on in these first three paragraphs. After reading the recently released edition of “The State of the System i” report, you might be shocked to know what you didn’t know before, or maybe you’ll remember what you didn’t want to forget after reading the previous report.
i OS security software developer PowerTech has made this annual report a wake-up call for quite a few years. It’s based on audits and security data–compiled during 2008 in this report–from companies that requested PowerTech’s assistance. That removes the randomness of these results and skews it toward a degree of security-risk awareness that probably makes this report sound more favorable than it would if it included companies that weren’t involved in security audits. It’s bad enough as it is with only companies that are somewhat security conscious participating.
A quick comparison of the PowerTech survey shows a few areas where changes are occurring as security issues continue to plague organizations. At the top of the list is a redirection of focus from internal risks to external risks.
“There’s a lot of conversations taking place about organized crime having entered the cyber crime area,” says John Earl, an independent security consultant who until recently worked for PowerTech. “There are big rewards and a lower chance of being caught and a lesser penalty in terms of prison time than other crime. It has tipped the balance to outside threats . Phishing programs can be purchased on the Internet for about $300. There are various hacker newsgroups. There are many people involved who are outside the grasp of law enforcement because of the international aspect of the Internet.”
The latest PowerTech report is the first to include information on the size of the servers that the participants are using, which gives a pretty good balance across the sever lineup. For instance, 37 percent of the boxes were 520s, 19 percent were 570s, 17 percent were 550s, 9 percent were 525s, and 8 percent were 810s, leaving 10 percent to fill the “other” category.
As a general rule, companies with 550 models or larger boxes are more likely to be dealing with regulatory compliance issues where security is emphasized. These are companies that can’t allow security-related issues to slide any longer.
“I think compliance has had a great effect on bringing security issues to light,” Earl says.. “System administrators are in two broad camps when it comes to security. Those folks who know it’s the right thing to do and want to do it anyway. and those who consider security to be a hindrance. Where compliance fits in is that, if you think security is a hindrance, compliance will force you to do it whether you like it or not. What compliance has done is given some system administrators the lever to say, ‘Hey, we have to do this. Let’s get it done. Let’s do it right. Let’s do it now.'”
There are six areas of concern identified in this security exposure report: powerful user profiles; user and password management; data access; network access control and auditing; system auditing; and system security values. This is the basic outline for company inspection and probably some type of remediation.
To begin with, companies are lax in controlling special authorities that not only allow unrestricted views to every file and program in the system, but that also leave the door open to far too many people to change and delete files and programs. If you want a great place to begin reducing risk, start by minimizing users with unrestricted access.
An easy way into many unprotected systems is provided by the lazy use of default passwords. Using default passwords makes it less likely that users will forget them, but someone who wants into your system for nefarious purposes will try this way first. The most secure passwords include a mix of numbers and letters at least eight characters in length. Passwords should also be changed periodically. If you don’t have a password policy, particularly on sensitive files and programs, your risks are a lot higher than you think they are.
Average users should not be able to log in to the system and get a catalog of all objects, access to any objects, or add, delete, or change objects. Far too many systems allow too many users access to too much information. It’s not difficult to control your data, unless you compare it to doing nothing at all. Nothing is easier than that, but the pain of being bitten in the butt isn’t so easy to take. When more than 50 percent of system users have the capability to change data, that’s not security–it’s insecurity.
It’s highly likely that access to your AS/400 can be gained from other machines, most likely PCs. Users with profiles on those systems, and authority to the objects, can get to corporate data on The Four Hundred. Does this concern you? It should if you have a permissive attitude toward object-level authority. Open access is an invitation to disaster. The capability to monitor and restrict network access is built into the AS/400, but as the PowerTech survey points out, it doesn’t get used 66 percent of the time.
Another built-in security feature of the AS/400 is its system auditing functionality that tracks security-related events. If you want to know who deleted a file or who gave a user the special authority to access a file or program, the information is available. But only 18 percent of the survey participants are using this tool.
That sounds like a security oversight of monumental proportions, but there is a fairly good reason of this one. Using the security audit journal is like drinking out of a fire hose–sorry, too much information. So security violations often go undetected because few people have the time to pour over these audits. However, software is available to manage this job, and if you are being audited by a regulatory compliance agency, buying third-party software will save you time and money.
The final area of security concern is configuring the level of overall system security. The AS/400 has five security level settings: Level 10, 20, 30, 40, and 50. IBM recommends that this setting should be at level 40 or higher because there are several well-known exposures at security level 30, but the survey shows almost one-third of the companies have settings that are less than the IBM recommendation.
When IT department responsibilities are tied to business success, a company has usually put together a strategic and proactive plan that increases its competitive advantage and lowers its risk. But there is a reason security ranks high on the side of controlling risk. And, as this survey underscores, there’s a lot to be accomplished by no longer ignoring what you’ve ignored for so long.
“Security is the enemy of convenience and convenience is the enemy of security,” Earl says when talking about why it is ignored by so many companies. Anytime I tell you that your password has to be longer or more complex, that makes your life just a little more complicated and less convenient. That’s why some people view it as a hindrance. It’s one more thing you have to do and often it does not get connected to the bottom line.”
These are the highlights of the “State of the System i” report. The full report is available here on the PowerTech Web site.