State Of IBM i Security Remains Poor, PowerTech Says
May 21, 2012 Alex Woodie
IBM i shops are still failing to enact basic security safeguards to prevent unauthorized access to the data in their systems, according to PowerTech, which issued its annual State of IBM i Security report this month. Even when it comes to basic security concepts, like changing default passwords, minimizing user permissions, and monitoring exit points, the average IBM i shop fails spectacularly. The upshot is that most shops are gambling with their data, with a heavy bet placed on “security through obscurity.”
If it had been a video conference, PowerTech director of security technologies Robin Tatam would have been seen shaking his head. “In the nine years we’ve done it, we’re still dealing with the same basic issues,” Tatam told IT Jungle last week. “People are still immune to the fact that the system is vulnerable. Based on the promotion of it being a secure system, they don’t think it’s such a big deal.”
But of course, it is a big deal. It’s a big deal because no IBM i server is “secure” when it’s unpacked from its box. While the operating system model is secure, it takes the work of a trained administrator to configure a specific system to be truly “secure.” This situation is made worse by the default settings that every system is equipped with when it leaves the IBM factory (there is no word yet on whether the default user password on the new PureSystems servers will be the same as the user ID, as is the case with IBM i. Maybe there’s a “pattern” for that).
IBM i security has never been particularly good, as measured by PowerTech’s annual security report, which uses data gathered from 120 customers and prospects using the company’s security assessment tool. But in comparing the 2012 report to past reports, security seems to be getting even worse on the IBM i platform.
Passwords, Profiles, and Libraries, Oh My!
Take default passwords. In this year’s study, the average shop had 60 active profiles with default passwords. That compares with 42 in 2010 and 35 in last year’s study. “It’s still a little eye opening to be running into shops with a hundred-plus profiles with default passwords,” Tatam says. “These are just rudimentary configuration settings and weaknesses that can easily be remediated.” (Tatam warned against drawing conclusions from the year-to-year changes in the reports, since different respondents participate each time. This is not a scientific survey, but it does point to general trends.)
Inactive user profiles are another source of security concern. In terms of inactive profiles that are still enabled, the average IBM i shop had 44 in 2010, 128 in 2011, and 170 this year. That’s not a good thing, because an enabled but unused profile can be hijacked by a nefarious user to hide their tracks. Overall inactive profiles (enabled and disabled) went from 147 in 2010 to 321 last year to 289 this year.
The distribution of powerful user profiles is pretty much the same as in past years, which is to say that users are being granted far more authority than they need to do their jobs. *JOBCTL remained the most commonly used powerful authority, while *AUDIT and *SERVICE were the least prevalent. The average number of users with *ALLOBJ authority went from 52 in the 2011 study to 58 in the current study, a step backwards.
User access to libraries is another area where IBM i shops have some work to do. Of the IBM i libraries that PowerTech analyzed in its study, 56 percent allowed anybody with *PUBLIC access to change data. Only 23 percent of the libraries restricted general users to viewing the data in database libraries. None of them used authorization lists to protect the objects, which is consistent with past reports.
IBM i shops should pay special attention to their user profiles, their special authorities, and the permissions they grant, because of the specific threat that insiders pose on the IBM i server and the peculiarities of IBM i security controls, Tatam says. Insiders (including disgruntled employees, rogue consultants, and well-placed criminals who got there through a well-executed social engineering scheme) are the IBM i platform’s biggest threat, because most IBM i servers sit behind network firewalls, which effectively keep them out of the reach of outside hackers.
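The inactive-profile and special-authority figures above are the kind of thing a shop can measure itself from a user-profile export. The script below is an added example, not PowerTech’s assessment tool; it assumes a CSV with the columns AUTHORIZATION_NAME, STATUS, PREVIOUS_SIGNON and SPECIAL_AUTHORITIES (the sort of fields the QSYS2.USER_INFO view exposes) and uses constructed sample rows. Default passwords do not show up in such an export; on the system itself the ANZDFTPWD command reports those.

```python
"""Flag enabled-but-inactive profiles and powerful special authorities.

Added example (not PowerTech's code). Input is an assumed CSV export of
user profiles; the rows in SAMPLE_CSV are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. An empty PREVIOUS_SIGNON means never signed on.
SAMPLE_CSV = """AUTHORIZATION_NAME,STATUS,PREVIOUS_SIGNON,SPECIAL_AUTHORITIES
QSECOFR,*ENABLED,2012-05-18 08:02:11,*ALLOBJ *SECADM *JOBCTL *AUDIT *SERVICE
MARY,*ENABLED,2012-05-17 16:45:00,*JOBCTL
OLDCONSULT,*ENABLED,2011-09-02 10:10:10,*ALLOBJ *JOBCTL
TEMPUSER,*ENABLED,,
EXSTAFF,*DISABLED,2010-01-15 09:00:00,*ALLOBJ
"""

# The IBM i special authorities an assessment normally counts as "powerful".
POWERFUL = ("*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE", "*JOBCTL",
            "*SPLCTL", "*SAVSYS", "*IOSYSCFG")


def audit_profiles(csv_text, as_of, inactive_days=90):
    """Return findings: enabled-but-inactive names, *ALLOBJ names, authority counts."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=inactive_days)
    findings = {"inactive_enabled": [], "allobj": [], "special_auth": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["AUTHORIZATION_NAME"].strip()
        auths = row["SPECIAL_AUTHORITIES"].split()
        last = row["PREVIOUS_SIGNON"].strip()
        enabled = row["STATUS"].strip() == "*ENABLED"
        # An enabled profile nobody has used recently (or ever) is a hijack candidate.
        if enabled and (not last or datetime.strptime(last, "%Y-%m-%d %H:%M:%S") < cutoff):
            findings["inactive_enabled"].append(name)
        # *ALLOBJ bypasses object authority entirely, so it is listed whatever the status.
        if "*ALLOBJ" in auths:
            findings["allobj"].append(name)
        for auth in auths:
            if auth in POWERFUL:
                findings["special_auth"][auth] = findings["special_auth"].get(auth, 0) + 1
    return findings


def run_sample():
    """Audit the constructed export as of the article's date."""
    return audit_profiles(SAMPLE_CSV, "2012-05-21")


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```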
“We still get people telling us, ‘Mary has worked for us for 30 years, and Mary would never do something like that,’” Tatam says. “The reality, unfortunately, is far different. For me, outside the exit point discussion, which is still pertinent, the biggest vulnerability on the i platform is typically overly powerful users. We don’t have a separate database password. We don’t have a separate application password. You give a user their user credentials, and they can sign in, and according to IBM shipped defaults, they can get at anything they want. Once you’re inside the network it’s pretty much a free-for-all for most shops.”
The Dawn of the Exit Point
IBM i security vendors like PowerTech have been talking about the necessity of exit programs to monitor exit points for well over a decade. The exit programs are necessary because IBM i’s security model never envisioned anybody accessing DB2/400 or DB2 for i through anything but a 5250 green screen. The exit points were added after the fact to enable access through modern protocols like TCP/IP, FTP, and ODBC. But unless an organization has an exit program in place to monitor the exit point, there’s no way to control access through those modern access methods.
Unfortunately, the use of exit programs has dropped off compared to previous years, according to PowerTech’s study. In 2010, 43 percent of shops reported using at least one exit point, followed by 46 percent in 2011. This year, however, the percentage dropped to 34 percent. In 2010, 28 percent of the exit points were monitored by an exit program. This year, that percentage dropped to 22 percent, which means there are a lot of unsecured FTP and ODBC ports leading into IBM i servers out there.
Tatam says some shops may be under the impression that they don’t need to monitor exit points if they’re using object-level security. But that doesn’t hold up, for several reasons. First, it appears that few shops are actually implementing object-level security. There is also no auditing of network transactions in the operating system without an exit program in place. Also, an exit program (such as the one sold by PowerTech and other IBM i security software vendors) enables organizations to give users different levels of access depending on how they’re accessing the system (i.e., via 5250, FTP, ODBC, or Excel). That level of granularity simply doesn’t exist in the operating system itself, according to Tatam.
Tatam marvels that he still runs into users who are learning for the first time about the importance of exit programs to monitor exit points, and the huge security hole they fill on the IBM i platform. “We figured at one time it was old hat, but we’ve kind of circled around again,” he says. “We still need to keep preaching the simple things, so that we’re not focused just on PCI and more modern things that are driving a lot of the discussion.”
While PCI is causing a lot of IBM i shops to think about security, they don’t appear to be taking one of the critical first steps required to achieve compliance: turning on IBM i auditing. In 2010, 82 percent of shops reported using auditing, rising to 87 percent in 2011. This year, however, only 76 percent of shops say they are using auditing. Despite the fact that customers are overwhelmed with reporting needs for items like SOX and PCI DSS, “it appears that very few of them take advantage of the tools that are available to automate and simplify reporting tasks,” PowerTech says.
IBM i shops are taking unnecessary risks with their data. They’re gambling that the IBM i server is so different and foreign compared to other systems that an intruder wouldn’t know how to get the data if they got into the system in the first place. But IBM i shops are putting too much faith in “security through obscurity.”
Tatam says the poor security showing is in part the result of the bad economy. “It comes down to dollars and sense and where do I invest the IT budget,” he says. “There were a lot of people let go when the economy went down, so now they’ve got to do more with less. Unfortunately security vulnerability and risk potentially increases during those periods, because we have a lot more chances of disgruntled employees, and we have less staff to manage the security environment.”
Getting organizations to take security seriously is a challenge. “Companies don’t always want to spend the money because it’s not a widget machine that they can see a direct return on investment,” Tatam says. “It’s part of my job to keep talking about the investment that companies need to make. It’s kind of like insurance. It’s not necessarily that it adds to your bottom line. But it protects somebody from taking away from the bottom line.”
Copies of the State of IBM i Security 2012 can be downloaded from the PowerTech website. The company will also be holding a webinar on the study on May 30.