The 10-Year Security Itch Needs Scratching

    May 20, 2013 Alex Woodie

In 2004, PowerTech unveiled its first report on the state of security for the iSeries server, as the IBM i platform was then called. The report uncovered major problems at iSeries shops involving passwords, remote access, and user profiles. Fast forward to April 2013 and PowerTech’s 10th annual report, which uncovered systemic problems with, you guessed it, passwords, remote access, and powerful user profiles.

    If you think back to 2004, computer security issues were just beginning to grab headlines. Microsoft was under daily threat from hackers seeking to expose vulnerabilities in its products, which it would patch every month on “Patch Tuesday.” The biggest security threats came from relatively simple computer viruses and worms. Major incidents of data loss were still rare, and were about to blossom as cyber criminals upped their game in the coming years. Companies were scrambling to implement major provisions of the Sarbanes-Oxley Act. PCI was just a gleam in an eager auditor’s eye.

    “A lot of water has flowed under the bridge in the last 10 years,” says Robin Tatum, director of security technologies for PowerTech. “It’s hard to do a year-to-year analysis because, of course, we have different data sets each year. But after 10 years, you can see a trend there. When we average that out, it’s pretty consistent with regards to the state of the general configuration.”

    And that security configuration is generally and consistently poor among IBM i shops.

PowerTech first waved the security flag and warned of the wide-open access that many iSeries users have back in that first state of security report in 2004. In that report, 84 percent of the iSeries shops surveyed had more than 10 users with super-user privileges, meaning special authorities such as *ALLOBJ (all-object authority, which bypasses object-level security entirely) and *SECADM (security administrator, which can create and alter user profiles). Best practices call for no more than 10 users with such privileges. In the most recent survey of 101 IBM i servers, PowerTech found that the IBM i shops surveyed had, on average, 65 users with *ALLOBJ authority, 31 with *SECADM authority, 123 with *JOBCTL authority, and 156 with *SPLCTL authority.

Passwords are another recurring problem for IBM i shops (although the data indicates that IBM i shops probably don’t even know they have a problem). Back in 2004, PowerTech found that 18 percent of users had default passwords, meaning the password is the same as the user profile name. Fast forward to 2013, and only 4 percent of enabled user profiles have default passwords. However, 50 percent of the shops had more than 30 user profiles with default passwords, and each one is a credential an attacker can guess from a user list alone.

Exit programs are an important element for guarding against unauthorized access from remote computers through unprotected network access points, such as ODBC and FTP. In 2004, PowerTech found that 74 percent of those surveyed had no exit programs in place to monitor or control remote access through these network exit points. In 2013, we see improvement: only 69 percent of those surveyed had no exit programs in place. (That’s a gain of 5 percentage points in nine years; break out the bubbly!)

    Tatum long ago gave up being utterly and completely flabbergasted by such flagrant disregard for basic security provisions among IBM i shops. “The exit point piece, even after all this time, is a massive play,” he tells IT Jungle. “It’s surprising to me that, at this point, we talk to customers, and they have no awareness that users can come in through PC tools and circumvent menus and circumvent command line restrictions and go directly against the database. When I was first hired by PowerTech, I wasn’t big on that conversation. Surely everybody knows that by now. But it became quickly apparent that was not the case.”

    In fact, the lack of exit point controls may best exemplify how organizations think about their IBM i servers, and how they can justify leaving them unprotected. The thinking goes like this: Since the IBM i server is a back-office machine that isn’t placed directly on the Internet, it doesn’t require the same level of security, care, or concern as a Windows or a Linux machine exposed directly on the Internet. It’s an internal facing machine, and external users can’t get access to it.

“There’s still a lot of belief that because the servers are internal, inside the infrastructure, that they don’t pose the same target or risk as a server that may be on the perimeter side,” Tatum says. “From the customer’s standpoint, it’s still an acceptance thing. Since it is inside the firewall, they don’t put as much credence into it as they might on other platforms.”

    While there may be some truth to that, it doesn’t change the fact that most IBM i shops appear to be disregarding good security practices for locking down those internal users. “The biggest control that we have in our world, based on what we see, quite honestly is a user ID and password. Once a user gains those credentials, too frequently they have full blown access to pretty much whatever they want,” Tatum says.

There’s one area where IBM i security has improved substantially according to the survey numbers, and that’s security level. More than 55 percent of IBM i shops surveyed by PowerTech were using IBM i security level 40, the minimum security level recommended by IBM (the QSECURITY system value). About 35 percent were at security level 30, while about 10 percent were at security level 50. However, even this glimmer of hope comes with a caveat, because several years ago IBM stopped shipping servers at security level 10 and started shipping them at security level 40.

    “So who’s to say that was a concerted effort by organizations to get to a better security level, or the fact that IBM changed the default and they didn’t change it to anything else?” Tatum asks.
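The four findings the report keeps returning to (counts of special authorities, profiles with default passwords, unregistered network exit points, and the QSECURITY level) can be reproduced on a current IBM i system with the QSYS2 SQL services. The following is an added example written for this page; it is not a PowerTech tool and not anything from the article, and those services did not exist when the 2013 report was written. It assumes IBM i 7.2 or later for QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO and a release that provides QSYS2.EXIT_POINT_INFO and QSYS2.EXIT_PROGRAM_INFO; the view, column and exit-point names are taken from IBM's documentation and should be checked against the IBM i Services reference for your release before relying on the output.

```sql
-- Added example, not from the article or from PowerTech. Reproduces the 2013 report's
-- four headline checks with IBM i Services (QSYS2 views). Run from ACS Run SQL Scripts,
-- STRSQL, or RUNSQLSTM, under a profile that can read every user profile (see note).

-- 1. Enabled profiles holding each powerful special authority.
--    The article's yardstick: more than 10 *ALLOBJ or *SECADM users is too many.
--    SPECIAL_AUTHORITIES is a blank-separated list, hence the LIKE matches.
SELECT 'ALLOBJ' AS special_authority, COUNT(*) AS enabled_users
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED' AND SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
UNION ALL
SELECT 'SECADM', COUNT(*) FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED' AND SPECIAL_AUTHORITIES LIKE '%*SECADM%'
UNION ALL
SELECT 'JOBCTL', COUNT(*) FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED' AND SPECIAL_AUTHORITIES LIKE '%*JOBCTL%'
UNION ALL
SELECT 'SPLCTL', COUNT(*) FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED' AND SPECIAL_AUTHORITIES LIKE '%*SPLCTL%';

-- 2. Enabled profiles whose password equals the profile name (the report's
--    "default password"). Most recently used profiles first, since those are live.
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND USER_DEFAULT_PASSWORD = 'YES'
 ORDER BY PREVIOUS_SIGNON DESC NULLS LAST;

-- 3. Exit programs registered on the database-server (ODBC/JDBC) and FTP exit
--    points the article names. A row with NULL program columns is an exit point
--    with nothing watching it: PC tools reach the database without any menu or
--    command-line restriction applying.
SELECT p.EXIT_POINT_NAME, p.EXIT_POINT_FORMAT_NAME,
       e.EXIT_PROGRAM_LIBRARY, e.EXIT_PROGRAM
  FROM QSYS2.EXIT_POINT_INFO p
  LEFT JOIN QSYS2.EXIT_PROGRAM_INFO e
         ON e.EXIT_POINT_NAME        = p.EXIT_POINT_NAME
        AND e.EXIT_POINT_FORMAT_NAME = p.EXIT_POINT_FORMAT_NAME
 WHERE p.EXIT_POINT_NAME IN ('QIBM_QZDA_INIT',        -- database server connect
                             'QIBM_QZDA_SQL1',        -- database server SQL requests
                             'QIBM_QZDA_SQL2',        -- database server SQL requests (newer format)
                             'QIBM_QTMF_SVR_LOGON',   -- FTP server logon
                             'QIBM_QTMF_SERVER_REQ')  -- FTP server requests
 ORDER BY p.EXIT_POINT_NAME, p.EXIT_POINT_FORMAT_NAME;

-- 4. System security level. Anything below 40 is under IBM's recommended minimum;
--    at 30 and below, a program can bypass object authority through unsupported interfaces.
SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QSECURITY';
```

Two caveats when reading the results. QSYS2.USER_INFO only returns profiles the running user is authorized to, so run the checks as a profile with *ALLOBJ (or *READ to every user profile), or the counts will be silently low. And SPECIAL_AUTHORITIES reflects what is granted to the profile itself; authority inherited from a group profile is not shown, so the true number of *ALLOBJ-capable users is at least the number the first query reports. The green-screen equivalents from the article's era are ANZDFTPWD ACTION(*NONE) for default passwords, PRTUSRPRF TYPE(*AUTHINFO) SELECT(*SPCAUT) for special authorities, WRKREGINF for exit point registrations, and DSPSYSVAL SYSVAL(QSECURITY).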

    IBM i security has an aura of impenetrability about it, much like the mainframe, which also has security controls integrated into the operating system. While the two platforms are routinely locked down to protect the data of the biggest companies, organizations, and governments in the world, they don’t ship out of the box that way. It takes time to understand and implement the controls that IBM has provided. Too often in the IBM i world, those controls are ignored.

“IBM i has always had this great reputation for being extremely robust, and I think that that is not just hearsay. It was well designed. It was created correctly from the ground up and integrated into the OS layer. When folks at IBM talk about it being a world class operating system infrastructure, then I am totally on board that bus,” Tatum says. “But we’re seeing continued ambivalence, for want of a better word, of the importance of deploying security controls.”

    PowerTech’s 2013 State of IBM i Security Study can be downloaded from the company’s website at www.powertech.com.

Volume 23, Number 19 -- May 20, 2013