The 10-Year Security Itch Needs Scratching
May 20, 2013 Alex Woodie
In 2004, PowerTech unveiled its first report on the state of security for the iSeries server, as the IBM i platform was then called. The report uncovered major problems at iSeries shops involving passwords, remote access, and user profiles. Fast forward to April 2013 and PowerTech’s 10th annual report, which uncovered systemic problems with, you guessed it, passwords, remote access, and powerful user profiles.
If you think back to 2004, computer security issues were just beginning to grab headlines. Microsoft was under daily threat from hackers seeking to expose vulnerabilities in its products, which it would patch every month on “Patch Tuesday.” The biggest security threats came from relatively simple computer viruses and worms. Major incidents of data loss were still rare, and were about to blossom as cyber criminals upped their game in the coming years. Companies were scrambling to implement major provisions of the Sarbanes-Oxley Act. PCI was just a gleam in an eager auditor’s eye.
“A lot of water has flowed under the bridge in the last 10 years,” says Robin Tatam, director of security technologies for PowerTech. “It’s hard to do a year-to-year analysis because, of course, we have different data sets each year. But after 10 years, you can see a trend there. When we average that out, it’s pretty consistent with regards to the state of the general configuration.”
And that security configuration is generally and consistently poor among IBM i shops.
PowerTech first waved the security flag and warned of the wide-open access that many iSeries users have back in that first state of security report in 2004. In that report, 84 percent of the iSeries shops surveyed had more than 10 users with super-user privileges, such as *ALLOBJ and *SECADM authorities. Best practices call for no more than 10 users with such privileges. In the most recent survey of 101 IBM i servers, PowerTech found that the IBM i shops surveyed had, on average, 65 users with *ALLOBJ authority, 31 with *SECADM authority, 123 with *JOBCTL authority, and 156 with *SPLCTL authority.
Passwords are another recurring problem for IBM i shops (although the data indicates that IBM i shops probably don’t even know they have a problem). Back in 2004, PowerTech found that 18 percent of users had default passwords, where the password is the same as the user ID. Fast forward to 2013, and only 4 percent of enabled user profiles have default passwords. However, 50 percent of the shops had more than 30 user profiles with default passwords.
Exit programs are an important element for guarding against unauthorized access from remote computers through unprotected network access points, such as ODBC and FTP. In 2004, PowerTech found that 74 percent of those surveyed had no exit programs in place to monitor or control remote access through these network exit points. In 2013, we see improvement: only 69 percent of those surveyed had no exit programs in place. (That’s a 5 percent gain; break out the bubbly!)
Tatam long ago gave up being utterly and completely flabbergasted by such flagrant disregard for basic security provisions among IBM i shops. “The exit point piece, even after all this time, is a massive play,” he tells IT Jungle. “It’s surprising to me that, at this point, we talk to customers, and they have no awareness that users can come in through PC tools and circumvent menus and circumvent command line restrictions and go directly against the database. When I was first hired by PowerTech, I wasn’t big on that conversation. Surely everybody knows that by now. But it became quickly apparent that was not the case.”
In fact, the lack of exit point controls may best exemplify how organizations think about their IBM i servers, and how they can justify leaving them unprotected. The thinking goes like this: Since the IBM i server is a back-office machine that isn’t placed directly on the Internet, it doesn’t require the same level of security, care, or concern as a Windows or a Linux machine exposed directly on the Internet. It’s an internal facing machine, and external users can’t get access to it.
“There’s still a lot of belief that because the servers are internal, inside the infrastructure, that they don’t pose the same target or risk as a server that may be on the perimeter side,” Tatam says. “From the customer’s standpoint, it’s still an acceptance thing. Since it is inside the firewall, they don’t put as much credence into it as they might on other platforms.”
While there may be some truth to that, it doesn’t change the fact that most IBM i shops appear to be disregarding good security practices for locking down those internal users. “The biggest control that we have in our world, based on what we see, quite honestly is a user ID and password. Once a user gains those credentials, too frequently they have full blown access to pretty much whatever they want,” Tatam says.
There’s one area where IBM i security has improved substantially according to the survey numbers, and that’s security level. More than 55 percent of IBM i shops surveyed by PowerTech were using IBM i security level 40, the minimum security level recommended by IBM. About 35 percent were at security level 30, while about 10 percent were at security level 50. However, even this slight glimmer of hope comes with a caveat, because several years ago IBM stopped shipping servers at security level 10 and started shipping them at security level 40.
“So who’s to say that was a concerted effort by organizations to get to a better security level, or the fact that IBM changed the default and they didn’t change it to anything else?” Tatam asks.
IBM i security has an aura of impenetrability about it, much like the mainframe, which also has security controls integrated into the operating system. While the two platforms are routinely locked down to protect the data of the biggest companies, organizations, and governments in the world, they don’t ship out of the box that way. It takes time to understand and implement the controls that IBM has provided. Too often in the IBM i world, those controls are ignored.
“IBM i has always had this great reputation for being extremely robust, and I think that that is not just hearsay. It was well designed. It was created correctly from the ground up and integrated into the OS layer. When folks at IBM talk about it being a world class operating system infrastructure, then I am totally on board that bus,” Tatam says. “But we’re seeing continued ambivalence, for want of a better word, of the importance of deploying security controls.”
PowerTech’s 2013 State of IBM i Security Study can be downloaded from the company’s website at www.powertech.com.