State Of IBM i Security? Dismal As Usual, PowerTech Says

    May 19, 2014 Alex Woodie

    Organizations are taking unnecessary risks by neglecting to properly secure their IBM i environments, according to PowerTech's 2014 State of IBM i Security report, which it released last week. While PowerTech spotted all kinds of security shortcomings–ranging from too many powerful profiles to lax security levels–the most glaring problem may be poor password management.

    Bad password hygiene leaves IBM i shops open to external attackers and internal threats, PowerTech says. These are not Heartbleed-level password problems, where vast numbers of once-trusted credentials had to be treated as compromised overnight. But considering the level of fine-tuning available through IBM i operating system facilities and settings–such as the ability to force users to adopt strong passwords and to reset them at set intervals–it’s really a shame that passwords aren’t more secure than they are.

    Consider these statistics pulled from PowerTech’s study. The company found that 53 percent of systems had more than 30 users with default passwords. One system analyzed by PowerTech had 1,823 user profiles with default passwords, out of 1,935 total users. Not every user profile is going to provide a path to the crown jewels, but keeping default passwords around is extremely bad form. Every rookie hacker knows that a default password on IBM i is the user ID itself (CRTUSRPRF creates a profile with PASSWORD(*USRPRF) unless told otherwise), so it’s unacceptable to have any default passwords, let alone a great number of them.

    Changing default passwords is a good first step, but it doesn’t guarantee Fort Knox-like access control, either. On nearly three out of ten systems surveyed by PowerTech, users were never required to change their passwords (the QPWDEXPITV system value left at *NOMAX), while on 40 percent of the systems, passwords weren’t required to contain a digit (QPWDRQDDGT set to 0). Requiring digits and other character classes, a minimum length, and a password level that permits long, case-sensitive passphrases is basic password management, and all of it is a system value away.
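    The password controls above map onto a handful of system values and user-profile attributes, all of which can be queried through IBM’s Db2 for i services. The SQL that follows is an added example written for this page, not part of PowerTech’s report or its tooling; it assumes IBM i 7.3 or later (for the QSYS2 views named), and the thresholds in the WHERE clauses are this example’s own baseline rather than figures from the report. Verify the column names against your release before relying on the output.

```sql
-- Added example (not PowerTech's): audit the password controls described above.
-- Assumes IBM i 7.3+ and the QSYS2 services named here; thresholds are this
-- example's baseline, not values from the report.

-- 1. The system values that decide whether weak, never-changing passwords are
--    even possible. QPWDEXPITV at *NOMAX and QPWDRQDDGT at 0 are the two
--    findings the survey calls out.
SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN (
         'QPWDLVL',      -- 0/1 = short, upper-case only; 2/3 = long, case-sensitive
         'QPWDEXPITV',   -- days before a password expires; *NOMAX means never
         'QPWDRQDDGT',   -- 1 = at least one digit required
         'QPWDMINLEN',   -- minimum length
         'QPWDRQDDIF',   -- how many previous passwords cannot be reused
         'QMAXSIGN',     -- invalid sign-on attempts tolerated before QMAXSGNACN acts
         'QMAXSGNACN');  -- 1 = vary off device, 2 = disable profile, 3 = both

-- 2. Enabled profiles that could still be signed on with a stale password:
--    no change in over a year, or exempt from QPWDEXPITV at the profile level.
--    Profiles holding *ALLOBJ sort first because they are the ones worth stealing.
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES,
       PASSWORD_CHANGE_DATE, PASSWORD_EXPIRATION_INTERVAL, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND NO_PASSWORD_INDICATOR = 'NO'              -- PASSWORD(*NONE) profiles cannot sign on at all
   AND (PASSWORD_CHANGE_DATE < CURRENT_TIMESTAMP - 1 YEAR
        OR PASSWORD_EXPIRATION_INTERVAL = -1)    -- -1 = *NOMAX on the profile (0 = *SYSVAL)
 ORDER BY CASE WHEN SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 0 ELSE 1 END,
          PASSWORD_CHANGE_DATE;

-- 3. Default passwords (password equal to the profile name) are not visible in
--    the view, because the hash is not exposed. ANZDFTPWD tests every profile.
--    Run it with ACTION(*NONE) first and read the report, then fix the offenders:
CALL QSYS2.QCMDEXC('ANZDFTPWD ACTION(*PWDEXP)');   -- forces a new password at next sign-on
-- ACTION(*DISABLE) is the right choice for profiles that should never sign on
-- interactively (service accounts, leavers); PASSWORD(*NONE) is better still.
```

    The second query is the one to run first on a system like the 1,935-user example in the article: an *ALLOBJ profile whose password has not changed in years is the finding that matters, regardless of how many low-privilege profiles share the same problem.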

    PowerTech put more emphasis on analyzing password practices in this study, its 11th annual study, says Robin Tatam, PowerTech director of security technologies and author of the study. “What we realize is there’s not enough in the background to protect the database once the users are on the system, so it’s more critical that we take control of the mechanisms that many of us are putting our eggs into, which is the basket of making sure that credentials are valid,” he tells IT Jungle.

    The company also looked at authority failures, which in this context means invalid sign-on attempts: somebody or some application presenting the wrong password to the server. Good security practice dictates that a user profile is disabled after a set number of failures (on IBM i, the QMAXSIGN system value sets the limit and QMAXSGNACN decides whether the device, the profile, or both are disabled). But IBM i shops don’t always follow good security practices (you might have detected a theme here).

    At one shop, PowerTech recorded 2 million authority failures over the course of the year. In this particular case, it was likely the result of a broken application retrying a stale password. But automated password-guessing tools produce exactly the same kind of journal entries, so the source of the failures has to be established rather than assumed.

    “What’s more concerning to me as a security person is I’m the one telling them that it’s happening,” Tatam says. “They don’t have any awareness that this has been going on. That to me is one of the biggest red flags of unauthorized activity that exists on the system. The invalid sign-on attempt is one of the things that the IBM i server has to be able to say ‘Help! Somebody is trying to get in who shouldn’t be.’”

    PowerTech found that 12 percent of its survey respondents did not have the security audit journal, QAUDJRN, turned on. And while that number is down from recent years, it still represents a serious security problem. “Even if you’re not interested in buying a commercial solution, I tell customers to turn the collection on,” Tatam says. “It’s like a camera in a bank. If somebody comes in and robs the bank, I can go back and rewind the tape and look at it.”
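    Tatam’s two points, turn the collection on and then actually look at it, translate into one CHGSECAUD command and one query over the PW (password failure) entries in QAUDJRN. What follows is an added example written for this page, not from the report or from PowerTech’s product. It assumes IBM i 7.3 or later for QSYS2.DISPLAY_JOURNAL and INTERPRET, and the offsets into ENTRY_DATA follow the PW audit entry layout (violation type in byte 1, then the ten-character user name), which you should confirm against the QASYPWJ5 model outfile on your release. The thresholds (20 failures per user and source, 5 distinct user names per source, a 7-day window) are this example’s, not PowerTech’s.

```sql
-- Added example (not PowerTech's): switch audit collection on, then separate a
-- broken application from a password-guessing source in the PW entries.
-- Assumes IBM i 7.3+; ENTRY_DATA offsets follow the PW entry layout (verify
-- against QASYPWJ5 on your release); thresholds are this example's own.

-- 1. CHGSECAUD creates QAUDJRN and its receiver if they do not exist and sets
--    QAUDCTL/QAUDLVL in one step, effective immediately (no IPL). *AUTFAIL is
--    what produces PW (and AF) entries. The QAUDLVL list given here REPLACES
--    the current list, so merge it with whatever you already audit.
CALL QSYS2.QCMDEXC('CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD) QAUDLVL(*AUTFAIL *PGMFAIL *SECURITY *SERVICE *SAVRST *DELETE)');

-- The check PowerTech ran, in effect: QAUDCTL must not be *NONE.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL');

-- 2. Password failures over the last 7 days. ENTRY_DATA is binary, so the
--    fixed-position fields are reinterpreted as character. *CURCHAIN walks
--    every attached receiver rather than only the current one.
WITH PW AS (
  SELECT ENTRY_TIMESTAMP,
         COALESCE(REMOTE_ADDRESS, '(local)')                      AS SOURCE,
         INTERPRET(SUBSTR(ENTRY_DATA, 1, 1) AS CHAR(1))           AS VIOLATION,
         RTRIM(INTERPRET(SUBSTR(ENTRY_DATA, 2, 10) AS CHAR(10)))  AS TARGET_USER
    FROM TABLE(QSYS2.DISPLAY_JOURNAL(
                 'QSYS', 'QAUDJRN',
                 STARTING_RECEIVER_NAME => '*CURCHAIN',
                 STARTING_TIMESTAMP     => CURRENT_TIMESTAMP - 7 DAYS,
                 JOURNAL_ENTRY_TYPES    => 'PW'))
),
BY_PAIR AS (                     -- one user hammered from one place
  SELECT VIOLATION, TARGET_USER, SOURCE,
         COUNT(*)             AS FAILURES,
         MIN(ENTRY_TIMESTAMP) AS FIRST_SEEN,
         MAX(ENTRY_TIMESTAMP) AS LAST_SEEN
    FROM PW
   GROUP BY VIOLATION, TARGET_USER, SOURCE
),
BY_SOURCE AS (                   -- one place trying many user names
  SELECT SOURCE, COUNT(DISTINCT TARGET_USER) AS USERS_TRIED
    FROM PW
   GROUP BY SOURCE
)
SELECT P.VIOLATION,   -- P = wrong password, U = no such user, Q = profile disabled, R = password expired
       P.TARGET_USER, P.SOURCE, P.FAILURES, S.USERS_TRIED, P.FIRST_SEEN, P.LAST_SEEN
  FROM BY_PAIR P
  JOIN BY_SOURCE S ON S.SOURCE = P.SOURCE
 WHERE P.FAILURES >= 20         -- a broken job: same user, same source, all day
    OR S.USERS_TRIED >= 5       -- a spray: many names from one source
 ORDER BY S.USERS_TRIED DESC, P.FAILURES DESC;
```

    Read FAILURES and USERS_TRIED together. A broken application shows one TARGET_USER from one SOURCE with failures in the thousands and USERS_TRIED of 1; a guessing tool shows USERS_TRIED climbing, often with violation U (user names that do not exist) mixed in with P. Either way the article’s point stands: if this returns rows and nobody knew, QMAXSGNACN may have been quietly disabling profiles for months with nobody reading the journal.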

    A lack of basic understanding about network exit points continues to plague the IBM i platform, PowerTech finds. Tatam might have understood if IT pros were not worried about exit points because they had already taken steps to secure them, or perhaps had implemented object-level security, which affords some protection. “It’s that they’re completely unaware that exit points exist!” he says. “So their FTP and ODBC traffic is potentially exposed.”

    According to PowerTech’s survey, 66 percent of the systems had zero exit point programs in place. Of the third that did have exit programs, most covered only the popular protocols, such as FTP and ODBC. Only 6 percent of the respondents had coverage for all 27 IBM i exit points that PowerTech counts.

    Monitoring the exit points is critical because the operating system (and its menu-based security approach) was designed before FTP, ODBC, and SQL were in widespread use. A menu only restricts what a user can do at a 5250 screen; a user with a valid profile and object authority can read or change the same files through FTP or ODBC without ever seeing the menu. An exit program is called by the server before each request is carried out and can allow, reject, and log it. Without a product or a program at the exit points, there is no oversight or control over the activity conducted through those protocols.
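    The quickest way to see where a system stands is to list the common network exit points beside whatever is registered against them, which is what the query below does, followed by the command that closes the FTP gap. This is an added example for this page, not PowerTech’s; it assumes IBM i 7.3 or later for QSYS2.EXIT_PROGRAM_INFO (verify the column names against your release), the exit-point list is this example’s own selection of the usual network entry paths rather than PowerTech’s 27, and MYLIB/FTPEXIT is a placeholder for an exit program you have written yourself.

```sql
-- Added example (not PowerTech's): which common network exit points have no
-- program registered. The exit-point list is this example's own selection;
-- MYLIB/FTPEXIT is a placeholder. Assumes IBM i 7.3+ (QSYS2.EXIT_PROGRAM_INFO).
WITH NET_EXITS (EXIT_POINT_NAME, PURPOSE) AS (VALUES
  ('QIBM_QTMF_SVR_LOGON',  'FTP server logon'),
  ('QIBM_QTMF_SERVER_REQ', 'FTP server request (get, put, list, delete, CL command)'),
  ('QIBM_QTMX_SVR_LOGON',  'REXEC server logon'),
  ('QIBM_QTMX_SERVER_REQ', 'REXEC server request'),
  ('QIBM_QZSO_SIGNONSRV',  'Sign-on server (host server authentication)'),
  ('QIBM_QZDA_INIT',       'Database server start (ODBC, JDBC, .NET)'),
  ('QIBM_QZDA_NDB1',       'Database server native file requests'),
  ('QIBM_QZDA_SQL1',       'Database server SQL requests'),
  ('QIBM_QZDA_SQL2',       'Database server SQL requests (newer format)'),
  ('QIBM_QZDA_ROI1',       'Database server retrieve object information'),
  ('QIBM_QPWFS_FILE_SERV', 'File server (IFS access)'),
  ('QIBM_QZRC_RMT',        'Remote command and program call server'),
  ('QIBM_QZHQ_DATA_QUEUE', 'Data queue server'),
  ('QIBM_QNPS_ENTRY',      'Network print server entry'),
  ('QIBM_QNPS_SPLF',       'Network print server spooled file'))
SELECT N.EXIT_POINT_NAME, N.PURPOSE,
       COALESCE(P.EXIT_PROGRAM_LIBRARY CONCAT '/' CONCAT P.EXIT_PROGRAM,
                '<< none registered >>') AS EXIT_PROGRAM
  FROM NET_EXITS N
  LEFT JOIN QSYS2.EXIT_PROGRAM_INFO P
         ON P.EXIT_POINT_NAME = N.EXIT_POINT_NAME
 ORDER BY EXIT_PROGRAM, N.EXIT_POINT_NAME;

-- Closing the FTP gap: register a request-validation program. The server calls
-- it with the operation (session start, list, get, put, rename, delete, CL
-- command), the user profile and the client address, and the program sets the
-- return code to allow or reject. VLRQ0100 is IBM's name for that parameter layout.
CALL QSYS2.QCMDEXC('ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) PGMNBR(1) PGM(MYLIB/FTPEXIT)');

-- The FTP server reads the registration when it starts, so restart it:
CALL QSYS2.QCMDEXC('ENDTCPSVR SERVER(*FTP)');
CALL QSYS2.QCMDEXC('STRTCPSVR SERVER(*FTP)');
```

    A registered program is only half the answer. The program itself has to fail closed (reject on any operation or input it does not recognize) and record what it rejected, so that the exit-point picture and the audit journal tell the same story.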

    Another common problem is using an IBM i security level that’s lower than what IBM recommends. IBM recommends security level 40 or higher (level 50 is the highest), but 27 percent of the systems studied by PowerTech were running security level 30 or 20. Level 40 is where the operating system starts enforcing its integrity protections, such as blocking user-state programs from calling system-domain objects or using restricted machine instructions; at 30 those violations are at most audited, not stopped, and at 20 every profile effectively has *ALLOBJ. Anything less than security level 40 is very likely to lead to a failed PCI audit. But that’s only if you’re lucky (or unlucky?) enough to have an auditor who actually knows how to spell IBM i on Power Systems.
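    Raising QSECURITY is the one change on this list that can break working code, because level 40 starts enforcing the checks that level 30 only records. The sequence below is an added example written for this page, not from the report: check the level, audit the would-be failures at level 30, and raise the level only once the journal is clean. It assumes IBM i 7.3 or later for the QSYS2 services, and the ENTRY_DATA offsets follow the AF audit entry layout (violation type, then object name and library), which you should confirm against the QASYAFJ5 model outfile on your release.

```sql
-- Added example (not PowerTech's): check QSECURITY and find what would break
-- before raising a level-30 system to 40. Assumes IBM i 7.3+; AF ENTRY_DATA
-- offsets follow the AF entry layout (verify against QASYAFJ5 on your release).

-- 1. Where the system is today. Anything below '40' is the survey's finding.
SELECT CURRENT_CHARACTER_VALUE AS QSECURITY
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QSECURITY';

-- 2. At level 30 the level-40 integrity checks are evaluated but not enforced;
--    with *PGMFAIL (and *AUTFAIL) audited they surface as AF entries instead of
--    failing jobs. CHGSECAUD replaces the QAUDLVL list, so keep what you have.
CALL QSYS2.QCMDEXC('CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD) QAUDLVL(*AUTFAIL *PGMFAIL *SECURITY *SAVRST)');

-- 3. After running the normal workload for a full business cycle (month end
--    included), list the AF entries whose violation types only matter at level
--    40: B restricted instruction, C validation failure (tampered or unsigned
--    program), D domain violation, R hardware storage protection, S default
--    sign-on attempt. ENTRY_DATA is binary, hence the INTERPRET.
WITH AF AS (
  SELECT INTERPRET(SUBSTR(ENTRY_DATA, 1, 1) AS CHAR(1))             AS VIOLATION,
         RTRIM(INTERPRET(SUBSTR(ENTRY_DATA, 2, 10) AS CHAR(10)))    AS OBJECT_NAME,
         RTRIM(INTERPRET(SUBSTR(ENTRY_DATA, 12, 10) AS CHAR(10)))   AS OBJECT_LIBRARY,
         PROGRAM_NAME, JOB_USER
    FROM TABLE(QSYS2.DISPLAY_JOURNAL('QSYS', 'QAUDJRN',
                 STARTING_RECEIVER_NAME => '*CURCHAIN',
                 JOURNAL_ENTRY_TYPES    => 'AF'))
)
SELECT VIOLATION, OBJECT_NAME, OBJECT_LIBRARY, PROGRAM_NAME, JOB_USER,
       COUNT(*) AS HITS
  FROM AF
 WHERE VIOLATION IN ('B', 'C', 'D', 'R', 'S')
 GROUP BY VIOLATION, OBJECT_NAME, OBJECT_LIBRARY, PROGRAM_NAME, JOB_USER
 ORDER BY HITS DESC;

-- 4. Only when step 3 returns nothing you cannot explain and fix:
CALL QSYS2.QCMDEXC('CHGSYSVAL SYSVAL(QSECURITY) VALUE(''40'')');
-- The new level takes effect at the next IPL. Coming from level 20 is a bigger
-- step: at 20 every profile effectively has *ALLOBJ, and the move to 30 or
-- higher strips *ALLOBJ from every profile except user class *SECOFR, so
-- object-level authority for the applications must already be in place.
```

    The usual offenders in step 3 are old vendor programs that poke system-domain objects or were restored with validation failures; each one needs a fix or a replacement before the IPL, not an exception, because the level-40 enforcement applies to every job on the system.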

    “I’ve seen a customer who’s been audited on things that are not important in the i world because of the nature of the beast, but the auditor completely overlooks the fact that FTP is unlocked,” Tatam says. “If you’re struggling to achieve compliance–that’s the minimum you need to be doing. If you’re not self-policing very well, we’re going to tell you what you have to do. If you can’t reach that level, what does that say about the security of the environment? Because compliance should be easier if you’re secure.”

    Tatam will be presenting the results of the survey in an upcoming webinar. In the meantime, to download the full report, go to PowerTech’s webpage at www.ibmisecurity.com/index.php?source=ptcom_homepage_banner.

Volume 24, Number 18 -- May 19, 2014