Popping The IBM i Security Bubble
May 27, 2014 Alex Woodie
As an IBM i professional, you feel safe knowing that your organization has entrusted its data to the most secure business server on the planet. You watch as other companies–Target, eBay, victims of Chinese hackers–scramble into spin-control mode following a breach, confident that will never happen at your shop. If this sounds familiar, you’ve succumbed to a dangerous condition known as “IBM i security bubble-itis.” Let us help you pop it.
The first step in overcoming this debilitating condition is admitting you have a problem. Like the security blanket your kid won’t give up, your mistaken faith in the inherent superior security of the IBM i platform affords only imaginary protection against evil forces. What you don’t know about IBM i security can very definitely hurt you. You eventually got rid of your kid’s tattered wubbie, and likewise, you eventually must get rid of your misplaced assumptions about IBM i security.
If your IBM i shop is like most we’ve seen over the years, the inadequacies of your security controls run deep and wide. Some of the most common IBM i security problems include:
Nearly all of these problems can be traced to an initial failure to properly configure the IBM i security settings and system values, and an ongoing failure to keep the box secure. Security experts will tell you that the keys to achieving good security are the three Ps of policy, process, and procedure. Give or take, 90 percent of the security battle is establishing a good policy up front and then following the processes and procedures necessary to maintain the requisite level of control.
The three Ps are all well and good. But perhaps the biggest security hurdle that IBM i shops face is the Big A, as in Awareness.
IBM i professionals have grown accustomed to thinking of the server as secure, but that kind of thinking is misplaced and dangerous. The yawning lack of awareness of the basics of IBM i security (You never changed your default user passwords? Really? You never thought to guard the FTP exit point? Really?? You don’t even know what an FTP exit point is? Really???) would be slightly amusing if it weren’t so downright scary.
The consequences of a data breach are high, and getting higher every year. According to a Ponemon Institute study of 315 breaches released by IBM this month, the average cost of a data breach has increased by 15 percent this year to $3.5 million per breach. The average cost per lost or stolen record increased by 9 percent to $145 per record. The costs are even higher in the U.S. (this was a global study).
The size and number of data breaches appear to be growing, driven by the increasing sophistication of cybercriminals who launch targeted attacks, or “advanced persistent threats,” that use multiple attack vectors and are designed to evade traditional defenses.
Just last week, eBay reported that hackers stole information on 145 million people, including email addresses, passwords, birth dates, and mailing addresses, but no credit card or PayPal information, according to Privacy Rights Clearinghouse. If true, that would be the largest data breach in history–bigger than the 2009 breach of Heartland Payment Systems, which compromised records on 130 million people.
But it’s the Target breach of 110 million people’s data in December 2013 that has security experts jumpy. There were red flags in that data breach, which was conducted by somebody (allegedly a Russian hacker) who stole the sign-on credentials of a third-party vendor who worked on Target’s systems and then compromised the point of sale system. But nobody was paying attention to the flags.
The key failure in Target’s case appears to be a breakdown of process. According to a March story in BusinessWeek, Target’s security officers assumed that the flurry of alerts generated by a newly deployed FireEye intrusion detection system were false positives. In fact they were true positives.
“It’s unfortunate for Target. They had the controls in place. I talked to those guys and their security is phenomenal,” says Robin Tatam, director of security technologies at PowerTech, which recently released its 11th annual State of IBM i Security Report. (Spoiler alert: it still sucks).
“Target had a significant impact in business awareness because it was the first big box retailer to be hit by something so dramatic,” Tatam continues. “It’s giving people the idea that if it can happen to Target, it can happen to us.”
Don’t be surprised if there are more breaches like Target’s in the near future. Companies and other organizations have to worry not only about rogue cybercriminal elements, but also about well-funded attacks from government-backed cyberwarriors. The Chinese military, in particular, is seen as the perpetrator behind many attacks against the commercial interests of American corporations, the United States Department of Justice alleged in a lawsuit last week.
If the specter of Russian hackers and Chinese cyberspies getting access to your servers and data isn’t enough to scare you, then you’re not paying attention. Yorgen Edholm, the CEO of secure file sharing software firm Accellion, wonders what’s next. “Cyber warfare is giving the enterprise community a rude awakening, and organizations are just now starting to learn the lessons from attacks on Target, eBay, and others,” he tells IT Jungle. “There is now an industry built solely for the purpose of targeting vulnerable organizations, so IT needs to boost its efforts with the proper security investments and tools.”
For you IBM i pros, the key message is that the magical cloak of invisibility (i.e. security through obscurity) that you intentionally or unintentionally relied on is getting thinner every year. It’s true that you wear a lot of different hats–programmer, administrator, operator, analyst, chief bottle washer, security officer–and that IT budgets don’t allow you to hire the expertise you need. But just becoming aware of the potential problems that stem from having extremely poor security is a good first step to eventually fixing it.
“The IBM i organizations have not traditionally taken it seriously because the reputation of the box is that it’s secure, as opposed to securable. And there’s a big difference between the definitions of those two words,” Tatam says. “We’re still not doing what we need to do. [The results of the study] still tell me there’s a general lack of awareness in the i space.”