State of IBM i Security? Still Horrible, After All These Years
May 18, 2015 Alex Woodie
When you talk to IBM about the IBM i-on-Power platform, the word “security” is used extensively, and appears frequently next to other power words like “reliability” and “availability.” But when you talk to the security software vendor PowerTech about the state of IBM i security, you might be surprised to hear words like “wide open” and “breach fatigue.” Then again, if you have been an IT Jungle reader for very long, you may not.
Last month, PowerTech released its 12th annual State of IBM i Security Study. The 25-page report, which you can download from the company’s website, is based on security configuration analyses run against more than 100 IBM i servers during 2014. PowerTech’s director of security technologies, Robin Tatam, who personally conducted many of the analyses and wrote the report, got on the phone with IT Jungle last week to talk about the results.
“Sadly it’s much of the same,” Tatam says. “Even though people are starting to wake up to the idea that they need to do something, they haven’t done it yet.”
Tatam agrees that IT security as a topic seems to be trickling up into the consciousness of not just CIOs but everyday Americans, thanks to the string of massive data breaches–from Target to Anthem to Home Depot to JPMorgan Chase. However, the more breaches we have, the less CIOs may be inclined to do anything about it, Tatam says.
“It’s shocking when it first happened. When TJ Maxx got hit, that was the first big breach,” he says. “At this point the longevity of the shock value is shrinking. Somebody the other day said it’s six months, then the brand recovers. People are so used to hearing ‘What breach is it today?’ they get to the point where they say, ‘Oh it’s inevitable. Why spend money on defenses, are we better off just acknowledging that most likely it’s going to happen at some point and redirecting those expenses to mitigation cost?'”
While there are headwinds to improving security, Tatam isn’t ready to give up the fight (at least not yet).
Pssst, What’s the Password, Buddy?
Weak passwords are one of Tatam’s pet peeves. While regulations like PCI generally require passwords to be at least seven characters long, there are many shops using passwords as short as a single character. And while everybody (even hackers) knows that default passwords are the same as the user ID on the IBM i platform, more than half of the systems had 30 or more user profiles with default passwords.
Overuse of special authorities also keeps Tatam awake at night. According to the study, the average shop has more than 75 user profiles with ALLOBJ authority, which gives the user access to large swaths of the machine and is complete overkill for most users. This has been a well-documented risk in IBM i security configurations, and yet nobody seems to be doing anything about it.
This is part of the IBM i legacy that one should not be proud of. “Nobody cares that we had ALLOBJ authority 20 years ago, but we don’t go back and remove it because we’re terrified we’re going to break this core application,” Tatam says. “We assume they have ALLOBJ for a reason and we’re scared if we take it away something is going to break. Who creates user profiles from scratch anymore? They duplicate them from another user, or reload them from the old box. Nobody is creating configurations from the get-go.”
The overall lack of monitoring rates as one of Tatam’s top three security annoyances: 22 percent of the systems surveyed had no audit journal repository, and more than 50 percent of IBM i systems had no exit programs in place to monitor or control access to network services such as FTP, Telnet, and ODBC.
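The findings above (ALLOBJ sprawl, unmonitored sign-on failures, weak password and auditing settings) can be checked on your own box with a few queries against the IBM-supplied Db2 for i views. This is an added example, not code from the PowerTech report; it assumes the QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO views are available on your release, and the 100-attempt threshold is an arbitrary starting point.

```sql
-- Added example (not from the PowerTech report). Assumes the IBM-supplied
-- views QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO exist on this release.

-- 1. Profiles carrying *ALLOBJ special authority (the study's average was 75+).
--    SPECIAL_AUTHORITIES is a blank-separated list, hence the LIKE.
SELECT authorization_name, status, user_class_name, special_authorities
  FROM qsys2.user_info
 WHERE special_authorities LIKE '%*ALLOBJ%'
 ORDER BY authorization_name;

-- 2. Profiles with many invalid sign-on attempts since the counter was last
--    reset. The threshold of 100 is an arbitrary starting point; tune it.
SELECT authorization_name, sign_on_attempts_not_valid, status, previous_signon
  FROM qsys2.user_info
 WHERE sign_on_attempts_not_valid >= 100
 ORDER BY sign_on_attempts_not_valid DESC;

-- 3. System values behind the report's password and auditing findings:
--    QPWDMINLEN below 7 fails the PCI length requirement the article cites,
--    and QAUDCTL = *NONE means no security auditing is being written at all.
SELECT system_value_name, current_numeric_value, current_character_value
  FROM qsys2.system_value_info
 WHERE system_value_name IN ('QSECURITY', 'QPWDMINLEN', 'QMAXSIGN',
                             'QMAXSGNACN', 'QAUDCTL', 'QAUDLVL');

-- Default passwords (password equal to the profile name) are not exposed by
-- these views; the CL command ANZDFTPWD ACTION(*NONE) prints that list
-- without changing any profile.
```

Run the three queries from ACS Run SQL Scripts or STRSQL; a profile showing up in both query 1 and query 2 is the combination Tatam describes, an all-powerful account that someone is hammering on unnoticed.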
Tatam travels around the country a lot, talking to IBM i shops; tonight, he will be in Atlanta to speak with a SunGard user group. One of the common refrains he hears from IBM i professionals is “thank goodness we haven’t been breached.” His typical response is “How do you know?”
“You have no idea,” he says. “We had a system this year with 87,000 invalid sign-on attempts against one of the profiles. Last year we had one with more than 16,000,000. What’s scary is not the number–it’s the fact that they’re not monitoring it and they didn’t know it.”
For years, it was assumed the IBM i platform was immune to viruses and malware. But today we know better. Or do we? According to the PowerTech survey, only 20 percent of IBM i shops are scanning IFS files when they’re opened. While the IBM i OS itself is immune to the Windows viruses, they can live in the Windows-like IFS file system, enabling the Power Systems server to pull a “Typhoid Mary” and infect Windows clients it connects to.
Having and running antivirus software is a requirement for PCI compliance. “But a lot of people are getting free passes because the auditors are subject to the same misinformation,” Tatam says. “They think the IBM i server can’t scan for viruses, therefore it’s not something to conform to. People are starting to wake up to the fact that it’s something we can do.” (Sales of the StandGuard Antivirus software from PowerTech’s sister company Bytware have increased substantially over the past 12 to 18 months, he says.)
Into The Great Wide Open
There’s a lot more detail in the PowerTech survey, including sections on IBM i security levels, object security, the use of *PUBLIC access to libraries, responses to invalid sign-on attempts, inactive profiles, and more password deficiencies. Needless to say, none of it is very positive from a security point of view. For Tatam, who has been doing these annual State of Security reports for the better part of 10 years, seeing the same security configuration mistakes year after year has to be a bit disconcerting.
“I’ve seen a couple of systems in the last few weeks that were very well configured, which really stood out,” he says. “What’s interesting to me is, give or take one to three percent of these systems, they’re almost cookie-cutter to one another. I’ve never put my finger on why that is. Certainly the default settings in the operating system are somewhat at fault, if you will. But it always amazes me when folks are loading applications or writing their own code, and ten years’ worth of configuration changes, they all end up within a few percentage points of each other. You’d think it would be scattered all over the board, and it’s not.”
“I would say the average system is wide open,” Tatam continues. “If you have a user ID and a password, it’s easy to breach most IBM i environments. The hardest thing is getting to the box. That’s why the insider threat is typically much bigger because they can do that legitimately.”
So what can IBM i shops do about it? For starters, forget about the advanced stuff, like object security and row and column access control. Those are for the big boys, and you, dear IBM i reader, are most likely not working for one of them. “I’m a big proponent of doing something,” Tatam says. “The security problem is not going to go away overnight. But every little thing you do is going to work toward the greater good.”
Tatam’s list of low-hanging security fruit starts with (you guessed it) the passwords. “You start out with making passwords count,” he says. “A lot of us are pushing for two-factor authentication or biometrics. But at the end of the day, if we don’t have decent passwords, it’s so easy [to breach the system]. How many profiles have default passwords? We have password lengths with one or two or three characters. Once they get onto the box, they have ALLOBJ special authority. They’re not monitoring FTP or ODBC. It’s almost to the point where, if you can get to the device, you’re good to go, so the only thing we’re protecting ourselves with is physical security. And with the advent of the Internet, that just doesn’t work anymore.”
Got Security Modernization?
Application modernization is a huge deal in the IBM i space these days. But according to Tatam, security modernization should be on the list, too.
“I’ve talked to Trevor Perry and gotten on his bandwagon about we gotta stop calling it the AS/400. It’s not the same box, and I buy into that completely,” he says. “But the reality is we can still take that AS/400 code and load it in an IBM i Power server environment and not only will it run, but it runs at the full capability of the box you loaded it on. That’s a phenomenal capability–there’s no other server that can do something like that.”
“But from a security standpoint, we just keep migrating the same crap from 1993 forward to each generation of the machine without ever going back and saying, ‘Why do they need job control special authority?’ Nobody knows how to answer those questions, so they just keep propagating the issue forward with each new generation of the machine.”
Sometimes, Tatam wonders if IBM shouldn’t emulate Microsoft and force IBM i programmers to adopt newer technology. “Although I know how unpopular this approach would be, it would almost be nice to take a Microsoft and say, ‘Let’s start with a clean slate.’ We’re at the mercy of a legacy application environment that quite honestly is horrible from a security standpoint.”