Keeping Up With Security Threats To IBM i
July 27, 2015 Alex Woodie
When it comes to security, the IBM i server is a different beast, as you well know. It’s not subject to the same sorts of malware attacks that afflict Windows, Linux, and Unix systems. But thanks to its unique architecture, it has its own peccadillos when it comes to security, and understanding those strengths and weaknesses is critical for keeping up with security on the platform. A new tool from Skyview Partners should ease the work.
In most organizations, the IBM i server runs the application of record, and as such stores the organization’s most vital data. This fact, in and of itself, makes the server a juicy target for any criminal looking to turn data into dollars. However, while the IBM i server and its databases are critical, few shops put them on the network in front of the firewall. You’re much more likely to find a Windows or Linux box hosting a website or serving as a file or print server. This makes just getting a sign-on screen much harder, let alone trying to steal data.
The IBM i server’s role as a back-office workhorse means it’s subject to different threats. While the front-end Windows and Linux servers are much more likely to be poked and prodded by hackers arriving over the Internet, the IBM i server is more susceptible to internal threats. Chinese and Russian superhackers get the headlines, but the fact is that three out of four security breaches are perpetrated by disgruntled employees and other credentialed workers. This puts the IBM i server directly into the danger zone.
IBM i security expert Robin Tatam warns companies not to take the internal threat lightly. “The big threat is from those people who have already obtained what is in essence the gold standard of what every hacker is after, which is a set of credentials that work,” the PowerTech director of security technologies recently told IT Jungle. “We’ve already handed those to employees, typically during the first few days of their hiring.”
Some of the biggest security breaches of late were perpetrated by hackers who got their hands on legitimate user IDs and passwords. For example, the massive data breach at Target in late 2013 was the result of a cybercriminal operation that used an email phishing scheme to steal sign-on credentials from a heating, ventilation and air conditioning (HVAC) subcontractor that regularly worked at Target and had access to its internal network.
The combination of social hacking skills, poor security awareness of subcontractors, and well-disguised malware placed into point of sale (POS) systems proved deadly for Target, which lost card data for tens of millions of customers and suffered losses of hundreds of millions of dollars (not to mention the ouster of its CEO). Since then, we’ve heard of breaches at many other large companies, including Home Depot, Anthem, JP Morgan Chase, and the Office of Personnel Management (OPM), which maintained detailed histories of every federal employee who’s ever received security clearances from the government.
While the news is dour, Tatam warns not to succumb to breach fatigue. “People are so used to now hearing, ‘OK what breach is it today?’” he says. “There’s a risk that they become complacent.” With the shock value of the breaches wearing off, some companies are considering the momentary bad publicity that their brand suffers just another cost of doing business. As a result, they may not invest as much time and resources into bolstering security.
Breach fatigue may be real, but companies across many industries are getting plenty of motivation not to become complacent thanks to stringent new regulations governing IT security, such as the Payment Cardholder Industry Data Security Standard, or PCI DSS.
If the prospect of an auditor poring through your internal systems to judge compliance with PCI DSS doesn’t strike fear into your IBM i administrator’s heart, then he probably isn’t paying attention. IBM i shops report an uptick in visits by auditors, for PCI DSS and other regulations.
To address the need for better preparation for PCI DSS audits, Skyview Partners, which was recently bought by HelpSystems and is a sister company to PowerTech, recently launched a new release of its Risk Assessor software designed to help IBM i shops survive an audit by improving their security posture (or at least becoming more aware of it).
Risk Assessor 2.5 also brings new capabilities for investigating permissions that users have on the IBM i platform. The advent of role and column access control (RBAC) is a powerful new security feature in IBM i 7.2 that restricts what data users can see, but figuring out who can see what may not be as straightforward as auditors would like. (Things rarely are straightforward for auditors who are investigating IBM i shops; they’re much more used to Windows and Linux systems.)
SSL on IBM i
Secure Sockets Layer (SSL) has taken hits over the past year as critical vulnerabilities have been exposed in the popular encryption technology. IBM i shops haven’t borne the full brunt of the problems, thanks to IBM staying on top of the situation and being proactive in the move to TLS, the successor to SSL. But IBM i shops haven’t been completely shielded either, because many third-party software vendors have not yet moved beyond SSL.
Skyview says its updated tool adds a new report that makes it easier to examine and remedy settings related to recently exposed vulnerabilities in SSL. The company says the new reports are timely, as the most recent version of PCI DSS (version 3) requires organizations to eliminate use of SSL.
According to Skyview co-founder Carol Woodbury, the new reports should help customers examine IBM i security settings in greater detail, with the goal of surviving a PCI DSS audit.
“Security is a top priority for many CIOs, but it’s a target that’s constantly shifting,” says Woodbury, the former OS/400 security architect for IBM and currently vice president of global security services for HelpSystems. “We delivered these new reports based on strong customer requirements that we stay current with the latest laws and regulations. Risk Assessor 2.5 makes it possible for organizations to respond to changing compliance requirements and leverage IBM i’s evolving security capabilities.”