Keeping Up With Security Threats To IBM i

    July 27, 2015 Alex Woodie

    When it comes to security, the IBM i server is a different beast, as you well know. It’s not subject to the same sorts of malware attacks that afflict Windows, Linux, and Unix systems. But thanks to its unique architecture, it has its own peccadillos when it comes to security, and understanding those strengths and weaknesses is critical for keeping up with security on the platform. A new tool from Skyview Partners should ease the work.

In most organizations, the IBM i server runs the application of record, and as such stores the organization’s most vital data. This fact, in and of itself, makes the server a juicy target for any criminal looking to turn data into dollars. However, while the IBM i server and its databases are critical, few shops expose them on the network in front of the firewall. You’re much more likely to find a Windows or Linux box hosting a website or serving as a file or print server. For an outsider, this makes even reaching a sign-on screen much harder, let alone stealing data.

    The IBM i server’s role as a back-office workhorse means it’s subject to different threats. While the front-end Windows and Linux servers are much more likely to be poked and prodded by hackers arriving over the Internet, the IBM i server is more susceptible to internal threats. Chinese and Russian superhackers get the headlines, but the fact is that three out of four security breaches are perpetrated by disgruntled employees and other credentialed workers. This puts the IBM i server directly into the danger zone.

    IBM i security expert Robin Tatam warns companies not to take the internal threat lightly. “The big threat is from those people who have already obtained what is in essence the gold standard of what every hacker is after, which is a set of credentials that work,” the PowerTech director of security technologies recently told IT Jungle. “We’ve already handed those to employees, typically during the first few days of their hiring.”

    HVAC Matters

Some of the biggest security breaches of late were perpetrated by hackers who got their hands on legitimate user IDs and passwords. For example, the massive data breach at Target in late 2013 was the result of a cybercriminal operation that used an email phishing scheme to steal sign-on credentials from a heating, ventilation and air conditioning (HVAC) subcontractor that regularly worked at Target and had access to its internal network.

The combination of social engineering, poor security awareness among subcontractors, and well-disguised malware planted on point of sale (POS) systems proved disastrous for Target, which lost card data for tens of millions of customers and suffered losses of hundreds of millions of dollars (not to mention the ouster of its CEO). Since then, we’ve heard of breaches at many other large organizations, including Home Depot, Anthem, JP Morgan Chase, and the Office of Personnel Management (OPM), which maintained detailed background-investigation records on every federal employee who has ever received a security clearance from the government.

While the news is dour, Tatam warns not to succumb to breach fatigue. “People are so used to now hearing, ‘OK, what breach is it today?’” he says. “There’s a risk that they become complacent.” With the shock value of the breaches wearing off, some companies treat the momentary bad publicity their brand suffers as just another cost of doing business. As a result, they may not invest as much time and money in bolstering security.

    Regulation Nation

Breach fatigue may be real, but companies across many industries are getting plenty of motivation not to become complacent, thanks to stringent standards and regulations governing IT security, such as the Payment Card Industry Data Security Standard, or PCI DSS.

    If the prospect of an auditor poring through your internal systems to judge compliance with PCI DSS doesn’t strike fear into your IBM i administrator’s heart, then he probably isn’t paying attention. IBM i shops report an uptick in visits by auditors, for PCI DSS and other regulations.

To address the need for better preparation for PCI DSS audits, Skyview Partners, which was recently acquired by HelpSystems and is a sister company to PowerTech, has launched a new release of its Risk Assessor software, designed to help IBM i shops survive an audit by improving their security posture (or at least becoming more aware of it).

Risk Assessor 2.5 also brings new capabilities for investigating the permissions users have on the IBM i platform. Row and column access control (RCAC), a new security feature in IBM i 7.2, restricts which rows a user can read or change and masks what is returned from sensitive columns. But because the rules are SQL expressions evaluated against the session user and group membership at run time rather than object authorities, figuring out who can see what may not be as straightforward as auditors would like. (Things rarely are straightforward for auditors investigating IBM i shops; they’re much more used to Windows and Linux systems.)
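As an added illustration of why the RCAC “who can see what” question takes more than a permission lookup (this is example code, not from the article or from Skyview’s product): a row permission and a column mask are defined as expressions, nothing is enforced until the table is activated, and the catalog only tells you the rule text, so group membership has to be resolved separately. It assumes a hypothetical table HR.EMPLOYEE with USRPRF and SSN columns and a hypothetical group profile HRADMIN, IBM i 7.2 with the Advanced Data Security option (5770-SS1 option 47) installed, and a profile holding the QIBM_DB_SECADM function usage.

```sql
-- Added example, not from the article or Risk Assessor. Assumes a
-- hypothetical table HR.EMPLOYEE (USRPRF, SSN, ...) and group profile
-- HRADMIN; needs IBM i 7.2 option 47 and QIBM_DB_SECADM to define rules.

-- 1. Row permission: members of HRADMIN see every row; anyone else sees
--    only the row whose USRPRF equals the session user.
--    VERIFY_GROUP_FOR_USER lives in QSYS2 and returns 1 on membership.
CREATE PERMISSION HR.EMP_ROWS ON HR.EMPLOYEE
   FOR ROWS WHERE VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRADMIN') = 1
                  OR USRPRF = SESSION_USER
   ENFORCED FOR ALL ACCESS
   ENABLE;

-- 2. Column mask: HRADMIN members get the real SSN (format 'nnn-nn-nnnn');
--    everyone else gets all but the last four digits masked.
CREATE MASK HR.SSN_MASK ON HR.EMPLOYEE
   FOR COLUMN SSN RETURN
      CASE WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRADMIN') = 1
           THEN SSN
           ELSE 'XXX-XX-' CONCAT SUBSTR(SSN, 8, 4)
      END
   ENABLE;

-- 3. Neither rule does anything until the table is activated. Unlike
--    object authority, RCAC rules also apply to *ALLOBJ users.
ALTER TABLE HR.EMPLOYEE
   ACTIVATE ROW ACCESS CONTROL
   ACTIVATE COLUMN ACCESS CONTROL;

-- 4. The auditor's question, part one: which tables carry rules and what
--    do they say? The catalog gives rule text, not a list of users.
SELECT TABLE_SCHEMA, TABLE_NAME, CONTROL_TYPE, CONTROL_NAME,
       COLUMN_NAME, RULE_TEXT
  FROM QSYS2.SYSCONTROLS
 WHERE TABLE_SCHEMA = 'HR';

-- 5. Part two: the rules above key on group HRADMIN, so the membership
--    of that group (primary or supplemental) is what decides access.
SELECT AUTHORIZATION_NAME, GROUP_PROFILE_NAME, SUPPLEMENTAL_GROUP_LIST
  FROM QSYS2.USER_INFO
 WHERE GROUP_PROFILE_NAME = 'HRADMIN'
    OR SUPPLEMENTAL_GROUP_LIST LIKE '%HRADMIN%';
```

The point for an audit is step 5: the answer to “who can see unmasked SSNs” changes whenever someone is added to HRADMIN, with no change to the table, its authorities or the rules in SYSCONTROLS, so the evidence has to pair the rule text with a current snapshot of group membership.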

    SSL on IBM i

Secure Sockets Layer (SSL) has taken hits over the past year as critical vulnerabilities, the POODLE attack on SSL 3.0 among them, have been exposed in the widely used encryption protocol. IBM i shops haven’t borne the full brunt of the problems, thanks to IBM staying on top of the situation and being proactive in the move to TLS, the successor to SSL. But IBM i shops haven’t been completely shielded either, because many third-party software vendors have not yet moved beyond SSL.

Skyview says its updated tool adds a new report that makes it easier to examine and remedy the settings related to the recently exposed SSL vulnerabilities. The company says the reports are timely: PCI DSS 3.1, released in April 2015, no longer accepts SSL or early TLS (TLS 1.0) as strong cryptography and requires organizations to migrate off them.
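The settings an auditor will ask about first are the System SSL protocol and cipher lists in the QSSLPCL, QSSLCSL and QSSLCSLCTL system values. The check below is an added example, not from the article or Risk Assessor; it reads them through the QSYS2.SYSTEM_VALUE_INFO catalog view (available on IBM i 7.1 TR6 and later, an assumption about the release in use) and turns the protocol list into a verdict against the PCI DSS 3.1 wording. The same values can be shown with DSPSYSVAL SYSVAL(QSSLPCL).

```sql
-- Added example, not from the article or Risk Assessor. Assumes
-- QSYS2.SYSTEM_VALUE_INFO is present (IBM i 7.1 TR6 or later).

-- 1. Current System SSL protocol list, cipher list and cipher control.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QSSLPCL', 'QSSLCSL', 'QSSLCSLCTL');

-- 2. Audit verdict on the protocol list. QSSLPCL holds blank-separated
--    tokens such as '*TLSV1.2 *TLSV1.1 *TLSV1'; wrapping the value in
--    blanks lets '% *TLSV1 %' match the TLS 1.0 token without matching
--    '*TLSV1.1' or '*TLSV1.2'. *OPSYS means the operating-system default,
--    which differs by release and PTF level, so it needs a manual review.
SELECT SYSTEM_VALUE_NAME,
       CASE
         WHEN CURRENT_CHARACTER_VALUE LIKE '%*SSLV2%'
           OR CURRENT_CHARACTER_VALUE LIKE '%*SSLV3%'
           THEN 'FAIL: SSL 2.0/3.0 still allowed (PCI DSS 3.1)'
         WHEN ' ' CONCAT RTRIM(CURRENT_CHARACTER_VALUE) CONCAT ' '
              LIKE '% *TLSV1 %'
           THEN 'WARN: TLS 1.0 (early TLS) still allowed (PCI DSS 3.1)'
         WHEN CURRENT_CHARACTER_VALUE LIKE '%*OPSYS%'
           THEN 'REVIEW: OS default, check IBM documentation for this PTF level'
         ELSE 'PASS: TLS 1.1/1.2 only'
       END AS VERDICT,
       CURRENT_CHARACTER_VALUE AS PROTOCOLS
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QSSLPCL';
```

Remediation is a CL command, for example CHGSYSVAL SYSVAL(QSSLPCL) VALUE('*TLSV1.2 *TLSV1.1'), and takes effect for new connections once the affected servers are restarted; test it first, because clients that only speak SSL 3.0 or TLS 1.0 will stop connecting. Two caveats a practitioner should keep in mind: QSSLPCL governs only IBM’s System SSL stack (Telnet, FTP, the host servers, the HTTP server and other programs built on it), so Java applications and PASE programs that bring their own SSL library have to be checked in their own configuration, which is exactly where the third-party products mentioned above tend to lag; and a clean QSSLPCL says nothing about whether an application has overridden the protocol list in its own Digital Certificate Manager application definition.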

    According to Skyview co-founder Carol Woodbury, the new reports should help customers examine IBM i security settings in greater detail, with the goal of surviving a PCI DSS audit.

    “Security is a top priority for many CIOs, but it’s a target that’s constantly shifting,” says Woodbury, the former OS/400 security architect for IBM and currently vice president of global security services for HelpSystems. “We delivered these new reports based on strong customer requirements that we stay current with the latest laws and regulations. Risk Assessor 2.5 makes it possible for organizations to respond to changing compliance requirements and leverage IBM i’s evolving security capabilities.”

    RELATED STORIES

    State of IBM i Security? Still Horrible, After All These Years

    IBM And ISVs Fight POODLE Vulnerability In SSL 3.0

    Heartbleed Exposes The Vulnerability Of An IBM i Mentality


Volume 25, Number 38 -- July 27, 2015
Copyright © 2017 IT Jungle
