Study Identifies Disturbing IBM i Security Weaknesses
May 2, 2016 Dan Burger
Security threats, specifically data breaches with bruising economic consequences that are triggered from within organizations rather than from outside, are beginning to grab the attention of businesses formerly passive about the risks of status quo unpreparedness. It could be just in the nick of time. “We’d be lying if we said breaches were only happening to a small percentage of IBM i systems,” says Robin Tatam, director of security technologies at HelpSystems and the author of the 2016 State of IBM i Security Study.
This is the 13th year for the annual security report, which identifies mistakes in system configurations that open the door to a smorgasbord of sensitive data, mistakes of which most organizations remain blithely unaware.
“When systems are so poorly configured that they can be described as ‘wide open,’ and the major source of breaches in 2015 was misconfiguration, there’s a correlation and that puts a face on risk. Selling fear is not what we want to do, but underselling risk is also not what we want to do. People need to be awakened to vulnerabilities within their perimeters and be aware that internal threats exceed external threats,” Tatam says.
The still-common use of default passwords and other easy access points to the system allows quick and easy access to systems without creating much of an audit trail. Without a focus on security and with barely a trace of an audit trail, those who believe they’ve never been breached don’t really know if that’s true.
The 2016 Security Report counts user profiles with a default password (a password that is the same as the user name): 28 percent of systems had more than 100 user profiles with default passwords. One system had 2,199 user profiles with default passwords.
This is just the tip of the iceberg. No skill is required to fix password security lapses, just some attention to details.
Security skills do take on greater importance when the overall security picture begins to take shape and best practices are taken into account. The inability to fix security weaknesses is common.
One of the practices that Tatam repeatedly finds is what he calls the legacy mistake. It compounds itself with each system upgrade because new systems don’t get configured from scratch.
A tape is taken from the previous system and it is loaded on the new system. It carries profiles, system values, and authorities from one generation of machines to the next. And that previous system was configured the same way. So the mirroring of a system that ran maybe 20 or more years ago finds new life in a vastly different environment.
“We don’t circle back around after an upgrade because the urgency and understanding is not there,” Tatam says. “It’s not something that people want to take care of during system upgrades. When something breaks during the upgrade, it’s not immediately known if the upgrade caused it or configuration changes are responsible.”
The urgency is starting to be recognized, but the understanding of how to secure the system is mostly missing.
Without security skills on staff, companies are more likely to contract those skills from companies that possess them.
“It’s one of the reasons we got into security services,” says HelpSystems CEO Chris Heim. “We have an ongoing monthly service that evaluates security settings with some of our customers and we do remediation on a contract basis. That way you don’t have to be a security expert, but you do take care of security.”
The services side of HelpSystems security business took a giant step forward with the acquisition of SkyView Partners in June 2015. As a result of the acquisition, HelpSystems’ security services business shows a 92 percent increase in customers during the past six months.
“Services are still a relatively new effort for us,” Heim notes.
Application security is complex. It takes a three-pronged effort to achieve success. For its part, IBM has developed tools at the operating system and database levels that help lock down security. At the OS level, it just introduced a feature called authority collection in i 7.3. It was designed to assist security administrators and application developers in tightening object-level security. This support will help ensure the object authority is set to the most secure value while still allowing an application to run successfully.
Application vendors are being encouraged by IBM to use authority collection to configure their applications with more attention to security. The vendors are taking some heat for paying little mind to this in the past. Shops developing in-house applications are also being warned to get a handle on security. The vendors and the end users are the other two prongs on the three-prong security strategy. Weakness in any single area means weakness overall.
Tatam says there are far too many applications, commercial and home-grown, created with the security model set at ALL OBJECTS. End users of applications rarely need that kind of authority. Applications that continue to sidestep security are creating security risks, Tatam says. In some cases, applications are preventing organizations from being compliant with regulatory mandates. As end users become more knowledgeable about security, they are expected to tighten their own development processes and to push back on vendors to create more secure apps.
“It’s not all bad,” Tatam says. “We see applications that are very well secured. In those cases, the responsibility for not being secured (in a real world environment) is shared between the customer and the vendor. This is not a dumb terminal and twin-ax world anymore. People need help architecting security models that start with risk assessments and include a remediation plan. Home-grown apps are easier to remediate because it’s easier for companies to make adjustments compared to working with a third-party vendor, but commercial vendors need to be competitive.”
Although authority collection has simplified the identification of excessive authority to users who do not require it, don’t take that as a statement that application security is simple now. It is, however, more efficient and more effective than before.
It will take a couple of years before IBM i 7.3 is being used by even 20 percent of the installed base. And authority collection will run up against the lack of skills to use it as it is intended. It’s like row and column access control: not something that most people can learn to use quickly and without training.
Authority collection is going to be a huge benefit to services teams in helping organizations architect new security models.
“There is a lot that can be done to secure the system without touching the core applications,” Heim says. “One thing our study shows is that no matter if it is password policy or a hundred other areas, there are a lot of vulnerabilities people need to address. Fixing one area doesn’t mean you can ignore the others.”
The 2016 State of IBM i Security Study focuses on seven areas of security:
Findings that you should hope don’t apply to you include failure to follow best practices for overall system security as recommended by IBM and independent experts; too many user profiles with unnecessarily powerful authorities; user access to view, change, and/or delete data beyond demonstrated need; and a lack of an efficient strategy for monitoring and interpreting security data.
An examination of the most common and dangerous IBM i security exposures can be found by downloading the study at this link.
“We are still battling the misnomer that IBM i is inherently secure, as opposed to securable,” Tatam says. “But, I think we are making inroads. Security seminar and webinar attendance is increasing, and the State of IBM i Security Study is an ongoing exercise in awareness.”