Study Identifies Disturbing IBM i Security Weaknesses

May 2, 2016 Dan Burger

Security threats–data breaches with bruising economic consequences that are triggered from within organizations, not outside–are beginning to grab the attention businesses formerly passive about the risks of status quo unpreparedness. Could be just in the nick of time. “We’d be lying if we said breaches were only happening to a small percentage of IBM i systems,” says Robin Tatam, director of security technologies at HelpSystems and the author of 2016 State of IBM i Security Study.

This is the 13th year for the annual security report that identifies mistakes in system configurations that open the door to a smorgasbord of sensitive data and most organizations remain blithely unaware.

“When systems are so poorly configured that they can be described as ‘wide open,’ and the major source of breaches in 2015 was misconfiguration, there’s a correlation and that puts a face on risk. Selling fear is not what we want to do, but underselling risk is also not what we want to do. People need to be awakened to vulnerabilities within their perimeters and be aware that internal threats exceed external threats,” Tatam says.

The still-common use of default passwords and other easy access points to the system allows quick and easy access to systems without creating much of an audit trail. Without a focus on security and with barely a trace of an audit trail, those who believe they’ve never been breached don’t really know if that’s true.

In the 2016 Security Report, user profiles with a default password (a password that’s the same as the user name), 28 percent of systems had more than 100 user profiles with default passwords. One system had 2,199 user profiles with default passwords.

This is just the tip of the iceberg. No skill is required to fix password security lapses, just some attention to details.

Security skills do take on greater importance when the overall security picture begins to take shape and best practices are taken into account. The inability to fix security weaknesses is common.

The study demonstrates authority is granted to users in unacceptably high numbers.

One of the practices that Tatam repeatedly finds is what he calls the legacy mistake. It compounds itself with each system upgrade because new systems don’t get configured from scratch.

A tape is taken from the previous system and it is loaded on the new system. It carries profiles, system values, and authorities from one generation of machines to the next. And that previous system was configured the same way. So the mirroring of a system that ran maybe 20 or more years ago finds new life in a vastly different environment.

“We don’t circle back around after an upgrade because the urgency and understanding is not there,” Tatam says. “It’s not something that people want to take care of during system upgrades. When something breaks during the upgrade, it’s not immediately known if the upgrade caused it or configuration changes are responsible.”

The urgency is starting to be recognized, but the understanding of how to secure the system is mostly missing.

Without security skills on staff, companies are more likely to contract hire those skills from companies that possess the skills.

“It’s one of the reasons we got into security services,” says HelpSystems CEO Chris Heim. “We have an ongoing monthly service that evaluates security settings with some of our customers and we do remediation on a contract basis. That way you don’t have to be a security expert, but you do take care of security.”

The services side of HelpSystems security business took a giant step forward with the acquisition of SkyView Partners in June 2015. As a result of the acquisition, HelpSystems’ security services business shows a 92 percent increase in customers during the past six months.

“Services are still a relatively new effort for us,” Heim notes.

Application security is complex. It takes a three-pronged effort to achieve success. For its part, IBM has developed tools at the operating system level and the database levels that help lock down security. At the OS level, it just introduced a feature called authority collection in i 7.3. It was designed to assist security administrators and application developers in tightening object-level security. This support will help ensure the object authority is set to the most secure value while still allowing an application to run successfully.

Application vendors are being encouraged by IBM to use authority collection to configure their applications with more attention to security. The vendors are taking some heat for paying little mind to this in the past. Shops developing in-house applications are also being warned to get a handle on security. The vendors and the end users are the other two prongs on the three-prong security strategy. Weakness in any single area means weakness overall.

Tatam says there are far too many applications–commercial and home-grown–created with the security model set at ALL OBJECTS. End users of applications rarely need that kind of authority. Applications that continue to side step security are creating security risks, Tatam says. In some cases, applications are preventing organizations from being compliant with regulatory mandates. As end users become more knowledgeable about security, they are expected tighten their own development processes and to push back on vendors to create more secure apps.

“It’s not all bad,” Tatam says. “We see applications that are very well secured. In those cases, the responsibility for not being secured (in a real world environment) is shared between the customer and the vendor. This is not a dumb terminal and twin-ax world anymore. People need help architecting security models that start with risk assessments and include a remediation plan. Home-grown apps are easier to remediate because it’s easier for companies to make adjustments compared to working with a third-party vendor, but a commercial vendors need to be competitive.”

Although authority collection has simplified the identification of excessive authority to users who do not require it, don’t take that as a statement that application security is simple now. It is, however, more efficient and more effective than before.

It will take a couple years before IBM i 7.3 is being used by even 20 percent of the installed base. And authority collection will run up against the lack of skills to use it as it is intended. It’s like row and access control–not something that most people can learn to use quickly and without training.

Authority collection is going to be a huge benefit to services teams in helping organizations architect new security models.

“There is a lot that can be done to secure the system without touching the core applications,” Heim says. “One thing our study shows is that no matter if it is password policy or a hundred other areas, there are a lot of vulnerabilities people need to address. Fixing one area doesn’t mean you can ignore the others.”

The 2016 State of IBM i Security Study focuses on seven areas of security:

Basic System Security Levels
Powerful Users
Securing Passwords and Users
Data Access
Network Access Control and Auditing
System Auditing
Anti-Virus Controls

Findings that you should hope don’t apply to you include failure to follow best practices for overall system security as recommended by IBM and independent experts; too many user profiles with unnecessarily powerful authorities; user access to view, change, and/or delete data beyond demonstrated need; and a lack an efficient strategy for monitoring and interpreting security data.

An examination of the most common and dangerous IBM i security exposures can be found by downloading the study at this link.

“We are still battling the misnomer that IBM i is inherently secure, as opposed to securable,” Tatam says. “But, I think we are making inroads. Security seminar and webinar attendance is increasing, and the State of IBM i Security Study is an ongoing exercise in awareness.”

RELATED STORIES

IBM i 7.3: High Time For High Security

Testing For Security Inadequacies

Clearing Up IBM i Security Confusion

State of IBM i Security? Still Horrible, After All These Years

IBM i 7.2 Tightens Data Access And Security

Tags:

Best Practices for Doing IBM i Cloud Backup & DRaaS Right

In the technology business for 30+ years including more than a decade in cloud backup and disaster recovery, we’ve learned a few things along the way. Here are best practices to follow – and land mines to avoid.

RELIABILITY. Up to 71% of restores from tape contain failures.

BEST PRACTICE: Use disk-to-disk technology for backups.

With disk-to-disk technology, your backup data resides on disk drives, proven to be far more reliable than tapes. When your backup completes, you know the data is secure and accessible on the disk drive. With tapes you never really know if your data is usable until you try to restore it, at which point it’s too late.

BREADTH OF OFFERING. Choice in product and service offerings meet your business’ needs.

BEST PRACTICE: Don’t settle for less than what you need.

Vendor offerings vary widely. Some are designed primarily for consumers and others for enterprise data centers. Choose a solution that scales and offers the features you need to provide the level of service you expect. De-duplication and delta-block technologies will improve performance, reduce your data footprint and save you money. Find out if their de-duplication offering is at the file level or the block level. Make sure the solution can back up servers, PCs, and laptops as well your applications.

SECURITY. 60% of organizations using tapes don’t encrypt their backups.

BEST PRACTICE: End-to-end encryption with no “back door.”

Using encryption with tape makes backups run slowly and often takes too long to fit within a backup window. As a result, most people simply turn encryption off, creating a security risk. Even with the physical safety of disk-to-disk backup, encryption is essential. Look for 256-bit AES. Find a solution that encrypts your data during transmission and storage. Make certain there isn’t a “back door” that would let someone else view your data.

ACCESSIBILITY. Companies waste thousands of hours waiting on tapes.

BEST PRACTICE: Ensure that you can get your data back with minimal delay.

You should have direct access to your backups, with no time spent on physical transport (no trucks, no warehouses). Restores should take minutes, not hours or days. Set yourself up to work with your data, not wait for it. Make sure your solution provider can meet your Return-to-Operations (RTO) and Recovery Point Objectives (RPO) which determine how quickly you can recover your data and maintain business continuity. Inquire about onsite and offsite replication that provide both improved performance and a solid disaster recovery strategy.

CYBER SECURITY. More than 80 percent of U.S. companies have been successfully hacked, according to a Duke University/CFO Magazine Global Business Outlook Survey.

BEST PRACTICE: Regular cyber security training and phishing tests for all employees using company email are essential to your organization.

Your end-users are the weak link in your network security. Today, your employees are frequently exposed to advanced phishing attacks. Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack. Be sure your vendor of choice includes cyber security training as part of their backup and DR package.

SCALABILITY. Some backup systems can’t scale readily.

BEST PRACTICE: Invest in a data protection architecture that can grow with your business.

You should be able to back up your data no matter how large it grows. Starting small? Look for an option that handles your backups automatically. Then, as you grow, gives you tools to manage complex environments. Look for “changes-only” and compression technologies to speed backups and save space. And insist on bandwidth throttling to balance traffic and ensure network availability for your other business applications. Make sure that their solution offerings rely on common technology to scale easily as your business––and data––grow.

COST-EFFECTIVENESS

BEST PRACTICE: Calculate the true total cost of tape-based back up.

A 2019 Server OS Reliability Survey found that one hour of downtime costs at least $100K for 98% of companies to over $5 million for 34% of surveyed companies. When you do the math, the dollars make sense: Go with disk-to-disk. Unlike tape, there are close to zero handling costs—no rush deliveries, loading, accessing, locating, or repeated steps. And there’s one benefit you can’t factor directly: Reputation. Reliability and security can make an incalculable difference with just one avoided breach or failure.

COMPLIANCE. Most companies have problems satisfying privacy, security, and data retention regulations.

BEST PRACTICE: Choose a data protection partner who has deep know-how about compliance, and the technology to ensure it.

Disaster Recovery. Most companies lack a comprehensive, tested plan for disasters.

BEST PRACTICE: Find a vendor that delivers a complete DR solution.

You can’t say your data protection is complete until you have a disaster recovery plan that is itself complete and tested. Your backup vendor should have both the product mix and professional services team to help you prepare for a worst-case scenario. Make sure they can help configure your backups so you rebound quickly. Best bet: A vendor who can train you to deal with disasters confidently, based on your company’s actual configuration.

EASE OF USE. Some companies don’t —or can’t—manage their backups from one place.

BEST PRACTICE: Get control and reporting you can use anywhere, with ease. Managing your backup environment should be simple, and the software you use should eliminate any guesswork that could lead to lost data. You should know at all times if your data is protected across your entire network—including remote offices—by simply looking at a dashboard. The software should be simple to configure using wizards, yet powerful enough to meet your specific needs with customizable views, job propagation, and roles-based security.

OPERATING SYSTEM AND PLATFORM SUPPORT. Most backup vendors support a limited range of OS, server types, and applications.

BEST PRACTICE: Look for broad and deep technology that supports your complete environment. Your backup solution should accommodate your environment, not vice versa.

CUSTOMER SUPPORT. Backup vendors’ product support varies widely.

BEST PRACTICE: Find a vendor whose support is passionate, maybe even slightly obsessed. Customer support should be one of your vendor’s main selling points. You shouldn’t have to wonder if they’ll be there to help when you need them most. Do they offer phone support or email only, and who exactly are you talking to when you call that 800 number? Find a vendor that will treat your data as if it were their own.

REPUTATION. Does your backup vendor have a quality reputation and the financial resources to stay in business for the long haul?

BEST PRACTICE: Find a vendor with strong financial backing and customer references. There are a lot of vendors that have come and gone. When you consider a service provider, look for one that has strong financial backing, a solid business plan and the ability to be in business as long as your data needs to be stored. Ask for customer references and case studies as their customers are the best validation you can get.

Visit VAULT400.com/proposal to receive a FREE analysis and proposal

DOWNLOAD SOLUTIONS BRIEF:
Best Practices for IBM i Cloud Backup & Recovery

DURING THIS UNPRECEDENTED TIME, DON’T WAIT FOR YOUR BUSINESS
TO SUFFER A DISASTER TO TAKE ACTION.

Serving the US, Canada, & Latin America

VAULT400 Cloud Backup & DRaaS is an IBM Server Proven Solution.

800.211.8798 | info@ucgtechnologies.com| ucgtechnologies.com/cloud

To the First Responders serving on the front-lines during the COVID-19 pandemic,
we extend our heartfelt gratitude.