Study Identifies Disturbing IBM i Security Weaknesses

    May 2, 2016 Dan Burger

    Security threats–data breaches with bruising economic consequences that are triggered from within organizations, not from outside–are beginning to grab the attention of businesses formerly passive about the risks of status quo unpreparedness. It could be just in the nick of time. “We’d be lying if we said breaches were only happening to a small percentage of IBM i systems,” says Robin Tatam, director of security technologies at HelpSystems and the author of the 2016 State of IBM i Security Study.

    This is the 13th year for the annual security report, which identifies mistakes in system configurations that open the door to a smorgasbord of sensitive data, mistakes of which most organizations remain blithely unaware.

    “When systems are so poorly configured that they can be described as ‘wide open,’ and the major source of breaches in 2015 was misconfiguration, there’s a correlation and that puts a face on risk. Selling fear is not what we want to do, but underselling risk is also not what we want to do. People need to be awakened to vulnerabilities within their perimeters and be aware that internal threats exceed external threats,” Tatam says.

    The still-common use of default passwords and other easy entry points allows quick and easy access to systems without creating much of an audit trail. Without a focus on security, and with barely a trace of an audit trail, those who believe they’ve never been breached don’t really know whether that’s true.

    Looking at user profiles with a default password (a password that’s the same as the user name), the 2016 Security Report found that 28 percent of systems had more than 100 such user profiles. One system had 2,199 user profiles with default passwords.

    This is just the tip of the iceberg. No skill is required to fix password security lapses, just some attention to details.

    Security skills do take on greater importance when the overall security picture begins to take shape and best practices are taken into account. The inability to fix security weaknesses is common.

    The study demonstrates authority is granted to users in unacceptably high numbers.

    One of the practices that Tatam repeatedly finds is what he calls the legacy mistake. It compounds itself with each system upgrade because new systems don’t get configured from scratch.

    A tape is taken from the previous system and it is loaded on the new system. It carries profiles, system values, and authorities from one generation of machines to the next. And that previous system was configured the same way. So the mirroring of a system that ran maybe 20 or more years ago finds new life in a vastly different environment.

    “We don’t circle back around after an upgrade because the urgency and understanding is not there,” Tatam says. “It’s not something that people want to take care of during system upgrades. When something breaks during the upgrade, it’s not immediately known if the upgrade caused it or configuration changes are responsible.”

    The urgency is starting to be recognized, but the understanding of how to secure the system is mostly missing.

    Without security skills on staff, companies are more likely to contract for those skills from companies that possess them.

    “It’s one of the reasons we got into security services,” says HelpSystems CEO Chris Heim. “We have an ongoing monthly service that evaluates security settings with some of our customers and we do remediation on a contract basis. That way you don’t have to be a security expert, but you do take care of security.”

    The services side of HelpSystems security business took a giant step forward with the acquisition of SkyView Partners in June 2015. As a result of the acquisition, HelpSystems’ security services business shows a 92 percent increase in customers during the past six months.

    “Services are still a relatively new effort for us,” Heim notes.

    Application security is complex. It takes a three-pronged effort to achieve success. For its part, IBM has developed tools at the operating system level and the database levels that help lock down security. At the OS level, it just introduced a feature called authority collection in i 7.3. It was designed to assist security administrators and application developers in tightening object-level security. This support will help ensure the object authority is set to the most secure value while still allowing an application to run successfully.

    Application vendors are being encouraged by IBM to use authority collection to configure their applications with more attention to security. The vendors are taking some heat for paying little mind to this in the past. Shops developing in-house applications are also being warned to get a handle on security. The vendors and the end users are the other two prongs on the three-prong security strategy. Weakness in any single area means weakness overall.

    Tatam says there are far too many applications–commercial and home-grown–created with the security model set at ALL OBJECTS. End users of applications rarely need that kind of authority. Applications that continue to sidestep security are creating security risks, Tatam says. In some cases, applications are preventing organizations from complying with regulatory mandates. As end users become more knowledgeable about security, they are expected to tighten their own development processes and to push back on vendors to create more secure apps.

    “It’s not all bad,” Tatam says. “We see applications that are very well secured. In those cases, the responsibility for not being secured (in a real world environment) is shared between the customer and the vendor. This is not a dumb terminal and twin-ax world anymore. People need help architecting security models that start with risk assessments and include a remediation plan. Home-grown apps are easier to remediate because it’s easier for companies to make adjustments compared to working with a third-party vendor, but commercial vendors need to be competitive.”

    Although authority collection has simplified the identification of excessive authority held by users who do not require it, don’t take that as a statement that application security is simple now. It is, however, more efficient and more effective than before.
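    As an added illustration of how a security administrator would use the 7.3 authority collection data described above (this is not code from the article or from HelpSystems), the query below reads the collection for a single application profile and lists objects on which the profile holds *ALL authority although the collected usage shows only *USE or *CHANGE was ever required. It assumes the collection was started for the profile with the STRAUTCOL command and that the view and column names of the QSYS2.AUTHORITY_COLLECTION service are as shown; the profile name APPUSER is a placeholder.

```sql
-- Added example, not from the article. Assumes the administrator first ran
-- STRAUTCOL for the profile under test and exercised the application for a
-- representative period, so the collection reflects real usage.
-- Column names of QSYS2.AUTHORITY_COLLECTION are assumed from the IBM i 7.3
-- SQL services; APPUSER is a placeholder profile name.
SELECT system_object_schema,
       system_object_name,
       system_object_type,
       required_authority,        -- highest authority the application actually used
       current_authority,         -- authority the profile holds today
       authority_source,          -- e.g. private, *PUBLIC, group or authorization list
       COUNT(*) AS checks_observed
  FROM qsys2.authority_collection
 WHERE authorization_name = 'APPUSER'
   AND current_authority  = '*ALL'
   AND required_authority IN ('*USE', '*CHANGE')
 GROUP BY system_object_schema, system_object_name, system_object_type,
          required_authority, current_authority, authority_source
 ORDER BY checks_observed DESC;
```

    Each row is an object whose authority can be reduced to the REQUIRED_AUTHORITY value without breaking the application as it was exercised during collection; a short collection window can miss rarely used functions, so re-run the application paths (month-end, year-end) before revoking anything.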

    It will take a couple of years before IBM i 7.3 is being used by even 20 percent of the installed base. And authority collection will run up against the lack of skills to use it as it is intended. It’s like row and column access control–not something that most people can learn to use quickly and without training.

    Authority collection is going to be a huge benefit to services teams in helping organizations architect new security models.

    “There is a lot that can be done to secure the system without touching the core applications,” Heim says. “One thing our study shows is that no matter if it is password policy or a hundred other areas, there are a lot of vulnerabilities people need to address. Fixing one area doesn’t mean you can ignore the others.”

    The 2016 State of IBM i Security Study focuses on seven areas of security:

    • Basic System Security Levels
    • Powerful Users
    • Securing Passwords and Users
    • Data Access
    • Network Access Control and Auditing
    • System Auditing
    • Anti-Virus Controls

    Findings that you should hope don’t apply to you include failure to follow best practices for overall system security as recommended by IBM and independent experts; too many user profiles with unnecessarily powerful authorities; user access to view, change, and/or delete data beyond demonstrated need; and a lack of an efficient strategy for monitoring and interpreting security data.

    An examination of the most common and dangerous IBM i security exposures can be found by downloading the study at this link.

    “We are still battling the misnomer that IBM i is inherently secure, as opposed to securable,” Tatam says. “But, I think we are making inroads. Security seminar and webinar attendance is increasing, and the State of IBM i Security Study is an ongoing exercise in awareness.”

Volume 26, Number 20 -- May 2, 2016
Copyright © 2021 IT Jungle