Reporting Elevated IBM i Privileges to SIEM

    December 7, 2016 Alex Woodie

    Why work hard to find a back door when you can go through the front door? This is the gist of the enlightened hacker mind, which understands there is an excess of user profiles equipped with administrative privileges floating around most shops. Now new software from Townsend Security can detangle the complexity of authority levels and give intelligent SIEM tools the data they need to keep hackers out of IBM i.

    Far too many IBM i shops weaken their security by handing out special authorities like they’re candy canes at a Christmas party. PowerTech has documented this unfortunate phenomenon quite well over the years with its annual State of IBM i Security Study, which shows the average shop has hundreds of users with *SPLCTL and *JOBCTL authorities. By contrast, user profiles with the more powerful *ALLOBJ and *SECADM authorities typically exist in the dozens (see Fig. A).

    This isn’t a theoretical problem. Cybercriminals are finding ways into IBM i systems. In 2014, Townsend Security CEO Patrick Townsend explained how compromised PCs were allowing the bad guys to launch brute force dictionary attacks in an attempt to compromise the user IDs and passwords of QSECOFR user profiles. “Attacks are happening and are being successful against the IBM i,” Townsend told IT Jungle then.

    You’ll also remember the European IT worker who last year shared his recipe for IBM i privilege escalation at the annual DEF CON conference for hackers. The core of the hack was finding a way to gain access to powerful user profiles by tricking Java APIs into yielding clear text versions of passwords, and taking advantage of the fact that some IBM i shops assign ownership of applications and application user profiles to the same group.

    To be fair, hackers try to compromise every system by walking in the front door if they can. It’s not just IBM i servers. Taking over a user profile with elevated privilege like *ALLOBJ, or landing a QSECOFR user profile, essentially gives the hacker a “golden key” to do anything they want to the system. In the past month, system makers have issued security patches to fix privilege escalation flaws in Linux and Android OSes.

    But in this little corner of the IT jungle, the IBM i takes precedence. That’s why understanding the peculiarities of IBM i security relative to other platforms, and taking steps to address any shortcomings, should be a priority for any IBM i professional who values the integrity of his company’s and customers’ data.

    Townsend Security recently took a shot at cleaning up the sometimes confusing state of elevated privileges on the IBM i platform with an update to Alliance LogAgent, an IBM i product that packages and sends log data from the IBM i server to Security Information and Event Management (SIEM) solutions, which always run on different platforms.

    The key enhancement is the addition of a single field to the log. The newly added field does one thing: inform the SIEM tool if administrator privileges have been detected in a particular piece of log data, or not.

    Fig. A. Use of special authorities in IBM i user profiles is ridiculously high, according to PowerTech’s 2015 “State of IBM i Security” report.

    It’s a relatively simple change. But this simplicity is deceptive because untangling elevated privileges can be quite a chore in real-world IBM i systems, where regular user profiles can temporarily gain access to heightened privileges through adopted authority.

    “Many IBM i customers have struggled with identifying who on their system has elevated privileges,” the Townsend CEO says in a press release. “It is crucial to identify and strictly control these users, as cyber criminals often use privilege escalation to enable the exfiltration of sensitive data.”

    At first glance, an IBM i account may appear to have normal user privileges, but may in fact inherit higher privileges through a Group Profile or Supplemental Group Profile, Townsend says. “Alliance LogAgent now detects these elevated privileges in real time, and provides the security administrator with an easy-to-use report to identify the source of elevated privileges,” he adds. “We think this is a crucial enhancement that will help IBM i customers better secure their platforms.”

    The change works with plain vanilla SIEM solutions that speak Syslog, as well as the IBM QRadar solution, which uses the Log Event Extended Format (LEEF) standard. The software also supports the HPE ArcSight product, which speaks Common Event Format (CEF).
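As an added illustration of the two mechanisms the article touches on, privilege inherited through a Group Profile or Supplemental Group Profile and a single elevated-privilege field delivered to a SIEM in LEEF or CEF, the following Python is example code written for this page; it is not Alliance LogAgent's code and does not reproduce its output. The profile records, the vendor/product strings and the attribute names (elevatedPrivilege, privilegeSource) are constructed for the example; the special authority names and the LEEF 1.0 and CEF header layouts are the standard ones. The rule that any effective special authority counts as "elevated" is this example's simplification, not the product's.

```python
"""Resolve effective IBM i special authorities through group profiles and
flag them in a SIEM-bound event (constructed example for this article)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The eight IBM i special authorities. Treating any effective one as
# "elevated" is this example's rule, not the product's.
SPECIAL_AUTHORITIES = {"*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
                       "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL"}


@dataclass
class UserProfile:
    name: str
    special_authorities: set = field(default_factory=set)          # SPCAUT on the profile itself
    group: Optional[str] = None                                    # GRPPRF
    supplemental_groups: List[str] = field(default_factory=list)   # SUPGRPPRF


def effective_special_authorities(profiles: Dict[str, UserProfile], user: str) -> Dict[str, str]:
    """Map each special authority USER effectively holds to the profile granting it.

    Special authorities are additive: a user holds the union of its own SPCAUT
    and those of its group and supplemental group profiles. One level is
    resolved, which is the inheritance the article describes.
    """
    prof = profiles[user]
    sources = {auth: prof.name for auth in prof.special_authorities}
    groups = ([prof.group] if prof.group else []) + list(prof.supplemental_groups)
    for grp in groups:
        for auth in profiles[grp].special_authorities:
            sources.setdefault(auth, grp)   # first grantor is the reported source
    unknown = set(sources) - SPECIAL_AUTHORITIES
    if unknown:
        raise ValueError(f"unknown special authority: {sorted(unknown)}")
    return sources


def is_elevated(profiles: Dict[str, UserProfile], user: str) -> bool:
    """The one-bit answer the SIEM field carries: any effective special authority?"""
    return bool(effective_special_authorities(profiles, user))


def _source_list(sources: Dict[str, str]) -> str:
    return ";".join(f"{a}:{s}" for a, s in sorted(sources.items())) or "none"


def leef_event(vendor: str, product: str, version: str, event_id: str,
               user: str, sources: Dict[str, str]) -> str:
    """LEEF 1.0: pipe-delimited header, then tab-separated key=value attributes.
    usrName is a LEEF predefined key; the other two keys are constructed here."""
    attrs = {
        "usrName": user,
        "elevatedPrivilege": "true" if sources else "false",
        "privilegeSource": _source_list(sources),
    }
    header = f"LEEF:1.0|{vendor}|{product}|{version}|{event_id}|"
    return header + "\t".join(f"{k}={v}" for k, v in attrs.items())


def cef_event(vendor: str, product: str, version: str, sig_id: str, name: str,
              severity: int, user: str, sources: Dict[str, str]) -> str:
    """CEF: pipe-delimited header, then space-separated extension key=value pairs.
    suser is CEF's source-user key; cs1/cs2 are its generic custom-string slots.
    Values here contain no spaces, pipes or '=', so no CEF escaping is needed."""
    ext = (f"suser={user} "
           f"cs1Label=elevatedPrivilege cs1={'true' if sources else 'false'} "
           f"cs2Label=privilegeSource cs2={_source_list(sources)}")
    return f"CEF:0|{vendor}|{product}|{version}|{sig_id}|{name}|{severity}|{ext}"


def assessment_report(profiles: Dict[str, UserProfile]) -> List[str]:
    """One line per profile with effective special authority, naming each grantor,
    in the spirit of the local assessment report the article mentions."""
    lines = []
    for name in sorted(profiles):
        srcs = effective_special_authorities(profiles, name)
        if srcs:
            detail = ", ".join(f"{a} ({'own' if s == name else 'via ' + s})"
                               for a, s in sorted(srcs.items()))
            lines.append(f"{name}: {detail}")
    return lines


def sample_profiles() -> Dict[str, UserProfile]:
    """Constructed data: PAYCLERK has no SPCAUT of its own but inherits *JOBCTL
    from its group and *ALLOBJ/*SAVSYS from a supplemental group."""
    return {
        "PAYGRP":   UserProfile("PAYGRP", {"*JOBCTL"}),
        "OPSGRP":   UserProfile("OPSGRP", {"*ALLOBJ", "*SAVSYS"}),
        "PAYCLERK": UserProfile("PAYCLERK", set(), group="PAYGRP", supplemental_groups=["OPSGRP"]),
        "AUDITOR":  UserProfile("AUDITOR", {"*AUDIT"}),
        "INTERN":   UserProfile("INTERN", set()),
    }


if __name__ == "__main__":
    profs = sample_profiles()
    for line in assessment_report(profs):
        print(line)
    for user in ("PAYCLERK", "INTERN"):
        srcs = effective_special_authorities(profs, user)
        print(leef_event("ExampleVendor", "ExampleAgent", "1.0", "USER_SIGNON", user, srcs))
        print(cef_event("ExampleVendor", "ExampleAgent", "1.0", "SIGNON", "User signon", 5, user, srcs))
```

The point of the report output is the "via" column: PAYCLERK shows as an ordinary profile if only its own SPCAUT is inspected, and only the group resolution reveals that it effectively holds *ALLOBJ.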

    Townsend has also added a new local assessment report to the new release of Alliance LogAgent. The company says the report is easy to use and will “reduce the overhead of inspecting and adjusting privileges of IBM i users.” For more information, see townsendsecurity.com.

    RELATED STORIES

    Clearing Up IBM i Security Confusion

    Hacker Defends DEF CON Talk on IBM i Vulns

    Did IBM i Just Get Hacked at DEF CON?

    State of IBM i Security? Still Horrible, After All These Years

    Do ‘Non-Standard’ OSes Like IBM i Pose Security Risks?

    New Approaches Needed For Hyperscale Security Threats

    Starving For IBM i Security Skills

    Townsend Launches 2FA To Thwart Cyber Attacks On IBM i


Volume 26, Number 54 -- December 7, 2016