Reporting Elevated IBM i Privileges to SIEM

    December 7, 2016 Alex Woodie

    Why work hard to find a back door when you can go through the front door? This is the gist of the enlightened hacker mind, which understands there is an excess of user profiles equipped with administrative privileges floating around most shops. Now new software from Townsend Security can detangle the complexity of authority levels and give intelligent SIEM tools the data they need to keep hackers out of IBM i.

    Far too many IBM i shops weaken their security by handing out special authorities like they’re candy canes at a Christmas party. PowerTech has documented this unfortunate phenomenon quite well over the years with its annual State of IBM i Security Study, which shows the average shop has hundreds of users with *SPLCTL and *JOBCTL authorities. By contrast, user profiles with the more powerful *ALLOBJ and *SECADM authorities typically exist in the dozens (see Fig. A).

    This isn’t a theoretical problem. Cybercriminals are finding ways into IBM i systems. In 2014, Townsend Security CEO Patrick Townsend explained how compromised PCs were allowing the bad guys to launch brute force dictionary attacks in an attempt to compromise the user IDs and passwords of QSECOFR user profiles. “Attacks are happening and are being successful against the IBM i,” Townsend told IT Jungle then.

    You’ll also remember the European IT worker who last year shared his recipe for IBM i privilege escalation at the annual DEF CON conference for hackers. The core of the hack was finding a way to gain access to powerful user profiles by tricking Java APIs into yielding clear text versions of passwords, and taking advantage of the fact that some IBM i shops assign ownership of applications and application user profiles to the same group.

    To be fair, hackers try to compromise every system by walking in the front door if they can. It’s not just IBM i servers. Taking over a user profile with elevated privilege like *ALLOBJ, or landing a QSECOFR user profile, essentially gives the hacker a “golden key” to do anything they want to the system. In the past month, system makers have issued security patches to fix privilege escalation flaws in Linux and Android OSes.

    But in this little corner of the IT jungle, the IBM i takes precedence. That’s why understanding the peculiarities of IBM i security relative to other platforms, and taking steps to address any shortcomings, should be a priority for any IBM i professional who values the integrity of his company’s and customers’ data.

    Townsend Security recently took a shot at cleaning up the sometimes confusing state of elevated privileges on the IBM i platform with an update to Alliance LogAgent, an IBM i product that packages and sends log data from the IBM i server to Security Information and Event Management (SIEM) solutions, which always run on different platforms.

    The key enhancement is the addition of a single field to the log. The newly added field does one thing: it tells the SIEM tool whether or not administrator privileges were detected in a particular piece of log data.

    Fig. A. Use of special authorities in IBM i user profiles is ridiculously high, according to PowerTech’s 2015 “State of IBM i Security” report.

    It’s a relatively simple change. But this simplicity is deceptive because untangling elevated privileges can be quite a chore in real-world IBM i systems, where regular user profiles can temporarily gain access to heightened privileges through adopted authority.

    “Many IBM i customers have struggled with identifying who on their system has elevated privileges,” the Townsend CEO says in a press release. “It is crucial to identify and strictly control these users, as cyber criminals often use privilege escalation to enable the exfiltration of sensitive data.”

    At first glance, an IBM i account may appear to have normal user privileges, but may in fact inherit higher privileges through a Group Profile or Supplemental Group Profile, Townsend says. “Alliance LogAgent now detects these elevated privileges in real time, and provides the security administrator with an easy-to-use report to identify the source of elevated privileges,” he adds. “We think this is a crucial enhancement that will help IBM i customers better secure their platforms.”

    The change works with plain vanilla SIEM solutions that speak Syslog, as well as the IBM QRadar solution, which uses the Log Event Extended Format (LEEF) standard. The software also supports the HPE ArcSight product, which speaks Common Event Format (CEF).
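The two ideas above, inherited privilege through group and supplemental group profiles and a single elevated-privilege field in the outbound event, can be illustrated with a small resolver. This is an added example, not Alliance LogAgent code: the profiles, vendor/product strings and the custom field names are constructed, it models group inheritance only (not adopted authority), and the event is written in CEF as one of the formats the article names.

```python
# Added example (not Townsend Security's code). Resolves a user's effective
# special authorities through its group and supplemental group profiles,
# then emits a CEF event carrying an elevated-privilege flag and its source.

ADMIN_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL"}

# Constructed sample profiles: name -> (own special authorities, group, supplemental groups)
PROFILES = {
    "QSECOFR": ({"*ALLOBJ", "*SECADM"}, None, []),
    "OPSGRP":  ({"*JOBCTL", "*SPLCTL"}, None, []),
    "ADMGRP":  ({"*ALLOBJ"}, None, []),
    "JSMITH":  (set(), "OPSGRP", ["ADMGRP"]),  # looks ordinary, inherits *ALLOBJ via ADMGRP
    "MJONES":  (set(), None, []),
}

def effective_authorities(user, profiles=PROFILES):
    """Return {authority: profile it came from}, including inherited ones."""
    own, group, supp = profiles[user]
    result = {a: user for a in own}
    for g in ([group] if group else []) + list(supp):
        for a in profiles[g][0]:
            result.setdefault(a, g)  # a direct grant outranks an inherited one
    return result

def is_elevated(user, profiles=PROFILES):
    return any(a in ADMIN_AUTHORITIES for a in effective_authorities(user, profiles))

def cef_escape(value):
    # CEF extension values must escape backslash, '=' and newline.
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def cef_event(user, event_name, profiles=PROFILES):
    """Build a CEF:0 line; event_name is assumed to contain no '|'."""
    auths = effective_authorities(user, profiles)
    elevated = any(a in ADMIN_AUTHORITIES for a in auths)
    sources = sorted({src for a, src in auths.items() if a in ADMIN_AUTHORITIES})
    ext = {
        "suser": user,
        "cs1Label": "elevatedPrivilege",  # constructed custom field, mirrors the article's flag
        "cs1": "1" if elevated else "0",
        "cs2Label": "privilegeSource",     # which profile(s) the elevation came from
        "cs2": ",".join(sources) if sources else "none",
    }
    header = ("CEF:0|ExampleVendor|ExampleIBMiAgent|1.0|PRIV|" + event_name
              + "|" + ("8" if elevated else "3") + "|")
    return header + " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())

if __name__ == "__main__":
    for u in ("JSMITH", "MJONES"):
        print(cef_event(u, "signon"))
```

JSMITH has no special authority of its own yet is flagged, with both contributing group profiles named, which is the case a SIEM correlation rule keyed only on the user's own authorities would miss.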

    Townsend has also added a new local assessment report to the new release of Alliance LogAgent. The company says the report is easy to use and will “reduce the overhead of inspecting and adjusting privileges of IBM i users.” For more information, see townsendsecurity.com.


Volume 26, Number 54 -- December 7, 2016