Reporting Elevated IBM i Privileges to SIEM

    December 7, 2016 Alex Woodie

    Why work hard to find a back door when you can go through the front door? This is the gist of the enlightened hacker mind, which understands there is an excess of user profiles equipped with administrative privileges floating around most shops. Now new software from Townsend Security can detangle the complexity of authority levels and give intelligent SIEM tools the data they need to keep hackers out of IBM i.

    Far too many IBM i shops weaken their security by handing out special authorities like they’re candy canes at a Christmas party. PowerTech has documented this unfortunate phenomenon quite well over the years with its annual State of IBM i Security Study, which shows the average shop has hundreds of users with *SPLCTL and *JOBCTL authorities. By contrast, user profiles with the more powerful *ALLOBJ and *SECADM authorities typically exist in the dozens (see Fig. A).

    This isn’t a theoretical problem. Cybercriminals are finding ways into IBM i systems. In 2014, Townsend Security CEO Patrick Townsend explained how compromised PCs were allowing the bad guys to launch brute force dictionary attacks in an attempt to compromise the user ID and passwords of QSECOFR user profiles. “Attacks are happening and are being successful against the IBM i,” Townsend told IT Jungle then.

    You’ll also remember the European IT worker who last year shared his recipe for IBM i privilege escalation at the annual DEF CON conference for hackers. The core of the hack was finding a way to gain access to powerful user profiles by tricking Java APIs to gain clear text versions of passwords and taking advantage of the fact that some IBM i shops assign ownership of applications and application users profiles to the same group.

    To be fair, hackers try to compromise every system by walking in the front door if they can. It’s not just IBM i servers. Taking over a user profile with elevated privilege like *ALLOBJ, or landing a QSECOFR user profile, essentially gives the hacker a “golden key” to do anything they want to the system. In the past month, system makers have issued security patches to fix privilege escalation flaws in Linux and Android OSes.

    But in this little corner of the IT jungle, the IBM i takes precedence. That’s why understanding the peculiarities of IBM i security relative to other platforms, and taking steps to address any shortcomings, should be a priority for any IBM i professional who values the integrity of his company’s and customers’ data.

    Townsend Security recently took a shot at cleaning up the sometimes confusing state of elevated privileges on the IBM i platform with an update to Alliance LogAgent, an IBM i product that packages and sends log data from the IBM i server to Security Information and Event Management (SIEM) solutions, which always run on different platforms.

    The key enhancement is the addition of a single field to the log. The newly added field does one thing: inform the SIEM tool if administrator privileges have been detected in a particular piece of log data, or not.

    Fig. A. Use of special authorities in IBM i user profiles is ridiculously high, according to PowerTech’s 2015 “State of IBM i Security” report.

    It’s a relatively simple change. But this simplicity is deceptive because untangling elevated privileges can be quite a chore in real-world IBM i systems, where regular user profiles can temporarily gain access to heightened privileges through adopted authority.

    “Many IBM i customers have struggled with identifying who on their system has elevated privileges,” the Townsend CEO says in a press release. “It is crucial to identify and strictly control these users, as cyber criminals often use privilege escalation to enable the exfiltration of sensitive data.”

    At first glance, an IBM i account may appear to have normal user privileges, but may in fact inherit higher privileges through a Group Profile or Supplemental Group Profile, Townsend says. “Alliance LogAgent now detects these elevated privileges in real time, and provides the security administrator with an easy-to-use report to identify the source of elevated privileges,” he adds. “We think this is a crucial enhancement that will help IBM i customers better secure their platforms.”

    The change works with plain vanilla SIEM solutions that speak Syslog, as well as the IBM QRadar solution, which uses the Log Event Extended Format (LEEF) standard. The software also supports the HPE ArcSight product, which speaks Common Event Format (CEF).
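    The inheritance problem described above (a profile with no special authorities of its own picking them up from its group or supplemental group profiles) and the three SIEM formats the product speaks, as an added example that is not Townsend's or Alliance LogAgent's code: the profile data is constructed, and the field names elevated/elevatedSrc, the vendor/product strings and the PRIVCHK event ID are assumptions, not the product's real schema.

```python
# Added example, not Alliance LogAgent's code: resolve effective IBM i special
# authorities via GRPPRF/SUPGRPPRF and emit a syslog/LEEF/CEF event with an elevated flag.
ADMIN_SPCAUT = {"*ALLOBJ", "*SECADM", "*SPLCTL", "*JOBCTL"}  # the four the article names

PROFILES = {  # constructed sample; keys mirror the CRTUSRPRF parameters SPCAUT/GRPPRF/SUPGRPPRF
    "APPOWNER": {"spcaut": {"*ALLOBJ", "*JOBCTL"}, "grpprf": None,     "supgrpprf": []},
    "OPSGRP":   {"spcaut": {"*SPLCTL"},            "grpprf": None,     "supgrpprf": []},
    "JSMITH":   {"spcaut": set(),                  "grpprf": "OPSGRP", "supgrpprf": ["APPOWNER"]},
    "MJONES":   {"spcaut": set(),                  "grpprf": None,     "supgrpprf": []},
}

def effective_spcaut(profiles, user):
    """Return (effective special authorities, {authority: profile granting it}).
    A user holds its own SPCAUT plus its GRPPRF's and each SUPGRPPRF's; IBM i
    group profiles do not nest, so one level of lookup is enough."""
    prof = profiles[user]
    chain = [user] + ([prof["grpprf"]] if prof["grpprf"] else []) + list(prof["supgrpprf"])
    source = {}
    for member in chain:
        for aut in profiles[member]["spcaut"]:
            source.setdefault(aut, member)  # first grantor is reported as the source
    return set(source), source

def is_elevated(auts, admin=ADMIN_SPCAUT):
    return bool(auts & admin)

def _fields(user, auts, source):
    """Extension fields shared by the three formats; elevated/elevatedSrc are hypothetical names."""
    admin = auts & ADMIN_SPCAUT
    return {"usrName": user, "spcaut": ",".join(sorted(auts)) or "*NONE",
            "elevated": "1" if admin else "0",
            "elevatedSrc": ",".join(sorted({source[a] for a in admin})) or "-"}

def syslog_event(user, auts, source):
    return "IBMi-PRIVCHK " + " ".join(f"{k}={v}" for k, v in _fields(user, auts, source).items())

def leef_event(user, auts, source):
    # LEEF 1.0 header, then tab-separated key=value pairs (the form QRadar parses).
    kv = "\t".join(f"{k}={v}" for k, v in _fields(user, auts, source).items())
    return "LEEF:1.0|Example|PrivCheck|1.0|PRIVCHK|" + kv

def cef_event(user, auts, source):
    # CEF:0 header (severity 8 if elevated, else 2); '\' and '=' must be escaped
    # in extension values, which is what esc() does.
    esc = lambda v: v.replace("\\", "\\\\").replace("=", "\\=")
    sev = 8 if is_elevated(auts) else 2
    kv = " ".join(f"{k}={esc(v)}" for k, v in _fields(user, auts, source).items())
    return f"CEF:0|Example|PrivCheck|1.0|PRIVCHK|Special authority check|{sev}|" + kv
```

    JSMITH has no SPCAUT of its own yet resolves to *ALLOBJ, *JOBCTL and *SPLCTL through APPOWNER and OPSGRP, which is exactly the case a SIEM misses when it only sees the user name.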

    Townsend has also added a new local assessment report to the new release of Alliance LogAgent. The company says the report is easy to use and will “reduce the overhead of inspecting and adjusting privileges of IBM i users.” For more information, see townsendsecurity.com.


Volume 26, Number 54 -- December 7, 2016

Copyright © 2021 IT Jungle
