IBM i Data Vulnerable, Security Report Says
May 9, 2018 Alex Woodie
HelpSystems last month published its 15th annual State of Security report, in which it summarizes the security checks that it performs on its clients and prospects’ IBM i servers over the course of a year. This year’s report covers 158 systems, and if the results are to be extrapolated to the IBM i installed base as a whole, then there’s a lot of vulnerable data out there.
If you’ve followed the HelpSystems and PowerTech reports over the years, then you’ve likely been made award of the irony that lies at the heart of IBM i security. The contradiction is this: While IBM developed a server architecture that is eminently secure-able, the majority of actual IBM i implementations are not secure.
In fact, the reports have shown that many of these IBM i systems are essentially wide open. Thanks to the use of default passwords, regular user profiles with administrative privileges, no oversight of network exit points, and a decided lack of auditing, IBM i shops have a lot of work to do in the security department.
Not every system is wide open, of course – some have been found to be well-secured, with strong passwords, locked-down exit points, restrictive user profiles, and a high security level (40 or higher). It’s also worth mentioning that there is a selection bias at work in HelpSystems’ survey methodology, since it’s the organizations that realize they need to improve their security that are more likely to seek a security assessment in the first place (although that security awareness could also bias the data the other way, too).
While it’s not perfect, HelpSystems’ annual report is the best glimpse we have into the state of average IBM i users’ security posture. With that said, here are the findings from this year’s report.
Setting the security level (QSECURITY) is one of the easiest things an IBM i shop can do to boost their security. HelpSystems found that 72 percent of systems in its study were running at security level 40 or 50, while 28 percent were running at security level 20 or 30. No systems were found at security level 10, which is a good thing.
There are things IBM i shops can do to improve other settings, like bolster key system values for restoring objects. HelpSystems found that most percent of servers are running below the recommended value for the Verify Object on Restore (QVFYOBJRST) and the Force Conversion on Restore (QFRCCVNRST) settings.
User Profiles and Passwords
Users with special authorities have more power than the average user, so it makes sense to reduce them. However, HelpSystems found that authorities like *ALLOBJ are “granted to users in unacceptably high numbers.” What’s more, almost 45 percent of users in the survey had *JOBCTL, the most commonly granted special authority.
Inactive user profiles can also pose a risk. The HelpSystems survey showed that an average of 32 percent of all user profiles hadn’t signed on in the past 30 days or more, and more than half of them were enabled and ready to be used.
The use of default passwords is considered extremely bad form on the IBM i server, because every hacker knows that the default password is the same as the user ID. However, more than 9 percent of user profiles surveilled in HelpSystems’ study have default passwords. What’s more, nearly 30 percent of the systems in the survey had 100 profiles or more with default passwords.
“One system has a total of 1,122 user profiles with default passwords and 898 were in an enabled state,” HelpSystems writes in its report.
*PUBLIC Data Access
Every systems administrator who works on an IBM i server (or security officers if your company is progressive on the security front) should be aware of the peculiar way IBM sets default access.
While other systems lock down access to objects or tasks, the IBM i system falls back to the default *PUBLIC setting.
“Unless proactive steps are taken to restrict *PUBLIC access rights, users who have not been granted a specific authority to an object or task can read, change, and delete data,” HelpSystems writes.
HelpSystems survey shows that 44 percent of users have *CHANGE authority, which allows users to put new objects in the library, while 26 percent have *ALL authority, which lets them manage, rename, specify security for, or delete libraries, the survey shows.
“Our findings demonstrate that IBM i shops still have far too many libraries accessible to the average user,” HelpSystems writes. “The statistics for DB2 libraries indicate a lack of adequate control over the data, which often includes critical corporate financial information.”
The IBM i OS was initially developed with menu-level security controls, which was sufficient for restricting what users could do on a green-screen interface. However, the advent of network protocol such as TCP/IP, FTP, and ODBC opened new interfaces in and out of the IBM i server.
IBM essentially “patched” these openings with exit points that let IBM i shops control who and what can come and go through those network access points. For whatever reason, few IBM i shops use them. According to HelpSystems survey, nearly 70 percent of shops had no exit programs in place to log and control access.
And even when there are exit programs in place, they’re usually incomplete, the company says. Only 6 percent of shops had programs registered to all of the network access exit points (which is obviously a great conversation starter for HelpSystems salespeople who want to sell licenses to the company’s exit point software).
The QAUDJRN is a “tamper-proof” audit trail that allows the system to log important security-related events, such as those that could indicate a data breach or malicious activity. The good news is that most (83 percent) of IBM i shops have the audit journal in place, according to HelpSystems’ survey.
However, there’s a dark side to this seemingly upbeat number: getting useful information out of all that data is a super challenging task. “Given the voluminous amounts of raw data collected in the IBM Security Audit Journal, it’s not realistic to expect system administrators to manually review the logs regularly,” HelpSystems says. “[Y]et it appears that very few of them take advantage of the tools that are available to automate and simplify reporting tasks.”
Stop us if you’ve heard this one before: “The IBM i server is a virus-proof machine.” Well, it turns out that the IBM i is a “virus-resistant” machine, but it’s by no means virus-proof. In fact, it can harbor and distribute Windows viruses in the Integrated File System (IFS) so it’s important to periodically scan the IFS for infections.
The good news is that the news seems to be getting out. “Many IBM i shops are starting to come to terms with the virus threat,” HelpSystems says. However, the majority of those scanning for viruses and assorted digital nasties are doing so on a batch basis, as only 7 percent reported that they’re checking for malware when the IFS responds to a file open request.
No system is perfectly secure, or even secureable, for that matter. The simple task of exposing data and processes, which of course is necessary to conduct business, raises the risk of a breech. Therefore, the best approach to security is one that sees it as a never-ending journey. If you are dedicated to continuous improvement on the security front, then you have the right attitude.
And there is plenty of room for improvement, according to HelpSystems. “No system became vulnerable overnight, nor is it possible to fix every security problem in a single day,” the company concludes. “What’s important is starting somewhere and making continued progress toward a stronger security profile.”
HelpSystems will be distributing the 2018 State of Security Report the near future, and it will also be holding a webinar. Check with the company’s website, www.helpsystems.com, for details.