Hacking IBM i: Penetration Testing Gains Popularity
April 13, 2020 Alex Woodie
Think your IBM i is hacker-proof? It may well be, but only a handful of systems have escaped the wrath of Carol Woodbury, the HelpSystems IBM i security expert who previously was the platform’s security architect at IBM. In recent years, Woodbury and company have ramped up a unique penetration testing service that aims to poke holes in IBM i configurations, all in the name of better security.
Penetration testing, or ethical hacking, is growing in popularity as organizations seek to solidify the security of their servers. Open systems platforms, such as Linux and Windows servers and cloud resources, are the most common targets for penetration testing services, and those services are widely available in the IT security business. But for companies that house their most important data on IBM i, HelpSystems might be the only game in town.
Woodbury and her Skyview Partners business partner, John Vanderwall, had the idea for a penetration testing service back in 2015, just as HelpSystems was expressing interest in acquiring Skyview. HelpSystems bought Skyview in June 2015, and the pair launched the industry’s first IBM i pen testing service a few months later under the HelpSystems banner.
Since then, HelpSystems has conducted hundreds of IBM i pen tests for clients all over the world, at the rate of about one per week, Vanderwall says. The company does about twice as many security assessments as pen tests, and the assessments are the starting point for most client engagements.
The security assessments usually uncover some problem with IBM i security configurations. But not all clients take the next step and contract for Woodbury and friends to attempt to compromise a live system.
Those that do are usually the better for it. That’s because a good pen test – where Woodbury is violating security policies, making herself a superuser, creating a backdoor, coming within reach of sensitive data, and using other tricks up her sleeve – makes the theoretical risks raised in the security assessment feel a little bit more real.
“What penetration testing does for IBM i is prove that what they’re saying is true or not,” she continues. “With a risk assessment, all we can do is take their word for it. They will say, ‘Right, but our users can only get to the data through menu items’ or ‘We’ve put rules in place through exit point software such that they can’t get to this.’ But when you do a penetration test, we’re actually proving that they can’t get to data except through menu items or they do have their rules in place. It’s the seeing is believing.”
After being provisioned with a working user profile and a password, Woodbury will go to work. She’ll typically run the HelpSystems Risk Assessor product against the system to detect if there are any obvious security flaws, such as powerful user profiles with default passwords or network exit points that are unprotected.
“We have a prescribed script that we walk through,” Woodbury tells IT Jungle. “We’ll try to create profiles with a non-privileged user. We’ll try to display the authorities on database files, especially for applications that we know about and we know where the critical information is. We will display the authorities as an end user. And if we can see the authorities, then that means we could have seen that data.”
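The checks Woodbury describes (default passwords, unprotected network exit points, and what authority an ordinary end user holds on the application’s database files) can be run from the defender’s side as read-only queries. This is an added example, not code from the article or from HelpSystems’ products; it assumes the Db2 for i SQL services QSYS2.USER_INFO, QSYS2.OBJECT_PRIVILEGES, QSYS2.EXIT_POINT_INFO and QSYS2.EXIT_PROGRAM_INFO with the column names shown (availability varies by IBM i release), and APPLIB is a placeholder for the application library.

```sql
-- Added example: the three checks from the article as read-only queries over the
-- QSYS2 SQL services. View and column names are assumed from the QSYS2 catalog;
-- confirm them against the release you run. APPLIB is a placeholder library.

-- 1. Enabled profiles whose password equals the profile name (a default
--    password), the first thing a risk assessment looks for.
SELECT authorization_name, status, user_class_name, special_authorities
  FROM qsys2.user_info
 WHERE user_default_password = 'YES'
   AND status = '*ENABLED'
 ORDER BY authorization_name;

-- 2. Database files in the application library that *PUBLIC (i.e. any user
--    who can sign on) may read or change. Menu restrictions do not matter
--    here: a user with this authority can reach the data through ODBC, FTP
--    or remote command without ever touching the menu.
SELECT object_schema, object_name, object_type, object_authority, owner
  FROM qsys2.object_privileges
 WHERE object_schema = 'APPLIB'
   AND object_type = '*FILE'
   AND authorization_name = '*PUBLIC'
   AND (object_authority IN ('*ALL', '*CHANGE', '*USE')
        OR (object_authority = 'USER DEFINED' AND data_read = 'YES'))
 ORDER BY object_name;

-- 3. Network exit points for the database server (ODBC/JDBC), FTP and remote
--    command that have no exit program registered, meaning no exit point
--    software is filtering those requests.
SELECT ep.exit_point_name, ep.format_name
  FROM qsys2.exit_point_info ep
  LEFT JOIN qsys2.exit_program_info pg
         ON pg.exit_point_name = ep.exit_point_name
        AND pg.format_name     = ep.format_name
 WHERE (ep.exit_point_name LIKE 'QIBM_QZDA%'    -- database server (ODBC, JDBC)
     OR ep.exit_point_name LIKE 'QIBM_QTMF%'    -- FTP client and server
     OR ep.exit_point_name LIKE 'QIBM_QZRC%')   -- remote command
   AND pg.exit_program IS NULL
 ORDER BY ep.exit_point_name;
```

Run as a profile with *ALLOBJ or *SECADM the queries report the whole system; run as an ordinary end user, query 2 also demonstrates the article’s point that an unprivileged user can read the authority settings themselves.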
As an ethical hacker, Woodbury never actually views or downloads sensitive data (although sometimes the organization will plant a dummy document loaded with supposedly sensitive data and challenge Woodbury to get it). She also never uses any “brute force” hacking approaches, such as attacks that could bring the system down.
“We’re very sensitive to the fact that we don’t want to be downloading any of their private or confidential data,” she says. “We’ll prove that we can download information. We’ll prove that we could see information, if we wanted to, through the authorities. What we’re trying to do is prove that we can do the things that we have asserted that we can do.”
Data is the critical element that organizations of all stripes need to protect, but all too often, they leave it open to unauthorized access, Vanderwall says. The IBM i pen tests will demonstrate these security flaws.
“Corporate data is the jewel of the company. If that is in any way compromised, you lose a lot of business,” Vanderwall says. “One of the key things of the pen test is showing what sort of access to data people do have. That’s a surprising thing to a lot of people, the amount of data that the average user can get access to. To me, it’s a temptation. It’s there. They could do something.”
IBM i is among the most securable servers on the planet. But all too often, administrators misconfigure their servers, leaving them open to hackers, malicious employees, or casual mistakes. And there are some unfortunate souls in the midrange who still believe that a greenscreen system affords special protection from the Internet masses (it doesn’t).
“There are still people who think that people can only get to data through menus, and they swear they have their users locked into menus,” Woodbury says. “They have no regard for the openness of the system. So they are not accounting for remote command, FTP, ODBC, or SSH. They just aren’t accounting for any of that. So if we can get in there and do a pen test for a system, we can show them. It’s there in black and white.”
When the executives at HelpSystems saw how popular Woodbury and Vanderwall’s pen testing service had become, they decided to broaden out. Last month, the Eden Prairie, Minnesota, company acquired Cobalt Strike, which develops automated pen testing software for open systems environments. The Cobalt Strike software doesn’t work on IBM i, but it can test just about everything else on the network.
The Cobalt Strike pen testing tools will work hand in hand with the IBM i pen testing, Woodbury says. “The network testing will come in and knock at the front door,” she says. “But we go in through the front door. We go in through the windows, and we rummage through all the rooms and see if your safe is open.”
Woodbury doesn’t use the same script all the time. Just as hackers have to change their approaches to adapt to a changing IT landscape, Woodbury has to adapt her pen testing as conditions and IBM i capabilities change.
Woodbury politely declined to talk about some of the alternative pen-testing techniques she’s using with clients, for obvious reasons. But she assured us that she’s taking all the threats seriously.
“There’s always new vulnerabilities or new technologies that come up,” she says. “That’s part of our responsibility as security professionals – to stay abreast of the current technology and current threats. Because if we just kept doing it over and over, or doing it in ways that have been solved a long time ago, that’s not doing what we’ve been hired to do.”
Woodbury also declined to provide her record, or win-loss rate, for pen testing. But she assured us that it was very good. “There are a couple of countries that have incredibly tight regulations, such that their IT people could go to jail if they get hacked,” she says. “In those cases, we have not been able to get through. So good for them.”