Security Gaining Attention On IBM i, But More Progress Needed
June 22, 2020 Alex Woodie
First, the good news: IBM i shops are paying more attention to security and are making it a priority, according to the 2020 State of IBM i Security Study. But that isn’t necessarily translating into better security, as too much data remains vulnerable, the new report concludes.
“A deeper understanding of the risks and the security controls built into the OS is currently driving a wave of interest in prioritizing cybersecurity issues on IBM i,” Robin Tatum, director of security technologies at HelpSystems, wrote in the 2020 State of IBM i Security Study, now in its 17th year.
Security has been the top concern of IBM i shops for the past four years, according to HelpSystems’ ongoing IBM i Marketplace study. In the most recent report, 77 percent of surveyed IBM i shops claimed security as a top concern, the highest it’s ever been.
“Cybersecurity is becoming a higher priority,” Tatum writes. “However, many organizations are still in the early stages of implementing IBM i security controls.”
The conclusion that security is a growing concern jibes with another recent report on IBM i security conducted by Precisely (previously Syncsort), which found a big jump in the number of IBM i shops feeling somewhat or very unconfident in their ability to prevent a security breach. In two previous years, IBM i shops expressed significantly higher confidence (perhaps unfounded) in their ability to prevent a breach.
For its 2020 State of IBM i Security Study, HelpSystems surveyed data from 255 IBM i servers and LPARs. These are production systems owned by organizations that have asked HelpSystems to analyze their security configuration, often as part of a larger deal for security software or services. The Minnesota company also conducts security scans on IBM i systems for free.
There are several areas of concern raised in the security report. For starters, more than one-quarter of systems studied have user profiles with default passwords (where the user ID and the password are identical). That’s a grave offense for anybody who takes security seriously.
Special authorities are another problem area for IBM i security. Best practices call for special authorities to be associated with fewer than 10 user profiles, or less than 3 percent of the user population, according to HelpSystems. But in reality, special authorities are much more common than that, with an average of more than 300 user profiles granted Job Control (*JOBCTL) and Spool Control (*SPLCTL) authority, according to the report.
Another problem concerns access to data, the lifeblood of companies. IBM i servers are shipped from the factory with a default configuration that gives non-named users, or *PUBLIC users, enough authority to read, write, and even delete any piece of data or any program on the system. It’s up to users to lock down specific libraries and programs by restricting *PUBLIC access to libraries.
According to the HelpSystems report, 55 percent of libraries are set to *CHANGE, which allows general users to place new objects in the library and change some characteristics; 25 percent are set to *USE, which enables general users on the system to get a catalog of all objects in a library; and 8 percent are set to *ALL, which means that general users can manage, rename, and delete a library. Only 10 percent of libraries are set to *EXCLUDE, and 2 percent are set to *AUTL, the report found.
“Our findings demonstrate that IBM i shops still have far too many libraries accessible to the average user — libraries that often include critical corporate information,” the company says. “With virtually every system user having access to data far beyond their demonstrated need, administrators need better processes to control access to IBM i data.”
Setting authority levels for libraries is considered the first line of defense in restricting access to data, according to HelpSystems. If that’s not practical, exit monitoring tools should be used to monitor and manage access to the data through common access (or exit) points, such as FTP, ODBC, and TCP/IP.
However, only 31 percent of IBM i shops surveyed by HelpSystems had at least one exit program in place. And out of those shops, 10 percent have one or two exit programs. Considering there are 27 exit point interfaces on the IBM i platform, that is a grossly underwhelming number, HelpSystems says.
“Adoption of exit programs has grown steadily in recent years, but many companies are still unaware of this wide-open network access problem,” it says.
HelpSystems also identified another concern around unrestricted command line access. In the past, AS/400 shops could control user access to sensitive data and programs by restricting access to the command line. However, that approach has become less relevant with the advent of the Internet and the addition of exit points.
While this vestigial approach of imposing security by restricting access to the command line is still rampant (with 76 percent of users having their command line access restricted), there’s a subset of the whole IBM i population that not only still has command line access (24 percent), but also has a fully enabled user profile. According to HelpSystems, 17 percent of user profiles surveyed had both command line access and a fully enabled user profile, which presents “a very clear risk.”
“Several network interfaces do not acknowledge the command line limitations configured in a user profile and must be controlled in other ways,” HelpSystems writes in its report. “This means that users can run commands remotely, even when system administrators have purposely taken precautions to restrict them from using a command line.”
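The two profile checks discussed above (special authorities against the fewer-than-10 or under-3-percent benchmark, and enabled profiles that still have command line access) can be run over an export of user profile attributes. This is an added example, not code from HelpSystems or the report; the CSV layout and sample rows are constructed, and it assumes that meeting either benchmark is enough to pass.

```python
import csv
import io

# Constructed sample export, not real data: one row per user profile.
# LMTCPB = limit capabilities, SPCAUT = special authorities (space separated).
SAMPLE_PROFILES = """\
USER,STATUS,LMTCPB,SPCAUT
QSECOFR,*ENABLED,*NO,*ALLOBJ *SECADM *JOBCTL *SPLCTL
APPOWNER,*DISABLED,*NO,*ALLOBJ
JSMITH,*ENABLED,*YES,*NONE
MJONES,*ENABLED,*NO,*JOBCTL
OPER1,*ENABLED,*PARTIAL,*JOBCTL *SPLCTL
CLERK7,*ENABLED,*YES,*SPLCTL
"""

MAX_HOLDERS = 10   # benchmark quoted above: fewer than 10 profiles
MAX_SHARE = 0.03   # or less than 3 percent of the user population


def load_profiles(text):
    """Parse the export; SPCAUT becomes a set, with *NONE meaning empty."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["SPCAUT"] = set(row["SPCAUT"].split()) - {"*NONE"}
    return rows


def special_authority_findings(profiles):
    """Map each special authority that misses both benchmarks to its holders.

    Assumption: meeting either benchmark is enough to pass.
    """
    holders = {}
    for p in profiles:
        for aut in p["SPCAUT"]:
            holders.setdefault(aut, []).append(p["USER"])
    total = len(profiles)
    return {aut: sorted(users) for aut, users in holders.items()
            if len(users) >= MAX_HOLDERS and len(users) / total >= MAX_SHARE}


def enabled_with_command_line(profiles):
    """Enabled profiles whose LMTCPB is not *YES, so commands can be entered."""
    return sorted(p["USER"] for p in profiles
                  if p["STATUS"] == "*ENABLED" and p["LMTCPB"] != "*YES")


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_PROFILES)
    print("over benchmark:", special_authority_findings(profiles))
    print("enabled + command line:", enabled_with_command_line(profiles))
```

A clean result from the second check does not cover the network interfaces that ignore command line limits, which is why the report pairs it with exit programs.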
Malware is another concern on the platform. IBM i is well known to have a “Typhoid Mary” problem, where it can house and help distribute loads of Windows viruses to connected machines without itself becoming infected – although perhaps, in light of current events, we should update the analogy and label the IBM i an Asymptomatic COVID-19 Super Spreader.
Unfortunately, few IBM i shops are actually taking the precautions that are necessary to prevent malware infestations. According to HelpSystems’ report, 86 percent of IBM i shops lack antivirus protection on file opens from the IFS, leaving them vulnerable to housing viruses, Trojan horses, and other types of malware squirreling its way across the Internet and into your system.
There are some positive indications that IBM i shops are (finally) recognizing security as a real concern. The constant drumbeat of high-profile security breaches and passage of security laws are helping to get people’s attention. But just being cognizant of the problem is not enough, and HelpSystems’ report shows that the average IBM i shop still has a lot of work to do before they can call themselves “secure.”
You can download a copy of the 2020 State of IBM i Security Report at www.helpsystems.com/cta/download-state-ibm-i-security-study-guide.