Is Information Overload Hurting IBM i Security?
September 28, 2020 Alex Woodie
What is wrong with IBM i security? If you look at surveys and reports, you would be hard pressed to find something that is not broken. From excessive authority and ransomware, to exit programs and default passwords, it can feel as if IBM i servers are rife with security failures.
IBM i shops are certainly aware of the security shortcomings. Security has been rated the number one concern in each of the past two IBM i Marketplace studies conducted by HelpSystems. In the most recent report, 77 percent of respondents rated security a top concern, the highest percentage ever. (The state of security seems to have gotten worse under COVID-19, as bad actors have intensified their efforts to exploit the situation.)
A rising concern over security resonates with the finding of another study from Precisely (formerly Syncsort and Vision Solutions, which bought Cilasoft, Enforcive, and Townsend Security’s encryption tech). That study, released earlier this year, found a big jump in the number of IBM i shops feeling somewhat or very unconfident in their ability to prevent a security breach.
Why are people unconfident? Well, if you believe the studies, it’s because their IBM i systems simply are not very well configured. This is well documented across 17 years’ worth of State of IBM i Security reports conducted by PowerTech Group and HelpSystems, which bought PowerTech in 2008.
Every year since 2003, we have been treated to an in-depth look into the security practices of thousands of real-world IBM i systems. And for 17 years, including the most recent 2020 report, that survey has demonstrated how remarkably poorly most IBM i systems are configured. (That study is not based on a random sample, so it’s not a perfect representation of all IBM i shops in the real world. But it’s the best data we have.)
So where has that gotten us? One theory says there are so many problems with IBM i security that many IBM i shops simply don’t know where to start. And rather than deal with each of these real security concerns, many organizations choose instead to just bury their heads in the sand and pretend the security problems don’t exist. That’s not good, of course, but that’s what one reading of the data suggests.
That’s the premise behind the new IBM i security services firm co-founded by Carol Woodbury and John Vanderwall, called DXR Security. The longtime business partners, who left HelpSystems earlier this year, decided to take a fresh approach to IBM i security.
“There’s plenty of marketplace studies and security studies and surveys that different vendors have done out there, chock full of very interesting information,” Vanderwall tells IT Jungle. “When you look at those sorts of studies and surveys, security still remains high on everybody’s lists. But when you contrast that with security studies or security surveys, you find that things really aren’t changing. They haven’t changed a lot.”
“The reason why you don’t see these studies changing all that much is because people are being overwhelmed with information,” Vanderwall continues. “They just have way too much information to try to figure out where to start, what to do, where to go.”
Woodbury’s experience working directly with IBM i shops confirms what the studies suggest. “Through the years of doing risk assessments, we would go over them with clients, and they would just kind of be speechless at the end because there’s a huge list of high, medium, and low risk items that they have to address,” Woodbury says.
“The next year, we’d do another risk assessment, and nothing had changed,” she continues. “That’s where John and I came up with the conclusion that they’re just overwhelmed and they just don’t know where to start. They are stuck. And so this will hopefully get them moving.”
Instead of taking a “big bang” approach to try and remediate a laundry list of security failures in one fell swoop – which can take months to complete and cost hundreds of thousands of dollars – DXR Security proposes picking one item and focusing intently on it. Once the customer gets a single security win under their belt, the thinking goes, they will be more inclined to get one more.
Woodbury, who was the security architect for OS/400 at IBM before branching into private practice in the early 2000s, is confident that this incremental approach will resonate with customers. It’s heavy on the handholding and education, and hopefully lighter on the information overload.
“People are just overwhelmed,” Woodbury says. “They have so much information. They have no idea where to start. They don’t know what steps to take. They don’t know how to do it. So that’s why we came up with the service.”
Vanderwall and Woodbury left HelpSystems this spring after nearly five years with the company. (HelpSystems bought their previous security consultancy, Skyview Partners, in 2015.) After considering the problem and thinking about possible solutions, they founded DXR Security, which is headquartered in Inlet, South Carolina.
A typical DXR Security engagement will start out with a basic security assessment, Woodbury says. The company will gather some information on their IBM i system and generate a report.
“But it’s not going to be a ten-page report. It’s a one-page report,” she says. “It will list multiple vulnerabilities, but we are not claiming to be a risk assessment. We’re not going to do high, medium, and low. We’re going to list out some vulnerabilities, and then pick one and give detailed instruction on how you approach it and how you actually make the changes to resolve the issue.”
For example, perhaps the customer has a large number of PCs connected to the IBM i server’s Integrated File System (IFS). That is a prime avenue for malware, and ransomware in particular, to travel throughout an organization.
“If you can reduce the number of shares, and especially shares to root, then we can lower that risk of having malware affect your entire system,” Woodbury says. “There would be detailed steps on how you go about removing it. You don’t just want to go and remove that share. There’s some investigation you want to do ahead of that to not break some other processes that might be depending on it.”
The DXR approach favors simplicity and action, rather than complexity and information. That doesn’t mean there isn’t a place for big-bang style remediation projects. Those can work, especially when entire applications need to be revamped to get IBM i shops on a better security footing. But DXR will not be involved in those sorts of engagements.
“We’re not going to sit there and go through exhaustive information about those vulnerabilities,” Vanderwall says. “We want them to take action. So rather than overwhelming them with information and daunting them with the stuff that they’re probably even scared to think about, we’re going to actually help them make a move forward. It’s going to be very detailed and they’re going to be very confident taking that first step.”
It’s a worthwhile approach, if only because it doesn’t appear that it’s been taken before. If it resonates with the market, you can bet that Woodbury and Vanderwall will be looking to expand their business. But for now, the company will be starting small and concentrating on getting those first wins in, just as it advises its clients.