3 Takeaways from the 2021 PowerTech Security Report
April 14, 2021 Alex Woodie
PowerTech tomorrow will officially release its report on the state of IBM i security, which will be the 18th straight year it has published aggregated data collected from security scans of actual IBM i machines. We caught up with the report’s author, HelpSystems Director of Security Technologies Robin Tatam, for a quick preview.
Tatam and Sandi Moore, HelpSystems principal security consultant, will share the full results of the PowerTech security study in two webinars tomorrow, including one at 8 a.m. CT and another at noon CT. You can find more information about these free events and register to attend at this link.
In the meantime, Tatam teased us with three findings from the report. Two of the findings are cause for alarm, while one of them gives us a glimmer of hope.
- ALLOBJ Authority Widens
In years past, the number of user profiles with all object (ALLOBJ) authority was in the middle of the pack in relation to the seven other special authorities on the IBM i system. This year, for whatever reason, ALLOBJ surged ahead and was the second most popular special authority, behind Job Control.
The average IBM i shop had more than 300 user profiles with ALLOBJ, which Tatam said was “kind of mind blowing, considering what a privileged account authority that is.”
“Out of the eight special authorities, that is by far the most critical one,” Tatam added. “It’s one people seem to have some level of concept of, ironically. At least they know it’s a bad thing, when a user has it and doesn’t need it. So for there to be over 300 on each box is an interesting twist over prior years.”
In PowerTech’s 2020 State of Security report, the average number of users with ALLOBJ authority was 159. The figure has nearly doubled in the past year, and Tatam is stumped as to the sudden increase.
“I don’t really have a hypothesis on why,” he said. “There tends to be a disregard in the IBM i community based on, hey the system is secure, hey the system is inside firewall — all the traditional things we have espoused during the conversations and documentation that we put forth.”
- Exit Points Failures
The study found that 30 percent of the IBM i systems scanned were using at least one exit point program. However, 70 percent of them were not using any programs to monitor what was going on with the 27 exit points on the system, which provide external access to IBM i data via FTP, Telnet, ODBC, etc.
Having one exit program is nice. It shows some level of investment and concern. But the story gets a little more distressing when PowerTech looked at the percentage of IBM i systems that cover all of the “standard exit points,” which is basically everything but the socket exit point that IBM introduced a few years ago. When an IBM i shop has all of the standard exit points covered, that usually means they are using a network security product, such as the one from PowerTech, Tatam said.
“When we say that every standard exit point has to be covered, we have a 13 percent success rate,” he said. “When we up the ante and say someone invested money in this, we go from 30 percent success rate to 13 percent.”
In other words, 87 percent of IBM i systems scanned for the 2021 security study are basically wide open. That is a distressing statistic, to say the least.
“Exit programs are doors that are attacked the most frequently,” Tatam said. “And as we can see, they are the doors that are least protected.”
Level 40 Victory
However, it was not all doom and gloom for the PowerTech report (it was mostly doom and gloom, but not all). The study found the “vast majority” of IBM i systems were using Level 40 security. That was a “positive,” Tatam said.
Running an IBM i server at Level 40 is good because it influences what the default security settings are, Tatam said.
“So if you create a new user account at level 20 or level 40, it will either be given ALLOBJ or not by default,” he said. “It also influences the integrity of the operating environment. At level 40, there are a whole bunch of things that come into play under the covers.”
For example, you can’t run a job with somebody else’s permissions at security level 40, but you can do that at security level 30. The operating system will log it as a violation, and then allow it to happen anyway, Tatam said.
However, running at security level 40 or higher isn’t a panacea.
“I can have a level 40 or 50 machine that looks great on paper but is running effectively like a level 20 machine,” Tatam said. “If I give all my users ALLOBJ [on a level 50 machine], I’m effectively running a level 20 machine. A lot of people don’t see the nuances of how the synergy between these different attributes adds up to the overall security stance.”
Head Vs. Wall
As previously stated, this is the 18th straight year that PowerTech (now HelpSystems) has put this study together. We have covered all of those reports here at IT Jungle. There is rarely any good news that comes out of the security report.
Like Bill Murray’s character Phil Connors in the 1993 classic “Groundhog Day,” PowerTech and HelpSystems security experts seem to be stuck in a rut, saying the same things, year after year after year.
So rather than continue to beat his head against the wall on the security question, Tatam is taking a new approach this year.
“This is the 18th study that has been done with arguably very similar issues across the board. And so I have to figure out a way to get that message to resonate more to the point where people do something about it,” he said.
“What I’d like to do is help people transition from what we’re telling as a story into a state that is more manageable,” Tatam continued. “We’re over 30 years into the IBM i DNA at this point. We’re not going to fix this overnight. But what can be worked on? What can be mitigated What are the easy low-hanging fruit items, things like default passwords?”
When an IBM i professional realizes the extent of security misconfigurations in their systems, it can be overwhelming. Tatam wants to help that professional get past the state of frozen fear and moving in a positive direction. The way he intends to do that is by starting small by suggesting a few action items, and going from there.
“The intent with the report that the customer walks away with is theoretically not to be too overwhelming,” he adds. “Just give them an at a glance view of these are areas that might be eligible for improvement and kind of ease them into it.”
Hopefully it works. Because after nearly two decades, these IBM i systems are still wide open.