Security Checks Drive Consulting Biz for Briteskies
June 14, 2021 Alex Woodie
With high-profile ransomware attacks becoming the norm and calls for a federal cybersecurity department gaining steam, there’s a distinct uneasiness when it comes to the security of corporate computer systems. That uptick in awareness is helping to drive business for Briteskies, the Cleveland, Ohio-based IT consultancy that has made IBM i security a cornerstone of its business.
Briteskies was founded in 2000 primarily as a JD Edwards specialist for organizations in the Great Lakes region. Over the years, the company has expanded into other niches, including Magento e-commerce systems, custom RPG development, and computer security.
The market for IBM i security services, in particular, was underserved, according to Bill Onion, managing director at Briteskies. “We identified a long time ago that infosec was growing,” Onion tells IT Jungle. “We were looking at that saying, well nobody is paying attention to the IBM i.”
The company has five employees who are dedicated to providing IBM i security services, including conducting security assessments of IBM i installations and remediating the problems it finds.
“Generally, that was kind of okay [that people were not paying attention to the IBM i], but it’s getting more and more to where it’s not,” Onion said. “There’s still a lot of folks that think that because it’s an IBM i server, it’s presumed safe. They think they don’t need to worry about that.”
Briteskies brings all sorts of tools to bear on its IBM i security engagements, most of which are with its clients in the Midwest, but some that are as far as Texas and California. It leans on automated assessment tools from HelpSystems and the new VERIFi offering from iTech Solutions that we wrote about in February.
ALLOutSecurity, which develops JD Edwards-specific auditing tools, is another Briteskies partner. It also works with local Cleveland-based backup and disaster recovery (DR) firm, UCG Technologies, to help prepare customers for ransomware attacks, as well as DXR Security, Carol Woodbury’s new security firm, on penetration testing for IBM i. Onion says Tenable’s the network scanning tool, Nessus, does a good job with IBM i.
After Briteskies runs a security assessment, it provides a color-coded report that lists the various vulnerability it finds, with red, yellow, and green corresponding to the severity levels. Mapped IFS drives can big a big concern, especially in this age of rampant ransomware. The degree of coverage of exit points with exit programs is another area to look at, especially concerning the “alarming” finding from HelpSystems earlier this year that detailed a disturbing lack of exit programs in place at IBM i shops.
If there are a lot of service profiles with ALLOBJ active on the system, that will be flagged too. “Once you have ALLOBJ authority, you can pretty much, with a couple of steps, get access to the entire system, which is really terrifying,” Onion says.
Briteskies gives its clients an assessment of the problems that it identified and the ways they can be fixed, Onion says. “Most of our customers say, they’ve got it, we’re going run with it and they take care of themselves,” he says. “Sometimes we’ll do some of the work, so we’ll split the work up to kind of tighten up the security posture.”
These assessments sometimes turn up unexpected results. For instance, one client that contracted Briteskies to help it test its DR strategy turned out to have an IT system that had a Year 2000 issue. “They’re running an ERP system that they didn’t update for Y2K, 21 years ago,” Onion said. “We all got a chuckle out of it, but it’s also scary at the same time.”
As fate would have it, the company that wrote the ERP product was out of business. Briteskies managed to get the system updated and tested, and this customer’s Y2K story had a happy ending. But it very easily could have ended differently.
“They could not fully recover from that, not on the fly, not in that scenario,” Onion says. “If that company had ransomware or any type of attack or any type of power outage where they lost things, they would not have been able to easily recover from that.”
Many customer engagements reveal a general lack of awareness about basic security precautions. For example, during one security engagement at a smaller shop, the Briteskies technician had the time to inspect the company’s entire IT portfolio. It turned out they were using a residential-type router as the VPN, which is not a recommended security configuration.
“He showed the client the article that shows you how to hack through that thing and get access to their network,” Onion says. “They were worried about the IBM i. We’re like, your whole network’s at risk right now. So it is kind of an arms race, both hardware and software, to try to stay up with the stuff that the hackers are doing.”
The state of security among IBM i shops is a work in progress. Some IBM i shops take it seriously. Other shops, not so much.
“I think the awareness is certainly increasing. That’s a good positive step,” Onion says. “But I still think it’s really bad. I don’t know many shops that are great. There’s a handful out there. But most of them are just same as it was in the late 1990s. They just haven’t made that jump.”
One good indicator that an IBM i shop has made the leap is whether they have somebody with a Certified Information Systems Security Professional (CISSP) certification on their staff or on retainer. “That, to me, is a good metric, to say how many folks that are IBM i savvy also have their CISSP,” Onion says. “There are not many.”
Security threats are evolving, and it’s important that IBM i shops keep up with the changes. The modern IBM i server is an open platform that can run a multitude of applications, and integrate with just about any service across the Internet. It’s no longer cut off from the rest of the world, which is a good thing for commerce, but raises the stakes.
At the same time, there are some commonsense things that the majority of IBM i professionals could do to address many of the threats. You don’t have to be a cyber genius to eliminate the bulk of the potential problems, Onion says. Briteskies and other consulting firms like it can help you identify and address them, or you can do them yourself.
“We’re going to walk around to make sure all the barn doors and windows are closed, the obvious ones, and get those things secured and locked up,” Onion says. “We have really smart engineers, but anybody who is a savvy IBM i’er can do those things. It’s just a question whether they have the time and expertise to do that.”