The 2016 State of IBM i Security Study reveals exclusive information about what tools and strategies organizations are using to secure IBM i—and where they’re leaving the platform vulnerable. Get a first look at the results here, and download the full report to learn more: bit.ly/1SoAuNs
2. HelpSystems Corporate Overview. All rights reserved.
Today’s Agenda
• Introduction
• Regulations on IBM i
• Conducting the Study
• The State of IBM i Security Study
• Questions and Answers
Today’s Speaker
Robin Tatam, CBCA CISM
Director of Security Technologies
+1 952-563-2768
robin.tatam@helpsystems.com
About PowerTech
• Premier Provider of Security Solutions & Services
– 19 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security subject matter expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security Study”
CPE Credit
If you wish to receive CPE Credit for today’s session:
• Send an email to robin.tatam@helpsystems.com
• Answer polling questions
• 1 CPE Credit will be issued within 2-4 weeks
Why Do I Need to Audit?
• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry regulations, such as Payment Card Industry (PCI DSS)
• Internal activity tracking
• High availability
• Application research & debugging
Which Standards Do I Audit Against?
• Is there a company security policy? (We’ve got one to help you get started.)
• Guidelines and Standards
– COBIT
– ISO 27002 (formerly known as 17799)
– ITIL
IT Controls – an Auditor’s Perspective
• Can users perform functions/activities that are in conflict with their job responsibilities?
• Can users modify/corrupt application data?
• Can users circumvent controls to initiate/record unauthorized transactions?
• Can users engage in fraud and cover their tracks?
The Auditor’s Credo…
“Of course I believe you…” (But you still have to prove it to me)
Purpose of the Study
• Help IT managers and auditors understand IBM i security exposures
• Focus on top areas of concern in meeting regulatory compliance
• Help IT develop strategic plans to address—or confirm—high risk vulnerabilities
How We Collect the Data
• PowerTech Security Scan
– Launched from a PC
– Collects security data
– Data for the study are anonymous
• Companies are self-selected
– More or less security-aware?
• Study first published in 2004
– Over 2,500 participants since inception
Schedule your own security scan at www.helpsystems.com/powertech
Be a Part of the Study!
(Submission of data for use in the Security Study is optional)
Determine if auditing is active and what types of events are being logged
Determine how many users have administrator privileges (special authorities)
Major Areas of Review
• Administrative Privileges (powerful users)
• Public Authority (to libraries and data)
• Network Access (through TCP interfaces)
• User Vulnerabilities and Password Policy
• Security System Values
• System Audit Controls
• Anti-Virus Controls
State of IBM i Security Overall
Assessed 177 different systems throughout 2015
That’s double the number from 2015!
Settings reviewed from a total of:
– 238,409 User Profiles
– 94,066 Libraries
On average, each assessed system had:
– 1,347 Users
– 531 Libraries
State of IBM i Security Overall
Installed Version of IBM i:
– V7R1M0: 76%
– V6R1M0: 11%
– V7R2M0: 6%
– V5R4M0: 7%
Most “Invalid Sign-On Attempts” Found
610,387
This is the number of attempts that someone made using one profile to access one system partition!
Would you detect an intrusion attempt?
Most “Invalid Sign-On Attempts” Found
Systems with a profile that had experienced more than 1,000 invalid attempts: 48%
What Good Is Audit Journal Data?
• Mountains of raw data
• Multiple places to look
• Frustrating manual reporting processes
As a result, IT often ignores the data, or just looks on the day before the auditors arrive.
Is Anyone Paying Attention?
84% of systems had an IBM audit journal (QAUDJRN)
24% of those had a recognized auditing tool installed
18% of servers had the auditing control system turned off
610,000 invalid sign-on attempts against a single profile!
Would you be more concerned if it was the QSECOFR profile?
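To make the “would you detect it?” question concrete, here is an added example (not from the study or from HelpSystems) that counts invalid sign-on attempts per profile from QAUDJRN PW entries and flags bursts that look automated rather than mistyped. The record layout and the sample lines are constructed, a simplification of DSPJRN output, not real journal data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample, shaped loosely like DSPJRN output for QAUDJRN "PW"
# entries: timestamp, journal entry type, violation type (P = password
# not valid, U = user name not valid), profile name. Not real data.
SAMPLE_ENTRIES = """\
2015-11-03 08:00:01,PW,P,JSMITH
2015-11-03 08:00:02,PW,P,QSECOFR
2015-11-03 08:00:03,PW,P,QSECOFR
2015-11-03 08:00:04,PW,U,ADMIN
2015-11-03 08:00:05,PW,P,QSECOFR
2015-11-03 08:00:06,PW,P,QSECOFR
2015-11-03 08:00:07,PW,P,QSECOFR
2015-11-03 08:00:08,CP,,JSMITH
2015-11-03 08:09:00,PW,P,JSMITH
2015-11-03 08:00:12,PW,U,ADMIN
"""

def parse_pw_entries(text):
    """Keep only PW entries for a bad password (P) or unknown user (U)."""
    entries = []
    for line in text.strip().splitlines():
        ts, etype, vtype, user = line.split(",")
        if etype == "PW" and vtype in ("P", "U"):
            entries.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    return entries

def failures_by_profile(entries):
    """Lifetime invalid attempts per profile: the study's >1,000 metric."""
    counts = defaultdict(int)
    for _, user in entries:
        counts[user] += 1
    return dict(counts)

def bursts(entries, window_seconds=60, min_count=5):
    """Profiles hit by >= min_count failures inside any window_seconds span."""
    by_user = defaultdict(list)
    for ts, user in entries:
        by_user[user].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged
```

A profile's lifetime count answers the study's 1,000-attempt question; the burst check is what turns a journal nobody reads into an alert while the guessing is still going on.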
What Is *PUBLIC?
*PUBLIC is a special reference to any user that is not explicitly named and given an authority.
(Although sometimes referred to as “anonymous” access, the user still needs credentials and is not anonymous to the organization.)
Deny by Default
• The one and only library authority that keeps users out is *EXCLUDE.
• A policy of “deny by default” calls for *PUBLIC to be excluded and then authorized, named users or groups granted the appropriate access.
• WARNING: A user can (potentially) delete objects with only *USE authority to the library.
Public Authority to Libraries
– *EXCLUDE: 6%
– *CHANGE: 61%
– *USE: 22%
– *ALL: 9%
– *AUTL: 1%
When New Objects Are Created
Library Default - Create Authority
System Default - Create Authority
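An added example (not the study's code) that applies the deny-by-default check from the slides above to each library's *PUBLIC authority and to the create authority new objects inherit: a library with CRTAUT(*SYSVAL) defers to the QCRTAUT system value, whose shipped default is *CHANGE. The library records and the QCRTAUT value are constructed; *PUBLIC shown as *AUTL is flagged for a look at the authorization list rather than judged.

```python
# Constructed sample shaped like DSPOBJAUT/DSPLIBD output for *LIB objects:
# (library, *PUBLIC authority on the library, CRTAUT attribute). Not real data.
SAMPLE_LIBRARIES = [
    ("PAYROLL", "*CHANGE",  "*SYSVAL"),
    ("HRDATA",  "*EXCLUDE", "*EXCLUDE"),
    ("APPLIB",  "*USE",     "*CHANGE"),
    ("SECLIB",  "*EXCLUDE", "*SYSVAL"),
    ("REPORTS", "*ALL",     "PAYAUTL"),   # CRTAUT naming an authorization list
    ("APPDATA", "*AUTL",    "*SYSVAL"),   # *PUBLIC comes from an authorization list
]
# Constructed value of the QCRTAUT system value; *CHANGE is the shipped default.
QCRTAUT = "*CHANGE"

def effective_create_authority(crtaut, qcrtaut=QCRTAUT):
    """*PUBLIC authority a new object gets: CRTAUT(*SYSVAL) defers to QCRTAUT."""
    return qcrtaut if crtaut == "*SYSVAL" else crtaut

def deny_by_default_findings(libraries, qcrtaut=QCRTAUT):
    """Findings per library against a deny-by-default policy."""
    findings = []
    for name, public, crtaut in libraries:
        if public == "*AUTL":
            # Whether *PUBLIC is excluded depends on the list; review it.
            findings.append((name, "CHECK_AUTHORIZATION_LIST", public))
        elif public != "*EXCLUDE":
            # Only *EXCLUDE keeps *PUBLIC out; *USE still lets objects be reached.
            findings.append((name, "PUBLIC_NOT_EXCLUDED", public))
        effective = effective_create_authority(crtaut, qcrtaut)
        if effective in ("*CHANGE", "*ALL"):
            # New objects are born open to *PUBLIC even if the library is locked,
            # which matters as soon as library-level control is bypassed (*SAVSYS).
            findings.append((name, "OPEN_CREATE_AUTHORITY", effective))
    return findings

def public_authority_distribution(libraries):
    """Share of libraries per *PUBLIC authority, as the study reports it."""
    counts = {}
    for _, public, _ in libraries:
        counts[public] = counts.get(public, 0) + 1
    total = len(libraries)
    return {auth: round(100 * n / total) for auth, n in counts.items()}
```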
Network Access Control
Many IBM i applications rely on menu security because…
– It’s easy to build
– It’s the legacy of many existing business applications
Menu security design assumes:
– Access originates only via the menus
– No users have command line permission
– Users can’t have access to SQL-based tools
Menu security is often accompanied by:
– Users belonging to a Group that owns the objects
– *PUBLIC being granted broad (*CHANGE) access to data
A New Function?
In the 1990s, IBM supplemented Object Level security with a suite of exit points, which are temporary interruptions in an OS process in order to invoke a user-written program.
The function of an exit program can include anything the programmer codes within it (including unauthorized acts!), but security officers typically want network exit programs to:
• Audit (as IBM i doesn’t)
• Control Access (as good object security is rare & inflexible)
The exit program returns a pass/fail indicator to the exit point.
Administrator Privileges
Special Authority (aka Privileges)
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
• *ALLOBJ (All Object): The “gold key” to every object and almost every administrative operation on the system, including unstoppable data access.
• *SECADM (Security Administration): Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority.
• *IOSYSCFG (I/O Systems Configuration): Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP).
• *AUDIT (Audit): The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD).
• *SPLCTL (Spool Control): This is the ALLOBJ of Spooled Files and allows a user to view, delete, hold, or release any spooled file in any output queue, regardless of restrictions.
• *SERVICE (Service): This allows a user to access the System Service Tools (SST) login, although they also need an SST login since V5R1.
• *JOBCTL (Job Control): This enables a user to start/end subsystems and manipulate other users’ jobs. It also provides access to spooled files in output queues designated as “operator control.”
• *SAVSYS (Save System): This enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object. * Be extra cautious when securing objects at a library level only *
IBM i Special Authorities
Administrator Privileges
Try to get down to < 10 profiles with SPCAUTs
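An added example (not the study's tooling) that tallies special authorities across profiles against the < 10 guideline above, lists the enabled profiles holding the *ALLOBJ “gold key”, and separately lists who still has an unrestricted command line. Profile records are constructed; their field layout is a simplification of DSPUSRPRF output, and the special authorities are assumed to be the resolved list shown on the profile.

```python
# Constructed sample shaped like DSPUSRPRF *OUTFILE rows: (profile, status,
# user class, special authorities as shown on the profile, limit capabilities).
# Not real data.
SAMPLE_PROFILES = [
    ("QSECOFR",  "*ENABLED",  "*SECOFR", "*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS", "*NO"),
    ("OPER1",    "*ENABLED",  "*SYSOPR", "*JOBCTL *SAVSYS", "*NO"),
    ("JSMITH",   "*ENABLED",  "*USER",   "*ALLOBJ", "*YES"),
    ("BATCHSVC", "*DISABLED", "*USER",   "*ALLOBJ *JOBCTL", "*NO"),
    ("ACLERK",   "*ENABLED",  "*USER",   "*NONE", "*YES"),
    ("AUDITOR",  "*ENABLED",  "*USER",   "*AUDIT", "*YES"),
]

ALL_SPECIAL_AUTHORITIES = ("*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
                           "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS")

def special_authorities(spcaut_field):
    """Split the SPCAUT field into a set; *NONE yields an empty set."""
    return {a for a in spcaut_field.split() if a in ALL_SPECIAL_AUTHORITIES}

def review_profiles(profiles, target=10):
    """Summarise privileged profiles against the study's < 10 guideline."""
    privileged = []           # every profile holding any special authority
    by_authority = {a: 0 for a in ALL_SPECIAL_AUTHORITIES}
    allobj_active = []        # enabled profiles with the "gold key"
    for name, status, _, spcaut, _ in profiles:
        held = special_authorities(spcaut)
        if not held:
            continue
        privileged.append(name)
        for a in held:
            by_authority[a] += 1
        if "*ALLOBJ" in held and status == "*ENABLED":
            allobj_active.append(name)
    return {
        "privileged": privileged,
        "by_authority": by_authority,
        "allobj_active": allobj_active,
        "over_target": len(privileged) >= target,
    }

def command_line_exposure(profiles):
    """Enabled profiles with LMTCPB(*NO), i.e. a usable 5250 command line.
    Interfaces such as FTP do not honour LMTCPB, so *YES is not a full control."""
    return [name for name, status, _, _, lmtcpb in profiles
            if status == "*ENABLED" and lmtcpb == "*NO"]
```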
Other Password Rules
Character Restrictions in Password (chart values: 5% / 95%; legend: Limits Imposed)
Password Must Include A Digit (chart values: 56% / 44%; legend: Digit Required)
How Many Attempts?
Maximum Signon Attempts Allowed (bar chart; x-axis: No. of Attempts, categories 3, 4, 5, 6, 7, 8, 10, 15, 20, 25, *NOMAX; y-axis: 0 to 100; bar values as extracted, not matched to categories: 88, 13, 50, 8, 1, 1, 4, 5, 2, 3, 7)
How Many Attempts?
Let’s hope this wasn’t the server that experienced 650,000 invalid sign-on attempts.
And Then What?
Action for Exceeding Invalid Signon Attempts (chart values: 56% / 44%, and 11% / 61% / 28%; legend: Disable Workstation, Disable Profile, Disable Both)
Default Passwords
Default passwords are banned by compliance mandates, and for GOOD reason! Review and resolve using ANZDFTPWD
(chart: All Default Passwords / Enabled, Default Passwords)
Default Passwords
One system had 2,199 users with default passwords.
99 systems had > 30 users with default passwords.
49 systems had > 100 users with default passwords.
Adopted Privileges
Programs can run with:
• Authority of the caller, plus…
• Authority of the program owner, plus…
• Authority of the program owner of other programs in the stack
Systems that restrict creation of programs that adopt (chart values: 96% / 4%; legend: Limits Imposed)
5250 Command Line
“Limit Capabilities” controls what users can do on the system command line.
Just remember some interfaces (e.g. FTP) do not check the setting before processing some command requests!
Are you AV Scanning?
Scan on File OPEN / Scan on File CLOSE (chart values as extracted: 89%, 11%, 97%, 3%)
The Perfect Storm of Vulnerability
• Some of the most valuable data in any organization is on your Power Systems server (iSeries, AS/400).
• Most IBM i data is not secured and the users are far too powerful.
• Security awareness among IBM i professionals is generally low.
• IBM i awareness among audit and compliance professionals is generally even lower.
The Call to Action
1. Conduct a Security Scan (free and deep-dive options).
2. Remediate “low-hanging fruit” such as default passwords and inactive accounts.
3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.
4. Perform intrusion tests over FTP and ODBC to assess risk of data leaks.
5. Evaluate solutions to help mitigate risk.
Download the Full Study
www.helpsystems.com/powertech > resources > white papers
www.helpsystems.com/powertech
(800) 328-1000 | info.powertech@helpsystems.com