Revealing the 2016 State of IBM i Security

All trademarks and registered trademarks are the property of their respective owners.© HelpSystems LLC. All rights reserved.
2016
Revealing the New State of
IBM i Security: The Good, the
Bad, and the Downright Ugly
2016

HelpSystems Corporate Overview. All rights reserved.
• Introduction
• Regulations on IBM i
• Conducting the Study
• The State of IBM i Security Study
• Questions and Answers
Today’s Agenda

Today’s Speaker
Robin Tatam, CBCA CISM
Director of Security Technologies
+1 952-563-2768
robin.tatam@helpsystems.com

• Premier Provider of Security Solutions & Services
– 19 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security subject matter expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual“State of IBM i Security Study”
About PowerTech

If you wish to receive CPE Credit for today’s
session:
• Send an email to robin.tatam@helpsystems.com
• Answer polling questions
• 1 CPE Credit will be issued within 2-4 weeks
CPE Credit

UP NEXT...
Regulations on IBM i

Why Do I Need to Audit?
• Legislation, such as Sarbanes-Oxley
(SOX), HIPAA, GLBA, State Privacy Acts
• Industry regulations, such as Payment
Card Industry (PCI DSS)
• Internal activity tracking
• High availability
• Application research & debugging

• Is there a company security policy?
(We’ve got one to help you get started.)
• Guidelines and Standards
– COBIT
– ISO 27002 (formerly known as 17799)
– ITIL
Which Standards Do I Audit Against?

IT Controls – an Auditor’s Perspective
Can users perform
functions/activities that are
in conflict with their job
responsibilities?
Can users modify/corrupt
application data?
Can users circumvent
controls to initiate/record
unauthorized transactions?
Can users engage in fraud
and cover their tracks?

The Auditor’s Credo…
“Of course I
believe you…”
(But you still have to prove it to me)

Breach Sources

UP NEXT...
Conducting the Study

Help IT managers and auditors understand IBM i security
exposures
Focus on top areas of concern in meeting regulatory
compliance
Help IT develop strategic plans to address—or confirm—
high risk vulnerabilities
Purpose of the Study

How We Collect the Data
Schedule your own security scan at www.helpsystems.com/powertech
• PowerTech Security Scan
– Launched from a PC
– Collects security data
– Data for the study are anonymous
• Companies are self-selected
– More or less security-aware?
• Study first published in 2004
– Over 2,500 participants since inception

Be a Part of the Study!
(Submission of data for use in the Security Study is optional)

Summary provides
auditors & executives with
visual indicators

IBM i registry is reviewed
to see if network events
are audited or controlled

*PUBLIC authority to
application libraries
are interrogated & reported

User profiles are analyzed
for adequate controls and
suspicious activity

Review of numerous
critical system values
that impact security

Determine if auditing is
active and what types of
events are being logged

Determine how many users
have administrator privileges
(special authorities)

• Administrative Privileges (powerful users)
• Public Authority (to libraries and data)
• Network Access (through TCP interfaces)
• User Vulnerabilities and Password Policy
• Security System Values
• System Audit Controls
• Anti-Virus Controls
Major Areas of Review

UP NEXT...
The State of IBM i Security Study

Assessed 177 different systems throughout 2015
Settings reviewed from a total of:
– 238,409 User Profiles
– 94,066 Libraries
On average, each assessed system had:
– 1,347 Users
– 531 Libraries
State of IBM i Security Overall
That’s double the
number from 2015!

State of IBM i Security Overall
Installed Version of IBM i
V7R1M0
76%
V6R1M0
11%
V7R2M0
6%
V5R4M0
7%

QSecurity
System Security Level

QSECURITY
Failing the Recommended Minimum Security Level

What Does IBM Say about Security Level 30?

Auditing Events?
15%
85%
Systems Using the IBM i Audit Journal

Most “Invalid Sign-On Attempts” Found
This is the number of attempts that someone made using
one profile to access one system partition!
Would you detect an intrusion attempt?
610,387

Would you detect an intrusion attempt?
610,387
This is the number of attempts that someone made using
one profile to access one system partition!

Systems with a profile that had experienced
more than 1,000 invalid attempts:
48%

What Should I Look For?

What Good Is Audit Journal Data?
• Mountains of raw data
• Multiple places to look
• Frustrating manual reporting
processes
As a result, IT often ignores the
data, or just looks on the day
before the auditors arrive.

84% of systems had an IBM audit journal (QAUDJRN)
24% of those had a recognized auditing tool installed
18% of servers had the auditing control system turned off
610,000 invalid sign-on attempts against a single profile!
Would you be more concerned if it was the QSECOFR profile?
Is Anyone Paying Attention?

What Is *PUBLIC?
*PUBLIC is a special reference to any user that is
not explicitly named and given an authority.
(Although sometimes referred as “anonymous”
access, the user still needs credentials and is not
anonymous to the organization.)

• The one and only library authority that keeps users out is
*EXCLUDE.
• A policy of “deny by default” calls for *PUBLIC to be excluded and
then authorized, named users or groups granted the appropriate
access.
• WARNING: A user can (potentially) delete objects with only *USE
authority to the library.
Deny by Default

Who Cares?

Public Authority to Libraries
*EXCLUDE
6%
*CHANGE
61%
*USE
22%
*ALL
9%
*AUTL
1%

When New Objects Are Created
Library Default - Create Authority
System Default - Create Authority

Many IBM i applications rely on menu security because…
– It’s easy to build
– It’s the legacy of many existing business applications
Menu security design assumes:
– Access originates only via the menus
– No users have command line permission
– Users can’t have access to SQL-based tools
Menu security is often accompanied by:
– Users belonging to a Group that owns the objects
– *PUBLIC being granted broad (*CHANGE) access to data
Network Access Control

Network Access Control
ODBC isn’t rocket
science anymore

Are These Services Running?
Systems with FTP Autostarted

Are These Services Running?
Systems with REXEC Autostarted

A New Function?
The function of an exit program can include anything the
programmer codes within it—including unauthorized acts! - but
security officers typically want network exit programs to:
• Audit (as IBM i doesn’t)
• Control Access (as good object security is rare & inflexible)
The exit program returns a pass/fail indicator to the exit point.
In the 1990s, IBM supplemented
Object Level security with a suite of
exit points, which are temporary
interruptions in an OS process in
order to invoke a user-written
program.

Exit Program Coverage
One or More Exit Programs in Place

Exit Program Coverage
Complete Exit Program Coverage
8%
92%

Administrator Privileges
Special Authority (aka Privileges)
All Object
The “gold key” to every object and almost every administrative
operation on the system, including unstoppable data access.
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

Security Administration
Enables a user to create and maintain the system user profiles
without requiring the user to be in the *SECOFR user class or giving
*ALLOBJ authority.

I/O Systems Configuration
Allows the user to create, delete, and manage devices, lines, and
controllers. Also permits the configuration of TCP/IP, and the start of
associated servers (e.g., HTTP).

Audit
The user is permitted to manage all aspects of auditing, including
setting the audit system values and running the audit commands
(CHGOBJAUD / CHGUSRAUD).

Spool Control
This is the ALLOBJ of Spooled Files and allows a user to view, delete,
hold, or release any spooled file in any output queue, regardless of
restrictions.

Service
This allows a user to access the System Service Tools (SST) login,
although they also need an SST login since V5R1.

Job Control
This enables a user to start/end subsystems and manipulate other
users’ jobs. It also provides access to spooled files in output queues
designated as “operator control.”

Save System
This enables a user to perform save/restore operations on any object
on the system, even if there is insufficient authority to use the object.
* Be extra cautious when securing objects at a library level only *

IBM i Special Authorities

IBM i Special Authorities
Try to get down to < 10
profiles with SPCAUTs

Endless News Reports of Insider Breaches

Password vs. Passphrase
0
20
40
60
80
100
120
140
0 1 2 3
No.ofSystems
System Password Level

Password vs. Passphrase
0
20
40
60
80
100
120
140
0 1 2 3
No.ofSystems
System Password Level
Password
(10 character
maximum)
Passphrase
(128 character
maximum)

Minimum Password Length

Minimum Password Leng
Not too hard to
guess your way in!

Password Expiration
1 2 1 1 1
12
1
20
2 1
68
1 1 1
5
1 1
62
0
10
20
30
40
50
60
70
80
28 30 31 36 42 45 55 60 70 72 90 92 100 120 180 365 366 *NONE
No.ofSystems
Password Expiration Period (Days)

Other Password Rules
5%
95%
Limits Imposed
Character Restrictions in Password

Other Password Rules
56%
44% Digit Required
Password Must Include A Digit

How Many Attempts?
88
13
50
8
1 1
4 5
2 3
7
0
10
20
30
40
50
60
70
80
90
100
3 4 5 6 7 8 10 15 20 25 *NOMAX
No.ofAttempts
Maximum Signon Attempts Allowed

88
13
50
8
1 1
4 5
2 3
7
0
10
20
30
40
50
60
70
80
90
100
3 4 5 6 7 8 10 15 20 25 *NOMAX
No.ofAttempts
Maximum Signon Attempts Allowed
How Many Attempts?
Let’s hope this wasn’t the
server that experienced
650,000 invalid sign on
attempts.

And Then What?
Action for Exceeding Invalid Signon Attempts
56%
44%
Disable Workstation
Disable Profile
Disable Both
11%
61%
28%

Default passwords are banned by compliance mandates, and for
GOOD reason! Review and resolve using ANZDFTPWD
Default Passwords
All Default Passwords
Enabled, Default Passwords

One system had 2,199 users with default passwords.
99 systems had > 30 users with default passwords.
49 systems had > 100 users with default passwords.
Default Passwords

Inactive Profiles

Adopted Privileges
Programs can run with:
• Authority of the caller, plus…
• Authority of the program owner,
plus…
• Authority of the program owner
of other programs in the stack
96%
4%
Limits Imposed
Systems that restrict creation of
programs that adopt

“Limit Capabilities” controls what users can do on the system
command line.
Just remember some interfaces (e.g. FTP) do not check the setting
before processing some command requests!
5250 Command Line

Are you AV Scanning?
Scan on File OPEN
89%
11%
97%
3%
Scan on File CLOSE

248,095 Reasons To Scan Your IFS!

The Perfect Storm of Vulnerability
Some of the most valuable data
in any organization is on your
Power Systems server (iSeries,
AS/400).
Most IBM i data is not secured
and the users are far too
powerful.
Security awareness among IBM i
professionals is generally low.
IBM i awareness among audit
and compliance professionals is
generally even lower.

The Call to Action
1.Conduct a Security Scan (free and
deep-dive options).
2.Remediate “low-hanging fruit” such
as default passwords and inactive
accounts.
3.Review appropriateness of profile
settings: password rules, limit
capabilities (command line), special
authorities, etc.
4.Perform intrusion tests over FTP
and ODBC to assess risk of data
leaks.
5.Evaluate solutions to help mitigate
risk.

Download the Full Study
www.helpsystems.com/powertech
resources
white papers

www.helpsystems.com/powertech
(800) 328-1000 | info.powertech@helpsystems.com

Revealing the 2016 State of IBM i Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Revealing the 2016 State of IBM i Security

Similar to Revealing the 2016 State of IBM i Security (20)

More from HelpSystems

More from HelpSystems (20)

Recently uploaded

Recently uploaded (20)

Revealing the 2016 State of IBM i Security