IBM i Security Expert Uncovers Dirty Little Secret

25 August 2015
Expert Uncovers the
“Dirty Little Secret” of IBM i Security
!! Security Alert !!

© 2015 HelpSystems, LLC. All trademarks and registered trademarks are the property of their respective owners2
ROBIN TATAM
Director of Security Technologies
robin.tatam@powertech.com
Your Presenter

• Has over 25 years of IBM i experience, including
10 years in security
• Is a subject matter expert and award-winning
speaker for COMMON
• Officially certified by ISACA as an Information
Security Manager
• Holds more than 20 IBM certifications
• Hosts technical presentations on a variety of
security topics
• Authors articles on security for leading trade
journals and newsletters
• An award-winning photographer
Your Presenter

Security vs. Compliance

Security
A state of being whose ultimate
objective is to prevent unauthorized
or undesired activity

Compliance
The adherence to a stated
policy or standard

Warning: You can be fully compliant
even if the policy or standard does
not outline desirable practices!
Policy:
• Don’t prevent authorized activity
• Allow any user to modify data
• Permit data to be taken home

The primary goal of a compliance
standard is to act as a guideline to help
maintain an acceptable level of
operating procedures and security.
Regulations are:
– Not a precise technical roadmap
– Have to be interpreted
– Often outline a basic minimum

Businesses rely on auditors to be interpreters.
Unfortunately, many don’t speak the ‘i’ language.
4.3.2 Privileged
account access should…
Don’t grant
end users *ALLOBJ

Okay SOX, what
should I set my
system values to?!
Regulations don’t usually speak
‘technology’, and certainly don’t speak ‘i’.

Far too many organizations approach
compliance as the sole objective without
seeing the value to their security.
What’s the least I can do
and still be able to check
the box to say I did it?

Unfortunately, the fact that
most organizations have to
invest so much to achieve
compliance shows how our
security has fallen short.
Don’t lose sight of security even
when your compliance is your
primary objective.

Do you have your own
regulatory directive?

Maybe you say NO!
as you don’t have to deal with
PCI, HIPAA, SOX, GLBA, BASEL II, etc.

But
everyone
should have one

It’s called a
Security Policy

A security policy is a map to guide employees
and may contain many levels targeted at
different audiences, business units, or purposes.
Corporate What the business goal is
Information Technology
How to configure the technology to support the
business goals
End User Acceptable use policies

How susceptible is my
IBM Power Systems
server to attack?
“I was assured this
server was secure!”
Why Do We Care? We’re On Power Systems!

The IBM i
operating
system is
secure

What do you think?

The IBM i
operating
system is
secure

The IBM i
operating system
is highly
securable

Secure Securable
A Common Misconception

They’re On To Us!

“Security by obscurity”
is no longer a good option…
Of course, it never
really was!
v
Hacking for Dummies?
Security By Obscurity

But are you using them?
IBM i contains numerous
world-class security features!
A Common Misconception

What’s integrated?
– Intrusion Detection System (IDS)
– Support for Role-Based Access (RBAC)
– Object-level security
– Event auditing
– Operating system integrity protection
– Security exit points
What Comes Free (or Cheap)?

What else is needed?
– Security exit programs
– User provisioning and management
– Real-time audit notification
– Database monitoring
– Audit and compliance reporting and control
– Anti-virus software
What Upgrades Are Available?

An Alarming State
State of IBM i Security

PowerTech uses anonymous audit data
from our Compliance Assessment tool
to compile an annual study of security
statistics.
This study (available online) provides a
picture of what IBM i shops are
currently doing with their security
controls.
And, year after year, it shows that there
is definitely still room (and a need) for
improvement!
Where Is Improvement Needed?
2015
www.helpsystems.com/powertech
resources / white-papers

QSECURITY: System Security Level

Library Authority

Password Frenzy
Not too hard to
guess your way in!

Who’s Using the Audit Journal?

Managing
Network Access
Network Access

Exit Point Coverage

PowerTech Network Security
• Modern Browser-based UI
• Multi-Partition Aware
• Real-time Dashboards
• Transaction Reports
• Access Control
• Alert Notification
• On-going development
• World-class Support
Comprehensive Exit Point Coverage
from the leader in IBM i Security

Managing
Privileged Users
Privileged Users

Programmers
Claim they need *ALLOBJ authority to fix production applications
System Administrators
Claim they need *IOSYSCFG authority to configure and change the
system and *SECADM and perhaps *ALLOBJ to reset passwords
Operators
Claim they need *JOBCTL, *SPLCTL, and *SAVSYS to IPL and do
backups and other specialized functions
Vendors
Can’t imagine running without Security Officer rights
Privileged Users

END USER # 427
Oh, and…

Limit Capabilities *NO
User Class *PGMR
Initial Menu QSYS/MAIN
Special Authorities: *ALLOBJ, *JOBCTL
Operations Navigator
END USER # 427
Hackers Aren’t The Only Threat

Endless Examples of Insider Breaches

Don’t ever assume that
“my users could not/would not (know how to) do that”
because you already gave them a valid login.
It CAN Happen To You

The #1 issue cited
by auditors is:
Control and monitoring
of powerful users
Auditors Are In Agreement

What defines a powerful user?
1. Carry one or more special
authorities
2. Granted private authority
3. Access to a system with
permissive public access
to production data
PLUS the ability to execute commands
What is Powerful?

How Many On Each Server (Average)?

5
Mistakes Are Made

Grant access to privileges on an as-needed
basis.
User Actions should be audited to ensure
accountability and visibility to each individual’s
activities.
This is required to satisfy virtually all regulatory
mandates worldwide.
Mitigate This!

PowerTech Authority Broker
User profile
lacks
necessary
authority
Switch profile
request
submitted
Authority
increased
Comprehensive Reporting
Profile Swap Alerts
Separation of Duties

Easy-to-read (and searchable) visibility to:
• Interactive SQL
• Data File Utility (DFU)
• System Service Tools (SST)
• Program Development Manager

A Common Myth
A Common Myth

‘i’ can contract a virus!
Long thought to be immune to the virus threat, IBM i can
actually act as the source of virus problems on your network.
Virus activity can be discovered on:
• Mapped Drives
• FTP
• Image Catalogs
• Backup Tapes
• High Availability
A Common Myth

Who’s Scanning For Viruses?

Where Next?
Wrapping Up

• Data is secured by out-of-date methods
(if at all).
• Management assumes data is secured
as no one is advising them otherwise.
• Regulatory demands are the primary
catalyst of change.
The Past and The Present

• More regulatory mandates trying to
stem data loss.
• Businesses will be called upon to react
faster using more calculated methods.
• Potential for corporate and consumer
”breach fatigue.”
The Future

Do NO thing
The Worst Plan

Take ACT ion
The Best Plan

• IT Security has (but has to keep) executive attention
– This is the best opportunity to solve long-standing problems
– Gain management approval now
– Fight symptoms of “breach fatigue”
• Control users with broad authority to production data
– Leaving users unchecked is both an audit exception and an
accident waiting to happen
– Don’t accept that powerful users have to be limitless
• Limit the use of—and necessity for—powerful profiles
– Monitor and report when power is used
Summary

• SECURITY and COMPLIANCE are not the same
• IBM i ships in an “allow-all” configuration and CORRECTIVE
ACTION must be taken to move to a “deny-all” configuration
• Evaluate coverage and functionality of 1st gen security tools
• OS and tooling should play COMPLEMENTARY ROLES
• RISK can (and should) be reduced; it’s never totally eliminated
Summary

How Can PowerTech Help Us?

6 categories of review
Completes in under 5 minutes
Includes executive summary
Accompanied by live review and Q&A
Personalized recommendations
7-day grace period
FREE!
Option 1 — Security Scan

Did I Remember To Mention…

System Auditing Controls
Unsecured Profiles
Public Authorities
Password Policy
Administrative Rights
Analyzed by Leading Industry Experts
Option 2 —Risk Assessment

Other Available Information

Familiarize yourself with the Ponemon Institute.
Perform cost analysis of a breach:
• Forensic analysis
• Notification
• Lawsuits
• Loss of customer confidence
• Corporate embarrassment
• Suspension of ability to trade
• Lowered business valuation
• Jail terms
A significant breach can be a enterprise killer!
Additional Steps for Cost Justification

Visit PowerTech online to access:
• State of IBM i Security Study
• Online Compliance Guide
• Open source security policy
• Articles
• Webinars/educational events
• White papers
• e-newsletter
• Security solution datasheets
Free Online Resources

Thank You For Joining Me
ROBIN TATAM
Director of Security Technologies
robin.tatam@powertech.com

IBM i Security Expert Uncovers Dirty Little Secret

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

Similar to IBM i Security Expert Uncovers Dirty Little Secret

Similar to IBM i Security Expert Uncovers Dirty Little Secret (20)

More from HelpSystems

More from HelpSystems (20)

Recently uploaded

Recently uploaded (20)

IBM i Security Expert Uncovers Dirty Little Secret