WELCOME

MAY 1, 2013
Robin Tatam, Director of Security Technologies
Today’s Agenda

• Introductions
• Regulations on IBM i
• Conducting The Study
• The State of IBM i Security Study
• Resources for Security Officers
• Questions and Answers
Today’s Speaker

ROBIN TATAM
Director of Security Technologies
952-563-2768
robin.tatam@powertech.com
About PowerTech

• Premier Provider of Security Solutions & Services
  – 16 years in the security industry as an established thought leader
  – Customers in over 70 countries, representing every industry
  – Security Subject Matter Expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
Why Do I Need To Audit?

• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry Regulations, such as Payment Card Industry (PCI DSS)
• Internal Activity Tracking
• High Availability
• Application Research & Debugging
Which Standards Do I Audit Against?

• Is there a company Security Policy?
  (We’ve got one to help you get started)
• Guidelines and Standards
  – COBIT
  – ISO 27002 (formerly known as 17799)
  – ITIL
IT Controls—An Auditor’s Perspective

• Can users perform functions/activities that are in conflict with their job responsibilities?
• Can users modify/corrupt application data?
• Can users circumvent controls to initiate/record unauthorized transactions?
• Can users engage in fraud and cover their tracks?
The Auditor’s Credo…

Of course I believe you!
(But you still have to prove it to me)
Purpose Of The Study

• Help IT managers and auditors understand IBM i security exposures
• Focus on top areas of concern in meeting regulatory compliance
• Help IT develop strategic plans to address—or confirm—high risk vulnerabilities
How We Collect The Data

PowerTech Compliance Assessment
– Launched from a PC
– Collects security data
– Data for the study is anonymous

Companies are self-selected
– More, or less, security-aware?

Study first published in 2003
– Over 1,700 participants since inception

Schedule your Compliance Assessment at www.PowerTech.com
Be A Part of the Study!

[diagram: YOUR PC / YOUR IBM i SERVER / YOUR VULNERABILITIES]

(Participation in the Security Study is optional)
Inside the Compliance Assessment Report

– A simple summary provides auditors & executives with visual indicators
– The IBM i registry is reviewed to see if network events are audited or controlled
– *PUBLIC authority levels on application libraries are interrogated
– Statistics are retrieved on profile metrics, such as any profiles with default passwords
– Review of the system values that impact security
– Verify if auditing is active, and what types of audit events are being logged
– Determine how many users have Special Authorities (admin privileges)
Six Major Areas of Review

• System auditing
• Privileged users
• User and password management
• Data access
• Network access control
• System security values
State of IBM i Security—Overall

Assessed 101 different systems
A total of:
– 109,251 Users
– 43,104 Libraries

On average, per assessed system there were:
– 1,082 Users
– 427 Libraries

[chart: State of IBM i Security—Overall]

WARNING: September 30 will be here SOON!
QSECURITY (System Security Level)
[chart: No. of Systems by System Value QSECURITY]

System Security Level Historically
[chart]

What Does IBM Say About Security Level 30?
[slide]
Using QAUDJRN?
[chart: Systems Using the System i Audit Journal]

Audit Settings Historically
[chart: Systems Using the System i Audit Journal (2010-2012)]
Top 10 “Invalid Sign-On Attempts” Found

By study year:
– 2010: 1,000,000+
– 2011: 789,962
– 2012: 154,404

Top 10:
10) 7,729
9) 8,333
8) 12,921
7) 19,201
6) 23,183
5) 28,078
4) 147,918
3) 161,427
2) 211,631
1) 567,772

But there was one that even shocked us!

6.9 million... All undetected!
What should I look for?

What Good Is Audit Journal Data?

• Too much data
• Too many places to look
• Manual reporting processes
• Audit and IT get locked in a request/respond cycle
Is Anyone Paying Attention?

88% of systems were logging audit data but…
…only 27% of those had a recognized auditing tool installed

Over 6.9 million invalid sign-on attempts against a single profile!
– Would you be more concerned if you knew it was the QSECOFR profile?
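An added example (not PowerTech’s code, nor part of the original deck) of the kind of detection a 6.9-million-attempt run against QSECOFR should have tripped: it counts QAUDJRN PW entries per target profile, measures the tightest burst against each, and flags privileged targets. The five-column CSV layout of the sample entries is an assumption for the example, not the real journal record format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, simplified extract of QAUDJRN "PW" entries (invalid password or
# user name), one per line in the shape of a DSPJRN *OUTFILE exported as CSV:
#   timestamp, journal entry type, PW sub-type, target profile, device or address
# Sub-type P = password not valid, U = user name not valid. The real PW entry
# carries more fields; this five-column layout is an assumption for the example.
SAMPLE_JOURNAL = """\
2012-11-03 02:14:07,PW,P,QSECOFR,10.0.0.57
2012-11-03 02:14:08,PW,P,QSECOFR,10.0.0.57
2012-11-03 02:14:08,PW,P,QSECOFR,10.0.0.57
2012-11-03 02:14:09,PW,P,QSECOFR,10.0.0.57
2012-11-03 09:30:12,PW,P,JSMITH,DSP01
2012-11-03 09:30:40,PW,U,JSMTIH,DSP01
2012-11-03 11:02:55,PW,P,APPUSER,10.0.0.91
2012-11-03 11:03:01,PW,P,APPUSER,10.0.0.91
2012-11-03 11:03:02,PW,P,APPUSER,10.0.0.91
"""
# Profiles whose sign-on failures deserve a closer look regardless of volume.
PRIVILEGED = ("QSECOFR",)

def parse_pw_entries(text):
    """Return (timestamp, sub-type, profile, source) tuples for PW entries only."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, subtype, profile, source = (f.strip() for f in line.split(","))
        if etype == "PW":
            entries.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            subtype, profile, source))
    return entries

def attempts_per_profile(entries):
    """Total invalid attempts per target profile, the number the study ranks."""
    return Counter(profile for _, _, profile, _ in entries)

def max_burst(entries, profile, window_seconds):
    """Largest number of attempts against one profile inside any sliding window."""
    times = sorted(ts for ts, _, p, _ in entries if p == profile)
    window = timedelta(seconds=window_seconds)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_profiles(entries, threshold, window_seconds=60):
    """Profiles at or above the threshold, most attempts first, with the sources
    involved, the tightest burst, and whether the target is a privileged profile."""
    sources = defaultdict(set)
    for _, _, profile, source in entries:
        sources[profile].add(source)
    findings = []
    for profile, n in attempts_per_profile(entries).most_common():
        if n >= threshold:
            findings.append({"profile": profile, "attempts": n,
                             "burst": max_burst(entries, profile, window_seconds),
                             "privileged": profile in PRIVILEGED,
                             "sources": sorted(sources[profile])})
    return findings

if __name__ == "__main__":
    print(*flag_profiles(parse_pw_entries(SAMPLE_JOURNAL), threshold=3), sep="\n")
```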
Library Authority

• The only library authority that keeps users out is *EXCLUDE
• A policy of “Least Privilege” calls for *PUBLIC to be excluded and then authorized users granted the appropriate access
• You can (potentially) delete objects with only *USE authority to the library

[chart: Library Authority]

Library Authority—Historically
[chart]

When New Objects Are Created
[chart: Default Create Authority by Library]
Network Access Control

Many IBM i applications rely on menu security because…
– It’s easy to build
– It’s the legacy of many existing business applications

Menu security design assumes:
– Access always originates via the menus
– No user has command line access
– Users have no access to SQL-based tools

Menu security is often accompanied by:
– Users being members of the group that owns the objects
– *PUBLIC being granted broad (*CHANGE) access to data

ODBC isn’t rocket science anymore

Are These Services Running?
[chart]

Exit Program Coverage
[chart]
Administrator Privileges

Special Authority (aka Privileges):

*ALLOBJ (All Object)
The “gold key” to every object, and almost every administrative operation on the system, including unstoppable data access.

*SECADM (Security Administration)
Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority.

*IOSYSCFG (I/O Systems Configuration)
Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP).

*AUDIT (Audit)
The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD).

*SPLCTL (Spool Control)
This is the *ALLOBJ of spooled files. Allows a user to view/delete/hold/release any spooled file in any output queue, regardless of restrictions.

*SERVICE (Service)
Allows a user to access System Service Tools (SST), although, since V5R1, they also need an SST login.

*JOBCTL (Job Control)
Enables a user to start/end subsystems and manipulate other users’ jobs. Also provides access to spooled files in output queues designated as “operator control”.

*SAVSYS (Save System)
Enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object.
* Be cautious if securing objects at only a library level *
Administrator Privileges
[chart]

Best Practices call for <10 users with SPCAUTs
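An added example, not from the deck or PowerTech, that automates the reviews above and on the Library Authority slide: it counts profiles holding special authorities against the fewer-than-10 bar, flags *ALLOBJ holders and disabled profiles that still carry privileges, and lists libraries where *PUBLIC is not *EXCLUDE. The profile and library snapshots are constructed; the tuple shapes and the exemption of QSECOFR from the *ALLOBJ finding are assumptions.

```python
# The eight special authorities the deck walks through; the study counts
# every profile holding any of them as a "powerful user".
SPECIAL_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
                       "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS"}
MAX_PRIVILEGED_USERS = 10  # the deck's best-practice bar: fewer than 10

# Constructed snapshot of profiles as (name, special authorities, status), the
# shape DSPUSRPRF *OUTFILE or QSYS2.USER_INFO would return (values invented).
PROFILES = [
    ("QSECOFR", "*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS", "*ENABLED"),
    ("OPER1", "*JOBCTL *SAVSYS", "*ENABLED"),
    ("APPOWNER", "*ALLOBJ", "*ENABLED"),
    ("JSMITH", "*NONE", "*ENABLED"),
    ("OLDCONSULT", "*ALLOBJ *SECADM", "*DISABLED"),
    ("HELPDESK", "*SECADM", "*ENABLED"),
    ("BATCHPGM", "*JOBCTL", "*ENABLED"),
]
# Constructed *PUBLIC authority on application libraries (values invented).
LIBRARIES = [("PAYROLL", "*CHANGE"), ("GLDATA", "*USE"),
             ("HRDATA", "*EXCLUDE"), ("ARPROD", "*ALL")]

def held_authorities(spcaut):
    """Special authorities named in a DSPUSRPRF-style SPCAUT string."""
    return set(spcaut.split()) & SPECIAL_AUTHORITIES

def privileged_users(profiles):
    """Profiles holding at least one special authority, enabled or not."""
    return [name for name, spcaut, _ in profiles if held_authorities(spcaut)]

def authority_matrix(profiles):
    """How many profiles hold each special authority (the breakdown the study charts)."""
    counts = dict.fromkeys(sorted(SPECIAL_AUTHORITIES), 0)
    for _, spcaut, _ in profiles:
        for auth in held_authorities(spcaut):
            counts[auth] += 1
    return counts

def public_not_excluded(libraries):
    """Libraries whose *PUBLIC authority is anything other than *EXCLUDE."""
    return [(lib, auth) for lib, auth in libraries if auth != "*EXCLUDE"]

def review(profiles, libraries, max_privileged=MAX_PRIVILEGED_USERS):
    """Apply the deck's least-privilege checks; returns one finding per entry."""
    findings = []
    priv = privileged_users(profiles)
    if len(priv) >= max_privileged:
        findings.append(f"{len(priv)} profiles hold special authority "
                        f"(best practice: fewer than {max_privileged})")
    for name, spcaut, status in profiles:
        held = held_authorities(spcaut)
        if "*ALLOBJ" in held and name != "QSECOFR":
            findings.append(f"{name} holds *ALLOBJ (unstoppable data access)")
        if status == "*DISABLED" and held:
            findings.append(f"{name} is disabled but still holds {' '.join(sorted(held))}")
    for lib, auth in public_not_excluded(libraries):
        findings.append(f"library {lib}: *PUBLIC is {auth}, not *EXCLUDE")
    return findings

if __name__ == "__main__":
    print("\n".join(review(PROFILES, LIBRARIES)))
```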
Powerful Users Historically
[chart]

Endless News Reports of Insider Breaches
Minimum Password Length
[chart: No. of Systems by System Value QPWDMINLEN]
Not too hard to guess your way in!

Default Passwords
[chart: No. of Systems]

Password Expiration
[chart: No. of Systems by Password Expiration Period (Days)]

How Many Attempts?
[chart: No. of Systems by Maximum Sign On Attempts Allowed]
Let’s hope this wasn’t the server that experienced 6.9 million invalid attempts

And Then What?
[chart: Default Action for Exceeding Invalid Sign On Attempts]

Inactive Profiles
[chart: No. of Profiles]

5250 Command Line
[chart: No. of Profiles]
The Perfect Storm Of Vulnerability

• Security awareness among IBM i professionals is generally low
• IBM i awareness among audit professionals is generally low
• Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400)
• Most IBM i data is not secured and the users are far too powerful
The Call To Action

1. Conduct a Compliance Assessment (free and deep-dive options)
2. Remediate “low-hanging fruit” such as default passwords and inactive accounts
3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.
4. Perform intrusion tests over FTP and ODBC to assess data leak risk
5. Evaluate PowerTech solutions to mitigate risk

Comprehensive Security Solutions for Power Systems
Additional Resources

• Online Compliance Guide
• Security Policy
Questions

Thanks for your time!

Please visit www.PowerTech.com to access:
• Demonstration Videos & Trial Downloads
• Product Information Data Sheets
• White Papers / Technical Articles
• Customer Success Stories
• PowerNews (Newsletter)
• Robin’s Security Blog
• To request a FREE Compliance Assessment

www.powertech.com
(800) 915-7700
info@powertech.com
IBM i Security Study

  • 1.
    WELCOME MAY 1, 2013 RobinTatam, Director of Security Technologies
  • 2.
    Today’s Agenda • • • • • • 2 Introductions Regulations onIBM i Conducting The Study The State of IBM i Security Study Resources for Security Officers Questions and Answers
  • 3.
    Today’s Speaker ROBIN TATAM Directorof Security Technologies 952-563-2768 robin.tatam@powertech.com 3
  • 4.
    About PowerTech • Premier Providerof Security Solutions & Services – 16 years in the security industry as an established thought leader – Customers in over 70 countries, representing every industry – Security Subject Matter Expert for COMMON • • • • 4 IBM Advanced Business Partner Member of PCI Security Standards Council Authorized by NASBA to issue CPE Credits for Security Education Publisher of the Annual “State of IBM i Security” Report
  • 5.
    Today’s Agenda • • • • • • 5 Introductions Regulations onIBM i Conducting The Study The State of IBM i Security Study Resources for Security Officers Questions and Answers
  • 6.
    Why Do INeed To Audit? • • Industry Regulations, such as Payment Card Industry (PCI DSS) • Internal Activity Tracking • High Availability • 6 Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts Application Research & Debugging
  • 7.
    Which Standards Do IAudit Against? • Is there a company Security Policy? (We’ve got one to help you get started) • Guidelines and Standards – COBIT – ISO 27002 (formerly known as 17799) – ITIL 7
  • 8.
    IT Controls— An Auditor’sPerspective Can users perform functions/activities that are in conflict with their job responsibilities? Can users modify/corrupt application data? Can users circumvent controls to initiate/record unauthorized transactions? Can users engage in fraud and cover their tracks? 8
  • 9.
    The Auditor’s Credo… Ofcourse I believe you! (But you still have to prove it to me) 9
  • 10.
    Today’s Agenda • • • • • • 10 Introductions Regulations onIBM i Conducting The Study The State of IBM i Security Study Resources for Security Officers Questions and Answers
  • 11.
    Purpose Of TheStudy Help IT managers and auditors understand IBM i security exposures Focus on top areas of concern in meeting regulatory compliance Help IT develop strategic plans to address—or confirm—high risk vulnerabilities 11
  • 12.
    How We Collect TheData PowerTech Compliance Assessment – Launched from a PC – Collects security data – Data for the study is anonymous Companies are self-selected – More, or less, security-aware? Study first published in 2003 – Over 1,700 participants since inception Schedule your Compliance Assessment at www.PowerTech.com 12
  • 13.
    Be A Partof the Study! YOUR PC YOUR IBM i SERVER YOUR VULNERABILITIES (Participation in the Security Study is optional) 13
  • 14.
    Simple summary provides auditor& executives with visual indicators
  • 15.
    IBM i registryis reviewed to see if network event are audited or controlled 15
  • 16.
    *PUBLIC authority levels onapplication libraries are interrogated
  • 17.
    Statistics are retrievedon profile metrics, such as any with default passwords 17
  • 18.
    Review of the systemvalues that impact security
  • 19.
    Verify if auditingis active, and what types of audit events are being logged
  • 20.
    Determine how manyusers have Special Authorities (admin privileges)
  • 21.
    Six Major Areasof Review • • • • • • 21 System auditing Privileged users User and password management Data access Network access control System security values
  • 22.
    Today’s Agenda • • • • • • 22 Introductions Regulations onIBM i Conducting The Study The State of IBM i Security Study Resources for Security Officers Questions and Answers
  • 23.
    State of IBMi Security—Overall Assessed 101 different systems A total of: – 109,251 Users – 43,104 Libraries On average, per assessed system there were: – 1,082 Users – 427 Libraries 23
  • 24.
    State of IBMi Security—Overall 24
  • 25.
    State of IBMi Security—Overall WARNING: September 30 will be here SOON! 25
  • 26.
    No. of Systems QSECURITY (SystemSecurity Level) System Value: QSECURITY 26
  • 27.
  • 28.
    What Does IBMSay About Security Level 30? 28
  • 29.
    Using QUADJRN? Systems Usingthe System i Audit Journal 29
  • 30.
    Audit Settings Historically SystemsUsing the System i Audit Journal (2010-2012) 30
  • 31.
    Top 10 “InvalidSign-On Attempts” Found 2010: 1,000,000+ 2011: 789,962 2012: 154,404 31
  • 32.
    Top 10 “InvalidSign-On Attempts” Found 10) 9) 8) 7) 6) 5) 4) 3) 2) 1) 32 7,729 8,333 12,921 19,201 23,183 28,078 147,918 161,427 211,631 567,772
  • 33.
    Top 10 “InvalidSign-On Attempts” Found But there was one that even shocked us! 6.9 million... All undetected! 33
  • 34.
    What should Ilook for? 34
  • 35.
    What Good IsAudit Journal Data? Too much data Too many places to look Manual reporting processes Audit and IT get locked in a request/respond cycle 35
  • 36.
    Is Anyone Paying Attention? 88%of systems were logging audit data but… …only 27% of those had a recognized auditing tool installed Over 6.9 million invalid sign-on attempts against a single profile! – Would you be more concerned if you knew it was the QSECOFR profile? 36
  • 37.
    Library Authority The onlylibrary authority that keeps users out is *EXCLUDE A policy of ―Least Privilege‖ calls for *PUBLIC to be excluded and then authorized users granted the appropriate access You can (potentially) delete objects with only *USE authority to the library 37
  • 38.
  • 39.
  • 40.
    When New Objects AreCreated Default Create Authority by Library 40
  • 41.
    Network Access Control Many IBMi applications rely on menu security because… – It’s easy to build – It’s the legacy of many existing business applications Menu security design assumes: – Access always originates via the menus – No users has command line access – Users have no access to SQL-based tools Menu security is often accompanied by: – User being a member of group that owns the objects – *PUBLIC is granted broad (*CHANGE) access to data 41
  • 42.
    Network Access Control ODBC isn’trocket science anymore 42
  • 43.
    Are These ServicesRunning? 43
  • 44.
  • 45.
    Administrator Privileges Special Authority(aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS All Object The ―gold key‖ to every object, and almost every administrative operation on the system, including unstoppable data access 45
  • 46.
    Administrator Privileges Special Authority(aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Security Administration Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority 46
  • 47.
    Administrator Privileges Special Authority(aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS I/O Systems Configuration Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP) 47
  • 48.
    Administrator Privileges Special Authority(aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Audit The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD) 48
  • 49.
    Administrator Privileges Special Authority(aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Spool Control This is the *ALLOBJ of Spooled Files. Allows a user to view/delete/hold/release any spooled file in any output queue, regardless of restrictions 49
  • 50.
    Administrator Privileges Special Authority(aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Service Allows a user to access the System Service Tools (SST) login, although, since V5R1, they also need an SST login 50
  • 51.
    Administrator Privileges Special Authority(aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Job Control Enables a user to be able to start/end subsystems, manipulate other users’ jobs. Also provides access to spooled files in output queues designated as ―operator control‖ 51
  • 52.
    Administrator Privileges Special Authority(aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Save System Enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object * Be cautious if securing objects at only a library level * 52
  • 53.
  • 54.
    Administrator Privileges Best Practicescall for <10 users with SPCAUTs 54
  • 55.
  • 56.
    Endless News Reports ofInsider Breaches 56
  • 57.
    No. of Systems MinimumPassword Length System Value: QPWDMINLEN 57
  • 58.
    No. of Systems MinimumPassword Length Not too hard to guess your way in! System Value: QPWDMINLEN 58
  • 59.
  • 60.
    No. of Systems PasswordExpiration Password Expiration Period (Days) 60
  • 61.
    No. of Systems HowMany Attempts? Maximum Signon Attempts Allowed 61
  • 62.
    No. of Systems HowMany Attempts? Let’s hope this wasn’t the server that experienced 6.9 million invalid attempts Maximum Sign On Attempts Allowed 62
  • 63.
    And Then What? DefaultAction for Exceeding Invalid Sign On Attempts 63
  • 64.
  • 65.
    No. of Profiles 5250Command Line 65
  • 66.
    The Perfect Storm OfVulnerability Security awareness among IBM I professionals is generally low IBM i awareness among audit professionals is generally low Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400) Most IBM i data is not secured and the users are far too powerful 66
  • 67.
    The Call ToAction 1. Conduct a Compliance Assessment (free and deep-dive options) 2. Remediate ―low-hanging fruit‖ such as default passwords and inactive accounts 3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc. 4. Perform intrusion tests over FTP and ODC to assess data leak risk 5. Evaluate PowerTech solutions to mitigate risk 67
  • 68.
  • 69.
    Today’s Agenda • • • • • • 69 Introductions Regulations onIBM i Conducting The Study The State of IBM i Security Study Resources for Security Officers Questions and Answers
  • 70.
  • 71.
    Today’s Agenda • • • • • • 71 Introductions Regulations onIBM i Conducting The Study The State of IBM i Security Study Resources for Security Officers Questions and Answers
  • 72.
  • 73.
    Thanks for yourtime! Please visit www.PowerTech.com to access: • Demonstration Videos & Trial Downloads • Product Information Data Sheets • White Papers / Technical Articles • Customer Success Stories • PowerNews (Newsletter) • Robin’s Security Blog • To request a FREE Compliance Assessment www.powertech.com 73 (800) 915-7700 info@powertech.com