Fortra Issues 20th State of IBM i Security Report
May 24, 2023 Alex Woodie
IBM is celebrating 35 years of its midrange platform next month, and there is no doubt it will be an exciting moment for the IBM i community. But there’s another occasion you might not be aware of: the 20th annual State of IBM i Security Study, which was issued last month by Fortra (formerly HelpSystems).
Back in 2004, the security experts at PowerTech took it upon themselves to analyze the configurations of customers’ actual iSeries and AS/400 servers (there were still AS/400s around) and write a report sharing what they found. As you might imagine, the state of security, as depicted in that first State of iSeries Security report, was not good.
For example, 84 percent of the systems analyzed had more than 10 users with ALLOBJ authority, and 18 percent of the users covered in the survey had default passwords. While 33 percent of the systems were using exit points (higher than expected), there was no monitoring of exit points on 74 percent of the systems (not good).
The security outlook was mostly bleak. As the late PowerTech CTO John Earl told the late IT Jungle Executive Managing Editor Dan Burger, less than 10 percent of the systems analyzed could have passed a Sarbanes-Oxley audit. “Probably far less than 10 percent,” Earl said.
While PowerTech was acquired by HelpSystems in 2008, the organization continued to issue the annual State of (Pick Your System Name) Security reports. In some years, the state of security seemed to improve a skosh. In other years, there was regression. Because of the nature of the sampling (anybody could volunteer to have their production, test, or development system tested), it was tough to make year-to-year comparisons, but we tried our best anyway.
Fast forward 19 years to 2023, and Fortra (HelpSystems changed its name last fall) is continuing the tradition with the 20th annual State of IBM i Security. In some ways, the state of security is better. In some ways, there’s a need for improvement.
For example, 70 percent of surveyed systems were at a recommended QSECURITY level (40 or 50). Only four out of the 112 systems analyzed were at level 20, with the rest at level 30. While neither are recommended security levels, there are serious concerns with running at level 20, according to Amy Williams, senior security services consultant for Fortra.
“As soon as you create a user profile, by default it’s granted ALLOBJ in SAVSYS, so it’s an administrator of the system,” Williams said during a recent Fortra webinar presenting the findings. “At 30 there are some opportunities for users to be able to elevate that aren’t well-known, without explicit permission, to other user profiles, so that’s the big one that gets kind of capped off when you move into 40.”
But the fact that 30 percent of systems surveyed were not meeting IBM-recommended security levels is “a big concern,” said Sandi Moore, principal security consultant at Fortra.
“It should be frightening people,” she said on the webinar with Williams. “The fact that they’re still there [at level 20 or 30] is a big issue and I hope that doing a security scan with us and actually evaluating your system and talking about what this means for you and what the impact will be – I’m hoping that it will get somebody to take action on this.”
The level of default password use in IBM i-land remains a concern. In this year’s study, 61 percent of the systems analyzed had more than 30 user profiles with default passwords; 30 percent had more than 100 such profiles. One system analyzed for Fortra had nearly 2,300 profiles with default passwords, with nearly 90 percent of them enabled.
“This one always surprises me,” Williams said. “IBM ships the system very functional. But it also means that it’s very open. The default today, at IBM i 7.4 and prior, is that when you create a user profile, the default is to create it with that default password. And when that happens it makes it really easy to enumerate those profiles and be able to guess that password and be able to take systems over.”
Special authorities are another perpetual area of concern in IBM i security. Administrators typically are the only ones who need to be in a user profile with special authorities, for making changes to the system or killing batch jobs or print jobs. Best practices call for fewer than 10 users to have one or more of the eight special authorities on IBM i, but that number is exceeded year after year.
“When we look at this, unfortunately, year over year, the data doesn’t change much,” Moore said. “And we haven’t seen a whole lot of movement in this. I don’t know really where the struggle is and why we’re seeing it, but it continues to be a concern.”
If there was a highlight, it’s around *ALLOBJ, the most powerful special authority because a user can use it to grant himself or herself other special privileges. Only 11 percent of users held *ALLOBJ, which Fortra says is “a significant improvement” from the previous two years’ average, which was 30 percent. But there’s a lot of work left to do with the other authorities.
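The three findings above (QSECURITY level, default passwords, special authorities) can be checked against the report's own thresholds in a few lines. The following Python is an added example, not code from the article or from Fortra; the listing layout and column order are assumed for illustration (a constructed sample, not a real DSPUSRPRF outfile), and the default-password flag stands in for what ANZDFTPWD would report.

```python
"""Added example, not from the article or Fortra: score a constructed IBM i
profile listing against the best-practice thresholds the report cites."""

RECOMMENDED_QSECURITY = 40          # report: level 40 or 50 is recommended
MAX_SPECIAL_AUTHORITY_USERS = 10    # report: fewer than 10 users with any special authority
EIGHT_SPECIAL_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SAVSYS",
                             "*SERVICE", "*AUDIT", "*IOSYSCFG", "*SPLCTL"}

# Constructed sample, one profile per line (assumed layout, not a real outfile):
# profile, status, default-password flag (Y if the password equals the profile
# name, as ANZDFTPWD reports it), then the special authorities held.
SAMPLE_LISTING = """\
QSECOFR  *ENABLED  N *ALLOBJ *SECADM *JOBCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG *SPLCTL
OPERATOR *ENABLED  N *JOBCTL *SAVSYS
DEVUSER1 *ENABLED  Y *ALLOBJ *SAVSYS
DEVUSER2 *DISABLED Y *NONE
CLERK1   *ENABLED  Y *NONE
CLERK2   *ENABLED  N *NONE
"""

def parse_listing(text):
    """Turn the whitespace-separated listing into one dict per profile."""
    profiles = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, status, dftpwd, *auths = line.split()
        profiles.append({"name": name,
                         "enabled": status == "*ENABLED",
                         "default_password": dftpwd == "Y",
                         "special": set(auths) & EIGHT_SPECIAL_AUTHORITIES})
    return profiles

def assess(profiles, qsecurity):
    """Return the findings the report measures, keyed so a caller can act on them."""
    special_users = [p["name"] for p in profiles if p["special"]]
    return {
        "qsecurity_ok": qsecurity >= RECOMMENDED_QSECURITY,
        "special_authority_users": special_users,
        "too_many_special": len(special_users) >= MAX_SPECIAL_AUTHORITY_USERS,
        "allobj_users": [p["name"] for p in profiles if "*ALLOBJ" in p["special"]],
        # enabled profiles with default passwords are the ones that matter most
        "enabled_default_password": [p["name"] for p in profiles
                                     if p["default_password"] and p["enabled"]],
    }

if __name__ == "__main__":
    for key, value in assess(parse_listing(SAMPLE_LISTING), qsecurity=30).items():
        print(f"{key}: {value}")
```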
Not much improvement has been made with exit points and exit programs over the years. In this year’s study, 35 percent said they had one or more exit programs in place, meaning 65 percent were leaving exit points for network access via FTP, ODBC, and JDBC wide open. Only 3 percent of the systems surveyed had all 27 exit points covered with exit programs, Fortra said.
Those figures represent an increase in the number of customers with exit programs, but a decrease in the number of systems with complete coverage of the points, Moore said. Fortra and other IBM i security vendors, of course, sell exit point monitoring software, which is sometimes referred to as a network firewall for the IBM i server.
“What we really want to see is that these exit programs provide auditing and access control so you can actually see who’s coming in through those side doors and what they’re doing when they come in through the side doors,” she said. “The system itself does not provide that information for you. It’s unfortunate that we still see that there’s not a lot of adoption of this technology. It really should be one of the first deployed improvements to security on the system to give you that visibility to who’s connecting to the system and how they’re connecting.”
The data on auditing was a mixed bag. The good news is that 81 percent of the systems surveyed by Fortra had an audit journal in place. But just turning on the QAUDJRN and getting real benefit from it are two different things, Williams said.
“You’ve got it turned on. Are you looking at it?” she said. “There is an overwhelming amount of information that you can get from the audit journal that’s all built into IBM i. So knowing what to audit and how to audit that and then to look at it” are not the same things.
Unfortunately, only 25 percent of surveyed systems had “a recognizable tool” installed to analyze the audit data. For some, that could be due to data being offloaded to SIEM tools, which typically reside off the IBM i server.
A lower percentage of IBM i systems – only 13 percent – had antivirus protection installed and configured to scan the opening of files, according to the study. That figure would seem to fly in the face of minimum security protection during a period of elevated ransomware activity, according to Moore. “The IFS is absolutely a willing candidate for infection, hosting malware as well as being attacked by ransomware,” she said.
Best security practices call for overlapping layers of protection. But when multiple security violations cascade – say, a user with ALLOBJ authority and a share on the root folder, whose Windows antivirus software then fails – that’s when really bad things can happen.
“We have a ton of real world examples,” Moore said. “It isn’t a matter of ‘if’ it’s going to happen. If you have read-write shares, it’s ‘when’ it’s going to happen.”
To read the 2023 State of IBM i Security Study and view Fortra’s presentation, go to www.fortra.com/resources/guides/state-ibm-i-security-study.