PowerTech Security Survey Says Most IT Departments Could Do Better

Maybe your idea of bad security is leaving the front gate open at San Quentin. Although the prison guard responsible would likely get a harsh reprimand for such an error, there are iSeries and AS/400 security failures that are the equivalent of leaving the prison gate open 24/7. And if you think it doesn’t happen very often, you might want to read a white paper just released from PowerTech Group that was based on survey information collected during the past 18 months.

How bad is security on the iSeries? Let’s just say it’s not a pretty story. But it’s not a story about a machine with security weaknesses; it’s a story about people who are not locking the gate.

Would you be surprised to learn that, of the systems tabulated in the PowerTech report, 87 percent of the total database libraries reviewed allow any user on the system to change the contents of those libraries?

Here are a few other statistics that are ominously alarming:

• Seventy four percent of systems do not monitor or control data access through common network access points such as FTP, ODBC, and Remote Commands.

• Eight four percent of systems had more than 10 users with *ALLOBJ (super user) privilege.

• Eighteen percent of users on each system had default passwords (the password name is the same as the user name).

You might as well be tossing the warden’s car keys to the scary-looking guy in cell block 13. Okay, enough of the prison security analogies.

Although PowerTech and other third-party security vendors, as well as IBM, have been raising the collective consciousness of iSeries users for several years, this survey and subsequent white paper illustrate how most shops have yet to make security a high priority. If you feel like you’re all alone by not covering your bases, you’re not.

When it comes to monitoring changes to individual records, most shops don’t have tools in place. And most couldn’t identify who is reading sensitive data. Your customer files, for instance, could be copied without a trace.

Here’s one example from the PowerTech files that John Earl, chief technology officer at PowerTech, related. An insurance company became suspicious that someone inside the company was taking the company’s policy files. In case after case when customer policies were coming due, the same competitor was always in the right place at the right time talking to the customer. The competitor always new what day the policy expired and how much the customer was paying, and it was using this advantage to steal the customer. At first it seemed coincidental, but it eventually became clear there was a pattern that went beyond the fortuitous efforts of a super salesperson.

The insurance company wanted to know if it could trace who downloaded the files, when it was done, and who was trading the information. Without the proper security tools in place in advance, Earl noted, there was no way to go back a get that kind of information.

“This is the type of thing that can fire up a company to get its security issues in check,” says Brendan Patterson, product manager at PowerTech.

When access to information is not guarded, and particularly when there is no exit program in place, there’s no way of knowing how often people inappropriately access or change data.

As this study shows, many companies have too many users with too much power and unchecked access to the system. When users have a lot of power, a lot of knowledge, and no accountability, because no one in the organization is set up to monitor security, you have the potential for abuse. The survey statistics reveal four systems in which more than 100 users had all-object (*ALLOBJ), or what is also called “super user,” authority. Can you imagine the potential for harm?

“Some people have powerful authorities without reason, Earl says. “These people could, for instance, delete an entire production database. It could happen by mistake or by malicious intent.”

Another survey statistic that Earl mentions is that only one third of the companies implemented exit points. “Companies that have exit points in place have at least put some adequate controls,” Earl says. “With exit point security they could identify people changing the data and people reading the data. If everyone has access to the data, and there is no effective blockade in front of network exit points, then you are inviting a problem.”

“The fact that 33 percent of the people in the survey are using exit points is actually higher than what we thought it would be,” Patterson says. “We think that statistic indicates people are getting the message about security and are putting exit point programs in place.”

Patterson also believes compliancy mandates such as the Sarbanes-Oxley Act are responsible for raising awareness about exit point security. “The regulatory environment has put a new light on security issues,” Patterson says. “Auditors are scrutinizing the boxes and writing reports about security deficiencies. Without exit point security, companies will not pass the audit.”

This type of monitoring can be done with tools that are available on the iSeries, and additional controls can be put into place with third-party software, which PowerTech and other vendors develop and sell.

Sarbanes-Oxley does not specifically address IT security. It does require adequate internal controls over a financial reporting system. Of course, IT plays a key role in the reporting infrastructure. So financial controls means having good IT controls.

“There needs to be a framework in place to assess and measure controls,” Patterson says. “And the controls need to be compliant with ‘best practices,’ which are a published and approved framework. Most of the large audit firms use COBIT as that framework. COBIT is a benchmark that can be applied, and companies know it will pass audit.”

“You could say our study is the state of the iSeries security,” Earl says. “It shows that most iSeries installations would not pass an audit for Sarbanes-Oxley. From our studies, the number of companies that could pass an audit would be less than 10 percent, and probably far less than 10 percent.”

Even though Sarbanes Oxley mandates compliance for publicly traded companies, the controls it puts on those companies are also being applied by private companies wanting to get their financial ship in order and understanding that business-critical documents could be at risk.

“Sarbanes-Oxley talks about proper controls being in place to prevent tampering or misstatement of financial data, but if almost everyone in the organization has access to that data, and could hook up an Excel spreadsheet to the accounting books and modify it, now you have Enron-kind of fraud possibilities,” Earl says.

Although serious as a heart attack, some of the security issues are fairly humorous as well. For instance, the number of systems using default passwords is laughable. The study shows 24 systems–each with more than 200 users–using default passwords. “That means, if my user ID is John, my password is John,” Earl says. “That’s not that hard to guess,” Earl notes. “Anyone who accesses that system over the Internet or by walking in and sitting down at a workstation can probably log on just by guessing.”

Another password faux pax that the study uncovered was one-character passwords. “That’s probably worse than accepting the default password, because someone actually had to go in and set up that password.” Earl says.

To get a copy of the PowerTech white paper that explains the survey results in their entirety, go to www.powertech.com.