State Of IBM i Security? Dismal As Usual, PowerTech Says
May 19, 2014 Alex Woodie
Organizations are taking unnecessary risks by neglecting to properly secure their IBM i environments, according to PowerTech’s 2014 State of IBM i Security report, which it released last week. While PowerTech spotted all kinds of security shortcomings–ranging from too many powerful profiles to using lax security levels–the most glaring problem may have to do with poor password management.
Bad password hygiene leaves IBM i shops open to external hackers and internal threats, PowerTech says. You are not going to find Heartbleed-level password problems, where billions of once-trusted passwords instantly became vulnerable overnight. But considering the level of fine-tuning that’s available through IBM i operating system facilities and settings–such as the ability to force users to adopt strong passwords and to reset their passwords at certain intervals–it’s really a shame that passwords aren’t more secure than they are.
Consider these statistics pulled from PowerTech’s study. The company found that 53 percent of systems had more than 30 users with default passwords. One system analyzed by PowerTech had 1,823 user profiles with default passwords, out of 1,935 total users. Not every user profile is going to provide a path to the crown jewels, but keeping default passwords around is extremely bad form. Every rookie hacker knows the default password on IBM i systems is the user ID, so it’s unacceptable to have any default passwords, let alone a great number of them.
Changing default passwords is a good first step, but it doesn’t guarantee Fort Knox-like access control, either. On nearly three out of ten systems surveyed by PowerTech, users were never required to change their passwords, while on 40 percent of the systems, numbers aren’t required to be used in passwords. (Using numbers and other characters in passwords is considered good password management.)
PowerTech put more emphasis on analyzing password practices in this study, its 11th annual study, says Robin Tatam, PowerTech director of security technologies and author of the study. “What we realize is there’s not enough in the background to protect the database once the users are on the system, so it’s more critical that we take control of the mechanisms that many of us are putting your eggs into, which is the basket of making sure that credentials are valid,” he tells IT Jungle.
The company also looked at authority failures, which occur when somebody or some application uses the wrong password to log onto the server. Good security practices dictate that a user profile is deactivated after a certain number of failures. But IBM i shops don’t always follow good security practices (you might have detected a theme here).
At one shop, PowerTech recorded 2 million authority failures over the course of the year. In this particular case, it was likely the result of a broken application. But hackers are also known to use automated bots to try to gain unauthorized access to servers.
“What’s more concerning to me as a security person is I’m the one telling them that it’s happening,” Tatam says. “They don’t have any awareness that this has been going on. That to me is one of the biggest red flags of unauthorized activity that exists on the system. The invalid sign-on attempt is one of the things that the IBM i server has to be able to say ‘Help! Somebody is trying to get in who shouldn’t be.’”
PowerTech found that 12 percent of its survey respondents did not have the QAUDJRN audit journal turned on. And while that number is down from recent years, it still represents a serious security problem. “Even if you’re not interested in buying a commercial solution, I tell customers to turn the collection on,” Tatam says. “It’s like a camera in a bank. If somebody comes in and robs the bank, I can go back and rewind the tape and look at it.”
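As an added illustration of the two points above (the pile-up of authority failures nobody is told about, and the audit journal as the "camera" that records them), the script below is example code, not from the PowerTech report or IT Jungle: it triages invalid sign-on entries from a constructed, simplified QAUDJRN export, flags still-enabled profiles whose failures passed a threshold, and separates attempts against profile names that do not exist. The CSV column names and the threshold are assumptions.

```python
"""Triage IBM i audit-journal sign-on failures. Added example, not code from
the PowerTech report; input is a constructed, simplified CSV export of QAUDJRN
PW (invalid sign-on) entries, so the column names here are assumptions."""
from collections import Counter
import csv
import io

# Constructed sample. PW subtype P = password not valid for an existing
# profile, U = user name not valid. The CP row (profile change) is included
# to show that non-PW entries are ignored.
SAMPLE_AUDIT_CSV = """\
timestamp,entry_type,subtype,user,job
2014-05-12T08:01:10,PW,P,BATCHUSR,QZDASOINIT
2014-05-12T08:01:11,PW,P,BATCHUSR,QZDASOINIT
2014-05-12T08:01:12,PW,P,BATCHUSR,QZDASOINIT
2014-05-12T08:01:13,PW,P,BATCHUSR,QZDASOINIT
2014-05-12T09:15:00,PW,P,JSMITH,QPADEV0001
2014-05-12T09:15:40,PW,P,JSMITH,QPADEV0001
2014-05-12T10:02:05,PW,U,ROOT,QTFTP00123
2014-05-12T10:02:09,PW,U,ADMIN,QTFTP00123
2014-05-12T10:02:14,PW,U,ROOT,QTFTP00123
2014-05-12T11:00:00,CP,N,JSMITH,QPADEV0001
"""

# Assumed review threshold; compare against the system's own QMAXSIGN value.
MAX_SIGNON_ATTEMPTS = 3

def parse_pw_entries(text):
    """Keep only PW (invalid sign-on) rows from the export."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["entry_type"] == "PW"]

def failures_per_user(entries):
    """Invalid sign-on attempts per profile name, all subtypes."""
    return Counter(e["user"] for e in entries)

def flag_enabled_profiles(entries, enabled_profiles, threshold=MAX_SIGNON_ATTEMPTS):
    """Existing, still-enabled profiles at or above the threshold: failures
    have piled up and the profile was never disabled or reviewed."""
    counts = failures_per_user(entries)
    return sorted(u for u, n in counts.items()
                  if n >= threshold and u in enabled_profiles)

def unknown_user_attempts(entries, known_profiles):
    """Subtype U rows naming profiles that do not exist on the system."""
    return Counter(e["user"] for e in entries
                   if e["subtype"] == "U" and e["user"] not in known_profiles)
```

A run over a real export would feed the same functions the output of the system's own audit-journal extraction, with the enabled-profile set taken from the profile list.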
A lack of basic understanding about network exit points continues to plague the IBM i platform, PowerTech finds. Tatam might have understood if IT pros were not worried about exit points because they had already taken steps to secure them, or perhaps had implemented object-level security, which affords some protection. “It’s that they’re completely unaware that exit points exist!” he says. “So their FTP and ODBC traffic is potentially exposed.”
According to PowerTech’s survey, 66 percent of the systems had zero exit point programs in place. Of the third who did have exit programs, the majority of them were covering the popular protocols, like FTP and ODBC. Only 6 percent of the respondents had coverage for all 27 IBM i exit points.
Monitoring the exit points is critical because the operating system (and its menu-based security approach) was designed before FTP, ODBC, and SQL were in widespread use. Without a product or a program to guard the exit points, there is no oversight or control over the activity conducted using those protocols.
Another common problem is using an IBM i security level that’s lower than what IBM recommends. IBM recommends using security level 40 or higher, but 27 percent of the systems studied by PowerTech were running security level 30 or 20. Anything less than security level 40 is very likely to lead to a failed PCI audit. But that’s only if you’re lucky (or unlucky?) enough to have an auditor who actually knows how to spell IBM i on Power Systems.
“I’ve seen a customer who’s been audited on things that are not important in the i world because of the nature of the beast, but the auditor completely overlooks the fact that FTP is unlocked,” Tatam says. “If you’re struggling to achieve compliance–that’s the minimum you need to be doing. If you’re not self-policing very well, we’re going to tell you what you have to do. If you can’t reach that level, what does that say about the security of the environment? Because compliance should be easier if you’re secure.”
Tatam will be presenting the results of the survey in an upcoming webinar. In the meantime, to download the full report, go to PowerTech’s webpage at www.ibmisecurity.com/index.php?source=ptcom_homepage_banner.