IBM i (iSeries, AS/400) Security: the Good, the Bad, and the downright Ugly

Post on 22-Apr-2018


IBM i (iSeries, AS/400) Security: the Good, the Bad, and the downright Ugly

2016

2

Today’s Agenda

• Introductions

• Regulations on IBM i

• Conducting the Study

• The State of IBM i Security Study

• Questions and Answers

3

Today’s Speaker

Robin Tatam, Director of Security Technologies

robin.tatam@helpsystems.com

4

About PowerTech

• Premier Provider of Security Solutions & Services

– 19 years in the security industry as an established thought leader

– Customers in over 70 countries, representing every industry

– Security Subject Matter Expert for COMMON

• IBM Advanced Business Partner

• Member of PCI Security Standards Council

• Authorized by NASBA to issue CPE Credits for Security Education

• Publisher of the Annual “State of IBM i Security” Report

5


7

Why Do I Need to Audit?

• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts

• Industry Regulations, such as Payment Card Industry (PCI DSS)

• Internal Activity Tracking

• High Availability

• Application Research & Debugging

8

Which Standards Do I Audit Against?

• Is there a company security policy? (We’ve got one to help you get started.)

• Guidelines and Standards

– COBIT

– ISO 27002 (formerly known as 17799)

– ITIL

9

IT Controls—an Auditor’s Perspective

Can users perform functions/activities that are in conflict with their job responsibilities?

Can users modify/corrupt application data?

Can users circumvent controls to initiate/record unauthorized transactions?

Can users engage in fraud and cover their tracks?

10

The Auditor’s Credo…

Of course I believe you!

(But you still have to prove it to me)


12

Purpose Of the Study

Help IT managers and auditors understand IBM i security exposures

Focus on top areas of concern in meeting regulatory compliance

Help IT develop strategic plans to address—or confirm—high risk vulnerabilities

13

How We Collect the Data

PowerTech Security Scan

– Launched from a PC

– Collects security data

– Data for the study are anonymous

Companies are self-selected

– More or less security-aware?

Study first published in 2004

– Over 2,000 participants since inception

Schedule your own security scan at www.helpsystems.com/powertech

14

Be a Part of the Study!

(Participation in the Security Study is optional)

[Diagram: YOUR PC → YOUR IBM i SERVER → YOUR VULNERABILITIES]

Simple summary provides auditors & executives with visual indicators

16

IBM i registry is reviewed to see if network events are audited or controlled

*PUBLIC authority levels on application libraries are interrogated

18

Statistics are retrieved on profile metrics, such as any with default passwords

Review of the system values that impact security

Verify if auditing is active, and what types of audit events are being logged

Determine how many users have Special Authorities (admin privileges)

22

Six Major Areas of Review

• System auditing

• Privileged users

• User and password management

• Data access

• Network access control

• System security values


24

State of IBM i Security—Overall

Assessed 177 different systems throughout 2015

Multiple runs against single servers within 7 days were discarded

Settings reviewed from a total of:

– 238,409 User Profiles

– 94,066 Libraries

On average, each assessed system had:

– 1,347 Users

– 531 Libraries

That’s double the number from 2015!


26

QSECURITY (System Security Level)


28

What Does IBM Say about Security Level 30?

29

Auditing Events?

30

Top 10 “Invalid Sign-On Attempts” Found

610,387

Would you detect an Intrusion Attempt?

This is the number of attempts to access one partition that someone made using an individual profile.


32

Top 10 “Invalid Sign-On Attempts” Found

48%

Systems with a profile that had experienced more than 1,000 invalid attempts

Who Is Watching?!

33

What Should I Look For?

34

What Good Is Audit Journal Data?

• Mountains of raw data

• Multiple places to look

• Frustrating manual reporting processes

As a result, auditors and IT often get locked in a request/respond cycle or IT only looks the day before the auditors arrive.

35

Is Anyone Paying Attention?

84% of systems had an IBM audit journal (QAUDJRN)

24% of those had a recognized auditing tool installed

18% of servers had the auditing control system turned off

610,000 invalid sign-on attempts against a single profile!

Would you be more concerned if it was the QSECOFR profile?
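An added example, not from the presentation, of putting the slide’s question to the system itself: the IBM i SQL services QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO are assumed to be available on the release in use, and the 1,000-attempt threshold is the one the study reports on.

```sql
-- Added example, not from the presentation. Assumes QSYS2.SYSTEM_VALUE_INFO
-- and QSYS2.USER_INFO exist on this release (they do on current IBM i).

-- 1. Is anything being recorded? QAUDCTL = '*NONE' means the QAUDJRN
--    journal receives no entries even when the journal exists, and the
--    *AUTFAIL value in QAUDLVL is what logs failed sign-ons (PW entries).
SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QSECURITY', 'QAUDCTL', 'QAUDLVL',
                             'QMAXSIGN', 'QMAXSGNACN');

-- 2. Profiles whose invalid sign-on counter is past the threshold the
--    study used (1,000). The counter resets on a successful sign-on, so
--    this is the live picture; the audit journal holds the history.
--    Privileged profiles (*ALLOBJ / *SECADM) sort first, because 610,000
--    guesses at QSECOFR is a different problem from 610,000 at a clerk.
SELECT AUTHORIZATION_NAME,
       SIGN_ON_ATTEMPTS_NOT_VALID,
       STATUS,
       PREVIOUS_SIGNON,
       CASE WHEN SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
              OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
            THEN 'PRIVILEGED' ELSE 'STANDARD' END AS PROFILE_RISK
  FROM QSYS2.USER_INFO
 WHERE SIGN_ON_ATTEMPTS_NOT_VALID > 1000
 ORDER BY PROFILE_RISK, SIGN_ON_ATTEMPTS_NOT_VALID DESC;
```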

36

What is *PUBLIC?

*PUBLIC is a special reference to any user that is not explicitly named and given an authority.

(Although sometimes referred to as “anonymous” access, the user still needs credentials and is not anonymous to the organization.)

37

Deny By Default

The one and only library authority that keeps users out is *EXCLUDE.

A policy of “deny by default” calls for *PUBLIC to be excluded and then authorized named users or groups granted the appropriate access.

WARNING: A user can (potentially) delete objects with only *USE authority to the library.
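An added example, not the presenter’s code, of the deny-by-default policy and its warning in practice: it assumes QSYS2.OBJECT_PRIVILEGES and QSYS2.QCMDEXC (IBM i 7.3-level SQL services), and APPLIB and APPUSERS are constructed names for an application library and the group that needs it.

```sql
-- Added example, not from the presentation. Assumes QSYS2.OBJECT_PRIVILEGES
-- and QSYS2.QCMDEXC; APPLIB and APPUSERS are constructed names.

-- Step 1: which libraries let *PUBLIC in at all? Only *EXCLUDE keeps them out.
SELECT OBJECT_NAME AS LIBRARY_NAME,
       OBJECT_AUTHORITY AS PUBLIC_AUTHORITY,
       OWNER
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE OBJECT_SCHEMA = 'QSYS'            -- libraries live in QSYS
   AND OBJECT_TYPE = '*LIB'
   AND AUTHORIZATION_NAME = '*PUBLIC'
   AND OBJECT_AUTHORITY <> '*EXCLUDE'
   AND OBJECT_NAME NOT LIKE 'Q%'         -- skip IBM-supplied libraries
 ORDER BY OBJECT_NAME;

-- Step 2: deny by default on APPLIB. Exclude *PUBLIC, grant the named
-- group, and set the library's create authority so that objects created
-- later also start out *EXCLUDE for *PUBLIC.
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(QSYS/APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)');
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(QSYS/APPLIB) OBJTYPE(*LIB) USER(APPUSERS) AUT(*USE)');
CALL QSYS2.QCMDEXC('CHGLIB LIB(APPLIB) CRTAUT(*EXCLUDE)');

-- Step 3: the slide's warning. Deleting an object needs *OBJEXIST on the
-- object itself plus *EXECUTE on its library, and *USE already includes
-- *EXECUTE. Library authority alone decides nothing, so check what
-- *PUBLIC holds on the objects inside.
SELECT OBJECT_NAME, OBJECT_TYPE, OBJECT_AUTHORITY,
       OBJECT_EXISTENCE,                   -- YES: *PUBLIC can delete the object
       DATA_DELETE                         -- YES: *PUBLIC can delete its records
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE OBJECT_SCHEMA = 'APPLIB'
   AND AUTHORIZATION_NAME = '*PUBLIC'
   AND (OBJECT_EXISTENCE = 'YES' OR DATA_DELETE = 'YES')
 ORDER BY OBJECT_NAME;
```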

38

Who Cares?

39

Library Authority

40

When New Objects Are Created


42

Network Access Control

Many IBM i applications rely on menu security because…

– It’s easy to build

– It’s the legacy of many existing business applications

Menu security design assumes:

– Access only originates via the menus

– No users have command line permission

– Users have no access to SQL-based tools

Menu security is often accompanied by:

– User being a member of the group that owns the objects

– *PUBLIC is granted broad (*CHANGE) access to data

43

Network Access Control

ODBC isn’t rocket science anymore

44

Are These Services Running?


46

A New Function?

In the 1990s, IBM supplemented Object Level security with a suite of Exit Points, which are temporary interruptions in an OS process in order to invoke a user-written program.

The function of an Exit Program for network access can be anything, but security officers typically want it to:

• Audit (as IBM doesn’t)

• Control (as good object security is often lacking)

The Exit Program has to return a pass/fail indicator to the Exit Point.

47

Exit Program Coverage
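An added example, not from the presentation, of checking exit program coverage for the network services the deck discusses: it assumes the QSYS2.EXIT_PROGRAM_INFO SQL service is available, and the exit point names listed are a sample of the IBM-defined ones, not the complete set.

```sql
-- Added example, not from the presentation. Assumes QSYS2.EXIT_PROGRAM_INFO
-- exists on this release. The exit points below are a sample of the
-- IBM-defined network exit points, chosen for the services the deck covers
-- (ODBC/JDBC, FTP, remote command, file serving, sign-on).
WITH NETWORK_EXITS (EXIT_POINT_NAME, SERVICE) AS (
  VALUES ('QIBM_QZDA_INIT',       'Database server (ODBC/JDBC) connect'),
         ('QIBM_QZDA_SQL1',       'Database server SQL requests'),
         ('QIBM_QZDA_NDB1',       'Database server native DB requests'),
         ('QIBM_QTMF_SVR_LOGON',  'FTP server logon'),
         ('QIBM_QTMF_SERVER_REQ', 'FTP server requests'),
         ('QIBM_QZRC_RMT',        'Remote command / program call'),
         ('QIBM_QPWFS_FILE_SERV', 'File server (IFS share)'),
         ('QIBM_QZSO_SIGNONSRV',  'Sign-on server')
)
-- An exit point with no registered program is one where nothing is
-- audited or controlled beyond plain object authority: ** NONE ** rows
-- sort to the top so the gaps are the first thing on the report.
SELECT N.EXIT_POINT_NAME,
       N.SERVICE,
       COALESCE(P.EXIT_PROGRAM_LIBRARY CONCAT '/' CONCAT P.EXIT_PROGRAM,
                '** NONE **') AS EXIT_PROGRAM
  FROM NETWORK_EXITS N
  LEFT JOIN QSYS2.EXIT_PROGRAM_INFO P
         ON P.EXIT_POINT_NAME = N.EXIT_POINT_NAME
 ORDER BY CASE WHEN P.EXIT_PROGRAM IS NULL THEN 0 ELSE 1 END,
          N.EXIT_POINT_NAME;
```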


49

Administrator Privileges

Special Authority (aka Privileges): *ALLOBJ (All Object)

The “gold key” to every object and almost every administrative operation on the system, including unstoppable data access.

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

50

Special Authority (aka Privileges): *SECADM (Security Administration)

Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority.

51

Special Authority (aka Privileges): *IOSYSCFG (I/O Systems Configuration)

Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP).

52

Special Authority (aka Privileges): *AUDIT (Audit)

The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD).

53

Special Authority (aka Privileges): *SPLCTL (Spool Control)

This is the *ALLOBJ of Spooled Files and allows a user to view, delete, hold, or release any spooled file in any output queue, regardless of restrictions.

54

Special Authority (aka Privileges): *SERVICE (Service)

This allows a user to access System Service Tools (SST), although since V5R1 they also need a separate service tools (SST) user ID and password.

55

Special Authority (aka Privileges): *JOBCTL (Job Control)

This enables a user to start/end subsystems and manipulate other users’ jobs. It also provides access to spooled files in output queues designated as “operator control.”

56

Special Authority (aka Privileges): *SAVSYS (Save System)

This enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object.

* Be cautious if securing objects at only a library level *

57

Administrator Privileges

58

Administrator Privileges

Try to get down to < 10 profiles with SPCAUTs

59

Endless News Reports of Insider Breaches

60

Endless News Reports of Insider Breaches (Spring 2015)

61

Password vs. Passphrase

62

Password vs. Passphrase

Password (10 character maximum)

Passphrase (128 character maximum)

63

Minimum Password Length

64

Minimum Password Length

Not too hard to guess your way in!

65

Password Expiration

66

Other Password Rules

67

Other Password Rules

68

How Many Attempts?

69

How Many Attempts?

Let’s hope this wasn’t the server that experienced 650,000 invalid sign-on attempts.

70

And Then What?

71

Default Passwords

Default profiles are banned by compliance mandates, and for GOOD reason! Review and resolve using ANZDFTPWD

72

Default Passwords

One system had 2,199 users with default passwords.

99 systems had > 30 users with default passwords.

49 systems had > 100 users with default passwords.

73

Inactive Profiles

Do you have obsolete user profiles?

Did you know IBM i has the ability to automatically disable an inactive account? (ANZPRFACT)
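An added example, not the presenter’s code, that covers the “low-hanging fruit” of the last few slides in one place: privileged profiles (the deck’s target of fewer than 10 with special authorities), inactive profiles, and default passwords. It assumes QSYS2.USER_INFO and QSYS2.QCMDEXC are available; the 90-day inactivity window is a chosen assumption, not a figure from the study.

```sql
-- Added example, not from the presentation. Assumes QSYS2.USER_INFO and
-- QSYS2.QCMDEXC; the 90-day window is an assumption, not a study figure.

-- Privileged users: who holds *ALLOBJ or *SECADM? LIMIT_CAPABILITIES is
-- shown alongside because, as the deck notes, it only restricts the 5250
-- command line and is not honoured by interfaces such as FTP.
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, STATUS,
       SPECIAL_AUTHORITIES, LIMIT_CAPABILITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
 ORDER BY AUTHORIZATION_NAME;

-- Inactive profiles: still enabled, but no sign-on for 90 days (or ever).
-- PREVIOUS_SIGNON is NULL for a profile that has never signed on.
SELECT AUTHORIZATION_NAME, PREVIOUS_SIGNON, PASSWORD_CHANGE_DATE
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND (PREVIOUS_SIGNON IS NULL
        OR PREVIOUS_SIGNON < CURRENT TIMESTAMP - 90 DAYS)
 ORDER BY PREVIOUS_SIGNON;

-- Let the OS enforce both from now on: ANZPRFACT disables profiles that
-- stay idle past INACDAYS, and ANZDFTPWD ACTION(*PWDEXP) expires every
-- password equal to the profile name so the owner must change it at
-- the next sign-on (ACTION(*NONE) only reports; *DISABLE disables).
CALL QSYS2.QCMDEXC('ANZPRFACT INACDAYS(90)');
CALL QSYS2.QCMDEXC('ANZDFTPWD ACTION(*PWDEXP)');
```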

74

Adopted Privilege

Programs can run with:

• Authority of the caller, plus…

• Authority of the program owner, plus…

• Authority of the program owner of other programs in the stack

75

5250 Command Line

“Limit Capabilities” controls what users can do on the system command line

Just remember some interfaces (e.g. FTP) don’t check the setting before processing some command requests!

76

Are you AV Scanning?

77

The Perfect Storm Of Vulnerability

Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400).

Most IBM i data is not secured and the users are far too powerful.

Security awareness among IBM i professionals is generally low.

IBM i awareness among audit and compliance professionals is generally low.

78

The Call To Action

1. Conduct a Security Scan (free and deep-dive options).

2. Remediate “low-hanging fruit” such as default passwords and inactive accounts.

3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.

4. Perform intrusion tests over FTP and ODBC to assess risk of data leaks.

5. Evaluate solutions to help mitigate risk.

79

Download the Full Study

www.helpsystems.com/powertech

resources

white-papers

80

www.helpsystems.com/powertech

(800) 915-7700 | info@powertech.com
