IBM i (iSeries, AS/400) Security:
the Good, the Bad, and the downright Ugly
2016

Today’s Agenda
• Introductions
• Regulations on IBM i
• Conducting the Study
• The State of IBM i Security Study
• Questions and Answers

About PowerTech
• Premier Provider of Security Solutions & Services
– 19 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security Subject Matter Expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report

Why Do I Need to Audit?
• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry Regulations, such as Payment Card Industry (PCI DSS)
• Internal Activity Tracking
• High Availability
• Application Research & Debugging

Which Standards Do I Audit Against?
• Is there a company security policy? (We’ve got one to help you get started.)
• Guidelines and Standards
– COBIT
– ISO 27002 (formerly known as 17799)
– ITIL

IT Controls—an Auditor’s Perspective
• Can users perform functions/activities that are in conflict with their job responsibilities?
• Can users modify/corrupt application data?
• Can users circumvent controls to initiate/record unauthorized transactions?
• Can users engage in fraud and cover their tracks?

The Auditor’s Credo…
Of course I believe you!
(But you still have to prove it to me)

Purpose Of the Study
• Help IT managers and auditors understand IBM i security exposures
• Focus on top areas of concern in meeting regulatory compliance
• Help IT develop strategic plans to address—or confirm—high risk vulnerabilities

How We Collect the Data
• PowerTech Security Scan
– Launched from a PC
– Collects security data
– Data for the study are anonymous
• Companies are self-selected
– More or less security-aware?
• Study first published in 2004
– Over 2,000 participants since inception
Schedule your own security scan at www.helpsystems.com/powertech

Be a Part of the Study!
(Diagram labels: YOUR PC, YOUR IBM i SERVER, YOUR VULNERABILITIES)
(Participation in the Security Study is optional)

• Simple summary provides auditor & executives with visual indicators
• IBM i registry is reviewed to see if network events are audited or controlled
• *PUBLIC authority levels on application libraries are interrogated
• Statistics are retrieved on profile metrics, such as any with default passwords
• Review of the system values that impact security
• Verify if auditing is active, and what types of audit events are being logged
• Determine how many users have Special Authorities (admin privileges)

Six Major Areas of Review
• System auditing
• Privileged users
• User and password management
• Data access
• Network access control
• System security values

State of IBM i Security—Overall
Assessed 177 different systems throughout 2015
Multiple runs against single servers within 7 days were discarded
Settings reviewed from a total of:
– 238,409 User Profiles
– 94,066 Libraries
On average, each assessed system had:
– 1,347 Users
– 531 Libraries
That’s double the number from 2015!

QSECURITY (System Security Level)

What Does IBM Say about Security Level 30?

Auditing Events?

Top 10 “Invalid Sign-On Attempts” Found
610,387
Would you detect an Intrusion Attempt?
This is the number of attempts to access one partition that someone made using an individual profile.

48%
Systems with a profile that had experienced more than 1,000 invalid attempts
Who Is Watching?!

What Should I Look For?

What Good Is Audit Journal Data?
• Mountains of raw data
• Multiple places to look
• Frustrating manual reporting processes
As a result, auditors and IT often get locked in a request/respond cycle or IT only looks the day before the auditors arrive.

Is Anyone Paying Attention?
• 84% of systems had an IBM audit journal (QAUDJRN)
• 24% of those had a recognized auditing tool installed
• 18% of servers had the auditing control system turned off
• 610,000 invalid sign-on attempts against a single profile!
Would you be more concerned if it was the QSECOFR profile?

What is *PUBLIC?
*PUBLIC is a special reference to any user that is not explicitly named and given an authority.
(Although sometimes referred to as “anonymous” access, the user still needs credentials and is not anonymous to the organization.)

Deny By Default
The one and only library authority that keeps users out is *EXCLUDE.
A policy of “deny by default” calls for *PUBLIC to be excluded and then authorized named users or groups granted the appropriate access.
WARNING: A user can (potentially) delete objects with only *USE authority to the library.

Who Cares?

Library Authority

When New Objects Are Created

Network Access Control
Many IBM i applications rely on menu security because…
– It’s easy to build
– It’s the legacy of many existing business applications
Menu security design assumes:
– Access only originates via the menus
– No users have command line permission
– Users have no access to SQL-based tools
Menu security is often accompanied by:
– User being a member of group that owns the objects
– *PUBLIC is granted broad (*CHANGE) access to data
ODBC isn’t rocket science anymore

Are These Services Running?

A New Function?
In the 1990s, IBM supplemented Object Level security with a suite of Exit Points, which are temporary interruptions in an OS process in order to invoke a user-written program.
The function of an Exit Program for network access can be anything, but security officers typically want it to:
• Audit (as IBM doesn’t)
• Control (as good object security is often lacking)
The Exit Program has to return a pass/fail indicator to the Exit Point.

Exit Program Coverage

Administrator Privileges
Special Authority (aka Privileges)
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

All Object (*ALLOBJ)
The “gold key” to every object and almost every administrative operation on the system, including unstoppable data access.

Security Administration (*SECADM)
Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority.

I/O Systems Configuration (*IOSYSCFG)
Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP).

Audit (*AUDIT)
The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD).

Spool Control (*SPLCTL)
This is the *ALLOBJ of Spooled Files and allows a user to view, delete, hold, or release any spooled file in any output queue, regardless of restrictions.

Service (*SERVICE)
This allows a user to access the System Service Tools (SST) login, although they also need an SST login since V5R1.

Job Control (*JOBCTL)
This enables a user to start/end subsystems and manipulate other users’ jobs. It also provides access to spooled files in output queues designated as “operator control.”

Save System (*SAVSYS)
This enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object.
Note: Be cautious if securing objects at only a library level.

Try to get down to < 10 profiles with SPCAUTs

Endless News Reports of Insider Breaches
Spring 2015

Password vs. Passphrase
Password (10 character maximum)
Passphrase (128 character maximum)

Minimum Password Length
Not too hard to guess your way in!

Password Expiration

Other Password Rules

How Many Attempts?
Let’s hope this wasn’t the server that experienced 650,000 invalid sign-on attempts.

And Then What?

Default Passwords
Default profiles are banned by compliance mandates, and for GOOD reason! Review and resolve using ANZDFTPWD.
One system had 2,199 users with default passwords.
99 systems had > 30 users with default passwords.
49 systems had > 100 users with default passwords.

Inactive Profiles
Do you have obsolete user profiles?
Did you know IBM i has the ability to automatically disable an inactive account? (ANZPRFACT)

Adopted Privilege
Programs can run with:
• Authority of the caller, plus…
• Authority of the program owner, plus…
• Authority of the program owner of other programs in the stack

5250 Command Line
“Limit Capabilities” controls what users can do on the system command line.
Just remember some interfaces (e.g. FTP) don’t check the setting before processing some command requests!

Are you AV Scanning?

The Perfect Storm Of Vulnerability
• Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400).
• Most IBM i data is not secured and the users are far too powerful.
• Security awareness among IBM i professionals is generally low.
• IBM i awareness among audit and compliance professionals is generally low.

The Call To Action
1. Conduct a Security Scan (free and deep-dive options).
2. Remediate “low-hanging fruit” such as default passwords and inactive accounts.
3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.
4. Perform intrusion tests over FTP and ODBC to assess risk of data leaks.
5. Evaluate solutions to help mitigate risk.
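
An added example, not part of the original deck or of PowerTech's scan: a small profile review that applies steps 2 and 3 of the call to action to an exported list of user profiles and ranks what to fix first. The column names, the sample rows and the 90-day inactivity cut-off are assumptions made for illustration; the 1,000 invalid sign-on mark and the fewer-than-10 special-authority goal are the deck's own figures.

```python
import csv
import io
from collections import Counter

# Constructed sample export, one row per user profile. The column names are
# hypothetical; map them to whatever your own profile report provides.
SAMPLE_EXPORT = """\
profile,status,special_authorities,default_password,days_since_signon,invalid_signons,limit_capabilities
QSECOFR,*ENABLED,*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS,NO,2,3,*NO
APPOWNER,*DISABLED,*ALLOBJ,NO,400,0,*YES
JSMITH,*ENABLED,,YES,12,0,*YES
TEMP01,*ENABLED,*JOBCTL *SPLCTL,YES,210,1500,*NO
CLERK7,*ENABLED,,NO,1,4,*YES
"""

INACTIVE_DAYS = 90           # assumption: the deck names no inactivity cut-off
INVALID_SIGNON_MARK = 1000   # the study's "more than 1,000 invalid attempts"
SPCAUT_PROFILE_GOAL = 10     # the deck's goal: fewer than 10 such profiles


def review_profile(row):
    """Return the findings for one profile row, in a fixed order."""
    enabled = row["status"] == "*ENABLED"
    spcaut = row["special_authorities"].split()
    findings = []
    if row["default_password"] == "YES":
        findings.append("default password")
    if enabled and int(row["days_since_signon"]) > INACTIVE_DAYS:
        findings.append("inactive but still enabled")
    if int(row["invalid_signons"]) > INVALID_SIGNON_MARK:
        findings.append("over 1,000 invalid sign-on attempts")
    if spcaut:
        findings.append("special authorities: " + " ".join(spcaut))
    # Anything other than *YES leaves the profile some command line use.
    if enabled and row["limit_capabilities"] != "*YES":
        findings.append("command line not limited")
    return findings


def priority(row, findings):
    """Rank a profile so the usable, guessable and powerful ones come first."""
    enabled = row["status"] == "*ENABLED"
    guessable = "default password" in findings
    powerful = bool(row["special_authorities"].split())
    if enabled and guessable and powerful:
        return "critical"
    if enabled and (guessable or int(row["invalid_signons"]) > INVALID_SIGNON_MARK):
        return "high"
    return "review" if findings else "ok"


def audit(export_text):
    """Review every profile in a CSV export and summarise the system."""
    profiles = {}
    spcaut_count = 0
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = review_profile(row)
        profiles[row["profile"]] = (priority(row, findings), findings)
        if row["special_authorities"].split():
            spcaut_count += 1
    return {
        "profiles": profiles,
        "by_priority": Counter(rank for rank, _ in profiles.values()),
        "spcaut_profiles": spcaut_count,
        "spcaut_goal_met": spcaut_count < SPCAUT_PROFILE_GOAL,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    order = ["critical", "high", "review", "ok"]
    for name, (rank, findings) in sorted(
        report["profiles"].items(), key=lambda item: order.index(item[1][0])
    ):
        print(f"{rank:8} {name:10} {'; '.join(findings) or '-'}")
    print("profiles with special authorities:", report["spcaut_profiles"],
          "(goal met)" if report["spcaut_goal_met"] else "(above goal)")
```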
Download the Full Study
www.helpsystems.com/powertech
resources
white-papers