29
Fri, Nov
0 New Articles

The Five Characteristics of Organizations That Don’t Take IBM i Security Seriously

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Carol discusses the characteristics she’s observed over the years that are indications an organization isn’t taking IBM i security as seriously as it should.

I’ve seen the entire range of IBM i organizations when it comes to implementing security. There are organizations that have implemented “deny by default” and “least privilege access” postures such that, when I do a penetration test, I have little to no success in attaining access when I shouldn’t. Then there are organizations that are still running at QSECURITY level 20, where all profiles have *ALLOBJ—but at least they’re asking for help and are moving in the right direction. Unfortunately, and to put it bluntly, not all organizations care about IBM i security. Here are the characteristics I’ve observed over the years that indicate to me that an organization isn’t serious about attaining a secure IBM i.

#1:   Not realizing the value of the data residing on IBM i

By far, one indication that an organization isn’t taking IBM i seriously is that they fail to recognize the value of the data running on IBM i. Without this recognition, insufficient time and funds are allocated to protecting it. Many organizations think that, just because they don’t have data that falls under some law or regulation, they don’t have to worry about security. Nothing could be further from the truth. I talked to someone at a conference recently who was claiming that his company had “too much” security and he couldn’t understand why, given that they had no compliance requirements. I posed this question to him: If the data on your IBM i became unavailable, what would happen to your company? His response? “The manufacturing line would shut down.” “And who would that affect?” I asked. “The entire company,” was his response. He suddenly realized my point. It doesn’t matter if your organization falls under compliance requirements or not; if your data can be stolen, accidentally deleted or modified, or become unavailable due to ransomware, the very essence of the business is in danger. It’s unfortunate, but many organizations have drunk the Kool-Aid that IBM i is secure (rather than secureable) and ignore the fact that they need to apply resources to protect it.

#2: Not staying current

The next indication to me that an organization doesn’t care about IBM i security is that they don’t stay current. Several ways of not being current exist. First is the operating system (OS) itself. I’m shocked at how many organizations are running their operating systems at version 7.2 and earlier with no upgrade plans in sight! I also see organizations running IBM i 7.3 with no plans to upgrade even though end of support is September 30, 2023 (that’s slightly more than a month after this article is originally published). In addition to missing out on new features and enhancements of the current releases (many of which are security-related, especially in IBM i 7.5), the biggest issue of not staying current is the lack of support when security issues arise. Which brings me to my next point.

The operating system may be running at a supported release, but the PTF level may not be current. More than ever before, it’s incredibly important that you keep your PTFs up to date. Like it or not, open source is now used for many of the latest IBM i enhancements and features. Open-source code used in IBM i is used by other platforms and in many software packages literally around the world. Bad actors are constantly attempting to find and exploit vulnerabilities. As such, when a vulnerability is discovered, the IBM i team must incorporate the fix, just like all other operating systems and applications using this code. To reduce your organization’s risk of being exploited by a known vulnerability, your system must stay current with PTFs. The easiest way to keep your PTF levels current is to use the following service, which does a “phone home” to IBM to find the most recent PTFs and then compares that list to what’s installed.

SELECT *

   FROM SYSTOOLS.GROUP_PTF_CURRENCY

   ORDER BY PTF_GROUP_LEVEL_AVAILABLE - PTF_GROUP_LEVEL_INSTALLED DESC;

Unfortunately, there is an occasional defective PTF, so another service has been created that looks at defective PTFs and shows whether the replacement PTF is installed.

SELECT *

 FROM SYSTOOLS.DEFECTIVE_PTF_CURRENCY;

The final way organizations can be out of date is by not learning about and taking advantage of the new features and technologies IBM has provided us. If you’re reading this article, it’s doubtful that this applies to you. I get that everyone’s plate is full, so there’s a temptation to not change something if it’s not broken. But what if that old process could be made better—for example, fewer resources could be required, or the output could be made more readable or accessible, or data could be aggregated so that a human visual comparison between two reports could be eliminated? This refusal by IBM i administrators/programmers/security administrators to leave processes “as is” is what’s made some organizations assert that the system is “old.” The system isn’t old, but processes running on it sure can be! We are doing ourselves a huge disservice by not modernizing our processes. Also, not upgrading technology can put your organization at risk. Again, you may be running the latest OS level and be current on PTFs, but using old technology or old software could put your system at risk. For example, if you are still using the old (IBM calls it “Heritage,” but I call it like it is…old) Navigator for i, you’re putting your system at a security risk. Or, if you are still running the ancient Client Access for Windows, you’re using technology that’s been out of service for over four years (April 30, 2019) and, yes, I still see it in use. Not only does it have security issues, but you run the risk of a Microsoft Patch Tuesday breaking it and having to scramble to replace it across your entire organization with the current technology, Access Client Solutions (ACS). Rest assured, IBM is not going to put out a fix to resolve the issue; it will be your problem to resolve.

#3: Not monitoring for changes or not periodically reviewing security configurations

Another issue I see is not taking the time to monitor for security changes or review security configurations. Again, I understand that no one has extra time, but unless you are periodically (at a minimum quarterly) looking for changes or reviewing settings, I guarantee they are not what you expect them to be. How can settings change, you ask? Let me give you a few examples that I’ve seen over the years:

  • In the heat of trying to debug an application issue in the middle of the night, the *PUBLIC authority of an authorization list is changed from *PUBLIC *EXCLUDE to *ALL because, obviously, the issue was being caused by security (which it rarely is and wasn’t in this case), and the *PUBLIC authority was never changed back when admin realized that didn’t solve the problem.
  • Two user profiles are created with a default password because the administrator was in hurry and didn’t follow policy.
  • Users changed jobs within the organization and retained their original group profile assignments for training purposes. Now those users are members of a group representing an area of the business they haven’t worked for in for five years but still have access.
  • A developer was asked to work on a short-term project that required elevated authority. *ALLOBJ was assigned to their profile on a “temporary” basis. Two years later and 18 months after the project was completed, the developer still has *ALLOBJ.

Do any of these sound familiar?

#4: Not taking advantage of the features provided by IBM to secure the system

As a reader of my articles, you know I love to help people understand how to use the latest features IBM provides us either in a full OS release or in the periodic Technology Refreshes (TRs). Authority Collection has taken the mystery out of securing objects and demystified how much authority a user requires by telling us exactly how much authority is required. (New) Navigator for i has made security accessible to the novice user—including getting information out of the audit journal. And I can’t say enough about how much this non-SQL user loves SQL Services and has made administering IBM i security soooo much easier! But even if organizations don’t like these up-to-date features, there’s the old (but still working!) SECTOOLS that at least gives a basic view of security. Unfortunately, many organizations choose to ignore these integrated security features.

#5: Not using the software they’ve purchased

Many organizations have purchased one of the security vendor’s software packages to add another layer of security one top of what’s provided by the operating system. Unfortunately, I often see those software packages underutilized or, worse, not used at all! What a waste! Sometimes the administrator who was originally in place when the software was purchased has moved into another job or insufficient resources were never allocated when the software was purchased. Regardless, if you have this software, USE IT!

Summary

If you are reading this article and none of these issues applies to you, huzzah! You get a gold star! If one of these characteristics hits home, I encourage you to work with your management to get it resolved. Many of these characteristics manifest themselves because personnel—especially management—is uninformed about IBM i. Resources abound to help anyone in the organization gain a better understanding of IBM i. Perhaps you know of colleagues in the industry to which one or more of these characteristics applies; if so, I encourage you to talk with them. Many times peer-to-peer conversations can reach the unconvinced. I truly believe that, as a community, we can convince organizations to take IBM i security seriously.

Carol Woodbury

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.


MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

IBM i Security Administration and Compliance: Third Edition
Don't miss the newest edition by the industry’s #1 IBM i security expert.
List Price $71.95

Now On Sale

Mastering IBM i Security Mastering IBM i Security
Get the must-have guide by the industry’s #1 security authority.
List Price $49.95

Now On Sale

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: