PowerWire.eu

Independent IBM i, AIX and Linux news and tech tips for Europe and beyond


IBM i security survey: be afraid, very afraid…

May 27, 2015 by Seamus Quinn

There’s only one conclusion that one can reach after reading PowerTech’s latest security survey: IBM i people just aren’t scared enough.

The midrange security specialist has been issuing the results of its annual State of IBM i Security Study for 12 years. Its 2015 study reviewed data from 110 IBM i servers and partitions audited between January and December 2014.

Given that we Power i types like to sing the praises of the platform’s inherent security, some of PowerTech’s findings are quite shocking.

Take *ALLOBJ, for example. This is the special authority that provides users with the unrestricted ability to view, change and delete every file and program on a system. Average number of people in an organisation given *ALLOBJ status? 75.

Yes, you read that last number right. It is ridiculously high. Organisations in the U.S.A. alone lost $40 billion due to employee theft and fraud last year. In one American survey of IT folk, 46% of them reported internal incidents as the most common cause of the breaches they experienced in the past year. Out of those, almost half said the breach stemmed from a malicious insider.

The authors of the report point out that, in general, it is good security practice to keep the number of users with these sorts of powers to fewer than ten. However, only six of the 110 systems reviewed had ten or fewer users with *ALLOBJ authority. To say that *JOBCTL and *SPLCTL authorities were also sprinkled far too liberally would be an understatement.

How about passwords? Surely the message on this one must have gotten through to the midrange masses?

First the good news. IBM i provides the capability to require a minimum length for passwords. According to PowerTech’s results, 80% met or surpassed the best practices standard of six characters or more.

But mandates like the Payment Card Industry Data Security Standard (PCI DSS) specify the importance of a seven-character password (or longer). 54% of servers in the study failed to satisfy this requirement, and more than 15% of systems let users select a password that was less than five characters long.

What’s more, PowerTech checked for profiles that have a default password – where the password is the same as the user name. This is a particularly high-risk factor for the Power i, say the study’s authors, because this is the default when new user profiles are created.

Nearly 9% of enabled user profiles had default passwords. More than half (52%) of the systems in the study had more than 30 user profiles with default passwords. One system had 1,434 user profiles (918 of them enabled) with default passwords out of only 1,956 total users.

Another bad practice highlighted by the report was the vast number of phantom user profiles that had been set up but never used, or had once belonged to an ex-employee. There was also a general inability to check whether user accounts had been hit repeatedly by password-guessing attempts (almost half of the systems had a profile that had experienced more than 100 denied attempts).
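The findings above translate directly into checks a site can run against its own user-profile data. The Python below is an added example, not PowerTech’s tooling or anything from the report: the CSV export and its column names are constructed for illustration (the `default_password` flag stands in for whatever a real export provides), while QPWDMINLEN is the actual IBM i system value for minimum password length.

```python
import csv
import io

# Thresholds taken from the figures quoted in the article.
MAX_ALLOBJ_USERS = 10        # ten or fewer *ALLOBJ holders is the cited good practice
PCI_MIN_PASSWORD_LEN = 7     # PCI DSS asks for seven characters or more
DENIED_ATTEMPT_LIMIT = 100   # the study flagged profiles with more than 100 denied attempts

# Constructed sample export (not real data). The column names are assumptions made
# for this example; an actual export would come from the system's user profile data.
SAMPLE_EXPORT = """\
user,status,special_authorities,denied_signons,default_password
QSECOFR,*ENABLED,*ALLOBJ *SECADM *JOBCTL *SPLCTL,2,N
ALICE,*ENABLED,*ALLOBJ *JOBCTL,0,N
BOB,*ENABLED,*JOBCTL *SPLCTL,0,Y
CAROL,*DISABLED,*NONE,0,Y
DAVE,*ENABLED,*NONE,143,N
EVE,*ENABLED,*ALLOBJ,0,Y
"""

def parse_export(text):
    """Turn the CSV export into a list of profile dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": r["user"],
            "enabled": r["status"] == "*ENABLED",
            "authorities": set(r["special_authorities"].split()),
            "denied": int(r["denied_signons"]),
            # Constructed flag: Y means the password equals the user name.
            "default_pwd": r["default_password"] == "Y",
        })
    return rows

def audit(profiles, qpwdminlen):
    """Apply the article's checks; qpwdminlen is the system's QPWDMINLEN value."""
    allobj = sorted(p["user"] for p in profiles if "*ALLOBJ" in p["authorities"])
    default_any = [p for p in profiles if p["default_pwd"]]
    default_enabled = sorted(p["user"] for p in default_any if p["enabled"])
    guessed = sorted(p["user"] for p in profiles if p["denied"] > DENIED_ATTEMPT_LIMIT)
    return {
        "allobj_users": allobj,
        "allobj_within_guideline": len(allobj) <= MAX_ALLOBJ_USERS,
        "default_password_total": len(default_any),      # all profiles, like the 1,434 figure
        "default_password_enabled": default_enabled,     # enabled only, like the 918 figure
        "possible_guessing": guessed,
        "pci_length_ok": qpwdminlen >= PCI_MIN_PASSWORD_LEN,
    }

if __name__ == "__main__":
    for key, value in audit(parse_export(SAMPLE_EXPORT), qpwdminlen=6).items():
        print(f"{key}: {value}")
```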

There are some caveats. As PowerTech itself points out, the sample used in the survey was not random. Data was collected via the HelpSystems division’s Compliance Assessment tool and people at the firms involved were concerned enough about IBM i security to request an assessment.

As the report says: “This may have resulted in a sample that is either unusually security-conscious or, at the other extreme, knowingly deficient. Our experience leads us to believe the latter is closer to the norm.”

The report points out that the integrated nature of many IBM i security controls has caused confusion over who is responsible for the configuration – IBM, the customer, or the application provider. As a result, many systems operate with default settings due to a lack of ownership.

The report also points to another phenomenon in today’s IT industry, breach fatigue. Already noted as a well-established consumer behavior, this is where the sheer amount of security horror stories provokes inaction. But if this mindset is leaking into IT departments themselves, then such fatalism is surely a boon to the hackers.

All in all, PowerTech’s report is extremely thought-provoking. Thankfully, it’s not all gloom and doom. Its authors take the trouble to advise readers on the practical steps that they can take to avoid every pitfall it describes. As such, wherever you think your organisation sits within the security spectrum, it makes for recommended reading. You can download it here.
