IBM i security survey: be afraid, very afraid…

There’s only one conclusion that one can reach after reading PowerTech’s latest security survey: IBM i people just aren’t scared enough.

The midrange security specialist has been issuing the results of its annual State of IBM i Security Study for 12 years. Its 2015 study reviewed data from 110 IBM i servers and partitions audited between January and December, 2014.

Given that us Power i types like to sing the praises of the platform’s inherent security, some of PowerTech’s findings are quite shocking.

Take *ALLOBJ, for example. This is the special authority that provides users with the unrestricted ability to view, change and delete every file and program on a system. Average number of people in an organisation given *ALLOBJ status? 75.

Yes, you read that last number right. It is ridiculously high. Organisations in the U.S.A. alone lost $40 billion due to employee theft and fraud last year. In one American survey of IT folk, 46% of them reported internal incidents as the most common cause of the breaches they experienced in the past year. Out of those, almost half said the breach stemmed from a malicious insider.

The authors of the report point out that, in general, it is good security practice to keep the number of users with these sorts of powers to less than ten. However, only six of the 110 systems reviewed had ten or less users with *ALLOBJ authority. To say that *JOBCTL and *SPLCTL authorities were also sprinkled far too liberally would be an understatement.

How about passwords? Surely the message on this one must have gotten through to the midrange masses?

First the good news. IBM i provides the capability to require a minimum length for passwords. According to PowerTech’s results, 80% met or surpassed the best practices standard of six characters or more.

But mandates like the Payment Card Industry Data Security Standard (PCI DSS) specify the importance of a seven character password (or longer). 54% of servers in the study failed to satisfy this requirement and more than 15% of systems let users select a password that was less than five characters long.

What’s more, PowerTech checked for profiles that have a default password – where the password is the same as the user name. This is a particularly high-risk factor for the Power i, say the study’s authors, because this is the default when new user profiles are created.

Nearly 9% of enabled user profiles had default passwords. More than half (52%) of the systems in the study had more than 30 user profiles with default passwords. One system had 1,434 user profiles (918 of them enabled) with default passwords out of only 1,956 total users.

Another bad practice highlighted by the report was the vast amounts of phantom user profiles that were set up and unused or were once used by an ex-employee. There was a general inability to check if user accounts have been hit multiple times in order to guess a password (almost half of the systems had a profile that had experienced more than 100 denied attempts).

There are some caveats. As PowerTech itself points out, the sample used in the survey was not random. Data was collected via the HelpSystems division’s Compliance Assessment tool and people at the firms involved were concerned enough about IBM i security to request an assessment.

As the report says: “This may have resulted in a sample that is either unusually security-conscious or, at the other extreme, knowingly deficient. Our experience leads us to believe the latter is closer to the norm.”

It points out that the integrated nature of many IBM i security controls has caused confusion over who is responsible for the configuration – IBM, the customer, or the application provider. As such, many systems operate with default settings due to lack of ownership.

The report also points to another phenomenon in today’s IT industry, breach fatigue. Already noted as a well-established consumer behavior, this is where the sheer amount of security horror stories provokes inaction. But if this mindset is leaking into IT departments themselves, then such fatalism is surely a boon to the hackers.

All in all, PowerTech’s report is extremely thought-provoking. Thankfully, it’s not all gloom and doom. Its authors take the trouble to advise readers on the practical steps that they can take to avoid every pitfall it describes. As such, wherever you think your organisation sits within the security spectrum, it makes for recommended reading. You can download it here.