2017 Results. Revealing the New State of IBM i Security: The Good, the Bad, and the Downright Ugly

Transcription

1 Revealing the New State of IBM i Security: The Good, the Bad, and the Downright Ugly 2017 Results HelpSystems LLC. All rights reserved. All trademarks and registered trademarks are the property of their respective owners.

2 Today s Agenda Security Study Methodology Results: The 2017 State of IBM i Security Questions and Answers

3 ROBIN TATAM, CBCA CISM PCI-P Global Director of Security Technologies

4 UP NEXT... Conducting the Study

5 Purpose of the Study Help IT managers and auditors understand IBM i security exposures Focus on top areas of concern in meeting regulatory compliance Help IT develop strategic plans to address or confirm high risk vulnerabilities

6 How We Collect the Data Security Scan Hundreds of free security scans are performed by HelpSystems each year Security Scans identify system vulnerabilities Submitting data for the study is voluntary and anonymous State of IBM i Security Study was first published in 2004 Thousands of participants since inception Companies are self-selected More or less security-aware?

7 Be a Part of the Study! (Submission of data is optional)

8 Summary provides auditors & executives with visual indicators

9 IBM i registry is reviewed to see if network events are audited or controlled

10 *PUBLIC authority to application libraries are interrogated & reported

11 User profiles are analyzed for adequate controls and suspicious activity

12 Review of numerous critical system values that impact security

13 Determine if auditing is active and what types of events are being logged

14 Determine how many users have administrator privileges (special authorities)

15 Major Areas of Review 1. Administrative Privileges (powerful users) 2. Public Authority (to libraries and data) 3. Network Access (through TCP interfaces) 4. User Vulnerabilities and Password Policy 5. Security System Values 6. System Audit Controls 7. Anti-Virus Controls

16 UP NEXT... The Results: The 2017 State of IBM i Security

17 Power Systems: 332

18 User Profiles: 380,545 total 1,146 average

19 Libraries: 148,418 total 447 average

20 V7R1M0 76%

21 2017 Results Operating System Installed Version of IBM i V6R1M0 11% V7R1M0 76%

22 QSecurity System Security Level

23 System Security Level 81% of systems Failing the Recommended Minimum Security Level meet or exceed the recommended security level Not Meeting Recommended Security Level Meeting Recommended Security Level

24 System Security Level 81% of systems Failing the Recommended Minimum Security Level meet or exceed the recommended security level Not Meeting Recommended Security Level but other factors influence benefits Meeting Recommended Security Level

25 Constant diagnostics record critical events

26 used in the event of a catastrophic failure

27 used 15% in the event of IBM of ia servers catastrophic do not failure have an active flight recorder

28 The rest often can t see the events.

29 Would you know if there was a brute force attack?

30 One server had experienced Would you know if there was a 6.9 million brute force attack? failed connection attempts

31 Would you know if there was a Would you know if there was a brute force attack? brute force attack? 67 servers had experienced One Thousand failed connection attempts

32

33 What Good Is Audit Journal Data? Mountains of raw data Multiple places to look Frustrating manual reporting processes

34 As a result, IT often ignores the data, or just looks on the day before the auditors arrive.

35 Consider Automation

36 Is Anyone Paying Attention? 85% of systems had an IBM audit journal (QAUDJRN) 17% of those had a recognized auditing tool installed 18% of servers had the auditing control system turned off 6.9 million invalid sign-on attempts against a single profile! Would you be more concerned if it was the QSECOFR profile?

37 What Is *PUBLIC? *PUBLIC is a special reference to any user that is not explicitly named. (Although sometimes referred as anonymous access, the user still needs credentials and is not anonymous to the organization.)

38 Deny by Default The only library authority that keeps users out is *EXCLUDE. A policy of deny by default calls for *PUBLIC to be excluded and then named users or groups are granted the appropriate access. WARNING: A user can (potentially) delete objects with only *USE authority to the library.

39 Who Cares?

40 Who Cares?

41 Public Authority to Libraries *USE 22% *ALL 9% *CHANGE 61%

42 When New Objects Are Created Default Library Create Authority

43 Network Access Control

44 Network Access Control Many IBM i applications rely on menu security because It s easy to build It s the legacy of many existing business applications Menu security design assumes: Access originates only via the menus No users have command line permission Users can t have access to SQL-based tools Menu security is often accompanied by: Users belonging to a Group that owns the objects *PUBLIC being granted broad (*CHANGE) access to data

45 ODBC isn t rocket science

46 Are Services Running? Systems with FTP Autostarted

47 Are Services Running? Systems with REXEC Autostarted

48 A New Function? In the 1990s, IBM supplemented Object Level security with a suite of exit points, which are temporary interruptions in an OS process in order to invoke a user-written exit program.

49 A New Function? The function of an exit program can include anything the programmer codes within it including unauthorized acts! - but security officers typically want network exit programs to: Audit (as IBM i doesn t) Control Access (as good object security is rare & inflexible) The exit program returns a pass/fail indicator to the exit point.

50 At Least One Exit Program Deployed

51 Complete Exit Point Coverage 9% 91%

52 Complete Exit Point Coverage 9% 91%

53 Complete Exit Point Coverage YOUR DATA

54 What About IBM i Define a Powerful User Someone with special authorities Someone with private authority A server with permissive public authority (hint: this is most of them!) + A way to execute commands

55 What About IBM i *ALLOBJ Unrestricted access

56 What About IBM i *SECADM Manage user profiles

57 What About IBM i *IOSYSCFG Administer communications

58 What About IBM i *AUDIT Manage and access audit logs

59 What About IBM i *SPLCTL Unrestricted access to printed information

60 What About IBM i *SERVICE Hardware administration

61 What About IBM i *JOBCTL Server operations

62 What About IBM i *SAVSYS Save any object

63 What About IBM ten profiles three percent

64 Administrator Privileges IBM i Special Authorities

65 Insider Threat Source: privacyrights.org

66 36 Million records breached due to an insider since 2005 Source: privacyrights.org

67 Source of the Common Breach Median loss: $4 million 49% of victims did not recover their losses Source: The State of Employee Fraud, Veriato

68 Source of the Common Breach A median detection period of 18 months

69

70 Minimum Password Length Minimum Password Length

71 Minimum Password Length Minimum Password Length Not too hard to guess your way in!

72 Password Expiration Password Expiration Period 30 % No Set Password Expiration time 70 % Set Password Expiration Time

73 Other Password Rules Character Restrictions in Password 3% No Restrictions Imposed on Characters 97% Restrictions Imposed on Characters

74 Other Password Rules Password Must Include A Digit 41% 59% No Requirements to Include A Digit Requirements to Include a Digit

75 Tr0u3ad0r

76 WillingHorseBucket

77 No. of Systems Password vs. Passphrase System Password Level Password (10 character maximum) Passphrase (128 character maximum)

78 Core of IBM i Security

79 How Many Attempts?

80 How Many Attempts?

81 How Many Attempts? Let s hope this wasn t the server that experienced 6.9 million invalid sign on attempts!

82 And Then What? Action for Exceeding Invalid Sign-on Attempts

83 Default Passwords 127 profiles password = profile name (88 are enabled)

84 One system had 4,153 profiles with default passwords.

85 47 percent Systems with 30+ profiles with default passwords.

86 24 percent Systems with 100+ profiles with default passwords.

87 Inactive Profiles 346 dormant profiles 30+ days of inactivity (160 are enabled)

88 Adopted Privileges Programs can run with: Authority of the caller, plus Authority of the program owner, plus Systems that restrict creation of programs that adopt Authority of the program owner of other programs in the stack 96%

89 5250 Command Line Option or command: 375 Profiles can run commands here

90 5250 Command Line C:\ the rest may be able to run them from here

91 Are you AV Scanning?

92 248,095 Reasons To Scan Your IFS!

93 Who s Scanning? Scan on File OPEN 94% of servers do not scan prior to File Open

94 In Summary

95 Some of the most valuable enterprise data is stored on IBM Power Systems.

96 The Perfect IBM i Security Storm A Perfect Storm is brewing

97 The Perfect IBM i Security Storm Security awareness among IBM i professionals is generally low.

98 The Perfect IBM i Security Storm IBM i awareness among security professionals is even lower.

99 The Perfect IBM i Security Storm Most IBM i data is not secured.

100 The Perfect IBM i Security Storm Most IBM i data is not secured. And users are far too powerful.

101 Call To Action

102 Call To Action 1. Conduct a free Security Scan or a complete Risk Assessment 2. Remediate low-hanging fruit such as default passwords and inactive accounts. 3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc. 4. Perform intrusion tests over FTP and ODBC to assess risk of data leaks. 5. Evaluate solutions to automate the review process and also to help mitigate risk.

103 About HelpSystems Security Investment Premier Security Products (globally-recognized Powertech product line) Represented by industry veteran, Robin Tatam, CISM CBCA PCI-P Comprehensive IBM i and AIX Security Services Represented by industry veteran, Carol Woodbury, CRISC Member of PCI Security Standards Council Authorized by NASBA to issue CPE Credits for Security Education Publisher of the Annual State of IBM i Security Report

104 Best of Breed Security Solutions

105 Ask Questions helpsystems.com Product Information Data Sheets Demonstration Videos Trial Downloads Customer Success Stories How-To Articles Request a FREE Security Scan

106 Ask Questions Ask Questions via the WebEx chat window

107 Ask Questions helpsystems.com

108 Ask Questions