PowerTech has published the annual study for 12 years, aiming to raise awareness of IBM i security vulnerabilities and ways to correct them. Key findings from 2015 include:
- Nearly half of systems studied have no controls in place to log and restrict traffic passing through the back doors of your database, such as FTP, ODBC, or SQL
- 33 percent of systems have more than 100 user profiles with default passwords
- Only eight percent of systems are utilizing the password policy settings introduced with IBM i 6.1
“Weak password settings are especially dangerous when combined with overly permissive user authorities,” says Robin Tatam, PowerTech Director of Security Technologies and author of the study. “A hacker or malicious insider will have an easier time accessing sensitive data on the system—the risk of a serious data breach is much higher.”
For the first time, the study also includes data about virus scanning on IBM i. Of the servers reviewed for anti-virus controls, 80 percent are not scanning files before they’re opened. This creates a risk of viruses spreading to other servers in the networks.
“The lack of virus scanning is consistent with what we’ve seen year after year in the other areas of IBM i security,” says Tatam. “The factory settings in IBM i simply won’t prevent data from being stolen, deleted, or corrupted. There’s an urgency to adopt a proactive approach to security policies and configurations best practices if we want to stand any chance of securing it.”
This year’s study includes data from 110 IBM i servers and partitions audited by PowerTech’s Compliance Assessment in 2014. Participating organizations varied in size and represent multiple industries, including insurance, retail, manufacturing, and finance.
For more information about other IBM i security gaps that increase the risk of a data breach, download your copy of the study today.