PowerTech's State of IBM i Security Study is provoking interest and hopefully will be viewed as a call to action.
PowerTech has recently released the 2016 State of IBM i Security Study. I sat down with the author of the study, Robin Tatam, to discuss the study and the resurgence of the IBM i community's interest in security.
Steve Pitcher: Do you see any big difference from the study last year?
Robin Tatam: Typically, we release them at COMMON with a coordinated webinar and release. We had a phenomenal response to the webinar, much more than in the past. What we're hoping is that perhaps it is a raised awareness of an important topic.
This year, we had 177 servers compared to 133 last year. Doing a year-to-year comparison is a little difficult but not impossible. You may have different systems involved with the study altogether, depending on who downloads our software and runs it for the study. We were excited to see the number of servers with a 50 percent increase. The general impression we got was that there were slight improvements but still a long way to go.
SP: Have there been any major improvements?
RT: Well, not as a security control but certainly from a regulatory mandate perspective. Staying current on the operating system was something people were struggling with for a while. That hurdle seems to have been somewhat overcome. That kind of goes back to the last couple of years; people have been dealing with the IBM i 6.1 transition, which is a bigger deal than most OS changes because of the object encapsulation. A lot of people were holding back. We've had a tremendous amount of people in the last couple of years who were roped down on IBM i 5.4, and we seem to have pushed through the wall at this point. Most people are on version 7.1 now. It will be interesting to see if people stay at 7.1 even after it's pulled.
Overall, I'd say there's nothing that stands out that says, “Yep, that one is ten times better than it used to be.” We still have horrible password controls. We still have lots of dormant accounts. We have overly privileged users and weak system values.”
SP: What do you think the security features on 7.3 will do to help cue some of these things up? What's your forecast there?
RT: I have two thoughts on that. Number one, the new security collection doesn't help you remove any special authorities. What it helps you with is establishing the appropriate object-level authorities. It's more about private and public permissions than special permissions. I think we'll see users who are overly privileged from a special authority perspective. Authority Collection in 7.3 is going to be extremely beneficial to anybody who wants to engage in tightening the locks down on their objects. People like Carol Woodbury and her team, who are more responsible for the service kind of things, are very excited for the value that authority collection is bringing to them. It will make their lives a whole lot easier, and it will entice a lot of people to use it. Do I think Johnny Admin is going to start doing a security trace and do something with it? I'd question that. Look at row and column access control and some of the other features rolled into the OS. We can't seem to get the basics done. When I have a password length of one, do I really care about row and column access control? Do I really care about object authorities? Most likely not. Those types of shops have to get to a point where they recognize that they need better security and then most likely they'll engage someone to help them with that task. The good news is that we can assist them more efficiently and effectively now.
SP: Do you see people trying to get more security savvy in recent years? If you look at QPWDRULES, the statistic you showed last year was that 6 percent were using it. I made that change specifically because I didn't want to be part of that 94 percent not using it. We use Active Directory for our authentication, so it's not so much of an issue on our system. But I still wanted to do it because it is better to manage the few users who log onto the system directly.
RT: What we're trying to point out here is the low-hanging fruit. We're trying to find the balance between reminding people of these controls but not to make them feel like it's an insurmountable objective. There are things that are easy to do. Other things require a little more knowledge and experience. For those things, they'll probably turn to an expert to assist them. The first step is always the acknowledgement of a problem in the first place. I think the study reinforces the fact that the operating system is not configured out of the box. In fact, the last few seminars I've done, whether they've pertained to overall security or the security study, the vast majority of people think that the box is already secure. Part of it is just education and then movement towards mediation.
SP: What's your top low-hanging fruit to challenge the community to get fixed in the next year?
RT: I think that what we have to look at are the ones that are relatively easy to address with low risk of breaking anything. That's where most people hold back: the fear of breaking the application. They need to make a change without an interruption to the application. With regards to password policy, default passwords. It's unacceptable on any other platform, so why do we allow it on this one? Things like command-line permissions are easy to remove because it's pretty obvious if a user needs it or not. That reduces the risk with special authorities that are a little difficult to remove. You can reduce the risk by taking command-line away. We also have to acknowledge that there are other ways to run commands, and we need to look at things like exit programs to prevent those controls from being circumvented. Users don't have as many ways to leverage those permissions.
SP: Talk to me a little about FTP. I can have limited capabilities on my user profile but still be able to run certain commands through FTP.
RT: Sure. Like DLTLIB (Delete Library). But you can lock a lot of those things down via exit programs. You can do some stuff through Application Administration, but typically it's not granular enough. That's why we continue to see our exit point solution (Network Security) as a top seller. When I talk to a customer, and I hear that they don't have a big budget or a lot of resources and they want to know where to begin, and of course depending on their configuration and applications, Network Security is probably my first recommendation. At the end of the day, the customer needs to understand where they're at.
SP: I can sympathize with an admin being asked to do more with less or having a reduced budget or even reduced staff. We've all been there. However, I'm one of those guys who think there should be a proper, independent security audit once a year. We had Skyview on our system a year or two ago, and they provided us with an in-depth analysis of the security state of our system. It was a heck of an eye opener because we thought we knew what we were doing. I think it's an old Socrates quote, “The definition of being wise is knowing how very little you know.”
RT: You don't know what you don't know. If nothing else, you need to understand where you are.
SP: How much work do you do with other vendors about enlightening them with proper security? I couldn't count the amount of times a vendor wanted a QSECOFR copy in order to make their software work.
RT: Part of the complaint is that a lot of people inherited something that a vendor installed. We've certainly reached out and have relationships with a lot of vendors. They want to know how to make their applications tighter and service their customers better. We see some synergies and want to keep going down that path.
I think that we are getting a raised awareness in not only the study, but in the webinars and sessions that we do. I did a session at NEUGC a few weeks ago, and it was standing room only. There is definitely an awareness compared to the past. Where the study helps them is they can now carry something forward to management. If they've been getting away with some open doors for 20-25 years, they can make the case that the times have changed and things need to be addressed. We can't use the same configurations and settings we used a quarter century ago and expect it to be comprehensive.
SP: What do you say to a CEO or CFO who replies with something like, “We don't need to change because we've never been hit. We've never had a security breach, so why bother?”
RT: I have four words: how do you know? People say things like that to me all the time. They claim they've never been breached. How do they know?
SP: If you're not looking for it, you're not going to find it, unless someone comes on your system and drops QINTER. You'll know then. But they're not going to do that.
RT: No, they're not going to do that. They're going to hit FTP and Telnet and leverage a profile with a default password. Then they're going to download data. Data theft is different from any other theft. What someone steals is going to be in the exact same place as where it was to begin with. I've had people tell me they don't have any authority failures on their box so they think they haven't been breached. That's on a system where a lot of profiles have *ALLOBJ. So they're monitoring for authority failures, but they'll never ever see one.
SP: The good thing is that there's a light at the end of the tunnel, and a lot of these doors can be easily closed. What you just mentioned about *ALLOBJ with default passwords and open FTP and Telnet. It's not hard to find the potential open doors and close them. I think the great thing about this study is that it's a consistent wakeup call to take care of the low-hanging fruit that you mentioned.
RT: Exactly. And we're doing a webinar series called “Getting Started with IBM i Security” in a few weeks. A lot of these areas that were highlighted in the study will be covered. People can feel very overwhelmed, and we know that people have limited bandwidth. This series is designed to help with that. We're breaking it up into very digestible chunks where people can take some action and move in the right direction. Over a couple of months, Carol Woodbury and I will be doing six webinars to do just that.
Take Steps Toward Being Secure
The PowerTech study sheds a light on issues that seem to be consistent year after year. Fortunately, most of the concerns are easy to address. The challenge to the IBM i community is to pick the low-hanging fruit. The more advanced concerns are still out there, but they're not insurmountable. We have to admit that we have a false sense of security and put a plan in place to strengthen it.
So what are you going to do about it?