Learn from 10 years of IBM i audits, including AS400 audits and iSeries audits. This popular study includes recommendations on iSeries security configurations, iSeries user controls, iSeries client access, and other IBM security tips.
4. About PowerTech
• Premier Provider of Security Solutions & Services
– 16 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security Subject Matter Expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
6. Why Do I Need To Audit?
• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry Regulations, such as Payment Card Industry (PCI DSS)
• Internal Activity Tracking
• High Availability
• Application Research & Debugging
7. Which Standards Do I Audit Against?
• Is there a company Security Policy? (We’ve got one to help you get started)
• Guidelines and Standards
– COBIT
– ISO 27002 (formerly known as 17799)
– ITIL
8. IT Controls—An Auditor’s Perspective
• Can users perform functions/activities that are in conflict with their job responsibilities?
• Can users modify/corrupt application data?
• Can users circumvent controls to initiate/record unauthorized transactions?
• Can users engage in fraud and cover their tracks?
11. Purpose Of The Study
• Help IT managers and auditors understand IBM i security exposures
• Focus on top areas of concern in meeting regulatory compliance
• Help IT develop strategic plans to address—or confirm—high risk vulnerabilities
12. How We Collect The Data
• PowerTech Compliance Assessment
– Launched from a PC
– Collects security data
– Data for the study is anonymous
• Companies are self-selected
– More, or less, security-aware?
• Study first published in 2003
– Over 1,700 participants since inception
• Schedule your Compliance Assessment at www.PowerTech.com
13. Be A Part of the Study!
[Diagram: YOUR PC, YOUR IBM i SERVER, YOUR VULNERABILITIES]
(Participation in the Security Study is optional)
21. Six Major Areas of Review
• System auditing
• Privileged users
• User and password management
• Data access
• Network access control
• System security values
23. State of IBM i Security—Overall
• Assessed 101 different systems
• A total of:
– 109,251 Users
– 43,104 Libraries
• On average, per assessed system there were:
– 1,082 Users
– 427 Libraries
35. What Good Is Audit Journal Data?
• Too much data
• Too many places to look
• Manual reporting processes
• Audit and IT get locked in a request/respond cycle
36. Is Anyone Paying Attention?
• 88% of systems were logging audit data but…
• …only 27% of those had a recognized auditing tool installed
• Over 6.9 million invalid sign-on attempts against a single profile!
– Would you be more concerned if you knew it was the QSECOFR profile?
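Both findings on this slide, whether auditing is switched on and which profile is being hammered, can be checked on the system itself with Db2 for i SQL services. The queries below are an added example written for this page; they are not PowerTech's assessment tool or the study's collection method. They assume an IBM i release that provides the QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO views and the QSYS2.DISPLAY_JOURNAL table function, that the security audit journal is QSYS/QAUDJRN, and that in a PW (password) audit entry the violation type is byte 1 and the targeted user name is bytes 2-11 of ENTRY_DATA (confirm that layout against the audit journal entry documentation for your release). The 30-day window and the 1,000-attempt threshold are constructed values to tune to your own baseline.

```sql
-- 1. Is audit logging actually on?  QAUDCTL of *NONE means nothing is written,
--    and without *AUTFAIL in QAUDLVL the failed sign-ons are never recorded.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDENDACN');

-- 2. Invalid sign-on attempts per targeted profile over the last 30 days, read
--    from QAUDJRN PW entries across every receiver still on the chain.
--    Violation type 'P' = password not valid, 'U' = user name not valid.
WITH pw AS (
  SELECT ENTRY_TIMESTAMP,
         SUBSTR(ENTRY_DATA, 1, 1)        AS VIOLATION_TYPE,  -- assumed offset, see lead-in
         TRIM(SUBSTR(ENTRY_DATA, 2, 10)) AS TARGET_PROFILE,  -- assumed offset, see lead-in
         REMOTE_ADDRESS
    FROM TABLE(QSYS2.DISPLAY_JOURNAL(
           'QSYS', 'QAUDJRN',
           STARTING_RECEIVER_NAME => '*CURAVLCHN',
           STARTING_TIMESTAMP     => CURRENT_TIMESTAMP - 30 DAYS,
           JOURNAL_ENTRY_TYPES    => 'PW')) AS j
)
SELECT TARGET_PROFILE,
       COUNT(*)                                              AS ATTEMPTS,
       SUM(CASE WHEN VIOLATION_TYPE = 'P' THEN 1 ELSE 0 END) AS BAD_PASSWORD,
       SUM(CASE WHEN VIOLATION_TYPE = 'U' THEN 1 ELSE 0 END) AS BAD_USER_NAME,
       COUNT(DISTINCT REMOTE_ADDRESS)                        AS SOURCE_ADDRESSES,
       MIN(ENTRY_TIMESTAMP)                                  AS FIRST_SEEN,
       MAX(ENTRY_TIMESTAMP)                                  AS LAST_SEEN,
       -- the slide's own question: is it the security officer profile?
       CASE WHEN TARGET_PROFILE = 'QSECOFR' THEN 'REVIEW NOW' END AS NOTE
  FROM pw
 GROUP BY TARGET_PROFILE
HAVING COUNT(*) >= 1000            -- constructed threshold
 ORDER BY ATTEMPTS DESC;

-- 3. Cross-check that needs no journal at all: each profile's counter of
--    invalid attempts since its last successful sign-on.
SELECT AUTHORIZATION_NAME, SIGN_ON_ATTEMPTS_NOT_VALID, STATUS, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE SIGN_ON_ATTEMPTS_NOT_VALID > 0
 ORDER BY SIGN_ON_ATTEMPTS_NOT_VALID DESC;
```

Run these from ACS Run SQL Scripts or STRSQL under a profile that has authority to the audit journal and its receivers. Query 2 only sees receivers that are still online; detached or saved receivers have to be restored first, which is exactly the "too many places to look" problem from slide 35.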
37. Library Authority
• The only library authority that keeps users out is *EXCLUDE
• A policy of “Least Privilege” calls for *PUBLIC to be excluded and then authorized users granted the appropriate access
• You can (potentially) delete objects with only *USE authority to the library
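One way to find the libraries that break the rule on this slide and to correct one of them in the least-privilege order, as an added example for this page rather than PowerTech code. It assumes an IBM i release that provides the QSYS2.OBJECT_PRIVILEGES view and the QSYS2.QCMDEXC procedure; the library PAYLIB and the group profile PAYGRP are constructed names.

```sql
-- 1. Libraries where *PUBLIC can get in at all.  Only *EXCLUDE keeps users
--    out; *USE, *CHANGE, *ALL and user-defined mixes all let them browse.
SELECT SYSTEM_OBJECT_NAME AS LIBRARY,
       OWNER,
       OBJECT_AUTHORITY   AS PUBLIC_AUTHORITY,
       AUTHORIZATION_LIST
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE OBJECT_TYPE = '*LIB'
   AND AUTHORIZATION_NAME = '*PUBLIC'
   AND OBJECT_AUTHORITY <> '*EXCLUDE'
   AND SYSTEM_OBJECT_NAME NOT LIKE 'Q%'     -- first pass: skip IBM-supplied libraries
 ORDER BY CASE OBJECT_AUTHORITY WHEN '*ALL' THEN 0 WHEN '*CHANGE' THEN 1 ELSE 2 END,
          SYSTEM_OBJECT_NAME;

-- 2. Remediate one library (constructed name PAYLIB): exclude *PUBLIC first,
--    then grant the group that really needs it (constructed name PAYGRP).
--    Excluding first means nobody is accidentally widened in between.
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(QSYS/PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)');
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(QSYS/PAYLIB) OBJTYPE(*LIB) USER(PAYGRP) AUT(*USE)');

-- 3. The caveat on the slide: *USE to the library is enough to reach an
--    object, and whether it can be deleted is decided by the authority to the
--    object itself (object existence).  Objects in the library that still
--    give *PUBLIC that right make the library lock only half a lock.
SELECT SYSTEM_OBJECT_NAME AS OBJECT, OBJECT_TYPE,
       AUTHORIZATION_NAME, OBJECT_AUTHORITY, OBJECT_EXISTENCE
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE SYSTEM_OBJECT_SCHEMA = 'PAYLIB'
   AND AUTHORIZATION_NAME = '*PUBLIC'
   AND OBJECT_EXISTENCE = 'YES';
```

Query 1 walks the authority of every library and can take a while on a system with tens of thousands of them, so run it off-hours the first time. Before excluding *PUBLIC on a production library, check which jobs reach it through *PUBLIC only (the audit journal ZC/ZR entries, where enabled, show this), or the change becomes a self-inflicted outage.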
41. Network Access Control
• Many IBM i applications rely on menu security because…
– It’s easy to build
– It’s the legacy of many existing business applications
• Menu security design assumes:
– Access always originates via the menus
– No user has command line access
– Users have no access to SQL-based tools
• Menu security is often accompanied by:
– The user being a member of the group that owns the objects
– *PUBLIC is granted broad (*CHANGE) access to data
45. Administrator Privileges
Special Authority (aka Privileges): *ALLOBJ, *SECADM, *IOSYSCFG, *AUDIT, *SPLCTL, *SERVICE, *JOBCTL, *SAVSYS
• *ALLOBJ (All Object)
The “gold key” to every object, and almost every administrative operation on the system, including unstoppable data access
46. Administrator Privileges
• *SECADM (Security Administration)
Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority
47. Administrator Privileges
• *IOSYSCFG (I/O Systems Configuration)
Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP)
48. Administrator Privileges
• *AUDIT (Audit)
The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD)
49. Administrator Privileges
• *SPLCTL (Spool Control)
This is the *ALLOBJ of spooled files. Allows a user to view/delete/hold/release any spooled file in any output queue, regardless of restrictions
50. Administrator Privileges
• *SERVICE (Service)
Allows a user to access System Service Tools (SST), although, since V5R1, they also need a separate SST login
51. Administrator Privileges
• *JOBCTL (Job Control)
Enables a user to start/end subsystems and manipulate other users’ jobs. Also provides access to spooled files in output queues designated as “operator control”
52. Administrator Privileges
• *SAVSYS (Save System)
Enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object
* Be cautious if securing objects at only a library level *
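An inventory of who holds each of the eight special authorities described on slides 45 to 52, with the menu-security assumptions from slide 41 (no command line, no SQL tools) checked in the same pass. This is an added example for this page, not PowerTech's assessment logic. It assumes an IBM i release that provides the QSYS2.USER_INFO view, that its SPECIAL_AUTHORITIES column is a blank-separated list of the *XXX names, and that GROUP_PROFILE_NAME holds the primary group (or *NONE).

```sql
-- 1. Enabled profiles per special authority.  On a well-run system *ALLOBJ and
--    *SECADM should be a list short enough to recite from memory.
WITH sa (AUTHORITY) AS (
  SELECT '*ALLOBJ'   FROM SYSIBM.SYSDUMMY1 UNION ALL
  SELECT '*SECADM'   FROM SYSIBM.SYSDUMMY1 UNION ALL
  SELECT '*IOSYSCFG' FROM SYSIBM.SYSDUMMY1 UNION ALL
  SELECT '*AUDIT'    FROM SYSIBM.SYSDUMMY1 UNION ALL
  SELECT '*SPLCTL'   FROM SYSIBM.SYSDUMMY1 UNION ALL
  SELECT '*SERVICE'  FROM SYSIBM.SYSDUMMY1 UNION ALL
  SELECT '*JOBCTL'   FROM SYSIBM.SYSDUMMY1 UNION ALL
  SELECT '*SAVSYS'   FROM SYSIBM.SYSDUMMY1
)
SELECT sa.AUTHORITY,
       COUNT(u.AUTHORIZATION_NAME) AS ENABLED_PROFILES
  FROM sa
  LEFT JOIN QSYS2.USER_INFO u
         ON u.SPECIAL_AUTHORITIES LIKE '%' CONCAT sa.AUTHORITY CONCAT '%'
        AND u.STATUS = '*ENABLED'
 GROUP BY sa.AUTHORITY
 ORDER BY ENABLED_PROFILES DESC;

-- 2. Who effectively holds the "gold key".  Special authorities of a group
--    profile flow to every member, so a profile with nothing in its own
--    SPECIAL_AUTHORITIES can still be *ALLOBJ through its group.
--    (Supplemental groups are not covered here; extend with
--    SUPPLEMENTAL_GROUP_LIST if your release has it.)
SELECT u.AUTHORIZATION_NAME, u.USER_CLASS_NAME, u.STATUS, u.LIMIT_CAPABILITIES,
       CASE WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 'DIRECT'
            ELSE 'VIA GROUP ' CONCAT g.AUTHORIZATION_NAME END AS HOW_HELD
  FROM QSYS2.USER_INFO u
  LEFT JOIN QSYS2.USER_INFO g
         ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
        AND g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 WHERE u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR g.AUTHORIZATION_NAME IS NOT NULL
 ORDER BY HOW_HELD, u.AUTHORIZATION_NAME;

-- 3. Slide 41's assumption that no user has a command line: how many enabled
--    profiles are limited (*YES), partly limited (*PARTIAL) or not at all (*NO).
--    Limit capabilities only restrains the 5250 command line; ODBC/JDBC, FTP
--    and remote command paths are governed by object authority and exit
--    programs, so *YES everywhere is necessary but not sufficient.
SELECT LIMIT_CAPABILITIES, COUNT(*) AS ENABLED_PROFILES
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
 GROUP BY LIMIT_CAPABILITIES
 ORDER BY LIMIT_CAPABILITIES;
```

Reading QSYS2.USER_INFO returns only the profiles the running user is authorized to, so run the inventory under a profile that can see them all, or the counts understate the problem.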
62. How Many Attempts?
[Chart: No. of Systems by Maximum Sign On Attempts Allowed]
Let’s hope this wasn’t the server that experienced 6.9 million invalid attempts
66. The Perfect Storm Of Vulnerability
• Security awareness among IBM i professionals is generally low
• IBM i awareness among audit professionals is generally low
• Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400)
• Most IBM i data is not secured and the users are far too powerful
67. The Call To Action
1. Conduct a Compliance Assessment (free and deep-dive options)
2. Remediate “low-hanging fruit” such as default passwords and inactive accounts
3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.
4. Perform intrusion tests over FTP and ODBC to assess data leak risk
5. Evaluate PowerTech solutions to mitigate risk
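Queries for items 2 and 3 of the call to action, plus the maximum sign-on attempts setting behind slide 62, as an added example for this page rather than PowerTech's assessment. They assume an IBM i release with the QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO views and the QSYS2.QCMDEXC procedure. The 90-day inactivity window and the expected values in the system-value check are a constructed policy, not figures from the study; adjust them to your own security policy before treating a REVIEW as a finding.

```sql
-- 1. Inactive accounts: enabled profiles that have a password but have not
--    signed on in 90 days (or ever).  Profiles without a password cannot sign
--    on and are usually object owners or group profiles, so they are skipped.
SELECT AUTHORIZATION_NAME, PREVIOUS_SIGNON, PASSWORD_CHANGE_DATE,
       USER_CLASS_NAME, SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND NO_PASSWORD_INDICATOR = 'NO'
   AND (PREVIOUS_SIGNON IS NULL
        OR PREVIOUS_SIGNON < CURRENT_TIMESTAMP - 90 DAYS)
 ORDER BY PREVIOUS_SIGNON;

-- 2. Default passwords (password equal to the profile name) cannot be read
--    from any view; IBM's ANZDFTPWD command tests for them and prints a
--    report.  ACTION(*NONE) reports only and changes nothing.
CALL QSYS2.QCMDEXC('ANZDFTPWD ACTION(*NONE)');

-- 3. Password and sign-on rules at the system level, each compared against a
--    constructed policy value.  Character and numeric system values are folded
--    into one string column first so the comparisons read the same.
WITH sv (NAME, VAL) AS (
  SELECT SYSTEM_VALUE_NAME,
         TRIM(COALESCE(CURRENT_CHARACTER_VALUE, CHAR(CURRENT_NUMERIC_VALUE)))
    FROM QSYS2.SYSTEM_VALUE_INFO
   WHERE SYSTEM_VALUE_NAME IN ('QSECURITY', 'QPWDLVL', 'QMAXSIGN',
                               'QMAXSGNACN', 'QPWDEXPITV', 'QINACTITV')
)
SELECT NAME, VAL,
       CASE NAME
         WHEN 'QSECURITY'  THEN CASE WHEN VAL IN ('40', '50') THEN 'OK' ELSE 'REVIEW' END
         WHEN 'QPWDLVL'    THEN CASE WHEN VAL IN ('0', '1')   THEN 'REVIEW' ELSE 'OK' END
         -- slide 62: *NOMAX means an attacker gets unlimited guesses
         WHEN 'QMAXSIGN'   THEN CASE WHEN VAL = '*NOMAX' THEN 'REVIEW'
                                     WHEN INT(VAL) <= 5   THEN 'OK' ELSE 'REVIEW' END
         -- 3 = disable both the profile and the device when the limit is hit
         WHEN 'QMAXSGNACN' THEN CASE WHEN VAL = '3' THEN 'OK' ELSE 'REVIEW' END
         WHEN 'QPWDEXPITV' THEN CASE WHEN VAL = '*NOMAX' THEN 'REVIEW'
                                     WHEN INT(VAL) <= 90  THEN 'OK' ELSE 'REVIEW' END
         WHEN 'QINACTITV'  THEN CASE WHEN VAL = '*NONE'  THEN 'REVIEW'
                                     WHEN INT(VAL) <= 30  THEN 'OK' ELSE 'REVIEW' END
       END AS RESULT
  FROM sv
 ORDER BY NAME;
```

Item 4 of the call to action (intrusion tests over FTP and ODBC) is deliberately not scripted here: those are exercises to run against a test partition under an agreed scope, and the defensive counterpart is the object-authority and exit-point review from slides 37 and 41.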