Maxed Out

Because the System i can run at redline speed all day long . . .

March 10, 2008

"Hair on Fire" with System i Security

In the results of its fifth annual review of the state of security on the System i platform, PowerTech reports that System i security is often poorly configured and poorly managed by the companies that use it. This is in spite of the fact that IBM has architected the System i with industry-leading security capabilities. To get the data for this year's study, PowerTech performed more than 200 system audits during the past 12 months. The System i is used by more than 90 percent of the Fortune 1000, and it often hosts sensitive and confidential data such as credit card and Social Security numbers. PowerTech uncovered many security issues, but these common eyebrow-raising problems drew the company's notice this year -- and would surely raise flags for industry auditors:

  • 68 percent of systems let any user change data on the System i using PC applications such as MS Excel and MS Access. These systems also did not audit this activity, which effectively hides the exposure from oversight.
  • Out of an average of 751 users, 9 percent have privileged (root level) access authority.
  • 30 percent of systems are not using the system security auditing tool inherent in the system.
  • Over half the systems have more than 16 users with default passwords (Password = User name) that could be easily determined by any attacker.

"Not Getting Better"

"I guess what's surprising is that things are not getting much better," noted John Earl, PowerTech CTO. "Everybody is talking about security, about compliance, and we keep hearing people get really concerned about security, but when you look at the System i space in broader view, things are not getting dramatically better -- they are getting incrementally better."

PowerTech has been conducting these audits for years and publishing the results with a pretty good rate of dissemination to the System i community. I was wondering, did PowerTech expect more improvement by now?

"I think I did . . . and I've been waiting for one of these press interviews where I could say, 'You know what, in this particular area we've gotten so much better since the last survey' . . . but we haven't really seen that yet," Earl said. "I think a lot of that is inertia on the part of the System i shops. What we've found is they want to do something better, but they don't know what to do to make it better, and they are hamstrung because they certainly don't want to go in and tweak security and disrupt the whole organization."

Security Level 40

"People say, 'We're at security level 40, so we must be secure,' . . . and what that tells me is they don't have a clear idea of what security level 40 does for them and what it does not do. Essentially it protects your operating system against rogue programmers, but it doesn't protect your data," Earl explained.
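The four survey findings above and Earl's point about security level 40 can be turned into a small baseline check. The script below is an added example written for this page; it is not PowerTech's or IBM's code. It runs over a constructed, simplified export of user profiles and system values: the field names are assumptions that mirror what DSPUSRPRF, ANZDFTPWD and DSPSYSVAL report, not an actual IBM i output format, and the sample profiles are made up.

```python
"""Baseline checks for the survey findings: *ALLOBJ holders, default passwords,
auditing switched off, and a security level below 40.

Added example, not PowerTech's or IBM's code. Field names below are assumptions
modelled on DSPUSRPRF / ANZDFTPWD / DSPSYSVAL output; replace SAMPLE_USERS and
SAMPLE_SYSVALS with an export from your own system.
"""
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    name: str
    # Special authorities as DSPUSRPRF lists them, e.g. {"*ALLOBJ", "*SECADM"}.
    # *ALLOBJ is the IBM i equivalent of the "root level" access in the survey.
    special_authorities: set = field(default_factory=set)
    # True when the password equals the profile name (what ANZDFTPWD reports).
    default_password: bool = False
    status: str = "*ENABLED"


# Constructed sample data: ten profiles, three with *ALLOBJ, four with
# default passwords (one of those disabled).
SAMPLE_USERS = [
    UserProfile("QSECOFR", {"*ALLOBJ", "*SECADM", "*AUDIT"}),
    UserProfile("JSMITH", default_password=True),
    UserProfile("PAYROLL", {"*ALLOBJ"}),
    UserProfile("TEMP01", default_password=True, status="*DISABLED"),
    UserProfile("OPER1", {"*JOBCTL"}),
    UserProfile("DEVTEST", {"*ALLOBJ"}, default_password=True),
    UserProfile("APPUSER"),
    UserProfile("MJONES", default_password=True),
    UserProfile("RPTUSR"),
    UserProfile("WEBSVC"),
]

# Constructed system values in the form DSPSYSVAL shows them.
SAMPLE_SYSVALS = {"QSECURITY": "30", "QAUDCTL": "*NONE"}


def privileged_users(users):
    """Enabled profiles holding *ALLOBJ, which can read or change any object."""
    return sorted(u.name for u in users
                  if "*ALLOBJ" in u.special_authorities and u.status == "*ENABLED")


def default_password_users(users):
    """Profiles whose password is the user name. Disabled profiles count too:
    re-enabling one brings the weak password back with it."""
    return sorted(u.name for u in users if u.default_password)


def audit_findings(users, sysvals, max_priv_pct=10.0, max_default_pw=0):
    """Return (check, detail) tuples for every failed baseline check.

    max_priv_pct is a local policy threshold (the survey average was 9%).
    max_default_pw defaults to 0 because any default password is a finding,
    even though the survey only counted systems with more than 16.
    """
    findings = []

    # Security level 40 adds operating-system integrity protection; as Earl
    # notes, it does not by itself keep a user with *ALLOBJ or loose object
    # authority away from the data.
    level = int(sysvals.get("QSECURITY", "0"))
    if level < 40:
        findings.append(("QSECURITY",
                         f"security level is {level}; raise to 40 or higher"))

    # QAUDCTL of *NONE means nothing is written to the QAUDJRN audit journal.
    if sysvals.get("QAUDCTL", "*NONE") == "*NONE":
        findings.append(("QAUDCTL", "security auditing is off"))

    priv = privileged_users(users)
    pct = 100.0 * len(priv) / len(users) if users else 0.0
    if pct > max_priv_pct:
        findings.append(("*ALLOBJ",
                         f"{len(priv)} of {len(users)} users ({pct:.0f}%) hold "
                         f"*ALLOBJ: {', '.join(priv)}"))

    dflt = default_password_users(users)
    if len(dflt) > max_default_pw:
        findings.append(("DEFAULT_PASSWORD",
                         f"{len(dflt)} profiles use the user name as password: "
                         f"{', '.join(dflt)}"))

    return findings


if __name__ == "__main__":
    for check, detail in audit_findings(SAMPLE_USERS, SAMPLE_SYSVALS):
        print(f"[{check}] {detail}")
```

On the constructed sample the script reports all four findings; with QSECURITY at 40, auditing on and a looser privilege threshold, only the default-password finding remains. The thresholds are deliberately parameters, since the survey figures describe what PowerTech saw, not what a given shop should accept.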

What about actual hacks? Breaches of security? Rogue programmers? Has PowerTech seen any of these kinds of definitive failures?

"A lot of times when people decide to address a security issue, it's because of an outside influence -- they've had a data loss or they think they've been broken into or an auditor has come in and slapped them around the data room and they're reeling from that and want to make things better," Earl said.

"We do see the outside breaches, and there are a lot of outside breaches that we don't see. We get engaged with customers where it's clear to me that something really bad has happened and they're not going to talk about it and they don't even want to share it with us, but their hair is on fire and they are going to get something fixed by Tuesday," he added.

"What's amazing in those kinds of engagements is that you've got folks who have been in the organization for eight or ten years and they've been afraid to make the slightest change, and we'll go in and help them make a bunch of changes by Tuesday and everything still runs -- it's not the disaster they feared. The System i folks tend not to want to tweak things because they don't know what the effects will be," Earl noted.

It's Not Like a Car

"Data is not like a car. If your car is stolen, you're going to know about that immediately -- you're not going to be able to drive home," noted Brendan Patterson, PowerTech vice president of marketing and product management. "With data, you can have someone taking it and you might not know about it for years."

The most notorious example of extended data loss comes courtesy of T.J. Maxx, in which hackers stole data connected to more than 45 million credit and debit cards.

"I don't have any inside knowledge -- I know that T.J. Maxx has AS/400s, but I don't know for a fact whether those were among the various systems that were compromised -- can't imagine that they weren't, but I don't know any particular facts of that case," Earl said, noting that many banks had to reissue credit cards and wanted reimbursement for their expenses, which led to massive direct expenses associated with the hack.

The Study

If you're interested in reading the complete results of PowerTech's study, check out http://www.powertech.com/study2008.asp.

Posted by cmaxcer at March 10, 2008 8:46 AM

Comments

Having the capability is one thing. Educating and training the people to use the capability correctly is another. These two go hand in hand. This shows the importance of education and training, and the continuous critical roles of the academic initiative and conferences such as COMMON.

Posted by: Keng Siau at March 11, 2008 12:48 PM


Chris Maxcer
