IBM i Security Lessons Learned in 2022

Carol reflects on the things she’s learned in the past year.

When it comes to the end of a year, I like to look back and see how things have changed and what I’ve learned. This article describes the things I’ve learned about IBM i security this year—some from our clients and some from practical experience working on the system. My hope is that you’ll learn right along with me, making 2023 brighter and more IBM i systems secure.

I Need SQL!

No, Scott Forstie (DB2 for i Business Architect) didn’t pay me to say this! I’ve just found it to be true. This year I worked with a client to help them rework authorities in their IFS. Unfortunately, their system was still on IBM i 7.3 and very far behind on their Technology Refreshes (TRs). I desperately wanted to use the qsys2.ifs_object_privileges and qsys2.ifs_object_statistics IBM i Services, but they weren’t available. While I was able to complete the project, my analysis took significantly longer and one issue—specifically the analysis to find obsolete objects—will have to be re-addressed once they upgrade to IBM i 7.5 in 2023. This leads me to my next observation.

Organizations Need to Stay Current!

I can’t emphasize this enough. Not only are you missing out on the IBM i Services that will make your life as an administrator much easier, but not upgrading and not staying current with PTFs could likely mean leaving your system vulnerable. For example, I’m dismayed by the number of organizations that have not made the switch to New Navigator for i. Almost all functionality has been implemented in New Nav now. Why anyone would want to use the old and ugly interface of “Heritage” Navigator (as IBM calls it) is beyond me. Not to mention that it has security issues, which is why it was deprecated by IBM. If you’re one of those organizations that has not yet started to use New Nav, PLEASE… give it a try. Here’s how you launch it: http://your-system-name:2002/Navigator/login.

This leads me to my next observation.

People Don’t Like to Change

OK, I realize this is not news, and I get it. Change is hard. But when sitting on old technology affects the security of an organization, it makes me want to scream. For example, this year I ran into numerous organizations that continue to use the very ancient Client Access for Windows client. I get that people don’t want to change, but this client has now been out of support for almost four years. Who knows what kind of security issues might be in this client? I get that it can be a chore to roll out new software, but the excuse that end users don’t like change doesn’t fly in this case because end users should see very few if any changes to their user interface if they’re only using 5250 Telnet emulation. And I’ve found that most end users appreciate the usability features of the new client when they’ve been upgraded. I would hate to be an administrator who has not migrated their organization from Client Access to Access Client Solutions (ACS) when the inevitable Microsoft Patch Tuesday breaks Client Access and they’re left scrambling to upgrade their users’ client software. Stop using unsupported software and denying yourself use of the cool, new features of ACS. Put plans in place to upgrade in 2023!

Accidental Errors Occur

I don’t think organizations give enough credence to the fact that accidental errors occur that can affect your IBM i security posture. For example, I have a client that, by policy, creates group profiles with their password set to *NONE. But one day, the administrator was in a hurry and created two new group profiles and didn’t specify the password. Result? Two high-powered profiles with a default password. Fortunately, processes were in place to catch the mistake, but without these processes, it may have gone undetected for a very long time. Thankfully, IBM i 7.5 changes the default for the password parameter on the Create User Profile (CRTUSRPRF) command to *NONE (from *USRPRF), but my point is that checks need to be in place to make sure your IBM i security policies continue to be met and that your IBM i security posture doesn’t go sideways or take a huge step backward. I’ve had managers tell me they don’t need to take action or invest in IBM i security because “they trust their employees.” That’s great! I’m glad they trust their employees to not do anything malicious, but how do they account for their accidental errors? Obviously—and frighteningly—they don’t.
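One way to put the kind of check described above in place, as an added example (not from the article), is a scheduled query against the QSYS2.USER_INFO service. It lists group profiles whose password is not *NONE; GRPNAME in the final statement is a placeholder for a profile the query reported.

```sql
-- Policy check: every group profile should have PASSWORD(*NONE).
-- GROUP_PROFILE_INDICATOR = 'YES' marks profiles that other profiles name as a group;
-- NO_PASSWORD_INDICATOR = 'NO' means the profile can sign on with a password.
-- Run from ACS Run SQL Scripts or schedule it with RUNSQL.
SELECT authorization_name,
       status,
       special_authorities,
       password_change_date,
       previous_signon
  FROM qsys2.user_info
 WHERE group_profile_indicator = 'YES'
   AND no_password_indicator = 'NO'
 ORDER BY special_authorities DESC, authorization_name;

-- Groups carrying special authorities (*ALLOBJ, *SECADM, ...) are fixed first.
-- The correction is the normal CHGUSRPRF, run here through the QSYS2.QCMDEXC
-- SQL procedure so it can stay in the same script. GRPNAME is a placeholder.
CALL qsys2.qcmdexc('CHGUSRPRF USRPRF(GRPNAME) PASSWORD(*NONE)');

-- The same hurried mistake leaves the profile with a default password until it is
-- fixed; the standard ANZDFTPWD command reports every such profile on the system.
CALL qsys2.qcmdexc('ANZDFTPWD ACTION(*NONE)');
```

A non-empty result from the first query is the signal that the policy slipped; running it daily closes the window the article describes.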

Misunderstanding of How the System Checks Authority

I still find organizations that don’t have a good understanding of how (in which order) the system checks authority. I was helping a client eliminate excess private authorities to speed up their Save Security Data (SAVSECDTA), and one of the issues I discovered was private authorities granted to profiles with *ALLOBJ special authority. *ALLOBJ is the first thing checked at the user level. It doesn’t matter what private authorities are granted to that user or its groups; *ALLOBJ provides them all authority to the object being accessed. If you’ve granted a private authority to a user with *ALLOBJ assigned to their profile, it will never be used.
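The cleanup described above can be found with SQL rather than by reading DSPOBJAUT output profile by profile. This is an added example, not the article’s own code: it joins QSYS2.OBJECT_PRIVILEGES to QSYS2.USER_INFO to list private authorities whose grantee already has *ALLOBJ. PRODLIB is a constructed library name; only the primary group is considered (supplemental groups are left out for brevity).

```sql
-- Private authorities granted to a user with *ALLOBJ are never consulted, because
-- *ALLOBJ is checked first at the user level. Find them so they can be revoked.
WITH allobj_users AS (
  -- profiles that hold *ALLOBJ directly
  SELECT authorization_name
    FROM qsys2.user_info
   WHERE special_authorities LIKE '%*ALLOBJ%'
  UNION
  -- profiles that inherit *ALLOBJ from their primary group
  SELECT u.authorization_name
    FROM qsys2.user_info u
    JOIN qsys2.user_info g
      ON g.authorization_name = u.group_profile_name
   WHERE g.special_authorities LIKE '%*ALLOBJ%'
)
SELECT p.authorization_name,
       p.object_schema,
       p.object_name,
       p.object_type,
       p.object_authority
  FROM qsys2.object_privileges p
  JOIN allobj_users a
    ON a.authorization_name = p.authorization_name
 WHERE p.object_schema = 'PRODLIB'          -- constructed; OBJECT_PRIVILEGES is large, so filter by library
   AND p.authorization_name <> '*PUBLIC'
 ORDER BY p.authorization_name, p.object_name;
```

Each row is a candidate for RVKOBJAUT; fewer private authorities means less security data for SAVSECDTA to save, which was the original goal.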

IFS Continues to Confound

Even though the IFS has been around for well over 25 years, it continues to confound. I think the issue is twofold. First, organizations are realizing that their IFS is wide open and vulnerable but are frustrated because it’s not obvious to them where to start and/or what authority is required once they do determine where to start. I’d suggest starting with the directory containing the most critical information. Use Authority Collection to determine how much authority is required. Second, eliminate unused and unnecessary file shares since that’s the gateway malware uses to get to the system. And, as yet another reason to get current, IBM i 7.5 provides the capability to restrict which profiles can use a file share. Prior to this, the damage malware could do was determined by the type of share (read-only or read-write) and the authority the profile has to the object being shared. Because the IFS remains such a mystery to most administrators, I included several examples of using Authority Collection and IBM i Services to secure and manage the IFS in my most recent book, Mastering IBM i Security.
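The two IFS reviews the article points to (who can reach the critical directory, and which objects under it are obsolete) can be done with the qsys2.ifs_object_privileges and qsys2.ifs_object_statistics services mentioned earlier. This is an added example, not from the article or the book; /prod/critical is a constructed path, and the column names are as I recall them from the service documentation, so verify them on your release.

```sql
-- 1. Who holds authority to the critical directory itself?
--    *PUBLIC with anything beyond *EXCLUDE is the first thing to tighten.
SELECT path_name,
       authorization_name,
       object_authority
  FROM TABLE (qsys2.ifs_object_privileges(path_name => '/prod/critical'))
 ORDER BY authorization_name;

-- 2. Obsolete objects: stream files anywhere in the subtree not used in the last year.
--    LAST_USED_TIMESTAMP is NULL until the object has been used at least once
--    since it was created or restored, so CREATE_TIMESTAMP is shown alongside it.
SELECT path_name,
       object_type,
       data_size,
       object_owner,
       create_timestamp,
       last_used_timestamp
  FROM TABLE (qsys2.ifs_object_statistics(
                start_path_name     => '/prod/critical',
                subtree_directories => 'YES',
                object_type_list    => '*STMF'))
 WHERE last_used_timestamp IS NULL
    OR last_used_timestamp < CURRENT_TIMESTAMP - 1 YEAR
 ORDER BY last_used_timestamp;
```

On a release without these services the same questions have to be answered from DSPAUT and DSPLNK output per directory, which is the slower path the article describes.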

Risk Assessment vs. Penetration (Pen) Tests

I’ve determined that a pen test provides more value to our clients than a detailed risk assessment. Why? I have performed more risk assessments than I can count over my career. But rather than take note and address each issue, many organizations dismissed the assertions made in the risk assessment, saying that they weren’t possible to exploit. The reason I like penetration testing is that you can’t argue with a screenshot showing how an IBM i security configuration setting or user profile with a default password was exploited or how a production file was accessed by an end user…all because the controls they thought were in place weren’t or the scenario they dismissed was actually exploitable. While risk assessments have a purpose (primarily for compliance requirements), pen tests provide proof that security controls are in place…or they aren’t. They also allow clients to prioritize their efforts on the areas that they know (based on the pen test results) need to be addressed.

Things I’m Thankful For

I’d be remiss if I also didn’t share my reflections on what’s been good about 2022 and what I’m thankful for. This year has been a year of many IBM i security enhancements, starting with the IBM i 7.5 release as well as the Technology Refreshes. I’m thankful that IBM continues to invest in making this the most securable system available. I’m thankful for all of the support I received that allowed me to publish my second book, Mastering IBM i Security. I’m thankful for my business partner, John Vanderwall, and all of our DXR Security clients. And, of course, I’m thankful for my faith and my family, especially my three great-nieces here in Seattle who bring such joy into my life. I can’t help but smile when I think about them.

My heart and my prayers go out to those of you who struggle this time of year. My prayer is that you can find peace and hope in 2023.
