editor's desk: Inside Threat

Over the past few weeks, as the Melissa virus battled head to head with the crisis in Kosovo for media coverage, AS/400 managers were probably wondering what the big deal was (about Melissa, not Kosovo!). Any AS/400 manager worth their weight in gold can tell you that the AS/400 is, out of the box, one of the most secure computing platforms. Since V2R3, OS/400 has met the Department of Defense's stringent C2 security standard. Many other operating systems have received C2 security ratings later in their life, but the AS/400 was built from the ground up to be secure.

C2 is one level of security defined in the DoD's Trusted Computer System Evaluation Criteria (DOD 5200.28-STD, Dec 1985). The C2 security criteria define, among other things, how an operating system must handle the following:

  • Identification and Authentication
  • Discretionary Access Control
  • Object Reuse Management
  • Auditing and Monitoring

Most operating systems adequately handle all of the above, and therefore it is not that difficult to get a C2 compliance rating. The AS/400 is especially adept at Discretionary Access Control because you can set security on more than just files, print queues, and similar things: you can even set security on an OS/400 command or, for that matter, on any object.

The built-in security of OS/400 makes it very difficult for something like the Melissa virus to infect and spread through an AS/400 system or systems. Certainly it is possible for someone to create a virus that could infect an AS/400 system and spread to other AS/400 systems, but the evidence shows that it is highly unlikely.

According to data collected by ChekWARE, makers of CheckMate anti-virus software, there are over 1900 known viruses that can infect DOS and therefore, in some cases, Windows NT. On the flip side, IBM states that there are no known viruses that affect the AS/400. From these statistics we can gather that it would be very difficult for someone to breach AS/400 security through a virus.

So where do we look to find the security hole in the AS/400 architecture? Go to the nearest mirror and take a good look at yourself. This is where we find the greatest threat to AS/400 security: the insider.

The FBI and the Computer Security Institute conduct a study each year on computer crime and security. Although the number of incidents attributed to outsiders is on the rise, the largest number of attacks not due to a virus was in the areas of unauthorized access by insiders and insider misuse of net access. The survey also shows that 86% of the companies surveyed answered that the most likely source of attack was disgruntled employees.

So how do you protect yourself from computer crime perpetrated by insiders? Follow the C2 guidelines and, at the very least, you will weed out the obvious security holes and know who has been accessing your systems and why.

Beyond this, you must ensure that the system, and any other systems, are physically protected from unauthorized access. You can jam-pack an operating system with all of the security features you want, but if you don't follow well-established physical security guidelines, those features are for naught and a C2 rating is as good as no security at all.

As a former Intelligence Specialist in the Naval Reserve, I can tell you that C2 security by itself is not enough. The C2 security criteria, if implemented correctly, and followed up with frequent security audits, can render any computer system reasonably safe from unauthorized entry.

Unfortunately, with poor physical security, even frequent security audits will only tell you that you have had a security breach; they do little to prevent the breach itself. Although finding out that someone has breached security on your AS/400 is a good thing, it is a better thing to stop that breach in the first place.

The most sensitive information that the military has is protected by more than just C2 security. The four main criteria are augmented by, among other things, tight physical security. Computer systems that carry sensitive information are not kept in areas that just anyone can access. The computers that hold or access sensitive data are kept separate from those that handle administrative tasks.

Although this is impractical for many companies, limiting access to the computer room and to the areas where the terminals and PCs that access the AS/400 are located goes a long way toward guaranteeing that your AS/400, with its architecture built to be secure, will not be breached by a disgruntled employee. I am sure you would rather not have that disgruntled employee just walk up to a 5250 terminal whose operator has left for a coffee break and delete important company data.
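The three OS/400 controls this column leans on (authority on a command rather than just a file, audit records that answer "who accessed what", and not leaving a signed-on 5250 session for a passer-by) can be set from a security officer profile with a handful of CL commands. This is an added example, not from the column or from IBM; the command chosen (DLTF), the group profile OPSGRP, the receiver name, the audit levels and the 15-minute timeout are assumptions to be adjusted against your release's Security Reference.

```cl
/* Added example (not from the column). OS/400 CL, run under a     */
/* *SECOFR profile. Object, profile and receiver names below are   */
/* assumptions; values are for illustration.                       */

/* 1. Discretionary access control on a command, not just a file:  */
/*    the public may not run DLTF; only the OPSGRP group may.      */
/*    Note: profiles with *ALLOBJ special authority bypass this,   */
/*    so keep *ALLOBJ to the few who genuinely need it.            */
GRTOBJAUT OBJ(QSYS/DLTF) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(QSYS/DLTF) OBJTYPE(*CMD) USER(OPSGRP) AUT(*USE)

/* 2. Auditing and monitoring: create the security audit journal   */
/*    and record authority failures, security changes and deletes. */
CRTJRNRCV JRNRCV(QSYS/AUDRCV0001)
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QSYS/AUDRCV0001)
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *DELETE')
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')

/* 3. The unattended 5250 terminal: end interactive jobs that have  */
/*    been idle for 15 minutes instead of leaving them signed on.   */
CHGSYSVAL SYSVAL(QINACTITV) VALUE('15')
CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE('*ENDJOB')

/* 4. The periodic audit: pull authority-failure (AF) entries from  */
/*    the audit journal into a file for review.                     */
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(AF) OUTPUT(*OUTFILE) OUTFILE(QGPL/AUDAF)
```

None of this substitutes for the physical controls the column goes on to describe; it only makes the logical side match the C2 criteria listed above.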

Most of us concentrate on tightening security in just those areas that the C2 guidelines address. Don't neglect physical security, since the safety of your data, and possibly your job, depends on the total security of your systems, not just on the fact that OS/400 is built to be secure and appears invulnerable to viruses.