Someone’s Knocking On The Door (Again)

With the recent I LOVE YOU virus attack (and the many copycats and variants that followed), I thought that reprinting this editorial from the April 26, 1999 issue of MIDRANGE Systems would be useful as it raises some important questions about AS/400 security. Read on:

Any AS/400 manager worth their weight in gold can tell you that the AS/400 is, out of the box, one of the most secure computing platforms. Since V2R3, OS/400 has met the Department of Defense's stringent C2 security standard. Many other operating systems have received C2 security ratings later in their lives, but the AS/400 was built from the ground up to be secure.

C2 is one level of security defined in the DoD's Trusted Computing System Evaluation Criteria (DOD5200.28-STD, Dec 1985). The C2 security criteria define, among other things, how an operating system must handle the following:

  • Identification and Authentication
  • Discretionary Access Control
  • Object Reuse Management
  • Auditing and Monitoring

Most operating systems adequately handle all of the above, and therefore it is not that difficult to get a C2 compliance rating. The AS/400 is especially adept at Discretionary Access Control because you can set security on more than just files, print queues and similar things: you can even set security on an OS/400 command, or for that matter on any resource.

The built-in security of OS/400 makes it very difficult for something such as the Melissa virus to infect and spread through an AS/400 system or systems. Certainly it is possible for someone to create a virus that could infect an AS/400 system and spread to other AS/400s, but the evidence shows that it is highly unlikely.

According to data collected by ChekWARE, makers of CheckMate anti-virus software, there are over 1,900 known viruses that can infect DOS, and therefore, in some cases, Windows NT. On the flip side, IBM states that there are no known viruses that affect the AS/400. From these statistics we can gather that it would be very difficult for someone to breach AS/400 security through a virus.

So where do we look to find the security hole in the AS/400 architecture? Go to the nearest mirror and take a good look at yourself. This is where we find the greatest threat to AS/400 security: the insider.

The FBI and the Computer Security Institute conduct a study each year on computer crime and security. Although the number of incidents being attributed to outsiders is on the rise, the largest number of attacks not due to a virus were in the areas of unauthorized access by insiders and insider misuse of net access. The survey also shows that 86 percent of companies surveyed answered that the most likely source of attack was disgruntled employees.

So how do you protect yourself from computer crime perpetrated by insiders? Follow the C2 guidelines and, at the very least, you will weed out the obvious security holes and know who has been accessing your systems and why.
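To make the two C2 areas the editorial leans on concrete, here is an added example in OS/400 Control Language (it is not part of the original editorial and not IBM's text): it applies Discretionary Access Control to a command and a file, then switches on Auditing and Monitoring so that later you can see who accessed what. The library MYLIB, the file CUSTMAST, the user profiles OPERATOR and PAYCLERK, and the receiver name AUDRCV0001 are all made-up names for the example; QSYS, PWRDWNSYS and QAUDJRN are the real system objects.

```cl
/* Added example (not from the editorial): object authority and security   */
/* auditing on OS/400. MYLIB, CUSTMAST, OPERATOR, PAYCLERK and AUDRCV0001   */
/* are made-up names; everything else is a standard system object.         */

/* 1. Discretionary Access Control on a *CMD object. Strip whatever the    */
/*    public currently holds on PWRDWNSYS, set it to *EXCLUDE, then grant  */
/*    *USE to the one profile that should be able to power the box down.   */
RVKOBJAUT OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) USER(OPERATOR) AUT(*USE)

/* 2. The same discipline on a data file: public excluded, one profile     */
/*    gets read-only (*USE) access. Verify the result with DSPOBJAUT.       */
GRTOBJAUT OBJ(MYLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(MYLIB/CUSTMAST) OBJTYPE(*FILE) USER(PAYCLERK) AUT(*USE)
DSPOBJAUT OBJ(MYLIB/CUSTMAST) OBJTYPE(*FILE)

/* 3. Auditing and Monitoring. The security audit journal QAUDJRN must     */
/*    exist before the system will write audit entries; create a receiver  */
/*    and the journal, then choose which event classes are recorded.       */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) +
          TEXT('Security audit journal receiver')
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM) +
          DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Security audit journal')
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *DELETE *SECURITY *SERVICE')
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')

/* Record every read and change of the customer file, and every command   */
/* the clerk's profile runs.                                               */
CHGOBJAUD OBJ(MYLIB/CUSTMAST) OBJTYPE(*FILE) OBJAUD(*ALL)
CHGUSRAUD USRPRF(PAYCLERK) OBJAUD(*ALL) AUDLVL(*CMD)

/* 4. Review: list the authority-failure (AF) entries recorded since the   */
/*    start of the current receiver chain.                                 */
DSPAUDJRNE ENTTYP(AF) JRNRCV(*CURCHAIN) FROMTIME(*FIRST) OUTPUT(*)
```

The point of steps 1 and 2 is the one the editorial makes: on OS/400 a command is an object like any other, so the same *EXCLUDE/*USE authorities that protect a file also decide who may run PWRDWNSYS. Step 3 is what turns "know who has been accessing your systems" from a hope into a journal you can actually read, and the AF entries in step 4 are the first thing to check after a suspected insider incident.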

Beyond this, you must ensure that the system and any other systems are physically protected from unauthorized access. You can jam-pack an operating system with all of the security features you want, but if you don't follow well-established physical security guidelines, these security features are for naught and a C2 rating is as good as no security at all.

As a former Intelligence Specialist in the Naval Reserve, I can tell you that C2 security by itself is not enough. The C2 security criteria, if implemented correctly, and followed up with frequent security audits, can render any computer system reasonably safe from unauthorized entry.

Unfortunately, with poor physical security, even frequent security audits will only tell you that you have had a security breach, but do little to prevent the actual breach. Although finding out that someone has breached security on your AS/400 is a good idea, it is a better idea to stop that breach in the first place.

The most sensitive information that the military has is protected by more than just C2 security. The four main criteria are augmented by, among other things, tight physical security. Computer systems that carry sensitive information are not kept in areas that just anyone can access. The computers that hold or access sensitive data are kept separate from those that handle administrative tasks.

Although this is impractical for many companies, limiting access to the computer room and the areas where terminals and PCs access the AS/400s goes a long way toward guaranteeing that your AS/400, with its architecture built to be secure, will not be breached by a disgruntled employee. I am sure you would rather not have that disgruntled employee just walk up to a 5250 terminal whose operator has left for a coffee break and delete important company data.
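The unattended-terminal scenario above has a partial technical backstop on OS/400 alongside the physical controls the editorial calls for. The following is an added example in Control Language (not from the editorial, not IBM's text) that uses the standard system values for idle-session handling and sign-on limits; the interval values are assumptions chosen for illustration, not recommended numbers.

```cl
/* Added example (not from the editorial): limit what an abandoned 5250    */
/* session can be used for. The numbers below are illustrative choices.    */

/* Interactive jobs idle for 10 minutes are acted on. QINACTITV is the     */
/* idle interval in minutes; QINACTMSGQ says what happens when it is hit:  */
/* *DSCJOB disconnects the job so the user must sign on again to resume,   */
/* *ENDJOB would end it outright.                                          */
CHGSYSVAL SYSVAL(QINACTITV) VALUE('10')
CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE('*DSCJOB')

/* A disconnected job that nobody resumes is ended after 20 minutes, so   */
/* the session does not linger under the original operator's authority.   */
CHGSYSVAL SYSVAL(QDSCJOBITV) VALUE('20')

/* Someone who sits down at the vacated terminal and guesses passwords     */
/* gets three attempts; after that the device is varied off and the        */
/* profile is disabled (QMAXSGNACN '3' = both actions).                    */
CHGSYSVAL SYSVAL(QMAXSIGN) VALUE('3')
CHGSYSVAL SYSVAL(QMAXSGNACN) VALUE('3')

/* Confirm the settings took effect.                                       */
DSPSYSVAL SYSVAL(QINACTITV)
DSPSYSVAL SYSVAL(QINACTMSGQ)
```

None of this replaces a locked computer room: a walk-up attacker still has the full idle window, and disabled profiles will generate help-desk calls that someone has to triage. It does mean that a coffee break no longer hands over an open, fully authorized session indefinitely, which is the specific exposure the editorial describes.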

Most of us concentrate on tightening security in just those areas that the C2 guidelines address. Don't neglect physical security, because the safety of your data, and possibly your job, depend on the total security of your systems, not just on the fact that OS/400 is built to be secure or on its apparent invulnerability to viruses.

Related Editorials:

  • Kisco Closes AS/400 Telnet Security Loophole
  • Open Access, Tight Security
  • A Wake Up Call for Security