Batten Down the Hatches on IBM i

Just because you can't name the last IBM i-specific security issue doesn't mean your IBM i platform is secure.

Can you name the last System i-specific security issue you heard of? In fact, can you name any System i-specific security issue?

The former System i, which, along with the former System p, comprises IBM Corp.'s Power Systems portfolio, has an (underground) reputation for stability, reliability, and, of course, security. One reason you don't typically hear all that much about System i -- or IBM i, as it's now called -- is that you don't hear all that much about i in general. IBM i is a no-hoopla platform. It doesn't tend to generate much press -- an issue of long-standing vexation for AS/400/System i advocates -- for either good (e.g., its positive attributes) or ill (e.g., security issues).

It should come as no surprise that the IBM i platform is as robust -- i.e., as uncomplicated, uncompromised, and relatively unruffled -- as it's ever been.

What is surprising is that system security for the platform often leaves a good bit to be desired, thanks to improper or ineffective controls and inappropriate user access privileges. That's the conclusion of this year's "IBM i Security Study," an annual survey published by IBM i security specialist The PowerTech Group Inc.

In practice, the study suggests, IBM i security often takes a back seat to Unix, Linux, and Windows security. One reason for this is i's reputation for reliability and built-in security. "[T]he universal nature of IBM i vulnerabilities ... led us to conclude that if you have IBM i systems in your data center, then your organization probably suffers from similar internal control deficiencies," the study indicates.

"IBM i security projects often take a back seat to Windows- and Unix-platform security, either because it is assumed that an IBM i server is already secure, or because the security professionals or auditors are unsure how to assess this system."

The PowerTech study is based on a sample of 122 IBM i servers and partitions.

The most common IBM i security issue is a preponderance of too-powerful users: too many account profiles have access privileges or rights that they don't need. It's a pervasive problem, according to PowerTech.

"In general, the IBM i servers reviewed in this sample have too many users that are too powerful," the study says. "In the hands of careless or disgruntled employees, this could result in data loss, theft, or damage. Auditors check for the abuse of special authorities as part of any standard IBM i audit. Even auditors who are not very familiar with the IBM i environment are aware of this issue from their work on other platforms."

PowerTech also found that a significant number of enabled user profiles (11 percent) are configured with a default password -- i.e., the username itself.

What's more, almost half (49 percent) of all of the systems in the study have more than 30 such user profiles. That's 30 usernames that simultaneously double as passwords on half of all systems. Not all of these account profiles are enabled, PowerTech concedes, although it did cite a particularly egregious case in which a staggering number of default profiles (322) were shown to be vulnerable.

PowerTech flagged a bevy of other security shortcomings, including non-existent or ineffective auditing procedures. Too few shops monitor network traffic or log invalid sign-on attempts, for example, even though such monitoring or logging is standard operating procedure on non-IBM i platforms.

Robin Tatum, director of security technologies for PowerTech, says the status quo needs improving.

"In 2012, we continue to see systems that are vulnerable due to too many powerful users, too few controls for *PUBLIC access to libraries, little or no visibility to network traffic, and not enough auditing," Tatum said in a statement.

The complete PowerTech survey is available here.
