IBM i is the operating system (formerly known as i5/OS or OS/400) that runs on System i hardware (formerly known as iSeries and AS/400). System i was the IBM mid-range of computer systems. IBM now offer IBM i on their new range of computer systems: Power Systems.

IBM i is used by many industries and generally host the organisations' critical data and applications. Given the classification of the data that is stored/proceeded on those systems, ensuring a high level of security is paramount.

Mid-range computer systems and mainframes has gained a reputation of being very secure. They are known to be secure by design (compared to Windows and Unix operating systems). This belief is generally shared between IT professionals and auditors. However, few security professionals and auditors are familiar with these systems and a comprehensive assessment of these systems may be overlooked.

The company Powertech did a survey of around 200 system i servers (many fortune 100 companies). The result is amazing. Looking at this reports, it seems obvious that the security of those systems should be getting more focus:

  • Almost 10% of enabled user profiles have default passwords. Over half the systems in the study have more than 15 user profiles with default passwords.
  • Too many users have high privileges over the operating system
  • Weak password policies
  • Lack of adequate controls over data: at the object level (platform and database layer) the majority of users has access to any data, hence breaching the need to know and separation of duties basis.
  • 65% of the surveyed systems have no logical access control over network access: one can download the content of a database without any audit log and control at the network layer. Because of the issue described above on object level access control, on 65% of the systems audited, virtually any user can extract or modify any data from database tables without any auditing logs or restrictions. No needs to be a wizard, a simple ftp client or the excel add-on provided with the IBM Client will get the data for you.
  • 18% of the systems have no auditing features activated at all.

What is really interesting is that the vulnerabilities highlighted here are very basic things: Trivial passwords, generic accounts, access control, log/monitoring, no hardening of the security settings etc. All recipes that are used on micro-computers and that are now mature should be applied on IBM i.

Network access control and auditing

Historically, the only way to access those systems was a dumb terminal. Access control was done restricting the user's menu on the terminal. There were not many paths to the database or platform (operating system) layers. There was no real need to apply a consistent object-level access control policy, the only way of accessing the data was through the menu.

With TCP/IP and network connectivity, there are many more points of entry to the data. Ensuring the effectiveness of these controls is obviously more challenging. 

Importance of data classification policies

One of the conclusion that can be reach reading this report is that there is obviously a breach of the security policies of most organisations when it comes to security of there IBM i systems. I believe that almost all fortune 100 companies have information security policies. They just forgot to enforce them for their most critical systems!

This highlight the importance of having sound data classification policies (ISO/IEC 27002 7.2.1 - CobiT PO2.3). The result of this study shows clearly that inappropriate security level is applied on many IBM i systems assessed during the survey - I take the assumption that they proceed critical data. The implementation of a classification and handling policy force the company to identify where is their critical data so this is less likely that an information system is left overlooked by security professionals and help the auditors in defining their risk-based audit strategy.

Regardless of the technology used (mid-range computers, mainframes, micro-computers), the level of security has to be applied in proportion to the value of the data to be protected. Most of the companies have patch management procedures, hardening guides, vulnerability management programs but surprisingly enough, these don't often apply to mid-range and mainframes

Reference

  • I The survey can be downloaded from the Powertech website
  • I also strongly suggest that you read John Earl's article on auditing iSeries systems published in the ISACA journal: 
http://www.isaca.org/Content/ContentGroups/Journal1/2008/jopdf0801-auditing-ibm.PDF
  • IBM i Market
ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/pow03032usen/POW03032USEN.PDF