IBM i and the Difference Between Secure and Securable
Among other things, Fortra's Amy Williams still sees clients using six-character passwords and not using auditing
Paul Tuohy: I’m delighted to be joined today by Amy Williams, who is the senior security services consultant with Fortra—whom some of you would probably remember as HelpSystems if you don’t know about the name change. So hello Amy.
Amy Williams: Hello Paul. It’s so nice to be here today.
Paul: Cool. So listen, Amy—a good place to start: Could you maybe just tell us a little bit about yourself and what you do at Fortra, please?
Amy: Yeah. So you know I fell into the IBM i, like many of us. I kind of tripped and fell, thought I was going to be a Windows programmer when I was a kid and then I really got hooked on the IBM i working in a job in the casinos—I’m located in Las Vegas so you can’t get away from working in the casinos in Las Vegas—and then I really stuck with it. Then the security caught my attention and I haven’t let go of it since. So at Fortra I’ve been able to really be able to help people do the types of things with their IBM i to get them more secure that I was able to do when I was running my own shops, so it’s a lot of fun to be able to see people being able to make forward motion in that security arena that’s been hard to tackle sometimes.
Paul: Yeah, it’s interesting when you mention the casinos. A lot of people aren’t aware of that, how many casinos actually run on IBM i so oh, it was a good idea. Where the money is is where you find the good systems.
Amy: Oh, right. Dependability and stability is required.
Paul: Yes, so let me throw something at you, Amy: IBM i is the most secure system in existence. True or false?
Amy: False. If a system is turned on and it’s left at the defaults, it’s not going to be secure, and IBM i is no different. What I will say is that IBM i is probably one of the most securable systems—and I know that we use that term a lot with IBM i, because IBM has provided so many ways built into the system to secure it. And because of that i being integrated, it can take on numerous different applications or third party software to enhance that even further from what IBM has provided just in the base operating system.
Paul: Okay. So you know there was a great comment I heard years ago was that IBM i was security through obscurity [laughs] since a lot of hackers don’t know it exists. But so you mentioned—I mean, working all the in-house stuff that you’ve done and obviously with your job, you’ve come across a lot of different systems. So are there common problems that you see, Amy, on systems like, across the board?
Amy: There are and because the IBM i has been such a staple in so many industries for so long, what I find is that a lot of the problems get carried forward, because IBM i is backwards-compatible. So what software you were running on version—you know, 3.2—I dare say is still running today on version 7.4 and 7.5. Well, a lot of those problems come forward because if it is working, you don’t want to break it and with those previous systems, nobody was thinking about security, right? We had our twinax terminals that we plugged in and if you didn’t have physical access to it, you know you couldn’t get to it and you know TCP/IP changed that whole world, and now external access and remote—you can be anywhere and access that data—so different steps need to be taken because you can’t simply rely on your application and menu security anymore. You need to start looking at who is coming into your system and having access, with either a software firewall similar to the Powertech Exit Point Manager or just your object level security that’s all built into the IBM i. Again, they’ve given us the tools to do it, but it can be quite a bit of work, so we also have products that will help with automating that and keeping track of it for you instead of all the spreadsheets that can make your head spin trying to keep track of it.
Paul: Yeah. So are there a few of sort of the common things that you see there Amy, like system values, that people should be changing but aren’t and that?
Amy: Yeah, so and surprisingly with the moving forward, we still find a number of systems out there that are running at lower security levels. I think that still surprises me quite a bit today, but some of the most common is, you know, *ALLOBJ authority. We always talk about it. Just give the users *ALLOBJ and then you don’t have to worry about anything breaking because everything just works, right [laughs]? It was the first solution in a number of shops I was working in. They’re like just give them *ALLOBJ and we’ll figure it out later. Well later never comes, right? I worked with somebody for quite some time, and their line was that security is always the 12th item on a 10-item list, and so paying attention to those—not only the system values but password rules. We’re still using a minimum of six characters on a lot of systems out there, even though NIST came out years ago saying yeah, you don’t have to change your password every 90 days anymore, but the length of the password is truly where the strength comes in. So the recommendation is really to have 12-16 characters minimum on your passwords, and we’re still finding today many shops aren’t going past that minimum of eight, which is disconcerting when you think of the value of the data that’s stored on these systems.
Paul: Yeah, and I wonder how many of those passwords are 12345678.
Amy: Right, and you know if you’re at a lower password level it’s not even case-sensitive, so you can type it in any which way you want and it’s going to work. So moving to a higher password level and using the password rules that will allow you to almost get your password complexity rules as similar to what you have working possibility with your Active Directory, and making those match so it’s easier for users to create those pass phrases that they’ll be able to remember and not have to write down if they’re using similar ways of creating them, so to speak.
Paul: Yeah, so of all of these Amy, what’s the one surprises you the most?
Amy: Beyond the security level 20 is the number of systems that still don’t have auditing turned on. People don’t even know what’s happening on their systems, right? We think everybody knows everything, everybody is watching, right? There are cameras everywhere and everything is being logged but there are still a number of customers we’ve worked with that have never even turned on logging, so they don’t know what’s happening on their systems. That one always catches me I think the most by surprise because I’ve relied on the logs for so long that I always thought it was just a given that everybody had it turned on, and they don’t.
Paul: So it’s not turned on by default?
Amy: No, it’s not turned on by default. IBM does provide a single command that creates the journal for you, starts the auditing and allows you to set the best practice values into it, so it’s not complicated. You can run that single command and your auditing is started for you, but then you do have to manage those journals in storage, even today working in a terabyte world. My first system I managed was 8 gigs, and my development system was 2 gig, and we were running an entire business on it. Now we’re talking about terabytes of data, but those terabytes are still getting taken up. So storage is always a concern and somehow logging always is the first victim when storage becomes critical mass—you wipe all of your logging. So if you’re not storing those or compressing in some way, getting them off the system into a SIEM, you have no way of knowing if something did go wrong or badly on your system, how that may have happened because the data is gone or it didn’t exist in the first place if you haven’t turned it on.
Paul: Yeah. So given that—okay so take it that a lot of the shops out there are the ones that have been doing things and just carrying forward for years and yeah, I mean they’re kind of facing a tough thing. So what do you recommend they do?
Amy: So really getting to know your system, and you can do that. We have our free security scan that you can sign up for. It takes seconds and it gives you a really good overview of a lot of the things I’ve talked about today: your security level, the number of profiles that all have *ALLOBJ. Something else that it will bring up is inactive profiles, and we find out that customers that haven’t really looked at their system, that have just been you know, keeping it running and going, have hundreds if not thousands of inactive profiles. When I talk about inactive, I’ve seen like last used dates in the 1990s on user profiles because those profiles just keep coming with every migration and every save restore that they’ve done of the system, and they’ve never removed those old profiles. So inactive profiles get carried forward, the less than optimal security settings. So anywhere from your password activity—where you don’t have to ever change your password, [or] where the expiration is none so you don’t ever have to change your password, or the number of previous passwords you have to use is set to *NONE, so you have to change your password every 90 days but really you just have to type in the same password again and the system acknowledges that as a change. So these are some of the unique, bad configurations that we do see out there, and a lot of times customers don’t know until they perform that first security scan that their systems are even set that way. Because they might have inherited the box—
Paul: Yeah so, I was just going to say there, Amy. Sorry. You did use a four-letter word there. Did you say free?
Amy: Free, yes. It is, and it runs remarkably fast. I’m always surprised—and it turns out a lot of information about your system that would take some time to do manually through the different reports of displaying user profiles or displaying the private authorities of profiles, it will let you know if you don’t have your profiles secure. So if *PUBLIC has been granted authority to a user profile, this report will let you know that you have those outliers out there. Now we have a deeper-dive service, Paul, that I provide through our group; it’s the risk assessment. In the risk assessment, which is a paid engagement, we go into the deep dark depths and we actually show you the individual profiles, and we show you those individual configurations and your biggest vulnerabilities, and we also provide you what those steps are that you can take to correct them. I always tell my customers we want you to be as independent as you want to be. So we’ll help you. We’ll step you through step by step, or we’ll just give you the high-level guidelines and you can go and do it yourself and come back to us if you have questions. The more independent and the more resilient our customers are with the information we’re able to educate them with, the better off all of us are and the more secure our data is out there in the world.
Paul: Well that’s a good thing to finish the business part of this on, but before we go okay, I happen to know that you do something that is very close to my heart. I come at it from a completely different angle—I’m more on the QA and consumption side of this; you’re more on the manufacturing and creating side [laughs].
Amy: Yes. So yeah, so when my other half and I became empty nesters and the last kid went off to college, I needed to do something, right? The house is empty and you all of a sudden find yourself with time you didn’t have. So our granddaughter loved watching these cookie decorating videos, this is constantly what we were doing, so I started decorating cookies. So after a couple of years I had friends actually ask me to make cookies for their baby showers and a couple of weddings, and so I turned it into a whole little side business. So that’s how I get away from the computer screens and get away from thinking about all the horrible things about security, right? I do decorated cookies on the side. It’s a lot of fun. It actually brought out a creativity side of my own that I didn’t really realize I had because I’ve done technology forever—in the Air Force, I was in the tech sector in the 90s, didn’t know it was IT back then—but so yeah, that kind of broke me out of my bubble a little bit.
Paul: Well Amy, I look forward to whenever I have the opportunity to sample some of your cookies.
Amy: Absolutely. If I get the opportunity to meet you in person, Paul, absolutely I will come prepared.
Paul: Come prepared [laughs]. Okay well Amy, thank you so much for taking the time to talk to me today and continued success. Please everyone check out the Fortra website for a free security check. Just run a quick check and see where your systems are. So thank you, Amy.
Amy: Thank you so much, Paul.
Paul: Okay everyone, that’s it for this iTalk Business with Tuohy. Hopefully see you again soon for another one. Bye for now.