Carol Woodbury’s Top IBM i Security Projects for 2025
The IBM i security expert joins Charlie Guarino on TechTalk SMB, stressing the importance of updating password levels and ACS, among other insights.
The following transcript has been edited for clarity.
Charlie Guarino: Hi everybody. Welcome to another edition of TechTalk SMB. As you can see here today, I’m so happy to be with a good friend, Ms. Carol Woodbury.
Carol Woodbury: Hey, Charlie.
Charlie: Carol, always great to see you, Carol.
You are an IBM i security subject matter expert and senior advisor for Kisco Systems. Carol is also an IBM Champion, has been since 2018, and has well over 30 years’ experience in this security arena, known literally throughout the world as one of the top security experts for IBM i. She started her career with IBM Rochester as a security team leader and chief engineering manager. More recently, Carol has published two books which are available on Amazon. The first one is called “IBM i: Security and Administration,” third edition I might say. And the second book is “Mastering IBM i Security.” So that’s just loaded full of accomplishments. And Carol, I know anybody who knows security on this platform, anywhere I go, your name is always first on their list. So you really are a well-known entity in this community. Thank you for joining me here today.
Carol: Oh, you’re very kind, and it’s my pleasure.
Charlie: Excellent. So Carol, we are talking today about, well, we are starting the new year 2025, and I know this is always a good time for people to maybe reevaluate or evaluate what’s going on in their shops, and I know that you’ve compiled a small list, which we’re going to call Carol’s Top Security Projects for 2025, and I think it’s a pretty comprehensive list and it’s things that all shops should be considering. I don’t know necessarily if every shop will be affected by every single item on this list, but certainly it’s something that you should be made aware of, because security is no joke. We need to really be very cognizant of security these days.
Carol: Right? Very true. Yes. Yeah, I’m often asked, well, what is it that you would start with? And then you talk about the low-hanging fruit or that type of thing. But I wanted to offer up some projects that people might want to try to accomplish during the new year, things that maybe they haven’t thought of before, but that are really important for security.
Charlie: Is it a fair statement to say today that security is more important than it’s ever been? Or is that something that could have been said 5, 10, 15, 20 years ago, that security is very important today?
Carol: I think it is increasingly important just because of the threat of the bad actors and the reliance on the data that we have running particularly on IBM i and what all it is used for. So to be able to make sure that we know that that data is accurate, so the integrity of that data, and then there are so many laws and regulations surrounding data these days that we really need to be able to keep it confidential as much as we can.
Charlie: We really want to make sure we have a good fortress around our system, correct, to protect the data, because the data obviously is the nuts and bolts of our companies, I believe.
Carol: Absolutely. And I think that people are realizing more and more the value of the data that resides on IBM i and what happens if that data is compromised in some way.
Charlie: Yeah, I agree. It is truly a strategic asset in my company.
Carol: Absolutely. Yes.
Charlie: So therefore it needs to be protected and that’s what we’re going to talk about. So let’s kick off Carol’s Top Security Projects for 2025. I think it’s a great title.
Carol: Okay. So one thing I would offer up is, if you haven’t already moved to a higher password level, that you make that a point this year. So as of IBM i 7.5, there are four password levels; zero and one as of 7.5 really are the same. So there’s no difference between those two as of 7.5. So that’s how the system ships. But the only password composition that you can have is uppercase A through Z, or Zed if you’re listening in Canada, zero through nine and four special characters. So that is incredibly limiting in that character set. If a bad actor is trying to generate your password, it does not take a very long time to generate a valid password. So there’s that. But the other thing is that most organizations have network password rules that are much broader than what that 10-character password limit sets. So most organizations will have network requirements of one uppercase, one lowercase, a special character, and a digit. And you can’t do that at password level zero and one; you can’t make those requirements. So it requires a little bit of work. That’s why I say it’s a project, because you need to do some investigation to make sure outside connections are still going to work. You have to do some good education with your end users to make it work. But really I would encourage you to get to that higher password level.
Charlie: Here’s a question for you. So I do my due diligence and I’m prepared to go to password level four, but when I actually pull the trigger on that, will my current set of passwords continue to work? I mean, is there an immediate impact to the user base at that moment in time when the system becomes available to me again?
Carol: Yeah, that’s a really good question. One of the things you do, and I say this as a project, is you have to plan for it. It takes an IPL, so you go to password level two first, and if you find out that something is not right with those passwords until the user changes them, you can easily go back to zero or one if you’re staying at password level two. Once you go to password level three, the hash values that IBM uses, well, actually the password isn’t stored, a hashed value is stored. So the values that would work at level zero and one start to get cleared at level three. So then for level four, you actually have a stronger hash value that is stored, and that’s really the difference between three and four. But starting at password level two, you have the ability to have a password that’s 128 characters long. Now you don’t have to enable that. You can leave it at 10 if you really want to, but you can have upper and lowercase, you have the numbers of course, but you have all the special characters including spaces. It makes it much easier typically to remember a password when you do something longer like that.
Charlie: That’s an interesting point because I know for a lot of companies, or a lot of people I should say, it’s difficult to remember some random password or characters, but so the antidote to that is pass phrases.
Carol: Yes.
Charlie: Speak to that for a minute and how they can be useful.
Carol: Yes, absolutely. And that’s kind of the point of starting at password level two, three, and four. It enables the pass phrases. So there have been studies that have shown that people can remember a sentence much easier than just the random characters like you were talking about. So that makes it easier for people to not write them down. In fact, the longer you get something, and the number might have changed with the power of computing, but at least a couple of years ago, if you got a password of 15 characters or longer, it was much harder from a compute perspective to actually generate that password through a randomization type algorithm than the lower ones. So if you think about that, if you get a sentence that you have generated that you remember well, the theory is that you won’t forget it as much, plus you might not then have to change it as much. So I know of organizations that have implemented the pass phrase, and instead of requiring people to change every 90 days, they go half a year or even a year before requiring people to change. So there are real benefits to doing the pass phrases on multiple levels.
Charlie: I even read a report recently that talks about the length of a password, and even the delta in each additional character you add, it exponentially makes it more difficult to crack that password.
Carol: Yes, that is absolutely correct. So the longer you go, the better you are and the less likelihood it’s going to be on that list of passwords that have been published. So there are actually bad actors that sell the list of all of the stolen passwords that have ever been stolen. There are lists of them. So then there’s a tactic called password spraying where they will try to use a user ID and password that is in this list of known passwords to try to get into your organization and try to crack in. So if you think of that pass phrase, especially if it’s a sentence that is very unique to you, I could say Aaliyah, Blake and Callan are my favorite great nieces, and that’s going to be very unique. It’s not going to be something that somebody else has used. Sure. So there are a lot of benefits to a pass phrase. Perfect.
Charlie: Yep. And how would somebody go about changing their password level? Where is that stored in the system?
Carol: It’s a password system value. So QPWDLVL. Again, it ships at password level zero; as of 7.5, zero and one are the same thing. So don’t bother going from zero to one because it’s the same. No differences. You’ll go to two and then you’ll IPL. But again, you want to do some investigation to make sure that outside connections are still going to have a password that works and so forth. And also it’s all or nothing. There’s no way to affect some users and not others. So again, educating your end users is key. Users are not required to change their password when you go to a higher password level, but most of my clients do that. They will go in and force the password change. The system doesn’t do that automatically, but most of my clients do. But you’ll want to treat your help desk to beer and pizza or donuts for a few days because it literally affects all of your users all at once.
Charlie: Wow, okay. That might be the best tip you’ve given so far. I’m joking, but there’s this mentality or this spirit of setting it and forgetting it. For example, like in passwords, in many shops I know some users have passwords they’ve been using for years.
Carol: For sure.
Charlie: This is a perfect segue, I think, into the next thing on Carol’s top projects, and that is ACS. I know so many customers are using older versions. You want to speak to that?
Carol: Yeah. Well, let’s go back to the last topic. To successfully go to password level four, it uses a different hashing algorithm, a stronger hashing algorithm, to store that hash value. That’s the only difference between three and four. But if you’re using an old version of ACS that will connect, that first time you connect, it’s going to fail. So you want to be within a year on ACS, but I would like you to be current on ACS. So I’m afraid that there are people that are just in the same type of habit of installing ACS, like they did Client Access, and never updating it. So I see a lot of people with very old versions of ACS, and I don’t know if you’ve paid attention to any kind of security PTFs that have come out, but earlier in 2024, there were some security relevant PTFs that came out for ACS, and there are vulnerabilities in ACS. So you want to be on a current version of ACS.
Charlie: So your version of old, it sounds like is older than one year, seemingly.
Carol: Yes.
Charlie: So I have a question for you. What about the people, the end users, for example, who say, well, I’m only using ACS for the emulator. Is my need to upgrade my version of ACS equally as important, I should say, because I’m only using it for the emulator, or if I’m using the entire suite or much more of the suite of its functions, is it more critical for me, or does it not make a difference?
Carol: Yeah, that’s a good question. I mean, if you read the text of the PTF and can discern which part of ACS it hit, then maybe if you’re only using Telnet, it’s not as critical. But a lot of times it’s deep down in the code, and maybe the base server code, and you might not be able to know which pieces of ACS use that. So I would say that you want to update that.
Charlie: Okay. So now that begs the next question. How do I know when an update’s available?
Carol: Well, there’s a setting within ACS that will alert you to the fact, when you launch ACS, it’ll kind of do a phone home and it will tell you if there is an update available. So I think part of the problem, Charlie, is that people didn’t realize that ACS is fundamentally built differently. It’s an executable. It’s not installed as a product on the workstation, like Client Access was. People would install Client Access and just leave it. They would never upgrade it. At least I never saw people upgrade it. Did you see people upgrade it? I never did, but I think that people may not realize that it’s not like this installed product. So you can actually do ACS updates like you do Windows updates. You actually want to put it in that same process as a Windows update, because you push out the executable, the JAR file basically, and you launch the command that will unzip that and update it, and it will update it in place. It’ll leave all your icons, it’ll leave all your connections, and so you push it out just like you do Windows updates and voila, you’ve got updated ACS. It’s once you get it into that process, and this again is why I call it a project, because it’s not like something you’re going to do alone; you’re going to have to work with the network team, whoever it is that’s updating your Windows updates, to get this in that process. But it’s not that hard.
Charlie: I think I would be remiss if I didn’t include the next topic because it’s certainly in the same sphere of passwords, and that’s multifactor authentication, MFA.
Carol: Yeah.
Charlie: We need to have that. That’s an important part and will, in my view, I’m sure you, but will really bolster your ability to protect the database, I think, or to protect the system as a whole. You want to talk about MFA and how it might work or what you’ve seen working in IBM i?
Carol: Yes. So the way that MFA, multifactor authentication, works is that once you authenticate once, meaning once you’ve entered your user ID and password, another factor is required for you to actually get logged onto the system. So most of the time in the context of IBM i, it’s usually that you have to enter a passcode through something like Okta or the Microsoft product, RSA or whatever.
So you have to enter a code and then you get logged onto the system. So the reason this is so important today is kind of going back to the fact that passwords in some cases are easily guessed, passwords have been lost and a lot of them have been stolen. They’re very easily available for sale on the dark web. So if somebody enters a password, even though it’s a stolen password, so they have the right user ID and password combination, if they don’t have that key fob or app on the phone to enter the right number for the multifactor authentication, they’re not going to get onto the system. Yay. So that’s why it is so powerful. So about a year ago, a little over a year ago, there were two very high profile breaches at casinos in Las Vegas that started because help desks were too helpful and re-enabled profiles of people that had recently left the organization.
So one of the things that bad actors are doing is going through LinkedIn and looking for people who have recently changed jobs and trying to exploit that with former employers. That’s what happened in this case. They called two different casinos’ help desks and said, Hey, this is so-and-so, I have lost my password. The help desks re-enabled the profile, and they got in and did significant damage. If MFA had been in effect in that case, that would not have been successful in either case. So MFA, not just for IBM i, but throughout your organization, is really a key to stopping the case of successful attacks with stolen passwords.
Charlie: I can’t log onto my bank or anything of any significance without MFA.
Carol: Yes.
Charlie: They impose it.
Carol: Yes.
Charlie: I didn’t have the opportunity, although that’s not entirely true because some of these platforms do give me the choice,
Carol: But we are silly if we decline that from a personal perspective. We should want to protect our data as much as we do as we can. So if we’re doing this in our personal lives, we sure should want to do it in our professional lives. And so the argument that, oh, my end users won’t tolerate this type of extra security measure, it’s like, but they’re doing it at home, so let’s have them do it at work and protect their accounts at work.
Charlie: Well, just to bring up one more point about MFA in a business environment, and I know the pushback is because, well, every time I log in, I have to keep doing MFA. So is there some remedy to that? In other words, how many times or some amount of duration of time before I had to get credentialed, things like that? How does that work?
Carol: Yeah. Well, first of all, the security vendors, including Kisco Systems, have some form of MFA product. And the ones that I know about allow you to tune how often you are prompted for that second factor. So you could set it such that when you first log in in the morning, you have to do that second authentication. You can require it hourly. You could require it not in the next 24 hours. So it’s up to you how you configure it.
Charlie: And I guess part of what drives that decision is the sensitivity of the data, perhaps.
Carol: The sensitivity of the data, the role of that system in the organization can play, but that really goes to the sensitivity or the value of the data on that system.
Charlie: The value of the data, right. Yeah. Maybe just as important,
Carol: And it might be changed for different users too. Maybe end users that don’t have access to as much maybe aren’t authenticated as often. Maybe once a day is fine. Maybe people with security admin powers, maybe they’re authenticated more often.
Charlie: So unlike password level, which is an across-the-board change, this can be tailored.
Carol: Yes. All of the products that I know of allow you to tailor who is required to do MFA. I’ve seen people that will only require their security administrators and system administrators, the ones with *ALLOBJ, to have MFA versus their end users. So it can truly be tailored to your business needs appropriately.
Charlie: So another project I think that just dovetails into this whole conversation is security level, QSECURITY. You want to talk about why that might be an important project for 2025 and beyond?
Carol: Yes. Disturbingly, there are still systems that are running at security level 20. So the system ships at 40 and has for many years. When you go to IBM i 7.5, security level 20 actually goes away. So if you’re running at that level and you upgrade to 7.5 and don’t change hardware, in other words, you haven’t done a save and restore, you’ll still be at 20. But if you ever move hardware, or you have to take it to another piece of hardware and do a save and restore, you get IPLed up to 40. So now’s the time to get off of 20. And the reason that’s so devastating from a security perspective is that by default, when you create a user profile, it’s created with *ALLOBJ. So you can basically do anything you want to on the system. So any kind of data confidentiality or integrity just has to be in question when you’re running at 20. Yeah.
Charlie: Again, it’s a bit of a throwback to the old twinax model paradigm, when you didn’t have all these external ways of pulling down data or uploading data for that matter.
Carol: Correct. Now the good news is that the same authority algorithm runs at 20 as does on the other security levels. So you can actually test at 20 to see if you have all of your new security scheme set properly. In other words, you can go in and remove the *ALLOBJ from the user and make sure that everything is running properly before you IPL to go to 40. Because once you cross that boundary between 20 and 30, the operating system will strip off the *ALLOBJ special authority from any profile that isn’t in the SECOFR user class.
Charlie: Is that even true for shops that are still running in the S/36 environment? If I’m running the S/36 environment and I go to 40, where do you land in that situation?
Carol: Yeah. Is the S/36 environment still supported?
Charlie: On stuff? Well, there’s companies are still using it, certainly,
Carol: Yes. But are they actually in the environment, or have they kind of migrated over and everybody has *ALLOBJ because of that?
Charlie: Well, that’s where I was going with that. I’m not entirely sure, but that’s an interesting question because then seemingly, regardless of the security level, if I have the S/36 environment, you have access to
Carol: Anything. Yeah, S/36. That’s an ugly one from a security perspective, just the way they reorganize files and things like that. Yeah. Still
Charlie: Companies still using it. Sad.
Carol: Yes. So that probably requires a bit of rework from the application level to use things like adopted authority, so that users don’t have to have *ALLOBJ, but if you own the object, you can still do everything you need to it.
Charlie: Okay. Well, so access in general is always a concern. And for example, like Navigator, there’s this assumption perhaps that when you attach to Navigator that you’re going over a secure connection, for example. Yes. And that’s not the case from what
Carol: I’m hearing. So another project that you’re going to want to spin up for 2025, if you haven’t done it already, is to make sure that your Navigator for i connection is running over HTTPS. So you might think, wait a minute, I thought it did run over HTTPS, and it used to, but several years ago, IBM stopped shipping the self-signed certificate that made that connection. And that’s because all the browsers started to reject self-signed certificates. So at that point in time, that connection became HTTP, not HTTPS. So if you haven’t done anything about it since then, your user IDs and passwords are flowing in clear text. And the bad part of that is that most of the time if you’re going into Navigator, you are a powerful profile. So it’s your profile and password with a lot of power that’s going over the network in clear
Charlie: Text, and I can sniff that right out.
Carol: And that’s part of the problem when bad actors infiltrate a network. A lot of what’s gotten in the news has been malware infestation, and everybody thinks of data being encrypted. And that’s the worst part. That’s not necessarily the worst part of an attack. A different type of attack is when a bad actor has actually infiltrated your network. It could be through a bad fix from a vendor, or a vulnerability, I should say, from a vendor application. And they’ve been able to come in through that vulnerability. A lot of times they don’t do an attack right away. A lot of times they’ll just lie in wait and gather information about the network, including sniffing off the traffic. So I have people saying, well, why do I care? Do I really need to have my internal communications encrypted? And the answer is yes, because if somebody infiltrates your network, you don’t want them sniffing those clear text user IDs and passwords
Charlie: Unknowingly.
Carol: Unknowingly or knowingly.
Charlie: Or knowingly, right? Sure, why not?
Carol: So Navigator for i is one of those things. So if you all have implemented the most recent PTFs, you’ll notice when you launch Navigator for i, there’s a very obnoxious message that says you are not running over HTTPS. Now, for those of you who have assigned a digital certificate to the admin server, you’re good. You won’t get that obnoxious message. You won’t know what I’m talking about. But that message is going to stay there until you actually resolve that problem. The cool thing is that the Navigator for i team has made it much easier to get digital certificates assigned to the servers that require it for this. In fact, there’s a link in the message that takes you to the screen to help facilitate the configuration of this, but it needs to be done. Yeah.
Charlie: This is all in the vein of just staying current. I mean, you mentioned briefly about people still using Client Access and not even using ACS, and for sure there’s no way to, well, those passwords are going in the clear over Telnet all the time.
Carol: Oh, yes. All the time. Well, you could actually run Client Access over SSL,
But the key is that’s SSL; it does not support TLS. So SSL is deprecated from a standards perspective; that is not a secure protocol. And actually the first version of TLS is not a secure protocol. So in the scheme of staying current, both from a Client Access perspective, there are vulnerabilities in Client Access. If you are still running Client Access, all of your workstations with Client Access installed are vulnerable. So get rid of Client Access. But that really goes for operating systems and just old code in general. You can have old code; if you’re running a not-that-long-ago release of IBM i, you don’t even have the opportunity to run the most current versions of TLS. So it’s so important to stay current,
Charlie: Which is another perfect segue into our next thing we talked about, and that is that we started our conversation by seeing how important security is. And I mean, again, that statement was completely as valid 20 years ago as it is today. I believe that. But given the importance of this, how important it is to stay current, and sometimes extremely important, get this thing loaded today or as quickly as you can. How do I know if I’m not up on the trades, if my full-time job is not monitoring security, how do I know? How does the ordinary pedestrian layman who’s running an IBM i shop know that there’s a HIPER fix out there?
Carol: Yeah. If you are not already registered for the alerts that come out of IBM, you need to get registered for those. IBM will alert you to new releases and PTFs, and you can decide which product. This is IBM corporate wide. So it’s not just for IBM i, but you can select which products you want to have these alerts be generated for. You can say only security alerts. You can do certain group PTF alerts, and they will alert you in your inbox to a new set of group PTFs or a new PTF. So I like to get things pushed to me. I don’t know about you, Charlie, but I don’t do well going out and remembering to look for things. So I like to get things pushed to me. So if I had those alerts coming into my inbox, that’s the way to know that I have an issue. But that also brings about, again, more about staying current. If you have old products from vendors on your system, or maybe a proof of concept that you loaded and you didn’t clean up, and that vendor has an issue with that code. So if you’re not on their list of people that they know are their clients, how are they ever going to notify you that there’s an exposure or vulnerability in their code and that you need to fix it?
Charlie: Right. Completely valid point.
Carol: So there’s a concept these days of having a technology inventory, if you will. So that to me is a major project that you would have to do. It’s best if you can do it across your entire organization, but if people that are listening here are responsible for IBM i, you can at least do it for IBM i. So know which vendors you’re working with, which products are associated with those vendors, make sure you’re current with their products, that you’re on their list, so that if they do have vulnerabilities, they know to contact you.
Charlie: It almost sounds like job one is just taking inventory, seeing what you have. Yes.
Carol: Yep. It is.
Charlie: And then moving. These are some great tips, Carol, and I think this is a great way to start off this coming year, this new year, 2025 or any year, quite frankly, but there’s always new things coming out and certainly worthy of going through this list. Everything that Carol has said, I encourage you to write it down and take a look at some of these. And quite honestly, you might be affected and not even be aware of it. That’s the thing. Some of these things, oh, doesn’t affect me. I don’t need to focus. But that might not be true in your organization. So that’s a valid thing to worry about, not to worry about, to be apprised of.
Carol: Yes, and take action on, or at least plan to take action on it. Once you know about it, then you can assess it and assess the risk to your organization, and then you can get it prioritized and get it going,
Charlie: Get it going. Absolutely. And many of these can be done concurrently. This is not necessarily sequentially just to be clear on that too. Correct. Okay. Carol, this has been a great way to kick off 2025. For anybody who’s listening, this is such valuable information here, and it’s so relevant, really so relevant. These are great tips, and I hope that people take this information to heart because this is really so important, and we go back to how we started the value of our data. While you might think, oh, it’s just my inventory or whatever, but all data has value to somebody, the competitor or things like that, or just on the dark web or anywhere.
Carol: Yeah. I mean, you’re running IBM i for a reason.
Charlie: Yeah.
Carol: It’s typically the data that’s on the system. So even if you’re not holding what somebody would consider to be personal information, what if that data isn’t available? Your manufacturing line goes down, you can’t ship anything out, you can’t make a loan. You can’t, I mean, whatever your business is, if that data isn’t there, you’re out of business. So it has become more and more obvious to people that the business or the data has value to the business.
Charlie: Yeah. We’re now living in a completely data rich world now. We haven’t touched on AI. I’m not going to, but that lives and breathes on data, so that’s for
Carol: Sure. Yes.
Charlie: That’s the essence of it, in fact. So we’re there. Well, Carol, this has been a great checklist. I mean, thank you so much for joining me here today. This is, what can I say? Thank you. I’ll keep saying thank you a million times, so thank you.
Carol: No worries. I tried to do something other than just a typical checklist. It’s like, let’s talk about some projects that you can take over.
Charlie: Yeah. Worthy projects.
Carol: Yes. In my thought.
Charlie: No, I think in many, well, it should be in your thoughts. Put it that way.
Carol: There we go. Yes. My wish for 2025 is that these would be on your project list.
Charlie: There you go. Great.
Carol: There we go.
Charlie: Carol, always a real delight. I’ll just put this out there. If you do need help with any of these, you can reach out to Carol or her company and they’d be more than happy to chat with you and help you get any of these or all of these projects going, and give you good guidance, education, and everything you need to make sure your system is fully secure.
Carol: Thanks for an invite, Charlie. Appreciate it.
Charlie: Always a pleasure. Everybody. Thank you so much for joining us on our podcast today, and we look forward to seeing you again soon. Thanks everybody. Bye now.
Carol: Bye.