Company News

PowerNews: August 2011

Posted in Audits, Company News, Security on August 5th, 2011 by Kiki


PowerTech Releases Command Security

The newest member of the PowerTech line of security products is Command Security, a rule-based security solution that lets you audit and control selected commands.

With Command Security, you can prevent unauthorized users from executing a monitored command, allow only authorized users to execute certain commands, control the situations when a command is allowed, and monitor and secure commands used by other applications.

Plus, Command Security records monitored command use in a secure journal and provides a complete audit trail to meet government legislation and industry regulations.

“Not all commands have the potential for misuse,” says Robin Tatam, PowerTech Director of Security Technologies. “Command Security gives users the flexibility to control just the commands and situations that could compromise system data or security. Plus, it works with almost any IBM i command and can control commands in third-party applications. It’s a great addition to the PowerTech security suite.”

For more information on commands and how Command Security helps you control their use, see “Commands Never Die!” below.

—————————————————————————————-

Commands Never Die! Stay in Command of Your Command Line

By Oshan Indika, Security Consultant, CISSP, CISA

From its earliest days, the primary means of interaction with a computer has been the command line. Everything was text-based, and application programs used menu systems for navigation.

Starting in the early ’90s, many operating systems transitioned to a graphical user interface (GUI). But, surprisingly, the command line has survived—especially among power users, administrators, and geeks (like me). Although great strides have been made on the GUI front, there’s still a unique role for the command line in IT.

When it comes to IBM i, the command line hasn’t changed over the years and still plays an important role, maybe more than in other operating systems. IBM has done a great job in improving the GUI capabilities of the OS. However, power users, developers, and administrators still consider the command line their primary mode of interaction with the system. The reason for this popularity may be due to some easy-to-use features:

  • Prompting: You can prompt any command directly from the command line to display its parameters.
  • Command Help: Context-sensitive help is available on all IBM i commands.
  • Ease of finding commands: The commands use standardized abbreviations, making them easy to find quickly. For example, change is CHG, display is DSP, program is PGM, user is USR, and so on. If you want to see all verb (such as CHG) or subject (such as USR) commands, go to the respective menus by entering GO VERB or GO SUBJECT. In addition, for each abbreviation there is a corresponding menu that starts with the letters CMD. So, for example, to see all DSP commands, simply run the command GO CMDDSP. This is one of my favorite ways of browsing commands on the system.

Commands = Power

The ease of use of command line access also gives the user a lot of power. Coupled with a higher authority level, a user with command line access can do almost anything on the system. Some commands (like DSPMSG) are harmless, but others can change security configurations (like CHGSYSVAL) or create/modify/delete user profiles (like WRKUSRPRF). To reduce the risk of users running powerful commands, system administrators often remove the ability to run commands by setting the Limit capabilities parameter in the user profile to *YES.

Although this stops users from running commands from a workstation session, there are other ways to run a command. Two of the most commonly used access methods are Remote Command and FTP. For Remote Command, you must have IBM System i Access for Windows installed on your PC. In many environments, it’s installed by default. And, FTP clients are found in almost any operating system.

These remote command capabilities add another layer of complexity to command access. From a security viewpoint, it’s important to monitor which commands are executed on the system, regardless of where they were entered. You should at least monitor commands with the potential to alter or delete data and system configurations.

Auditing Isn’t the Full Solution

One way to track the commands being run by users is to turn on command auditing for specific user profiles using the Change User Auditing command:

CHGUSRAUD USRPRF(OSHAN) AUDLVL(*CMD)

When auditing is on, the operating system writes a CD entry in the system audit journal (QAUDJRN) whenever the specified user executes a command.

There are two important things missing in this solution. First, you won’t know immediately when a user enters a command that could impact the whole system; you’ll only know the next time you run the audit report. Second, there’s no way to control which commands a user can and cannot run.

Control Command Use with Command Security

The best way to control commands is to use PowerTech Command Security. Using Command Security, you identify which commands you want to monitor, specify the conditions under which the command should be secured, and define the actions to take when the conditions are met.

With Command Security, you can:

  • Allow the command to execute as it was entered.
  • Prevent the command from being executed.
  • Notify an administrator when the command is issued.
  • Modify the command in a predefined way (from substituting command keywords to replacing the entire command).

There’s no doubt that the need to run commands will remain one of the most important aspects of maintaining a system in the foreseeable future. It’s also important to allow users to run commands in a controlled manner, without jeopardizing the integrity of the system. With Command Security, you remain in total command of your command line.
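The following is an added example, not PowerTech code, that models the rule-based control described in this article and contrasts it with after-the-fact auditing: a command string is parsed before it runs, the first matching rule decides whether to allow, prevent, notify, or modify it, and the entry source (the labels WORKSTATION, RMTCMD and FTP are assumed) is one of the conditions. Rule names, users and the sample commands are constructed.

```python
"""Illustrative model of rule-based command control for IBM i CL commands.

Constructed example, not PowerTech code. Each rule names a monitored command,
the users and entry sources it applies to, and the action to take when it
matches: allow, prevent, notify, or modify (substitute keyword values or
replace the whole command). The first matching rule wins; commands with no
rule are allowed unchanged. Source names (WORKSTATION, RMTCMD, FTP) are
assumed labels for where the command was entered.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def parse_cl(command: str) -> Tuple[str, Dict[str, str]]:
    """Split a CL command string into (NAME, {KEYWORD: value}).

    Values may contain spaces, nested parentheses or quoted strings, e.g.
    DLTUSRPRF USRPRF(OSHAN) OWNOBJOPT(*CHGOWN QDFTOWN). A bare token without
    parentheses is stored as a positional value under *POS<n>.
    """
    name, _, rest = command.strip().partition(" ")
    params: Dict[str, str] = {}
    i, n = 0, len(rest)
    while i < n:
        if rest[i].isspace():
            i += 1
            continue
        start = i
        while i < n and rest[i] != "(" and not rest[i].isspace():
            i += 1
        token = rest[start:i].upper()
        if i < n and rest[i] == "(":
            depth, quoted, i = 1, False, i + 1
            vstart = i
            while i < n and depth:
                ch = rest[i]
                if ch == "'":
                    quoted = not quoted
                elif not quoted and ch == "(":
                    depth += 1
                elif not quoted and ch == ")":
                    depth -= 1
                i += 1
            params[token] = rest[vstart:i - 1]
        else:
            params[f"*POS{len(params) + 1}"] = token
    return name.upper(), params


def render_cl(name: str, params: Dict[str, str]) -> str:
    """Rebuild a command string from parse_cl output."""
    parts = [v if k.startswith("*POS") else f"{k}({v})" for k, v in params.items()]
    return " ".join([name] + parts)


@dataclass
class Rule:
    command: str
    action: str                                # allow | prevent | notify | modify
    users: Optional[Set[str]] = None           # None: any user
    sources: Optional[Set[str]] = None         # None: any entry source
    substitutions: Dict[str, str] = field(default_factory=dict)  # for modify
    replace_with: Optional[str] = None         # whole-command replacement


@dataclass
class Decision:
    action: str                   # what the rule decided
    command: str                  # the command that will run (or was blocked)
    alert: Optional[str] = None   # message an administrator would receive


def evaluate(command: str, user: str, source: str, rules: List[Rule]) -> Decision:
    """Apply the first matching rule to a command before it executes."""
    name, params = parse_cl(command)
    user, source = user.upper(), source.upper()
    for rule in rules:
        if rule.command != name:
            continue
        if rule.users is not None and user not in rule.users:
            continue
        if rule.sources is not None and source not in rule.sources:
            continue
        context = f"{user} via {source}: {command}"
        if rule.action == "prevent":
            return Decision("prevent", command, f"BLOCKED {context}")
        if rule.action == "notify":
            return Decision("notify", command, f"NOTIFY {context}")
        if rule.action == "modify":
            if rule.replace_with is not None:
                return Decision("modify", rule.replace_with, f"REPLACED {context}")
            params.update(rule.substitutions)
            return Decision("modify", render_cl(name, params), f"MODIFIED {context}")
        return Decision("allow", command)
    return Decision("allow", command)   # not a monitored command


# Constructed rule set: only QSECOFR may change system values (with an alert),
# user profile work is refused over remote interfaces, and deleting a profile
# never silently deletes the objects it owns.
RULES = [
    Rule("CHGSYSVAL", "notify", users={"QSECOFR"}),
    Rule("CHGSYSVAL", "prevent"),
    Rule("WRKUSRPRF", "prevent", sources={"FTP", "RMTCMD"}),
    Rule("DLTUSRPRF", "modify", substitutions={"OWNOBJOPT": "*CHGOWN QDFTOWN"}),
]
```

A CD entry in QAUDJRN records the same command only after it has run; the rule evaluation above happens before execution, which is the gap the article points out.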

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
Can I transfer SecurityAudit from one system to another for D/R testing?

A: Yes. However, because the system name and license information are hard-coded in the product, you’ll need keys specific to the new machine or partition. You also must run a special command before re-licensing.

Make sure the SecurityAudit product library is in your library list. Enter the LUPDSYSSA command and press F4 to display the command prompt. Enter the System name, Serial# and LPAR ID, and specify Yes (Y) for Recreate License objects. Press Enter.

When the SecurityAudit Main Menu displays, select option 61. Then, select option 4 on the Administration menu to enter the new license code.

Dear Paulie,
How can I monitor a specific user’s commands?

A: You can audit the commands entered by a specific user using the Change User Auditing (CHGUSRAUD) command. Specify the user profile to audit and *CMD for the AUDLVL parameter. Once you start auditing, Compliance Monitor, SecurityAudit, and Interact can provide visibility to the user’s commands by using the CD audit entries in the audit journal.

Note: An easier way to monitor and control user commands is to use PowerTech’s new Command Security. See the articles in this issue for more information.

Learn more with PowerTech Webinars and online training.

Request a demo.

PowerNews: July 2011

Posted in Audits, Company News, Security on July 6th, 2011 by Kiki


Help/Systems Completes Acquisition of DataThread

On June 3, Help/Systems, the world’s leader in systems management solutions, announced the acquisition of DataThread high-performance database monitoring software from Innovatum. PowerTech, a Help/Systems company, has offered DataThread since 2010 as an addition to its suite of IBM i security products. The acquisition of DataThread offers users another level of security monitoring as part of the PowerTech product line.

DataThread allows you to automate and centralize your IBM i database access and activity monitoring, while providing real-time notification, authorization, reporting, and regulatory compliance capabilities. DataThread’s auditing capabilities help you meet the stringent compliance regulations required by PCI, Sarbanes-Oxley, HIPAA, FDA, and other domestic and international regulations.

“Adding DataThread to the PowerTech product line is very exciting,” said Jim Cassens, Help/Systems Director of Business Development. “It reinforces Help/Systems’ commitment to bringing world-class solutions to the security and compliance market space. It also helps “super-charge” the PowerTech line for growth by adding another solution that’s in high demand by customers who need to satisfy compliance regulations.”

“DataThread is a perfect fit for PowerTech,” added Robin Tatam, PowerTech Director of Security Technologies. “It complements the PowerTech product line to provide a seamless security solution. DataThread is a solid product and we will continue to invest in development to make it an even greater asset for users of the PowerTech security products.”

—————————————————————————————-

Using a Custom Journal for Network Security Audit Entries

By Jill Martin, Product Support Manager

Have you ever wondered what happens to all the events that are logged through the exit points that Network Security monitors? Have you ever tried to pull events from QAUDJRN, just to have it get bogged down by all the other entries stored there? Did you know that you have options?

Network Security comes configured to log all traffic through your exit points to a secure audit journal (QAUDJRN by default). What we often find is that users new to Network Security—or even those who have been using it for a while—may be collecting a lot of data, but aren’t managing that data very efficiently.

Evaluate Your Audited Events

PowerTech made the decision long ago to send event history to a secure repository and store audited events in the system audit journal, QAUDJRN. This works great when you are first getting started with Network Security and aren’t sure what types of events you need to collect and store. Plus, you probably already have a practice in place for cleanup. But, once you have a feel for what is happening on your system, you (or your auditors) might have some different recommendations for how long to keep the exit point data. And, these requirements could differ from the requirements for the other types of entries stored in QAUDJRN (such as system events or traffic related to your high availability software).

Define a Custom Journal

The good news is that changing where this information is stored is a simple three-step process:

1. Identify a new journal to use for the Network Security entries. If you don’t already have a journal defined, create a new journal receiver.

Screenshot: CRTJRNRCV command prompt. Create a journal receiver for Network Security.

2. Define a new journal specifically for Network Security. You also should define a process for saving and deleting your journal receivers to clean up the entries.

Screenshot: CRTJRN command prompt. Define a journal for Network Security events.

3. After you’ve created the new journal, use the Network Security Configuration Menu and Work with the System Values screen to change the Log Journal Name and Library to the new journal.

Screenshot: Network Security system values screen. Change the system value to point to the new journal.

Going forward, all reports will pull the Network Security entries from the new journal receivers. Note: If you have entries that previously were logged into QAUDJRN, you may want to request reports over your existing data before changing the system value.

Report on Network Security Events

Network Security can feed events to Interact in real time, or allow Compliance Monitor to print reports over Network Security traffic. These events come from the journal you specified in Network Security and the products continue to interface with the new journal in place. Note: Compliance Monitor reports show only data from the journal currently configured in Network Security.

Once you’ve separated Network Security entries from QAUDJRN, you can manage the archive process independently and improve report performance, because the reports no longer need to parse through all your other journal entries.

—————————————————————————————-

Register for the IBM i Security Event of the Year

Early Bird Special Expires Soon—Don’t Miss Out!

Have you registered yet for the 2011 IBM i Security Event of the Year? The last date to receive the Early Bird price of $500 is July 29. Don’t miss out on this exciting event—or the great price for registering early. Get more information and register now!

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
What are the system requirements for Compliance Monitor 3.01?

A: A system running the Compliance Monitor 3.01 Consolidator requires the following:

  • IBM i (i5/OS, OS/400) version V5R4 or higher
  • Java 1.6 32-bit (required minimum)
  • 256 MB of disk space
  • IBM i V5R4: PTF Group SF99291 (level 18 or greater) installed
  • IBM i V6R1: PTF Group SF99562 (level 6 or greater) installed

A pre-checker utility, CM3CHECKER, helps you identify any prerequisites that you are missing. You can download CM3CHECKER separately to make sure your system is ready.

Dear Paulie,
Can I upgrade my existing 2x version of Compliance Monitor to version 3.01?

A: Absolutely! Before you start, run the pre-checker, CM3CHECKER, and back up the Compliance Monitor 2 Consolidator library (PTCMT2) as part of a full system save or using the following command:

SAVLICPGM LICPGM(1PLCMT2) DEV(*SAVF) SAVF(QGPL/CM2BACKUP)

The upgrade process is completely automated. Simply download the Compliance Monitor 3.0 Installer to your PC and follow the install instructions. Once the upgrade completes, your Compliance Monitor 2 users, reports, and groups are available.


PowerNews: June 2011

Posted in Audits, Company News, Security on June 3rd, 2011 by Kiki


Inherited Authority Can Sabotage Your System

By Robin Tatam, Director of Security Technologies

Everyone loves an inheritance! Imagine the excitement of discovering that a long-lost uncle has left you a fortune. Or, perhaps the recent Royal Wedding has you wondering where you are in the line of succession for the throne of England! While these possibilities are a long shot for most of us, you can inherit power on IBM i using the age-old IBM i facility called “group profiles.”

Basically, a group profile links users with similar security requirements. It allows a security officer to quickly define object authorities that automatically apply to all group members.

Creating a Group Profile

We recommend that you design group profiles based on the role of the members in the group. For example, you might create a group called HRUSERS to make it easy to authorize multiple Human Resources department employees to a payroll application. Or, create a group profile called READONLY that limits query users to *USE access to the database.

A group profile starts as a regular user profile, created with the CRTUSRPRF command. The promotion to group status comes when another user profile (the member) references the group profile on its “Group Profile” parameter. Having one or more member profiles pointing to the desired group profile makes it a group. (To simplify things, a group profile can’t be a member of another group.)

A user can be a member of up to 16 groups—one primary group and up to 15 supplemental groups. Typically, you don’t want a profile to be in more than a few groups. It just complicates things when you need to determine the order in which to list the groups.

Benefits of Group Profiles

The biggest benefit comes from increased efficiency. Defining the authority of a group to an object also defines the authority of each group member. You don’t have to authorize each group member individually, a significant advantage if there are a large number of members. And, if people join or leave a role, you just add or remove them from the group.

You can assign authority to an object based on the group, and you can override that authority by defining authority for individual members. IBM i checks an individual’s authority before checking the group authorities. If you define a private authority for a user, the user gets that level of access and the group’s authority is NOT checked. If the user has no individual authority specified, IBM i checks the group authority. If the user is in multiple groups, the authorities of each group are consolidated. For example, if Group 1 has *EXCLUDE authority and Group 2 has *USE, the user’s authority is *USE.

You also can specify if the member’s primary group profile should own new objects. This allows other members of the group equal access to the objects. Alternatively, individuals can own the objects they create, and define the amount of private authority granted to other group members.

Follow the Chain of Inheritance

One important thing to remember about group profiles is that a group’s special authorities are inherited automatically by all group members. This is in addition to a member’s own special authorities. So, if a member profile has *SECADM authority, and one of its group profiles has *ALLOBJ and another has *JOBCTL, that member effectively operates with *ALLOBJ, *SECADM, and *JOBCTL authorities. This inheritance extends to all groups a member belongs to. While this can be beneficial, it also can have serious implications for the capabilities of the members. For example, it’s possible for members to grant themselves authority to a restricted file by using the group’s *ALLOBJ authority.

Documenting this “chain of inheritance” is a challenge. Audits can miss that a seemingly benign user is actually running with powerful inherited authorities, like *ALLOBJ. The operating system offers only rudimentary reports to display the relationship between a user profile and its associated group profiles. It’s also common for an audit to overemphasize the user class of a profile, and not realize that the class doesn’t do much beyond defining the special authorities the profile receives by default.
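The following is an added example, not IBM or PowerTech code, that models the authority checking order and the special-authority inheritance described above: a private authority on the user decides before groups are looked at, the authorities of several groups are consolidated with the most permissive winning, *ALLOBJ held by any group grants access to everything, and a small report lists the users whose *ALLOBJ is inherited rather than their own. All profile, group and object names are constructed.

```python
"""Model of how group profiles shape a user's effective authority on IBM i.

Constructed example, not IBM or PowerTech code; profile and object names are
invented. It follows the order the article describes: *ALLOBJ (own or
inherited) grants everything; otherwise a private authority on the user
profile decides and groups are not checked; otherwise the authorities of all
groups are consolidated and the most permissive wins; otherwise *PUBLIC
applies. Special authorities are the union of the member's own and every
group's, and the report lists who holds *ALLOBJ only by inheritance.
"""
from typing import Dict, List, Set, Tuple

# Object authority levels in increasing order of access.
LEVELS = ["*EXCLUDE", "*USE", "*CHANGE", "*ALL"]


class Profile:
    def __init__(self, name: str, groups=(), special=()):
        self.name = name
        self.groups = list(groups)      # primary group first, then supplementals
        self.special = set(special)     # special authorities such as *ALLOBJ


class SecuredObject:
    def __init__(self, name: str, public: str = "*EXCLUDE", private=None):
        self.name = name
        self.public = public
        self.private: Dict[str, str] = dict(private or {})   # profile -> level


def effective_special(user: Profile, profiles: Dict[str, Profile]) -> Dict[str, Set[str]]:
    """Map each special authority the user holds to the profiles it comes from."""
    origins: Dict[str, Set[str]] = {}
    for holder in [user] + [profiles[g] for g in user.groups]:
        for sa in holder.special:
            origins.setdefault(sa, set()).add(holder.name)
    return origins


def effective_authority(user: Profile, obj: SecuredObject,
                        profiles: Dict[str, Profile]) -> Tuple[str, str]:
    """Return (level, source) for the user's authority to obj."""
    if "*ALLOBJ" in effective_special(user, profiles):
        return "*ALL", "*ALLOBJ special authority"
    if user.name in obj.private:
        return obj.private[user.name], "private authority (groups not checked)"
    group_levels = [(obj.private[g], g) for g in user.groups if g in obj.private]
    if group_levels:
        level, grp = max(group_levels, key=lambda lg: LEVELS.index(lg[0]))
        return level, f"group {grp}"
    return obj.public, "*PUBLIC"


def is_authorized(user: Profile, obj: SecuredObject, required: str,
                  profiles: Dict[str, Profile]) -> bool:
    level, _ = effective_authority(user, obj, profiles)
    return LEVELS.index(level) >= LEVELS.index(required)


def inheritance_report(profiles: Dict[str, Profile]) -> List[str]:
    """List users that hold *ALLOBJ only through a group: the case an audit
    that looks only at the user profile itself would miss."""
    lines = []
    for p in profiles.values():
        origins = effective_special(p, profiles).get("*ALLOBJ", set())
        if origins and p.name not in origins:
            lines.append(f"{p.name} inherits *ALLOBJ from {', '.join(sorted(origins))}")
    return lines


# Constructed sample: two role groups, one operations group with *ALLOBJ,
# and a payroll file with private authorities for a user and the groups.
PROFILES = {
    "HRUSERS":  Profile("HRUSERS"),
    "QRYUSERS": Profile("QRYUSERS"),
    "OPS":      Profile("OPS", special={"*ALLOBJ", "*JOBCTL"}),
    "ALICE":    Profile("ALICE", groups=["HRUSERS"]),
    "BOB":      Profile("BOB", groups=["QRYUSERS", "HRUSERS"]),
    "CAROL":    Profile("CAROL", groups=["OPS"], special={"*SECADM"}),
    "DAVE":     Profile("DAVE"),
}
PAYROLL = SecuredObject("PAYROLL", public="*EXCLUDE",
                        private={"ALICE": "*EXCLUDE", "HRUSERS": "*USE",
                                 "QRYUSERS": "*EXCLUDE"})

if __name__ == "__main__":
    for name in ("ALICE", "BOB", "CAROL", "DAVE"):
        print(name, *effective_authority(PROFILES[name], PAYROLL, PROFILES))
    print(*inheritance_report(PROFILES), sep="\n")
```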

Compliance Monitor Identifies Inherited Authority

PowerTech Compliance Monitor eliminates the time and effort needed to determine a user’s true power. Predefined reports identify powerful users—and indicate if special authorities are inherited from a group. It also solves the “user class versus special authority” mismatch. Flexible report filters allow you to define additional criteria, such as command line access or whether the profile hasn’t been used recently. Plus, Compliance Monitor can report this information across all your systems and partitions with a single request.

Compliance Monitor reports let you customize, filter, and export data.

Group profiles can simplify the complex process of authorizing users to objects, and make your security infrastructure more efficient. Compliance Monitor helps ensure that those groups provide the member profiles with appropriate inherited authorities.

—————————————————————————————-

Register Now for the 2011 IBM i Security Event of the Year

By Jill Martin, Product Support Manager

If you want to learn more about overcoming today’s security challenges, plan to attend this two-day security conference. Scheduled for September 22–23, 2011 at the Rio All-Suite Hotel and Casino in Las Vegas, PowerTech has assembled product, industry, and security experts to help you unravel the mysteries of IBM i security.

We’re bringing together a list of world-renowned subject matter experts, including Jeff Uehling of IBM, Townsend Security CEO John Earl, and security consultant Pat Botz. The conference contains a packed agenda of educational sessions covering topics such as an “Introduction to IBM i Security,” “Automatic Encryption with V7R1,” and “Biometric Authentication,” plus an “Ask the Experts” panel.

For more information on the only event dedicated to IBM i security, you can download our Conference Guide and register online. Register before July 29 and receive the Early Bird discount. We look forward to seeing you in Las Vegas.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
Can Compliance Monitor show me when users sign on to the system?

A: It sure can. By simply modifying or filtering existing reports, you can create just about any report that you might need.

You can find the information you’re looking for in the (T:JS) Job Changes report in the Log File report group. Specify the conjunction AND and filter on the Action field for Start and the Job Type field for Interactive.

Once you’ve filtered the report, rename it and save it to your personal report group for future use.

Dear Paulie,
Do I need to be on an authorization list to run Authority Broker reports?

A: If you are on the POWERABADM authorization list, you have rights to everything in Authority Broker. To limit a person to just the reporting menu, use the POWERABRPT authorization list.

Note: In all Authority Broker Authorization lists you just need to give users *USE rights. No additional authority is needed for the product administrators.


PowerNews: May 2011

Posted in Audits, Company News, Security on May 6th, 2011 by Kiki


PowerTech Releases 2011 “State of IBM i Security” Study

By Robin Tatam, Director of Security Technologies

PowerTech recently unveiled the 2011 edition of its unique “State of IBM i Security” study. Unfortunately, there’s still a lot of room for improvement for the average IBM i shop.

This year’s statistics were aggregated from 243 systems of all shapes and sizes, serving applications to virtually every industry. And, while regulatory compliance is the common driver for many customer conversations, it appears that mandates to secure IBM i servers and data still haven’t been fully realized.

Published annually since 2004, the study highlights six areas of IBM i security configuration:

  • System Auditing
  • System Security Values
  • Powerful User Profiles
  • Network Access
  • Public Authority
  • User and Password Management

PowerTech’s free Compliance Assessment tool is used to collect, analyze, and report on the assessed systems, and a simple opt-in feature allows the data to be shared anonymously with PowerTech. To assess your own server (with or without sharing your findings), request a Compliance Assessment.

Password Management

The average server in this year’s study contained 829 users and 914 libraries, along with more than 300 inactive profiles (those not used in the 30 days preceding the assessment), and 68 profiles with default passwords (the password matches the profile name). With a powerful built-in database, user security is one of the most critical aspects of IBM i security. Large numbers of profiles with default passwords indicate overuse of an unfortunate IBM parameter default setting, and an excessive number of old profiles means there is very little oversight of profile housekeeping.

Figure: Inactive Profiles chart.

Powerful User Profiles

Users often are given special authority privileges that far exceed their documented business requirement. It’s unusual to find an IBM i server where base users should be able to access any object (*ALLOBJ), or end the system to a restricted state (*JOBCTL). However, we often see that most servers have an over-abundance of both!

Figure: Special Authorities chart.

System Security

Security Level 40 (the minimum level recommended by IBM) continues to be the standard on the majority of servers reviewed, but that left almost 60 servers running at a level with known vulnerabilities, including the ability to run jobs as another (potentially more powerful) user. With a documented “upgrade” path, and the ability to predict issues before committing, there are few legitimate reasons not to run at a recommended level. Of course, IBM’s adoption of security level 40 as the current default has contributed to this shift towards compliance.

System Auditing

On a slightly more positive note, we did see an increase in the number of servers that use IBM i built-in auditing. In 2011, the percentage of systems collecting events into the security audit journal (QAUDJRN) was 87%. Of course, evidence suggests that this function is often used primarily to capture system events for high availability solutions, rather than for security. The common lack of commercial forensics capability supports this theory, as it’s difficult to effectively review large event logs manually.

Figure: Audit Journal chart.

Network Access Control

Surprisingly, almost half of the systems are running without any firewall protection to oversee access from powerful desktop interfaces such as FTP, ODBC, and remote command. In addition to providing a supplemental layer of protection, a commercial-grade exit point firewall is the recommended way to provide visibility to these types of transactions. As a result, there may be a large cross-section of user activity that remains transparent—including executing operating system commands—even on those servers with QAUDJRN actively configured.

Data Access

Public authority to objects and libraries remains very problematic in 2011. Most systems still haven’t been configured to enforce object-level security, requiring only that a user provide a valid user profile and password combination. This is a contributing factor to why default passwords represent such significant exposure. The menu-based security model often found in legacy applications broke down with the advent of advanced TCP-based interfaces. Exit point firewalls can mitigate some of the risk associated with little or no object security, but implementing strong object authorities is recommended as the basis of a multi-layered security infrastructure.

Figure: Public Authority chart.

This is just a brief overview of the 2011 study. Read the complete white paper here.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
Can Compliance Monitor show me when someone creates new user profiles?

A: It sure can. By simply modifying or filtering reports that already exist, you can create just about any report that you might need.

The information you need is contained in at least two existing reports. The first (and fastest) is the (T:CP) User Profile Changes report found in the Log File report group. This report shows the Actions for CHGUSRPRF, CRTUSRPRF, RSTUSRPRF, DST reset of QSECOFR, and QSYRESPA API. With some fast filtering on these Actions, you have the ability to create five different reports!

In your case, you need to filter on the Actions field for CRTUSRPRF. (Depending on the release of Compliance Monitor you have installed, you might need to use wildcards in your filter, such as %CRT%.)

Created profile information also is available in the (T:CO) Created Objects report, located in the Log File report group. Simply filter on the Object Type field with %USRPRF%. (Hint: You can use this same filter on the (T:DO) Deleted Objects report to identify deleted user profiles.)

Once you’ve filtered the report, rename it and save it to your personal report group for future use.


PowerNews: April 2011

Posted in Audits, Company News, Security on April 13th, 2011 by Kiki


PCI Compliance for IBM i—Pt. 2

By Robin Tatam, Director of Security Technologies

Last month, we covered the first six of the twelve PCI requirements. This month, we look at the final six requirements and how the PowerTech products can help you meet them.

Requirement 7. Restrict access to cardholder data by business need-to-know

Limiting data access to users with a proven business need may seem obvious, but IBM i users often have overly-powerful user profiles; and open public access makes private data easy to display and even change.

The first step is to establish role-based access controls. Public access always should be configured as deny-by-default, and authorized users granted authority based on their role. PowerTech Authority Broker allows emergency access when necessary, and handles the auditing and reporting necessary for regulatory compliance.

To restrict access through “open” interfaces, such as FTP and ODBC, an exit program solution, such as Network Security, allows you to police network interfaces.

Requirement 8. Assign a unique ID to each person with computer access

To access IBM i functions, users need a user profile and password. To ensure accountability, each user must be uniquely identifiable to the system. PowerTech Authority Broker helps you comply with this requirement by allowing you to grant controlled access to users through “special” user profiles. DataThread lets you monitor and audit database changes. And, Compliance Monitor helps you monitor system values and user profiles for compliance to your security policy.

Requirement 9. Restrict physical access to cardholder data

Companies can spend thousands of dollars to secure their data, but ignore the physical security of their servers. Ensure that sensitive areas have access controls, such as key cards and access logs, and visitors are easily identifiable. Monitor entry doors by video surveillance and keep the data from cameras for at least three months.

You also should determine the sensitivity of the data on your storage media, and have a plan for the safe disposal of information.

Requirement 10. Track and monitor all access to network resources and cardholder data

IBM i integrates security into the operating system, making it easy to start auditing user activities without much configuration using the Change Security Auditing (CHGSECAUD) command.

However, performing a forensic analysis on the collected audit entries can be challenging, as IBM does not provide any reporting or notification tools. PowerTech fills in the missing pieces with its security solutions: Compliance Monitor helps you ensure your systems are configured properly; Interact provides real-time monitoring of changes; Authority Broker audits the activities of powerful users; DataThread provides real-time monitoring of database access down to the record and field level.

Requirement 11. Regularly test security systems and processes

PCI requires that you scan your systems quarterly to ensure that alerts are generated and that failures are taken care of. For IBM i servers on an internal network, testing should include connecting via common data protocols such as FTP and ODBC. PowerTech Network Security provides intrusion detection and prevention capabilities via exit points, and can be implemented in combination with the IBM i IDS capabilities.

Integrity monitoring for critical files also is a key component of this requirement. DataThread database-level monitoring works with the object auditing controls in the operating system to fulfill the requirement.

Requirement 12. Maintain a policy that addresses information security for all personnel

Surprisingly, many security-conscious organizations don’t maintain a security policy for their IBM Power Systems servers. Policies not only define the intended standards, they also provide a measure of how well your processes meet those standards. Even if a policy isn’t perfect, it’s a starting point for performing a compliance review.

PCI compliance requires that you have a policy and that you can prove you are following it. You need to do a thorough review of your security policy standards and determine if you are following its requirements. PowerTech’s security solutions help you comply with these requirements, and prove that compliance.

That concludes our review of the 12 PCI requirements. For a more in-depth discussion of these requirements and how PowerTech can help you meet them, download our white paper, “PCI Compliance for Power Systems Running IBM i.”

—————————————————————————————-

Security Officer or Security Nightmare?

By Robin Tatam, Director of Security Technologies

Unfortunately, the security officer (and that includes programmers and system administrators) represents the biggest security threat to many shops. Often, regular users are asked to fulfill security roles without any formal training or experience. They’re just the users who “know the most” and so they become responsible for administering security. According to PowerTech’s annual “State of IBM i Security” study, many users carry powerful capabilities without any associated business need.

With most illegal or illicit activities, the perpetrator usually needs a combination of means, opportunity, and motive.

  • Means—Security officers and other power users often have advanced skills and knowledge so they can access applications, manipulate data, and configure system controls—including security controls. If there’s a loophole in your security infrastructure, a security officer probably can find it!
  • Opportunity—As the most powerful users on the system, security personnel have constant opportunity. Special authorities, such as *ALLOBJ, grant complete, uncontrolled access to every object on the system.
  • Motive—A lack of motive is the only saving grace for most organizations. As system guardians, most security officers take their responsibility seriously. But they’re human. We all like to believe that nothing could ever compromise our scruples, but that mortgage payment or college tuition bill isn’t going to pay itself.

Security officers have a professional responsibility to acknowledge that they need to be secured as much as—actually more than—the data entry clerk. Security controls should apply to everyone.

Authority Broker is the best way to ensure a secure environment. It helps you manage your powerful user profiles, including QSECOFR, while allowing key personnel to perform critical tasks. And, it comes with usage controls, notification, timing restrictions, activity tracking, and reporting.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
What do I need to know about mirroring PowerTech Network Security 6?

A: Unless the replication is a full system save/restore, you should be aware of the following before mirroring Network Security:

  • You must have completed a prior install on the target system to create the following objects: profiles, authorization lists, commands in QGPL, PTWRKMGT subsystem, and unregistered exit points.
  • Network Security cannot be active on the target system (exit programs must not be registered).
  • The target system must have a valid Network Security license; no grace period is available.

Exclude the following objects from mirroring:

  • PLK280SPC2—User space (*USRSPC)
  • PLK999U—User space (*USRSPC)
  • PLK860DA—Data area (*DTAARA)
  • PTCAPJRN—Journal (*JRN) and associated receivers
  • CAPJRNnnnn—(*JRNRCV)
  • PWRJRN—Journal (*JRN) and associated receivers
  • PWRJRNnnnn—(*JRNRCV)
  • PNSCAPSUMQ—Data queue (*DTAQ)
  • PSSTMS—Data queue (*DTAQ)

Learn more with PowerTech Webinars and online training.

Request a demo.

PowerNews: March 2011

Posted in Audits, Company News, Security on March 8th, 2011 by bob.balderson – Be the first to comment


PCI Compliance for IBM i

By Robin Tatam, Director of Security Technologies

Meeting the Payment Card Industry Data Security Standard (PCI DSS) is a fact of life for any organization that processes credit or debit card information. Version 2 of the Standard was released in October 2010, so I thought we’d take a look at PCI compliance on IBM i and how the PowerTech products can help you meet PCI requirements.

The PCI standard consists of 12 main requirements. This month we cover the first six requirements; we’ll complete the set next month.

Requirement 1. Install and maintain a firewall configuration to protect cardholder data

While firewalls have long been regarded as necessary to protect the corporate perimeter, the most recent PowerTech State of IBM i Security study shows that 46% of servers provide no restrictions to internal users.

Exit points allow you to monitor requests that originate through network services such as FTP, DDM, and ODBC. These services provide file transfer, remote data access, and even command entry, all without a 5250 sign-on screen, and they leave little trace in the audit journal unless object auditing is active for the files involved. The Work with Registration Information (WRKREGINF) command shows which exit points have a program registered; an exit point with none means that service is controlled by object-level authority alone. As the leading commercial exit program solution, PowerTech Network Security acts as a firewall to the servers’ network openness and provides auditing and user access control through 30-plus network exit points.

Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters

In this day and age, changing shipped defaults might seem like an obvious requirement and one that wouldn’t need to be spelled out. However, the 2011 State of IBM i Security study continues to warn us that servers often are left with IBM-shipped default passwords; less than 11% of libraries restrict public access; and almost 95% of new objects allow anyone to view, change, and even delete data.

PowerTech Compliance Monitor can help you comply with this requirement by reporting on hundreds of security metrics, including system values that control passwords and users with default passwords. It helps you identify which systems are in and, more importantly, out of compliance with your published policy.
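A first pass at the two findings above, as an added CL example that is not PowerTech's or IBM's code: it expires the password of every profile whose password equals the profile name, prints the public authority of one library's files, and stops that library's new objects from inheriting *PUBLIC *CHANGE. The library name APPLIB is a placeholder; substitute the library that holds your cardholder data.

```cl
/* DFTCHK - example CL program, not part of any PowerTech product.            */
/* Tackles the two Requirement 2 findings: default passwords and wide-open    */
/* new objects. Assumption: the application library is called APPLIB.        */
PGM

/* Profiles whose password is the profile name. The report is written to a   */
/* spooled file. ACTION(*PWDEXP) forces a change at next sign-on;            */
/* ACTION(*DISABLE) would disable the profile; ACTION(*NONE) only reports.   */
ANZDFTPWD  ACTION(*PWDEXP)

/* Password system values to compare with the PCI DSS 2.0 8.5.x controls.    */
DSPSYSVAL  SYSVAL(QPWDMINLEN)   /* 8.5.10: minimum length of 7               */
DSPSYSVAL  SYSVAL(QPWDEXPITV)   /* 8.5.9: change at least every 90 days      */
DSPSYSVAL  SYSVAL(QPWDRQDDIF)   /* 8.5.12: 0 means a password may be reused  */
DSPSYSVAL  SYSVAL(QMAXSIGN)     /* 8.5.13: lock out after 6 failed attempts  */

/* *PUBLIC authority on every file in the library, as a spooled report.      */
PRTPUBAUT  OBJTYPE(*FILE) LIB(APPLIB)

/* New objects in APPLIB currently pick up the QCRTAUT system value, which    */
/* ships as *CHANGE. CRTAUT(*EXCLUDE) overrides that for this one library.   */
CHGLIB     LIB(APPLIB) CRTAUT(*EXCLUDE)
ENDPGM
```

ANZDFTPWD needs *ALLOBJ and *SECADM special authority. CHGLIB CRTAUT affects only objects created from now on; existing files keep whatever *PUBLIC authority the PRTPUBAUT report shows, and you tighten those with RVKOBJAUT or GRTOBJAUT once you have confirmed which applications really need *PUBLIC access.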

Requirement 3. Protect stored cardholder data

Data encryption can be an important part of protecting stored cardholder information: PCI DSS 3.4 requires that a stored primary account number be rendered unreadable, whether by strong encryption, truncation, one-way hashing, or index tokens. (Encrypting data in transit, so that card numbers are not sent to 5250 display sessions in clear text, is the subject of Requirement 4.) You can use IBM-supplied encryption interfaces—which may require extensive application modification—or a commercial encryption solution.

If you are unable to effectively encrypt data (and you can prove your case), the PCI standards allow for “compensating controls.” One example of a compensating control is PowerTech Network Security, which provides access control to database files from the network, and can be highly effective when combined with traditional controls such as object-level security.

Requirement 4. Encrypt transmission of cardholder data across open, public networks

Similar to Requirement 3, encrypting data when it is transported across open networks is a critical part of data protection. You can use technologies such as Transport Layer Security (TLS, still widely referred to as SSL) and Secure Shell (SSH); on IBM i, the Telnet, FTP, and host servers used by ODBC and other clients can be configured for SSL/TLS with certificates managed in the Digital Certificate Manager. PCI DSS 2.0 prohibits the use of Wired Equivalent Privacy (WEP), the encryption still commonly found on home wireless networks, since it is easily broken. As with stored data, where the server's own facilities are not enough you can use a commercial encryption solution.

Requirement 5. Use and regularly update anti-virus software or programs

IBM i enjoys the enviable reputation of being highly virus-“resistant” (no one wants to go out on a limb and guarantee it as virus-“proof”). However, while its object structure makes a traditional viral infection unlikely, there are many other forms of malicious intent.

According to the PCI standard, any server that could be exposed to malware is required to use up-to-date anti-virus software. Despite its unique infrastructure, many PCI Qualified Security Assessors (QSAs) take issue with IBM i not having such software. And, if you use the Integrated File System (IFS) for file storage, the server can host any traditional virus and, through IFS directories shared with NetServer, pass it on to the Windows clients that map them.

Requirement 6. Develop and maintain secure systems and applications

Developing and using secure applications is an important aspect of data protection. While IBM i system patches (PTFs) are obtained directly from IBM, many shops run on an unsupported operating system version, and without a policy for applying patches in a timely fashion.

Change control processes are a key component of complying with this requirement, and numerous commercial applications exist to aid the promotion of application programs into a production environment. PCI requires procedures that review application code for coding vulnerabilities and, starting in June 2012, will require a risk ranking for newly discovered security vulnerabilities.

That covers the first six requirements. For a more in-depth discussion of these requirements, download our white paper, “PCI Compliance for Power Systems Running IBM i.” We’ll cover the last six requirements in the April issue. See you then!

—————————————————————————————-

IBM i Open Source Security Policy Now Available

Part of PowerTech’s mission is to advance awareness of the security challenges faced by companies every day. Because security and compliance issues are constantly evolving, we’ve updated our open source Security Policy for Power Systems running IBM i. The policy includes the elements you need to consider to minimize unauthorized access to proprietary information and technology.

Areas covered in the Security Policy include:

  • Physical Security
  • Data Recoverability
  • Data Access Security
  • User Profile Security
  • System Configuration
  • Network Configuration Settings
  • Library Authority
  • Auditing
  • Plus a list of additional areas you might want to consider.

The Security Policy is available as a PDF file to use as is, and as a Microsoft Word file that you can use as a base for defining your own policy. View and download the Security Policy today.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
What do I need to know about backing up Network Security 6?

A: When you perform a SAVLIB on the Network Security library, it saves everything except the following files:

  • PLKCAP
  • PLKCAPCNT

Both of these files are used for captured transactions. So, if the Summarization process is active, the files are not saved because they are open for update.

To perform a full backup, use the Save While Active parameter on the SAVLIB command to back up the entire library.
For example, enter the following command to save the entire library, plus the two captured transaction files:

SAVLIB LIB(PTNSLIB) DEV(TAP01) SAVACT(*LIB) SAVACTWAIT(30) SAVACTMSGQ(QSYSOPR)

Learn more with PowerTech Webinars and online training.

Request a demo.

PowerNews: February 2011

Posted in Audits, Company News, Security on February 21st, 2011 by bob.balderson – Be the first to comment


Come to Las Vegas—but don’t gamble with your security!

By Jill Martin, Product Support Manager

Save the date! Join us in Las Vegas, September 22–23, 2011, for two days of security-related topics, product-related sessions, and the opportunity to talk to experts in IBM i security!

Today, more companies than ever are under pressure to comply with regulations, legislation, and best practice requirements—and they need help. Users often tell us that they want to learn more about the auditing tools that come with IBM i. And, they’re looking for more and better ways to use the products they’ve already invested in.

Here’s how we can help. PowerTech is bringing together a group of industry, product, and security experts for a two-day IBM i Security Conference.

Want to know what PowerTech has been up to lately? Have ideas for future enhancements? This is a great place to talk to the people making these decisions and driving the product line forward.

In addition to two tracks of informative sessions to choose from, you’ll also have the opportunity to sit down, one-on-one, with an expert who’ll answer your questions or walk through the products. You’ll leave knowing how to secure your system, or with tips and techniques to help you in your next audit.

Watch for more information on this upcoming event, including details on how to register. We look forward to seeing you there!

—————————————————————————————-

Database Monitoring with DataThread

By Paulie Culin, Training and Services Consultant

DataThread, PowerTech’s new database audit and workflow offering, is designed to help you maintain compliance with today’s audit and regulatory requirements. Its unique workflow and notification module help you automate paper and labor-intensive processes in any IBM i environment. And, it does this without any modifications to your applications!

DataThread uses the extensive database management functions of the IBM i DB2 database to detect and capture changes to any database record, retaining only the fields you select.

Here’s a quick overview on how DataThread works.

  1. Specify the file and library to watch and the types of changes to track (Change, Delete, Add, Read).

     Fig 1

  2. Select the fields you want to monitor and specify how each should be tracked (for example, Always or Changes only).

  3. Activate the configuration. The DataThread Validation panel displays your configuration.

     Fig 2

When DataThread captures changes to the database, you can view them on your system or in a report.

Fig 4

Each DataThread capture contains the following information:

  • File
  • Library
  • Member
  • Unique Transaction Number
  • Date/Time
  • Program Name/Method (ODBC, SQL, DFU)
  • Action (Update, Add, Delete, Read)
  • User Profile and description (user’s name)
  • Electronic signature (if required)
  • Signature comment (if required or entered)
  • Reason code (user defined, such as APP, REJ, HLD)
  • Captured fields (changed values display in red)

You also can add a workflow, such as the following:

  • Set record-level conditions
  • Set field-level conditions (=, >, <, >10%, <$5000)
  • Notify a person or group
  • Send (publish) the capture to a data queue
  • Call a program
  • Submit a job

You can even require an electronic signature for specific changes.

Fig 5

DataThread helps you meet the most stringent industry requirements. Learn more about DataThread.

—————————————————————————————-

Compliance Monitor 3—IBM i Auditing for Today

By Robin Tatam, Director of Security Technologies

Audits are a way of life in today’s regulated world. One of the best ways to minimize the impact of an audit is with Compliance Monitor 3, the newest version of the most powerful reporting solution available for IBM i.

Here are some of the new things you’ll find in Compliance Monitor 3:

  • A powerful browser-based interface that makes it easy to specify report requirements and to display the collected information.
  • An “intelligent” pre-checker utility that helps you verify your server meets the requirements for the new version. You can run the pre-checker in advance so your install (or upgrade from a previous version) proceeds successfully.
  • Several new reports, including a predefined report category designed to help gaming organizations comply with Nevada’s Minimum Internal Control Standards (MICS). Other new reports cover security system values added in IBM i 6.1, native and IFS object reports, and authority adoption information.
  • An automated install process, so you’re up and running faster, and generating reports sooner.

Of course, all the powerful features that previously established Compliance Monitor as the premier audit solution—consolidated reporting across partitions, compliance scorecards, scheduled collections, and powerful filtering and forensic analysis of audit journal events—are still there in Version 3.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
I need to run some security-related reports. Do you have any suggestions?

A: IBM i allows you to monitor security-related events. Here are a few tips if you have the proper authority:

  1. Look for QAUDJRN in QSYS to make sure that security auditing is enabled on your system. If it doesn’t exist, use the Change Security Auditing (CHGSECAUD) command to set up security auditing. Specify either *DFTSET or *ALL in the Auditing values parameter. Use the CPYAUDJRNE command to extract audit journal entries, and the Display Security Auditing (DSPSECAUD) command to display information on current security auditing values.
  2. You’ll need the QSYSMSG message queue to capture critical system messages. The system automatically sends messages to it instead of QSYSOPR, where they often go unnoticed.
  3. Use the Security Tools (GO SECTOOLS) to run reports and work with system security settings. The Security Tools menu offers several useful reports that you can run interactively, schedule, or submit to batch.

Of course, these methods can be cumbersome, time-consuming, and difficult to interpret. PowerTech’s Compliance Monitor simplifies security-related reporting.
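The three tips above as one CL program, added here as an example that is not PowerTech's or IBM's code: it creates the audit journal and turns on the default audit level if QAUDJRN is missing, creates QSYSMSG if it does not exist, extracts the authority-failure (AF) and password-failure (PW) entries for review, and finishes by displaying the auditing values. Assumed names: the receiver goes in QGPL as AUDRCV0001 and the output files are created in QGPL with the prefix QAUDIT (giving QAUDITAF and QAUDITPW).

```cl
/* AUDSETUP - example CL program, not part of any PowerTech product.          */
/* Enables IBM i security auditing if it is off, makes sure QSYSMSG exists,  */
/* and pulls the AF and PW audit entries into output files for review.       */
/* Assumptions: receiver QGPL/AUDRCV0001, output file prefix QGPL/QAUDIT.   */
PGM

/* 1. Does the audit journal exist? CHKOBJ signals CPF9801 if it does not.  */
CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
MONMSG     MSGID(CPF9801) EXEC(DO)
   /* CHGSECAUD creates QAUDJRN and its first receiver and sets QAUDCTL and  */
   /* QAUDLVL. *DFTSET = *AUTFAIL *CREATE *DELETE *SECURITY *SAVRST; choose  */
   /* *ALL only if you can absorb the journal volume it produces.            */
   CHGSECAUD  QAUDCTL(*AUDLVL *OBJAUD) QAUDLVL(*DFTSET) +
              JRNRCV(QGPL/AUDRCV0001) INZJRNRCV(*NO)
ENDDO

/* 2. QSYSMSG: when it exists in QSYS the system sends certain critical       */
/* messages to it instead of letting them scroll past in QSYSOPR.            */
CHKOBJ     OBJ(QSYS/QSYSMSG) OBJTYPE(*MSGQ)
MONMSG     MSGID(CPF9801) EXEC(CRTMSGQ MSGQ(QSYS/QSYSMSG) +
              TEXT('Critical system messages'))

/* 3. Copy AF and PW entries to QGPL/QAUDITAF and QGPL/QAUDITPW.             */
/* *CURCHAIN reads every receiver in the currently attached chain.           */
CPYAUDJRNE ENTTYP(AF PW) OUTFILE(QGPL/QAUDIT) +
           JRNRCV(*CURCHAIN) FROMTIME(*FIRST) TOTIME(*LAST) +
           OUTMBR(*FIRST *REPLACE)

/* 4. Show the resulting auditing values so the run documents itself.        */
DSPSECAUD
ENDPGM
```

CHGSECAUD and CPYAUDJRNE both require *AUDIT special authority. If QAUDJRN already exists but DSPSECAUD still shows QAUDCTL as *NONE, auditing was set up once and later switched off; run CHGSECAUD anyway. Also review QAUDENDACN: with *NOTIFY the system keeps running when it cannot write an audit entry, which is what most shops want, but it means a gap in the journal rather than an outage, so the notification must be watched.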

Learn more with PowerTech Webinars and online training.

Request a demo.

PowerNews: January 2011

Posted in Audits, Company News, Q and A, Security, Services on January 14th, 2011 by Will – Be the first to comment

Innovation and Airline Food

Innovation and Airline Food: 2010 in Review

By Robin Tatam, Director of Security Technologies

For the first PowerNews of 2011, I’d like to step back from our traditional format and share some personal reflections on my year at PowerTech, and on things to come in the New Year.

New: Receive PowerNews in Print!

PowerTech from the Inside

I’m happy to report that, in 2010, PowerTech and Help/Systems continued to focus on customers. We hosted meetings, where we shared glimpses of our future and listened to your feedback on development and other issues. In response to the sessions, we released a great database monitoring solution. Overall, our customers reiterated what we already knew: we aren’t perfect, but we can be proud of our solutions and service.

Product-wise, 2010 brought a major update to our popular Network Security solution, including exciting features like object-level rule support, and a stronger infrastructure design to support future enhancements. As I write, our team is putting the finishing touches on Compliance Monitor 3, and we’ll roll out further enhancements throughout 2011. I can’t wait to see your reaction to these upgrades.

On the training front, we launched several great online classes in 2010, with more options coming in 2011. Watch for a Compliance Monitor class to complement the existing Network Security and Authority Broker classes. For those with a tight budget, this is an inexpensive way to gain expert training.

Life on the Road

Readers of my blog know that my objectives last year often involved boarding passes and suitcases, as I traveled to cities including Seattle, Orlando, Dallas, and New York. For those keeping track, here are some of my 2010 travel statistics:

Air miles 41,684
Cities 16
Continents 2
Nights spent in hotels 56
Nights spent in a lighthouse 1

If the lighthouse didn’t throw you, consider the number of hours I spent with my 6’ 6” frame crammed inside a Boeing 767.

Longest flight: Minneapolis to London, 4,015 miles
Shortest flight: Minneapolis to Chicago, 355 miles

High-Water Marks

I do whatever it takes to reach my customers. Last year, I rode planes, trains, cars, taxis, shuttle buses, untold miles of moving walkway—even an airboat (I’m not kidding!).

I baked in the sun and froze in the snow, though I managed to evade the Metrodome’s collapsing roof.

On my way, I met great customers and took in fantastic sights. I memorialized many of them in landscape photographs that brighten my office and my blog. I hope you enjoy them as much as I enjoy taking them.


Beautiful Las Vegas, Nevada.

A Steady Pulse

For now, I’m home again. I smile when I think back to one year ago, when our competitors were suggesting that PowerTech had no future. In reality, PowerTech’s heartbeat is stronger than ever, as our recent growth illustrates.

It was a great year, but the best is ahead.

Fire up the airboat.

—————————————————————————————-

7 Habits of Highly Secure Companies: Part III

By Robin Tatam

Please enjoy the final entry in my 7 Habits series. Feel free to go back and review Part I and Part II.

Habit 5: Use Existing Technology

Security companies spend millions of dollars to develop and perfect their solutions, so take advantage of their efforts.

Alternatively, you could hire staff to develop and support your own technology, but auditors frown upon self-policing.

You could also spend hours manually reviewing log entries and events, but automated solutions can notify you of actions. And what about activities the operating system cannot see, such as downloading payroll files via FTP?

In these cases, and many others, commercial security technologies can be extremely helpful. However, you must be sure to deploy them properly, and, in the case of IBM i, leverage your operating system’s built-in security controls.

Habit 6: Monitor Ongoing Compliance

Security isn’t a destination; it’s a journey. But this doesn’t mean you should dawdle. Even if no mandate or regulation currently applies to you, you still have corporate and ethical responsibilities to your clients, customers, and employees.

The easiest way to meet your obligations is to implement and maintain a robust security infrastructure. Ongoing compliance checks help you maintain your high security levels.

Your initial assessment helped shape your security policy and subsequent server configuration; compliance checks should verify that you are doing what your policy states. Find the causes of non-compliant items, and take steps to prevent them from recurring.

In addition to compliance checks, use security tools to stay abreast of important events. Don’t wait until the end of the month to discover you had a non-compliance situation three weeks earlier. A good security solution makes constant analysis less daunting.


The PowerTech suite of products.

Habit 7: Plan for the Future

In the tech world, things are never the same tomorrow. Consider the technologies of ten years ago, and the ways in which we secured them.

Since then, we’ve experienced great technological innovation, challenges, and change. Your business must react to change to stay competitive, and do it while complying with changing standards, laws, and regulations.

Compliance requirements will evolve, but they won’t go away. For example, privacy laws that began in California quickly rolled into forty other states, and a federal law may follow. Always keep your eyes on the horizon.

Master the 7 Habits

By reviewing and mastering the seven habits I’ve presented to you over the past few months, you can become and remain secure, no matter what the future brings.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
I upgraded to Network Security version 6 and imported my security rules. How do I remove the old product libraries?

A: First, locate the old product library(s):

WRKOBJ OBJ(POWER*) OBJTYPE(*LIB)

Next, check for any object locks:

WRKOBJLCK OBJ(POWER5XX) OBJTYPE(*LIB)

If there are NO locks, you are OK to delete the old product libraries.

If there are locks, DO NOT DELETE THE OLD LIBRARY.

You may need to activate the new exit programs in Network Security 6. The activation process will recycle the server jobs, release the locks, and allow you to continue.


Learn more with PowerTech Webinars and online training.

Request a demo.

Hit the road, Robin!

Posted in Company News on January 28th, 2010 by Clint – 1 Comment

By Robin Tatam

As part of PowerTech’s ongoing commitment to the IBM i community, I have been taking to the skies, the roads, and even the water (on a couple of ferries) recently. In a jam-packed, two-week tour in January, I presented security information to several user groups, taught a half-day security workshop, and visited a number of PowerTech customer locations. But, that’s just the start of my 2010 odyssey to get out on the road to meet you!

Read down for information on a number of exciting events already planned for the next month or so.

Stay secure!

Online Training

We are ready to launch our new online class for PowerTech Network Security. Each session is an easy-to-fit-into-your-schedule 60 minutes, and comes in segments to accommodate different levels of expertise. The cost for this class is $99 for the basic session; $198 for the 2-part advanced session; or $259 for both (basic and advanced), and will be held at 10:00 a.m. CST on the following dates:

Date Description
February 4 PowerTech Network Security – The Basics
February 9 PowerTech Network Security – Advanced Topics Part I
February 11 PowerTech Network Security – Advanced Topics Part II

Visit www.powertech.com/services/training/network-security.php for additional information, or to sign up.

Midrange User Groups

First, a big thank you to the following groups for their welcoming hospitality in January: Fairfield, Connecticut; Long Island, New York; Fairfield, New Jersey; and Jefferson City, Missouri. It was a pleasure to be able to come and speak to your members on various security topics, and we hope that PowerTech’s support enables you to keep up your important work in the midrange community.

We are excited to be preparing for more user group visits in February and March. If you are in any of the following cities please contact the local group for more information about the session. We are sure they would welcome your support, plus it is a great way to network with other IBM i professionals in your area.

Location Date URL
Nashville, TN February 16 www.imugtn.org
Buffalo, NY February 18 www.mugwny.org
Reno, NV March 5 www.rsmug.org
Portland, OR March 9 www.cascadeusergroup.net

IBM i Security Workshops

Designed to teach the basic concepts of the capabilities built into IBM i, our recent security workshop in the St. Louis area, hosted in conjunction with our business partner MSI Systems Integrators (www.msiinet.com), sold out quickly. Don’t miss the opportunity to learn the basics of security, without the hassle and expense of traveling to IBM, when PowerTech comes to your area. We are now finalizing plans to bring “Learn How to Secure Your IBM i Server” to the following cities:

Location Date Sign Up Page
Nashville, TN February 16 Learn How to Secure Your IBM i Server
Buffalo, NY February 18 Learn How to Secure Your IBM i Server
Reno, NV March 4 Learn How to Secure Your IBM i Server
Portland, OR March 8 Learn How to Secure your IBM i Server

Workshops run from 10:00 a.m. until 2:00 p.m. and we provide lunch. The cost is only $49 per attendee. Seating is limited so register now to guarantee your place!

Jill Martin, Technical Services Manager at PowerTech, will present a 3-hour workshop, “Get a Jump Start Building Your IBM i Security Policy,” in the following cities:

  • Las Vegas, NV, March 9
  • Irvine, CA, March 10
  • San Francisco, CA, March 11

Watch for more information.

Meet Our New Director of Security Technologies

Posted in Company News on September 25th, 2009 by Christopher – Be the first to comment

Robin Tatam, the new Director of Security Technologies, joined PowerTech’s Eden Prairie, Minnesota office in July 2009. He brings two decades of IBM Power Systems (AS/400, iSeries, System i) and operating system (OS/400, i5/OS, IBM i) consulting experience, including a strong midrange background of RPG and advanced CL programming, Web site creation, and system administration.

For the last six years, Robin has been a top-tier consultant for System i security and compliance issues. Robin’s recent projects included teaching commercial classes in security and system administration, performing advanced product implementations, and numerous compliance-oriented assignments. He was a guest on the panel of experts at the PowerTech iNSIGHT Security Conference in Las Vegas two years in a row. In 2009, he taught multiple security sessions at COMMON in Reno, Nevada.

Robin Tatam, Director of Security Technologies

Previously, Robin was an IBM i Security Specialist for MSI Systems Integrators, an IBM Business Partner, where he was named Technology Impact Player of the Year for 2008. He also has worked as a development manager and was a vice-president directing corporate development practices.

Robin has been quoted on System i security trends by ComputerWorld magazine and has published several full-feature technical articles in Midrange Computing magazine. He also authored the MSI System i Security and Compliance Guide and co-authored the IBM Redbook on System i data encryption.

You can e-mail Robin at robin.tatam@powertech.com.