Resolve to Take Security Seriously in 2012

By Robin Tatam, Director of Security Technologies

Now that we’ve rolled through another New Year’s celebration, we’ve left behind one of the worst years on record for data breaches. Privacyrights.org, a consumer advocacy organization, reports that 2011 witnessed a staggering 547 breaches involving more than 30 million records. Companies ranged from small non-profits to industry giants such as Bank of America, Sony, and Epsilon. Interestingly, 86 of those breaches (involving almost 120,000 records) involved insiders with some level of legitimate access. With mitigation costs now surpassing an estimated $200 per record breached, we’re talking about some pretty serious money!

With all of the current investment and focus on legislative compliance, how is this still possible? How can huge multi-national companies continue to fall so hard? It’s actually not that hard to understand. In my opinion, too many companies focus on achieving compliance at the expense of security.

Guidelines Are Simply a Beginning

A simple analogy is to think of obtaining your first driver’s license. As young adults, we study a handbook and take a test to verify that we understand and are compliant with the basic laws of the road. But, do we let newly “certified” drivers loose on busy highways with the expectation that they are now perfect drivers and will never get into an accident? Of course not! The guidelines (hopefully) help us avoid making basic mistakes, but there are many other factors to consider.

One flaw in the guidelines is the assumption that everyone else is adhering to the same rules—something that every speed limit sign and red light camera shows isn’t true. Experienced drivers understand that many things aren’t included in the handbook. We have to expect the unexpected, adapt and use learned experiences to read between the lines, and improvise—sometimes with little or no warning—to avoid an unplanned disaster.

The same is true of computer security. Regulations like Sarbanes-Oxley and HIPAA were never meant to intricately detail how to protect your IBM i database from misuse. These two common regulations (and many others) are basic guidelines regarding access to critical business data. Focusing solely on satisfying compliance can be misguided, and might lead an organization to assume they are secure. In 2011, hundreds of new organizations joined the ranks of those that discovered the reality of making this assumption.

Don’t Sacrifice Security for Compliance

Compliance is an important objective, but it shouldn’t be pursued at the expense of a comprehensive security plan. In fact, taking the time to build and implement a solid security infrastructure will make that objective easier to achieve. New business processes and procedures typically will be required by a compliance standard, but the technology aspect of compliance usually is left to interpretation by an auditor who is often unfamiliar with IBM i. It’s critical, therefore, that you don’t rely on compliance directives as the sole guideline to protecting data access.

Using the analogy of new drivers, testing is important to ensure that we understand and acknowledge the basic rules of the road. However, it’s ultimately the focus on learning and employing good driving skills that’s going to have the greatest impact on the likelihood, magnitude, and consequence of an accident.

Make the Commitment Today

Businesses need to get smarter and become more committed to security. They must allocate a budget to assess and mitigate the largest risks and acknowledge that controls probably will be compromised at some point. The goal is to develop a plan to address possible breach scenarios BEFORE you find yourself in the middle of one. The plan should include the deployment of technology for the timely detection and alerting of a problem, and training of employees designated to respond and react. This is not just theoretical—a number of recent breaches involved warning signs that were not responded to correctly. Many employees never receive adequate training on their company’s security tools, leading to a false sense of security by management.

Look at the Big Picture

Don’t secure only the data at rest in the data center; look at the entire data lifecycle. And, expect the unexpected. Many of last year’s breaches involved collecting credit card information from point-of-sale (POS) devices and ATMs. This came from skimming devices, employee theft, and unauthorized replacement devices at retail store cash registers! We cannot control the intent of the criminal element so we have to devise better ways to deter, detect, and respond. Similarly, lost and stolen laptops might be out of your corporate control, but securing the data stored on them isn’t. And, while we might not classify this like a traditional breach, the Ponemon Institute reports that it happens 637,000 times at U.S. airports every year!

For most organizations, corporate budgets have been established for the upcoming year. If yours doesn’t include money for security-related projects, focus on fully leveraging your existing investments and staff resources for now. Ensure that employees are trained and are optimizing their tools. Remember, while we hope that this year is a vast improvement over last, it’s never too early to start planning for next year.

In 2012, let’s start taking security more seriously.
—————————————————————————————-

Generate and Distribute Audit Reports Automatically

By Robin Tatam, Director of Security Technologies

Remember the humorous MasterCard commercials from a few years ago? In my mind, I see one of them going like this:

• State-of-the-art, 64-bit, multi-core Power7 hardware: $225,000
• Highly securable IBM i operating system: $100,000
• Discovering you can generate and distribute audit reports automatically: PRICELESS

This joke probably isn’t too funny to anyone who’s responsible for generating audit reports from IBM i. Despite the server’s incredible security infrastructure, auditing remains primarily a thankless, manual chore. And, let’s face it, any task that’s thankless and manual probably won’t get done. Even with a commercial audit tool, a user must decide what reports to run, and then compile and interpret the results.

A Basic Audit Scenario

A common report request from auditors is for a list of the powerful users on the system. Your first question is likely to be “what is a powerful user?” Unfortunately, there’s no official auditor’s dictionary (wouldn’t that be nice!)—each auditor has different criteria.

Maybe you can omit IBM-supplied profiles, disabled profiles that haven’t signed on for at least 45 days, and any profiles without a password. They’ll ask for each of those reports separately. Then, don’t forget to include the users from all 15 production IBM i partitions, preferably on a single report so it’s easier to process.

Here’s one way to accomplish this task:

Step 1: Run IBM’s user profile report (PRTUSRPRF) to dump the configuration data for ALL defined users. Print a hard copy of the report, or figure out how to use Navigator for i to download it to your PC.

Step 2: Manually review each user profile to see if it meets the auditor’s criteria—and hope you don’t have too many profiles to deal with! Don’t forget special authorities of the sixteen possible group profiles the user might belong to in case any authority is inherited. Oh, and the report doesn’t include the number of days since prior sign-on, so you’ll have to determine what the date was 45 days ago, and check that manually. And, you’ll also have to manually exclude the “known” users from the report each time.

Step 3: Document the name of the users that remain.

Step 4: Return to Step 1 and repeat for the next server.

Step 5: Aggregate the results into a single report (somehow) and distribute it to the auditor (somehow) in a secure manner.

Step 6: Prepare to prove to the auditor that the information hasn’t been tampered with (since you’re likely to be one of those powerful users). Also, expect to be asked for a lot more than one simple report.

This is a fictitious scenario, but it’s not unrealistic. It doesn’t take very long to realize that the process is tedious, time-consuming, and expensive; not to mention error-prone and arguably considered self-policing.

A Basic Audit Scenario (Revised)

Compliance Monitor has the reports you need. Powerful (and modifiable) filters you can apply to the data make child’s play out of creating custom audit reports. And, its assessment scheduling and distribution function allows you to run reports at regular intervals across multiple systems and distribute them on completion.

Let’s take another look at that scenario, now using Compliance Monitor 3:

Step 1: Point and click to select the systems to assess.

Step 2: Point and click to select from the hundreds of available reports.

Step 3: Specify the run schedule (optional) and distribution requirements.

Step 4: Sit back and relax.

You can send the reports automatically via e-mail as individual files, or bundled into a password-protected (and encrypted) zip file. Report files can be editable, or PDFs that are digitally signed to reassure auditors that the information hasn’t been tampered with. If you prefer, you can place the reports in the IFS for the user to access.

Compliance Monitor offers batch scheduling and e-mail distribution of audit reports. (Click to enlarge)

Compliance Monitor eliminates the burden of audit reporting. Its hundreds of report options give visibility to static information, such as user profiles and system values, as well as dynamic events recorded into the security audit journal, QAUDJRN. Priceless—YES!
—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
Some of my Authority Broker reports are blank, even though I know there was activity during the requested time period. What would cause this?

A: Authority Broker records its activities to the security audit journal, QAUDJRN. When you request an Authority Broker activity report, the journal receivers on your system are checked for the entries that correspond to the date and time range specified. If the receivers that contain those entries have been removed from your system, the report will be blank. You’ll need to restore the receiver(s) to get the information you want.

You should consider automating your Authority Broker reports to prevent future problems. Schedule the LEVENTRPT command in a job scheduler, such as Robot/SCHEDULE. Press F4 to display the command prompt panel and complete the command parameters.

Dear Paulie,
How can I determine if the latest version of Compliance Monitor will run on my system?

A: Compliance Monitor Version 3 includes a Windows executable “pre-checker” utility (CM3CHECKER) that determines if your system meets the product’s prerequisites. You can run the pre-checker prior to a new install or an upgrade. The pre-checker uses an installation wizard to send a save file to your system, where you can restore it and run the program. When it completes, it generates a spooled file that identifies any prerequisites you might be missing.

The pre-checker also is available as a separate download from the PowerTech website.
—————————————————————————————-
Learn more with PowerTech Webinars and online training.

Request a demo.

by Robin Tatam, Director of Security Technologies

“When it comes to breaches of security, it’s not a matter of ‘if’ but rather ‘when’.”
—Frank Abagnale

I’ve spoken to many audiences in my security career about how nothing good comes of the mindset that “it’ll never happen to me.” Unfortunately, I was reminded of my own vulnerability recently when I discovered that my beloved road bicycle had been “removed” from my (supposedly) secured underground garage. It’s not just the financial loss; it’s the lost confidence that I have in the security of the garage, and the guarded suspicion with which I now eye the other residents of my fairly small community. Although this type of crime is purely for material or financial gain, it tends to make you question the overall level of security, including your personal safety and that of your family.

I prefer to believe that the vast majority of people are good and honest, and the exceptions are those more driven by greed and selfishness. This personal event served as a good, albeit painful, reminder that it’s naive to assume that people won’t take advantage of a situation from which they might profit. Sometimes that situation might arise from an easy temptation; sometimes from a deliberate and planned act. But, we need to assume that, sooner or later, it will happen to all of us.

Costs of a Security Breach

Data theft typically is harder to detect than traditional theft because stolen data continues to reside on the server it was taken from. The latest PowerTech “State of IBM i Security” study reports that more than 10% of IBM i systems still don’t use the auditing functionality included in the operating system. These companies have zero visibility to security-related events. Many of the others are collecting events—but for purposes other than security forensics; and many have no procedures or training on how to interpret the data they collect. This leaves only a small contingent that is proactively reviewing the logs and knows how to recognize and escalate a critical event.

When a corporate breach occurs, you experience many of the same emotions as in a personal loss. The initial panic of discovery can lead to confusion and, unfortunately, sometimes to blame. This can result in recrimination and even job loss. There are costs associated with the remediation and, according to the renowned Ponemon Institute, these costs now exceed $200 per record breached. If the breach requires disclosure to the affected parties, there’s likely to be an accompanying loss of confidence in the corporate brand and it’s tough to put an exact value on that. Sadly, we don’t put much credence on the costs to prevent, nor the costs to remediate and litigate, until we are in the unenviable position of paying for them.

How a Breach Occurs

A common misconception is that all breaches are initiated from outside the perimeter firewall, and are the result of a user operating with malicious intent.

The reality is that an estimated 60 to 70% of lost, stolen, or damaged data is caused by a user inside the network. After all, if a user profile and password are your primary security control, you probably have a large number of users who are able to access data—and not all via the approved application mechanism. Many data issues are the result of legitimate functions where the user was unaware they were causing an issue; for example, uploading a spreadsheet of data directly to a production file without realizing that the spreadsheet was a filtered view.

You should be aware that your regular business insurance may not cover losses incurred as a result of a data breach; especially if it’s determined that the root cause was inadequate security controls. This forces the organization to shoulder the full burden of the cost, which can run into millions of dollars.

The Best Defense

While no security infrastructure is ever 100% safe, you can remove the IBM i data from residing on the “low hanging branch” and make it more viable for someone to pick a different target. A defense-in-layers approach makes it easier to detect and shut down events before they cause serious harm. This can include object-level security, network exit programs, application controls, and alerting and reporting tools. The more layers you deploy, the more you increase the likelihood that you will prevent—or at least detect—unauthorized activity before an unauthorized user gets at, or away with, the asset. Sure, it’s not free to implement a good security infrastructure, but I think it’s safe to say that, in the long run, it’s cheaper that the alternative.

We acknowledge:
It WILL happen to us eventually.

Oh, and if you’re wondering “Who is Frank Abagnale?,” you can see a dramatization of his life in the 2002 movie “Catch Me If You Can,” starring Leonardo DiCaprio and Tom Hanks. His life as a confidence trickster led to him becoming one of the world’s authorities on fraud.
—————————————————————————————-

IBM i Solution Edition for Help/Systems

Purchase any software solution from Help/Systems (Robot Automated Operations Solution); PowerTech (IBM i security solutions); SEQUEL Software (data access/analysis and productivity software); Bytware (anti-virus and monitoring solutions for IBM i) and enjoy big discounts on training, services, and IBM POWER7 systems.

For details, contact your local IBM Business Partner, or Doug Fulmer at dougfulmer@helpsystems.com, or visit our IBM i Solution Edition web page.
—————————————————————————————-

Learn more with PowerTech Webinars and online training.

Request a demo.

By Robin Tatam, Director of Security Technologies

A Compliance Monitor batch assessment is the same as any other assessment, but it doesn’t require human intervention to run, or to distribute the resulting reports. We’ll show you how easy it is to set up your batch assessments so they run at regularly scheduled times.

1. Sign in to Compliance Monitor using the user profile under which you want your batch assessment to run.
2. Right-click the Consolidator and select Batch Assessments/Reporting.
3. On the Batch Assessments and Report Distribution window, click New to define a new batch assessment. To create a new batch assessment definition from an existing definition, select the assessment name and click Copy. You also can edit an existing batch definition; just double-click the assessment name, or select the assessment and click Edit.

Defining a Batch Assessment
You can define a batch assessment by following these four simple steps:

Step 1: Batch Report Information
Enter a name and description for the assessment. Specify a scheduling option: Not Scheduled (the assessment will be started manually); Use the Consolidator’s internal scheduler; or Use Robot/SCHEDULE (Robot/SCHEDULE must be installed on the Consolidator system).

Step 2: Systems to collect data
Select the Endpoint systems from which to collect data when the batch assessment runs. Click Add Selected to add the selected endpoints to the assessment.

Step 3: Select the reports for this assessment
Select the reports to include in the batch assessment. Selecting a report category (instead of individual reports) allows you to add or remove reports from the category without having to modify the batch assessment definition. The batch assessment runs the reports in the report category at the time the assessment runs.

If your report selection includes object-based reports, you specify object limits using the Object Limits tab. The Consolidator default is preconfigured for some common object types; you can define a new filter to limit the assessment to the objects required by your reports.

If your report selection includes log file reports, you must specify log file criteria using the Log File Options tab. You can limit the assessment by source and the date range of the log file data.

Step 4: Batch Report Output
Specify how to handle the completed reports from the batch assessment. You can store reports as separate files, or combined into a single .zip file, which can be secured with an optional password. You also can specify the format of the files.

Compliance Monitor can e-mail the reports to selected recipients or place them in the IFS.

Click Next to specify access control settings for the batch assessment. Then, click Finish to save the batch assessment definition.

Running Your Batch Assessment
You can run a batch assessment manually to check if it is defined correctly by clicking Run Now on the Batch Assessments and Report Distribution window. This overrides any schedule that is defined for the assessment.

To view the run history (including diagnostics) of a batch assessment, select the batch name on the Batch Assessments and Report Distribution window and click History. To view the run history of all batch assessments, click Show.

—————————————————————————————-

IBM i Solution Edition for Help/Systems

Purchase any software solution from Help/Systems (Robot Automated Operations Solution); PowerTech (IBM i security solutions); SEQUEL Software (data access/analysis and productivity software); Bytware (anti-virus and monitoring solutions for IBM i) and enjoy big discounts on training, services, and IBM POWER7 systems.

For details, contact your local IBM Business Partner, or Doug Fulmer at dougfulmer@helpsystems.com, or visit our IBM i Solution Edition web page.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
I’m cleaning up my system and would like to delete an old Network Security product library. Will this create any problems?

A: Before deleting the library, you first must determine if any of the objects in the library are still in use. You can check for object locks by using the WRKOBJLCK command against the library.

WRKOBJLCK OBJ(library_name) OBJTYPE(*LIB)

If no locks are found, you can delete the library. If the WRKOBJLCK command finds jobs with a lock, do not delete anything. Call PowerTech technical support for further assistance.

Dear Paulie,
How can I autostart Compliance Monitor after an IPL?

A: Simply add the STRPTCMCSL command to QSTRUP. Keep in mind that the endpoint monitors start on their own once they receive a request.

Learn more with PowerTech Webinars and online training.

Request a demo.

By Robin Tatam, Director of Security Technologies

On September 22 and 23, almost 70 IBM i security professionals converged on the Rio All-Suite Hotel and Casino in Las Vegas for the 2011 IBM i Security Event of the Year. The conference brought together a veritable “Who’s Who” of guest speakers, with years of combined security experience on the platform. Speakers included John Earl of Townsend Security, Patrick Botz of Botz & Associates, and Jeff Uehling of IBM. Tom Garcia, founder and CEO of InfoSight, gave an alarming keynote speech on Security in a Web 2.0 World.

One highlight of the event was a presentation by ethical “hacker” Sabino Marquez on social engineering. He showed attendees a number of eye-opening ways that private data can be compromised without any real technical breach.

Other sessions of interest included an Introduction to IBM i Security, Biometric Authentication, Security Best Practices, and Encryption. We also held a series of sessions on the PowerTech product line to help participants become more familiar with our auditing and security solutions. An Ask-the-Experts panel gave attendees the opportunity to discuss their security concerns with all the speakers at once.

Of course, we also made time for some fun and prizes at an evening reception, and with a conference-wide Great Security Mystery game, a variation of the game of “Clue” with an IBM i security theme.

Altogether, the Security Event was a great success and we truly enjoyed meeting and talking with all the participants.

—————————————————————————————-

Beware of Skimming—It’s Closer Than You Think

By Robin Tatam, Director of Security Technologies

If you’ve been following security news this year, you’re probably familiar with the methods that thieves use to steal information. One of the most frightening techniques is “skimming,” the act of collecting credit card data as the card is swiped through a magnetic reader. This means that criminals are intercepting credit and debit card transactions long before the data is able to be secured in the database.

One method used by skimmers is a concealed physical modification to an ATM or point of sale (POS) device. Despite the use of PCI-approved POS devices, these devices have been brazenly swapped out with compromised devices that then pass the card number and PIN information to a nearby perpetrator.

The technology has advanced to where even a diligent employee or consumer is sometimes unable to detect its presence. Keyboard overlays may even supply the associated PIN number over a Bluetooth connection. Sadly, this means that you could very well be the unwitting victim of credit card fraud even before the ATM has had time to dispense your cash.

Anyone Can Be A Target
Often, it’s the smaller retailers who are the targets for this type of attack. One reason might be that they typically have fewer staff, making it an easy task to distract those that are working. Unattended checkout lanes allow an accomplice to move in and tamper with a POS device. No amount of database and server technology can prevent this form of social engineering attack. Even in countries that have migrated toward chip-based cards and readers, thieves have been known to disable the chip-reading sensor, forcing the card owner to swipe the card on the device.

A recent case in the news here in Minnesota illustrates another strategy. It involved a 16-year-old girl who was stealing credit card information from customers who used the drive-thru window at the local McDonald’s where she worked. She hid the skimming device behind the window and copied the information when the customers handed her their card. The thefts weren’t discovered until customers began noticing unauthorized charges to their accounts.

How Do You Defend Against Skimming?
Analyzing card use may be the best way to detect this type of crime, but that means card issuers are forced to work in a reactive mode. One thing is certain: the increasing frequency and sophistication of these types of attacks are going to have card issuers working hard to develop more sophisticated prevention and detection measures.

So, how do you defend yourself against skimming attacks? The best defense is still to be aware of the practice and pay attention when you use your debit or credit card. Look carefully at the ATM or POS device and if something doesn’t seem right, walk away. It’s better to be cautious than be the victim of theft.

—————————————————————————————-

IBM i Solution Edition for Help/Systems

Purchase any software solution from Help/Systems (Robot Automated Operations Solution); PowerTech (IBM i security solutions); SEQUEL Software (data access/analysis and productivity software); Bytware (anti-virus and monitoring solutions for IBM i) and enjoy big discounts on training, services, and IBM POWER7 systems.

For details, contact your local IBM Business Partner, or Doug Fulmer at dougfulmer@helpsystems.com, or visit our IBM i Solution Edition web page.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
Before we run a Compliance Assessment, we’d like to know what it creates on our system and how we can remove it when finished??

A: The PowerTech Compliance Assessment installs and runs directly from a PC. The executable program creates a PowerTech program group on your PC and FTPs the product to your system, where it runs the assessment and opens the results in a web browser. The product does not change any system values or attributes.

The Compliance Assessment creates the following objects at install:

To remove the objects, simply enter the Delete Licensed Program (DLTLICPGM) command for product 1PTCA01

Learn more with PowerTech Webinars and online training.

Request a demo.

PowerTech announces the addition of batch scheduling and automated report distribution to Compliance Monitor, its popular security auditing solution.

Compliance Monitor is the premier IBM i audit solution, providing consolidated reporting across partitions, compliance scorecards, powerful filtering, and forensic analysis of audit journal events. The addition of batch scheduling gives you the option to run audit reports at off-peak hours to avoid interfering with production systems. Plus, automated audit report distribution ensures managers have the reports they want to see when they arrive at work.

Batch scheduling joins the valuable features already part of Compliance Monitor 3, including:

• A powerful browser-based interface that makes it easy to specify report requirements and display the collected information.
• Several new reports, including a predefined report category designed to help gaming organizations comply with Nevada’s Minimum Internal Control Standards (MICS). Other new reports cover security system values added in IBM i 6.1 and 7.1, native and IFS object reports, and authority adoption information.
• An “intelligent” pre-checker utility that can verify the server meets the requirements for installation.
• An automated install process so you can start auditing your system sooner.

Learn more about Compliance Monitor 3.

—————————————————————————————-

When Good Guys Turn Bad

By Robin Tatam, Director of Security Technologies

I frequently preach to security audiences about the dangers of “insider threat,” and I think it’s something that can’t be emphasized enough.

While many organizations assume that a breach of their perimeter defenses represents the greatest risk, studies show that the majority of data that’s lost, stolen, or damaged, happens as a result of an authorized user operating inside the firewall. On IBM i, this can be attributed partly to the fact that many organizations base their security on the legacy model of menus and command line restrictions. Unfortunately, with IBM i support of powerful TCP/IP services, a user isn’t always presented with a menu or restricted from executing commands. A user simply has to supply a user profile and password—something that most users are given as soon as they’re hired—to gain full access to the data assets. Each year, our “State of IBM i Security” study shows that many companies use easily decipherable user profile naming conventions and require only simple passwords. Too often, administrators leave doors to their systems open by allowing numerous enabled profiles with default passwords.

While we might acknowledge the possibility of an application user exceeding their authority to access restricted data, or using authorized data in an unapproved way (for example, downloading information to a USB device), what happens when a trusted IT employee goes rogue?

Dealing With Rogue Employees Isn’t Always Easy
A recent article by Tam Harbert in Computerworld magazine, “When Trusted IT Pros Go Bad,” gave some shocking real-world examples that illustrate how the most dangerous users in any environment are those with powerful access and the knowledge to use it. When a user holds a position of trust, it can be that much more difficult to identify and remedy the situation.

The article highlighted the challenges faced by some employers when they were unable to simply fire an employee who possessed the virtual keys to the kingdom. One company went as far as concocting a ruse to send a rogue employee on an urgent cross-country flight! This provided a window of several hours for other staff to change passwords and secure the IT assets he had administrator access to. Such extreme measures became necessary after it came to light that the employee owned a company that had sold more than a half-million dollars in pirated software to his employer.

Another company made the mistake of incorrectly handling the firing of an extremely powerful employee after they discovered evidence of various illegal activities. While the employee’s manager and a security guard hurried to his office, a human resources representative called the employee to tell him to stay put. Unfortunately, suspecting he had been discovered, the employee had time to delete an encryption key ring. This ring contained the only copies of encryption keys for about 25 employees in the legal and contract departments. (The article pointed out the irony in that many companies don’t back up this type of information due to its sensitive nature!) This had the effect of permanently encrypting the data and amounted to an estimated 18 person-years of lost productivity.

Corporate embarrassment can be an additional challenge posed by rogue employees. Companies prefer not to shine a spotlight on the fact that their controls were breached by one of their own. Take the case of the system administrator who brought down a Fortune 500 company with “logic bombs” designed to cause entire banks of servers to crash. Originally a star performer in the IT department, the employee was granted immunity from prosecution in return for her help in fixing the issue, and also with the agreement to never speak publicly about the incident. According to Larry Ponemon, a renowned security researcher, the company didn’t want her “going on Oprah and talking about how she broke the backbone of a Fortune 500 company.”

What Motivates a Rogue Employee?
The motivation for any employee to turn rogue typically falls into one of two categories: financial gain and revenge. When that user operates within the “circle of trust,” it can be difficult to detect illegal activities as they often have greater access and can cover their tracks. Examples of employees seeking financial gain include hacking ATMs to dispense cash but not record the transaction (Bank of America), and stealing valuable computer code (Goldman Sachs). Revenge usually manifests itself in internal damage to the infrastructure or data assets. Attacks in recent years have included code set to destroy data on nearly 5,000 servers (Fannie Mae), and a disgruntled worker who included logic that affected 1,000 computers and caused about $3 million in damages (UBS PaineWebber).

It’s unlikely you’ll ever be able to totally eradicate the risk of malicious intent by powerful and trusted internal users, but you can implement strong controls to ensure that these people are treated with the same caution as any other user. People are human, and a powerful title does not (or rather should not) place someone above reproach or suspicion. That’s certainly a lesson that corporate America has learned the hard way during recent years!

Control Powerful Users With Authority Broker
PowerTech Authority Broker can help you control and manage powerful profiles on IBM i systems. By reclaiming the excessive power and freedom that these administrator-class users often enjoy, and by providing an audit trail of their activities, it becomes easier to build in the necessary safeguards to ensure that you are not the next victim of one of these horror stories.

Editor’s Note: Robin often blogs about the latest security breaches in the news. Follow his blog for his thought-provoking look at the state of security in companies today. He usually includes some pretty cool photos, too.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
Can I save my report with custom filters in Compliance Monitor, and run it again?

A: Yes! Compliance Monitor is very flexible and allows you to save your custom filters, columns, and sort criteria so you can use them again and again.

The easiest way to get started is to select an assessment that is available through Compliance Monitor. First, run the assessment and, when the report is ready for viewing, open the completed report in the Compliance Monitor browser. Use the Columns/Sorting tab to add or remove columns in the report, and adjust the Sort by options to determine the first, second, or even third level of sorting. Next, use the Filters tab to display the default filters available for this report. You also can create a new filter or copy existing filters to further customize your report.

Once you’ve selected the columns and sort criteria and added your filters, the report displays with your changes. When you close the report, you’ll be prompted to save your changes with a custom name in a custom report group. After you’ve saved your changes, you can request your new custom report to run in the future or schedule it using the new Batch Assessments/Reporting feature of Compliance Monitor 3.

Learn more with PowerTech Webinars and online training.

Request a demo.

PowerTech Releases Command Security

The newest member of the PowerTech line of security products is Command Security, a rule-based security solution that lets you audit and control selected commands.

With Command Security, you can prevent unauthorized users from executing a monitored command, allow only authorized users to execute certain commands, control the situations when a command is allowed, and monitor and secure commands used by other applications.

Plus, Command Security records monitored command use in a secure journal and provides a complete audit trail to meet government legislation and industry regulations.

“Not all commands have the potential for misuse,” says Robin Tatam, PowerTech Director of Security Technologies. “Command Security gives users the flexibility to control just the commands and situations that could compromise system data or security. Plus, it works with almost any IBM i command and can control commands in third-party applications. It’s a great addition to the PowerTech security suite.”

For more information on commands and how Command Security helps you control their use, see “Commands Never Die!” below.

—————————————————————————————-

Commands Never Die! Stay in Command of Your Command Line

By Oshan Indika, Security Consultant, CISSP, CISA

From its earliest days, the primary means of interaction with a computer has been through a command line. Everything was text based and application programs used menu systems for navigation.

Starting in the early ’90s, many operating systems transitioned to a graphical user interface (GUI). But, surprisingly, the command line has survived—especially among power users, administrators, and geeks (like me). Although great strides have been made on the GUI front, there’s still a unique role for the command line in IT.

When it comes to IBM i, the command line hasn’t changed over the years and still plays an important role, maybe more than in other operating systems. IBM has done a great job in improving the GUI capabilities of the OS. However, power users, developers, and administrators still consider the command line their primary mode of interaction with the system. The reason for this popularity may be due to some easy-to-use features:

• Prompting: You can prompt all commands directly from the command line to display its parameters.
• Command Help: Context-sensitive help is available on all IBM i commands.
• Ease of finding commands: The commands use standardized abbreviations, making them easy to find quickly. For example, change is CHG, display is DSP, program is PGM, user is USR, and so on. If you want to see all verb (such as CHG) or subject (such as USR) commands, go to the respective menus by entering GO VERB or GO SUBJECT. In addition, for each abbreviation there is a corresponding menu that starts with the letters CMD. So, for example, to see all DSP commands, simply run the command GO CMDDSP. This is one of my favorite ways of browsing commands on the system.

Commands = Power
The ease of use of command line access also gives the user a lot of power. Coupled with a higher authority level, a user with command line access can do almost anything on the system. Some commands (like DSPMSG) are harmless, but others can change security configurations (like CHGSYSVAL) or create/modify/delete user profiles (like WRKUSRPRF). To reduce the risk of users running powerful commands, system administrators often remove the ability to run commands by setting the Limit capabilities parameter in the user profile to *YES.

Although this stops users from running commands from a workstation session, there are other ways to run a command. Two of the most commonly used access methods are Remote Command and FTP. For Remote Command, you must have IBM System i Access for Windows installed on your PC. In many environments, it’s installed by default. And, FTP clients are found in almost any operating system.

These remote command capabilities add another layer of complexity to command access. From a security viewpoint, it’s important to monitor which commands are executed on the system, regardless of where they were entered. You should at least monitor commands with the potential to alter or delete data and system configurations.

Auditing Isn’t the Full Solution
One way to track the commands being run by users is to turn on command auditing for specific user profiles using the Change User Auditing command:

CHGUSRAUD USRPRF(OSHAN) AUDLVL(*CMD)

When auditing is on, the operating system writes a CD entry in the system audit journal (QAUDJRN) whenever the specified user executes a command.

There are two important things missing in this solution. First, you won’t know immediately when a user enters a command that could impact the whole system; you’ll only know the next time you run the audit report. Second, there’s no way to control which commands a user can and cannot run.

Control Command Use with Command Security
The best way to control commands is to use PowerTech Command Security. Using Command Security, you identify which commands you want to monitor, specify the conditions under which the command should be secured, and define the actions to take when the conditions are met.

With Command Security, you can:

• Allow the command to execute as it was entered.
• Prevent the command from being executed.
• Notify an administrator when the command is issued.
• Modify the command in a predefined way (from substituting command keywords to replacing the entire command).

There’s no doubt that the need to run commands will remain one of the most important aspects of maintaining a system in the foreseeable future. It’s also important to allow users to run commands in a controlled manner, without jeopardizing the integrity of the system. With Command Security, you remain in total command of your command line.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
Can I transfer SecurityAudit from one system to another for D/R testing?

A: Yes. However, because the system name and license information is hard coded in the product, you’ll need keys specific to the new machine or partition. You also must run a special command before re-licensing.

Make sure the SecurityAudit product library is in your library list. Enter the LUPDSYSSA command and press F4 to display the command prompt. Enter the System name, Serial# and LPAR ID, and specify Yes (Y) for Recreate License objects. Press Enter.

When the SecurityAudit Main Menu displays, select option 61. Then, select option 4 on the Administration menu to enter the new license code.

Q: Dear Paulie,
How can I monitor a specific user’s commands?

A: You can audit the commands entered by a specific user using the Change User Auditing (CHGUSRAUD) command. Specify the user profile to audit and *CMD for the AUDLVL parameter. Once you start auditing, Compliance Monitor, SecurityAudit, and Interact can provide visibility to the user’s commands by using the CD audit entries in the audit journal.

Note: An easier way to monitor and control user commands is to use PowerTech’s new Command Security. See the articles in this issue for more information.

Learn more with PowerTech Webinars and online training.

Request a demo.

Help/Systems Completes Acquisition of DataThread

On June 3, Help/Systems, the world’s leader in systems management solutions, announced the acquisition of DataThread high-performance database monitoring software from Innovatum. PowerTech, a Help/Systems company, has offered DataThread since 2010 as an addition to its suite of IBM i security products. The acquisition of DataThread offers users another level of security monitoring as part of the PowerTech product line.

DataThread allows you to automate and centralize your IBM i database access and activity monitoring, while providing real-time notification, authorization, reporting, and regulatory compliance capabilities. DataThread’s auditing capabilities help you meet the stringent compliance regulations required by PCI, Sarbanes-Oxley, HIPAA, FDA, and other domestic and international regulations.

“Adding DataThread to the PowerTech product line is very exciting,” said Jim Cassens, Help/Systems Director of Business Development. “It reinforces Help/Systems’ commitment to bringing world-class solutions to the security and compliance market space. It also helps “super-charge” the PowerTech line for growth by adding another solution that’s in high demand by customers who need to satisfy compliance regulations.”

“DataThread is a perfect fit for PowerTech,” added Robin Tatam, PowerTech Director of Security Technologies. “It complements the PowerTech product line to provide a seamless security solution. DataThread is a solid product and we will continue to invest in development to make it an even greater asset for users of the PowerTech security products.”

—————————————————————————————-

Using a Custom Journal for Network Security Audit Entries

By Jill Martin, Product Support Manager

Have you ever wondered what happens to all the events that are logged through the exit points that Network Security monitors? Have you ever tried to pull events from QAUDJRN, just to have it get bogged down by all the other entries stored there? Did you know that you have options?

Network Security comes configured to monitor all traffic through your exit points to a secure audit journal (QAUDJRN by default). What we often find is that users new to Network Security—or even those who have been using it for awhile—may be collecting a lot of data, but aren’t managing that data very efficiently.

Evaluate Your Audited Events
PowerTech made the decision long ago to send event history to a secure repository and store audited events in the system audit journal, QAUDJRN. This works great when you are first getting started with Network Security and aren’t sure what types of events you need to collect and store. Plus, you probably already have a practice in place for cleanup. But, once you have a feel for what is happening on your system, you (or your auditors) might have some different recommendations for how long to keep the exit point data. And, these requirements could differ from the requirements for the other types of entries stored in QAUDJRN (such as system events or traffic related to your high availability software).

Define a Custom Journal

The good news is that changing where this information is stored is a simple three-step process:

1. Identify a new journal to use for the Network Security entries. If you don’t already have a journal defined, create a new journal receiver.

Create a journal receiver for Network Security.

2. Define a new journal specifically for Network Security. You also should define a process for saving and deleting your journal receivers to clean up the entries.

Define a journal for Network Security events.

3. After you’ve created the new journal, use the Network Security Configuration Menu and Work with the System Values screen to change the Log Journal Name and Library to the new journal.

Change the system value to point to the new journal.

Going forward, all reports will pull the Network Security entries from the new journal receivers. Note: If you have entries that previously were logged into QAUDJRN, you may want to request reports over your existing data before changing the system value.

Report on Network Security Events
Network Security can feed events to Interact in real time, or allow Compliance Monitor to print reports over Network Security traffic. These events come from the journal you specified in Network Security and the products continue to interface with the new journal in place. Note: Compliance Monitor reports show only data from the journal currently configured in Network Security.

Once you’ve separated Network Security entries from QAUDJRN, you can manage the archive process independently and improve your report performance because they no longer need to parse through all your other journal entries.

—————————————————————————————-

Register for the IBM i Security Event of the Year

Early Bird Special Expires Soon—Don’t Miss Out!

Have you registered yet for the 2011 IBM i Security Event of the Year? The last date to receive the Early Bird price of $500 is July 29. Don’t miss out on this exciting event—or the great price for registering early. Get more information and register now!

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
What are the system requirements for Compliance Monitor 3.01?

A: A system running the Compliance Monitor 3.01 Consolidator requires the following:

• IBM i (i5/OS, OS/400) version V5R4 or higher
• Java 1.6 32-bit (required minimum)
• 256 MB of disk space
• IBM i V5R4: PTF Group SF99291 (level 18 or greater) installed
• IBM i V6R1: PTF Group SF99562 (level 6 or greater) installed

A pre-checker utility, CM3CHECKER, helps you identify any prerequisites that you are missing. You can download CM3CHECKER separately to make sure your system is ready.

Dear Paulie,
Can I upgrade my existing 2x version of Compliance Monitor to version 3.01?

A: Absolutely! Before you start, run the pre-checker, CM3CHECKER, and back up the Compliance Monitor 2 Consolidator library (PTCMT2) as part of a full system save or using the following command:

SAVLICPGM LICPGM(1PLCMT2) DEV(*SAVF) SAVF(QGPL/CM2BACKUP)

The upgrade process is completely automated. Simply download the Compliance Monitor 3.0 Installer to your PC and follow the install instructions. Once the upgrade completes, your Compliance Monitor 2 users, reports, and groups are available.

Learn more with PowerTech Webinars and online training.

Request a demo.

Inherited Authority Can Sabotage Your System

By Robin Tatam, Director of Security Technologies

Everyone loves an inheritance! Imagine the excitement of discovering that a long-lost uncle has left you a fortune. Or, perhaps the recent Royal Wedding has you wondering where you are in the line of succession for the throne of England! While these possibilities are a long shot for most of us, you can inherit power on IBM i using the age-old IBM i facility called “group profiles.”

Basically, a group profile links users with similar security requirements. It allows a security officer to quickly define object authorities that automatically apply to all group members.

Creating a Group Profile
We recommend that you design group profiles based on the role of the members in the group. For example, you might create a group called HRUSERS to make it easy to authorize multiple Human Resources department employees to a payroll application. Or, create a group profile called READONLY that limits query users to *USE access to the database.

A group profile starts as a regular user profile, created with the CRTUSRPRF command. The promotion to group status comes when another user profile (the member) references the group profile on its “Group Profile” parameter. Having one or more member profiles pointing to the desired group profile makes it a group. (To simplify things, a group profile can’t be a member of another group.)

A user can be a member of up to 16 groups—one primary group and up to 15 supplemental groups. Typically, you don’t want a profile to be in more than a few groups. It just complicates things when you need to determine the order in which to list the groups.

Benefits of Group Profiles
The biggest benefit comes from increased efficiency. Defining the authority of a group to an object also defines the authority of each group member. You don’t have to authorize each group member individually, a significant advantage if there are a large number of members. And, if people join or leave a role, you just add or remove them from the group.

You can assign authority to an object based on the group, and you can override that authority by defining authority for individual members. IBM i checks an individual’s authority before checking the group authorities. If you define a private authority for a user, the user gets that level of access and the group’s authority is NOT checked. If the user has no individual authority specified, IBM i checks the group authority. If the user is in multiple groups, the authorities of each group are consolidated. For example, if Group 1 has *EXCLUDE authority and Group 2 has *USE, the user’s authority is *USE.

You also can specify if the member’s primary group profile should own new objects. This allows other members of the group equal access to the objects. Alternatively, individuals can own the objects they create, and define the amount of private authority granted to other group members.

Follow the Chain of Inheritance
One important thing to remember about group profiles is that a group’s special authorities are inherited automatically by all group members. This is in addition to a member’s own special authorities. So, if a member profile has *SECADM authority, and one of its group profiles has *ALLOBJ and another has *JOBCTL, that member effectively operates with *ALLOBJ, SECADM, and *JOBCTL authorities. This inheritance extends to all groups a member belongs to. While this can be beneficial, it also can have serious implications to the capabilities of the members. For example, it’s possible for members to grant themselves authority to a restricted file by using the group’s *ALLOBJ authority.

Documenting this “chain of inheritance” is a challenge. Audits can miss that a seemingly benign user is actually running with powerful inherited authorities, like *ALLOBJ. The operating system offers only rudimentary reports to display the relationship between a user profile and its associated group profiles. It’s also common for an audit to overemphasize the user class of a profile, and not realize that the class doesn’t do much beyond defining the special authorities the profile receives by default.

Compliance Monitor Identifies Inherited Authority
PowerTech Compliance Monitor eliminates the time and effort needed to determine a user’s true power. Predefined reports identify powerful users—and indicate if special authorities are inherited from a group. It also solves the “user class versus special authority” mismatch. Flexible report filters allow you to define additional criteria, such as command line access or whether the profile hasn’t been used recently. Plus, Compliance Monitor can report this information across all your systems and partitions with a single request.

Compliance Monitor reports let you customize, filter, and export data.

Group profiles can simplify the complex process of authorizing users to objects, and make your security infrastructure more efficient. Compliance Monitor helps ensure that those groups provide the member profiles with appropriate inherited authorities.

—————————————————————————————-

Register Now for the 2011 IBM i Security Event of the Year

By Jill Martin, Product Support Manager

If you want to learn more about overcoming today’s security challenges, plan to attend this two-day security conference. Scheduled for September 22–23, 2011 at the Rio All-Suite Hotel and Casino in Las Vegas, PowerTech has assembled product, industry, and security experts to help you unravel the mysteries of IBM i security.

We’re bringing together a list of world-renowned subject matter experts, including Jeff Uehling of IBM, Townsend Security CEO John Earl, and security consultant Pat Botz. The conference contains a packed agenda of educational sessions covering topics such as an “Introduction to IBM i Security,” “Automatic Encryption with V7R1,” and “Biometric Authentication,” plus an “Ask the Experts” panel.

For more information on the only event dedicated to IBM i security, you can download our Conference Guide and register online. Register before July 29 and receive the Early Bird discount. We look forward to seeing you in Las Vegas.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
Can Compliance Monitor show me when users sign on to the system?

A: It sure can. By simply modifying or filtering existing reports, you can create just about any report that you might need.

You can find the information you’re looking for in the (T:JS) Job Changes report in the Log File report group. Specify the conjunction AND and filter on the Action field for Start and the Job Type field for Interactive.

Once you’ve filtered the report, rename it and save it to your personal report group for future use.

Dear Paulie,
Do I need to be on an authorization list to run Authority Broker reports?

A: If you are on the POWERABADM authorization list, you have rights to everything in Authority Broker. To limit a person to just the reporting menu, use the POWERABRPT authorization list.

Note: In all Authority Broker Authorization lists you just need to give users *USE rights. No additional authority is needed for the product administrators.

Learn more with PowerTech Webinars and online training.

Request a demo.

PowerTech Releases 2011 “State of IBM i Security” Study

By Robin Tatam, Director of Security Technologies

PowerTech recently unveiled the 2011 edition of its unique “State of IBM i Security” study. Unfortunately, there’s still a lot of room for improvement for the average IBM i shop.

This year’s statistics were aggregated from 243 systems of all shapes and sizes, serving applications to virtually every industry. And, while regulatory compliance is the common driver for many customer conversations, it appears that mandates to secure IBM i servers and data still haven’t been fully realized.

Published annually since 2004, the study highlights six areas of IBM i security configuration:

• System Auditing
• System Security Values
• Powerful User Profiles
• Network Access
• Public Authority
• User and Password Management

PowerTech’s free Compliance Assessment tool is used to collect, analyze, and report on the assessed systems, and a simple opt-in feature allows the data to be shared anonymously with PowerTech. To assess your own server (with or without sharing your findings), request a Compliance Assessment.

Password Management
The average server in this year’s study contained 829 users and 914 libraries, along with more than 300 inactive profiles (those not used in the 30 days preceding the assessment), and 68 profiles with default passwords (the password matches the profile name). With a powerful built-in database, user security is one of the most critical aspects of IBM i security. Large numbers of profiles with default passwords indicate overuse of an unfortunate IBM parameter default setting, and an excessive number of old profiles means there is very little oversight of profile housekeeping.

Powerful User Profiles

Users often are given special authority privileges that far exceed their documented business requirement. It’s unusual to find an IBM i server where base users should be able to access any object (*ALLOBJ), or end the system to a restricted state (*JOBCTL). However, we often see that most servers have an over-abundance of both!

System Security
Security Level 40 (the minimum level recommended by IBM), continues to be the standard on the majority of servers reviewed, but that left almost 60 servers running on a level with known vulnerabilities, including being able to run jobs as another (potentially more powerful) user. With a documented “upgrade” path, and the ability to predict issues before committing, there are few legitimate reasons not to be running at a recommended level. Of course, IBM’s adoption of security level 40 as the current default has contributed to this shift towards compliance.

System Auditing
On a slightly more positive note, we did see an increase in the number of servers that use IBM i built-in auditing. In 2011, the percentage of systems collecting events into the security audit journal (QAUDJRN) was 87%. Of course, evidence suggests that this function is often used primarily to capture system events for high availability solutions, rather than for security. The common lack of commercial forensics capability supports this theory, as it’s difficult to effectively review large event logs manually.

Network Access Control
Surprisingly, almost half of the systems are running without any firewall protection to oversee access from powerful desktop interfaces such as FTP, ODBC, and remote command. In addition to providing a supplemental layer of protection, a commercial-grade exit point firewall is the recommended way to provide visibility to these types of transactions. As a result, there may be a large cross-section of user activity that remains transparent—including executing operating system commands—even on those servers with QAUDJRN actively configured.

Data Access
Public authority to objects and libraries remains very problematic in 2011. Most systems still haven’t been configured to enforce object-level security, instead requiring that a user only needs to provide a valid user profile and password combination. This is a contributing factor to why default passwords represent such significant exposure. The menu-based security model often found in legacy applications broke down with the advent of advanced TCP-based interfaces. Exit point firewalls can mitigate some of the risk associated with little or no object security, but implementing strong object authorities is recommended as the basis of a multi-layered security infrastructure.

This is just a brief overview of the 2011 study. Read the complete white paper here.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
Can Compliance Monitor show me when someone creates new user profiles?

A: It sure can. By simply modifying or filtering reports that already exist, you can create just about any report that you might need.

The information you need is contained in at least two existing reports. The first (and fastest) is the (T:CP) User Profile Changes report found in the Log File report group. This report shows the Actions for CHGUSRPRF, CRTUSRPRF, RSTUSRPRF, DST reset of QSECOFR, and QSYRESPA API. With some fast filtering on these Actions, you have the ability to create five different reports!

In your case, you need to filter on the Actions field for CRTUSRPRF. (Depending on the release of Compliance Monitor you have installed, you might need to use wildcards in your filter, such as %CRT%.)

Created profile information also is available in the (T:CO) Created Objects report, located in the Log File report group. Simply filter on the Object Type field with %USRPRF%. (Hint: You can use this same filter on the (T:DO) Deleted Objects report to identify deleted user profiles.)

Once you’ve filtered the report, rename it and save it to your personal report group for future use.

Learn more with PowerTech Webinars and online training.

Request a demo.

PCI Compliance for IBM i—Pt. 2

By Robin Tatam, Director of Security Technologies

Last month, we covered the first six of the twelve PCI requirements. This month, we look at the final six requirements and how the PowerTech products can help you meet them.

Requirement 7. Restrict access to cardholder data by business need-to-know

Limiting data access to users with a proven business need may seem obvious, but IBM i users often have overly-powerful user profiles; and open public access makes private data easy to display and even change.

The first step is to establish role-based access controls. Public access always should be configured as deny-by-default, and authorized users granted authority based on their role. PowerTech Authority Broker allows emergency access when necessary, and handles the auditing and reporting necessary for regulatory compliance.

To restrict access through “open” interfaces, such as such as FTP and ODBC, an exit program solution, such as Network Security, allows you to police network interfaces.

Requirement 8. Assign a unique ID to each person with computer access

To access IBM i functions, users need a user profile and password. To ensure accountability, each user must be uniquely identifiable to the system. PowerTech Authority Broker helps you comply with this requirement by allowing you to grant controlled access to users through “special” user profiles. DataThread lets you monitor and audit database changes. And, Compliance Monitor helps you monitor system values and user profiles for compliance to your security policy.

Requirement 9. Restrict physical access to cardholder data

Companies can spend thousands of dollars to secure their data, but ignore the physical security of their servers. Ensure that sensitive areas have access controls, such as key cards and access logs, and visitors are easily identifiable. Monitor entry doors by video surveillance and keep the data from cameras for at least three months.

You also should determine the sensitivity of the data on your storage media, and have a plan for the safe disposal of information.

Requirement 10. Track and monitor all access to network resources and cardholder data

IBM i integrates security into the operating system, making it easy to start auditing user activities without much configuration using the Change Security Auditing (CHGSECAUD) command.

However, performing a forensic analysis on the collected audit entries can be challenging, as IBM does not provide any reporting or notification tools. PowerTech fills in the missing pieces with its security solutions: Compliance Monitor helps you ensure your systems are configured properly; Interact provides real-time monitoring of changes; Authority Broker audits the activities of powerful users; DataThread provides real-time monitoring of database access down to the record and field level.

Requirement 11. Regularly test security systems and processes

PCI requires that you scan your systems quarterly to ensure that alerts are generated and that failures are taken care of. For IBM i servers on an internal network, testing should include connecting via common data protocols such as FTP and ODBC. PowerTech Network Security provides intrusion detection and prevention capabilities via exit points, and can be implemented in combination with the IBM i IDS capabilities.

Integrity monitoring for critical files also is a key component of this requirement. DataThread database-level monitoring works with the object auditing controls in the operating system to fulfill the requirement.

Requirement 12. Maintain a policy that addresses information security for all personnel

Surprisingly, many security-conscious organizations don’t maintain a security policy for their IBM Power Systems servers. Policies not only define the intended standards, they also provide a measure of how well your processes meet those standards. Even if a policy isn’t perfect, it’s a starting point for performing a compliance review.

PCI compliance requires that you have a policy and that you can prove you are following it. You need to do a thorough review of your security policy standards and determine if you are following its requirements. PowerTech’s security solutions help you comply with these requirements, and prove that compliance.

That concludes our review of the 12 PCI requirements. For a more in-depth discussion of these requirements and how PowerTech can help you meet them, download our white paper, “PCI Compliance for Power Systems Running IBM i.”

—————————————————————————————-

Security Officer or Security Nightmare?

By Robin Tatam, Director of Security Technologies

Unfortunately, the security officer (and that includes programmers and system administrators) represents the biggest security threat to many shops. Often, regular users are asked to fulfill security roles without any formal training or experience. They’re just the users who “know the most” and so they become responsible for administering security. According to PowerTech’s annual “State of IBM i Security” study, many users carry powerful capabilities without any associated business need.

With most illegal or illicit activities, the perpetrator usually needs a combination of means, opportunity, and motive.

• Means—Security officers and other power users often have advanced skills and knowledge so they can access applications, manipulate data, and configure system controls—including security controls. If there’s a loophole in your security infrastructure, a security officer probably can find it!
• Opportunity—As the most powerful users on the system, security personnel have constant opportunity. Special authorities, such as *ALLOBJ, grant complete, uncontrolled access to every object on the system.
• Motive—A lack of motive is the only saving grace for most organizations. As system guardians, most security officers take their responsibility seriously. But they’re human. We all like to believe that nothing could ever compromise our scruples, but that mortgage payment or college tuition bill isn’t going to pay itself.

Security officers have a professional responsibility to acknowledge that they need to be secured as much as—actually more than—the data entry clerk. Security controls should apply to everyone.

Authority Broker is the best way to ensure a secure environment. It helps you manage your powerful user profiles, including QSECOFR, while allowing key personnel to perform critical tasks. And, it comes with usage controls, notification, timing restrictions, activity tracking, and reporting.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
What do I need to know about mirroring PowerTech Network Security 6?

A: Unless the replication is a full system save/restore, you should be aware of the following before mirroring Network Security:

• You must have completed a prior install on the target system to create the following objects: profiles, authorization lists, commands in QGPL, PTWRKMGT subsystem, and unregistered exit points.
• Network Security cannot be active on the target system (exit programs must not be registered).
• The target system must have a valid Network Security license; no grace period is available.

Exclude the following objects from mirroring:

• PLK280SPC2—User space (*USRSPC)
• PLK999U—User space (*USRSPC)
• PLK860DA— Data area (*DTAARA)
• PTCAPJRN—Journal (*JRN) and associated receivers
• CAPJRNnnnn—(*JRNRCV)
• PWRJRN—Journal (*JRN) and associated receivers
• PWRJRNnnnn—(*JRNRCV)
• PNSCAPSUMQ—Data queue (*DTAQ)
• PSSTMS—Data queue (*DTAQ)

Learn more with PowerTech Webinars and online training.

Request a demo.