Archive for October, 2009

The Top 10 IBM i Security Risks You Need To Fix Now—Webinar 12/16/2009

Posted in Webinars on October 29th, 2009 by Christopher

Although your IBM i server is one of the most securable platforms available today, it doesn’t come that way from the factory. PowerTech’s “State of System i Security” study has shown that most organizations still fail to take adequate steps to secure their critical data, or the server itself.

PowerTech has compiled a “Top 10” of the most common and important IBM i security risks. Attend this informative Webinar to learn how you can identify potential security exposures on your system. You’ll gain an understanding of the top ten security vulnerabilities and some recommendations about how to fix them.

Attendees are eligible to receive a FREE compliance assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, December 16, 2009
10 a.m. Central Standard Time (16:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by email at robin.tatam@powertech.com.

Jill Martin is Technical Services Manager with the PowerTech Group, and brings a strong IBM i background to a security discussion. Jill has worked in a number of roles in the industry including a Help/Systems technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Protect IBM i (AS/400) Data from FTP, ODBC and Remote Command—Webinar 12/9/2009

Posted in Webinars on October 29th, 2009 by Christopher

PowerTech’s annual “State of System i Security” study shows that the vast majority of organizations still rely on menu security to protect their data. Unfortunately, users have access to numerous interfaces that completely circumvent these controls and provide easy ways to view, update, and even delete data directly in the database. If you are required to comply with any type of regulation, or if you simply want to ensure the integrity of your application data, learning how open these interfaces are is critical.

Attend this informative webinar to learn more about IBM i security and how to close the “backdoors” not covered by traditional menu security schemes, as well as how to implement policy to restrict access to only those users who need it.

Attendees are eligible to receive a FREE compliance assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, December 9, 2009
10 a.m. Central Standard Time (16:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by email at robin.tatam@powertech.com.

Jill Martin is Technical Services Manager with the PowerTech Group, and brings a strong IBM i background to a security discussion. Jill has worked in a number of roles in the industry including a Help/Systems technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

FREE For 30 Days—Unauthorized Access To Your Company’s Private Data!

Posted in PowerNews on October 29th, 2009 by Josh

By Robin Tatam

When I began my career on the AS/400 more years ago than I care to reveal, life was simple—“dumb terminals” ruled the computing kingdom and sub-file displays were considered cutting edge. Application menus blocked users from direct database access and security conscious administrators could set up a profile to limit user capabilities to a few basic commands.

Then, things got complicated. First, everyone flocked to programmable workstations, better known as Personal Computers (PCs). As a result, business software, including spreadsheet applications, developed rapidly. And, because core line of business applications were still running on the AS/400, file transfers between PCs and servers became common.

Pandora’s Box
IBM responded to the new market demands for open database access by building TCP connectivity into the AS/400 (now re-branded as the iSeries). In addition to the traditional 5250-based ‘green screen’ applications, the iSeries could now be accessed through File Transfer Protocol (FTP), Open Database Connectivity (ODBC), Distributed Data Management (DDM), and other interfaces. No one thought much about the security ramifications, but it was like opening Pandora’s Box!

Fast forward through a few server name changes to the current day…

Because all of these interfaces connect directly to the server’s database, the menus that historically restricted green-screen users were not effective. The “secure menu” has become a thing of the past—now, we must rely on resource (object) security to protect data. Object security, an integral part of the operating system, is rock solid and works with every interface that IBM Power Systems support. Yet, as the PowerTech annual State of System i Security study reports every year, object security is rarely fully implemented and is easily circumvented by powerful user profiles. That’s why most industry studies of lost, stolen, or corrupt data point to internal corporate users as the culprit.

Object security is recommended as the core layer of protection. Unfortunately, it is a “one-size-fits-all” approach because it does not distinguish between different user interfaces. If you implement the best-practice recommendation of ‘deny by default’ for green-screen access, you really can’t use legitimate PC tools to access the data. For example, a user with change-level access to data through a menu-controlled green-screen application will have that same access through powerful SQL-based applications such as FTP and DDM.

FREE: Unauthorized Access to Sensitive Data for 30 Days!
Don’t think a user could take advantage of those authorities? Think again. A PC-based FTP program, such as the one shown in Figure 1, provides full graphical access to any authorized or unsecured library or IFS directory. This application cost less than $40 and came with a free 30-day trial!

Figure 1. Authorized drag-and-drop access to sensitive data.

To make matters worse, several of these network interfaces let users submit and execute host commands, as well as run commands and edit database files. Object security is still in effect for the command and any objects that the command uses. But, it is important to understand that a user profile’s “limited capabilities” setting (used to restrict command line functionality) may not be honored outside of the green screen. For example, depending on the specific operating system level, the FTP server either honors the setting or ignores it.

Finally, network requests are not logged or audited by the operating system. More and more customers are auditing user and system events with QAUDxxx system values. But, these values don’t monitor network activities—the most you can learn is when a file is opened, not what request was made of its data.

A Hodgepodge of Options
Because of the clear danger of unwanted system access through network interfaces, can we still use these interfaces for legitimate business reasons? And if so, how do we control them? Several methods are available to help secure these interfaces, each with its own pros and cons.

  • You can prevent some services from starting by using the GO TCPADM command menu or Navigator for i (formerly known as iSeries Navigator). Ensuring that nobody restarts the services, or forgets to shut them down again after temporary use, is a problem. Plus, server requests are not visible for reports or alerts. And, you are still dependent on the underlying object security model.
  • You can use the IBM i commands plus the Application Administration portion of Navigator for i to select which functions individual users control. This allows you to override some settings normally restricted by operating system security. On the downside, it offers no visibility, no alert mechanism, and no reporting. Plus, not all services are covered by functions.
  • You can define exit programs for most network interfaces. You use the Work With Registration Information (WRKREGINF) command to define the name and location of an exit program for each service. (An exit program, similar to a database trigger program, is called by the associated exit point when the server receives a request. The exit program receives details about the incoming request, and should determine the legitimacy of the request and log the activity.)

Exit programs are not synonymous with security—the functions performed by an exit program are defined by the programmer who created it. Some exit points allow exit programs to approve or deny requests; others simply perform a programmed function. For example, the ‘create user profile’ exit point might call a program to create a work library for a new user. While it is possible to write your own exit programs, many organizations don’t want the cost and effort of developing and maintaining complex, security-sensitive applications with potential performance implications.

The Professional Solution
If, like most organizations, you decide to use a professional network security solution, we recommend PowerTech Network Security. As the leader in security solutions, PowerTech makes all of the necessary functionality available as a standalone solution, or as part of the PowerTech Compliance Suite—a collection of several popular solutions for securing Power Systems running IBM i.

When you install and activate Network Security, network requests to the server are visible instantly. The information is stored in a secure IBM repository for analysis and reporting. For user and application requests that involve server access, including remote commands, you can issue alerts for immediate notification and response.

Imagine being able to report on a user accessing your Integrated File System (IFS), including the directories navigated and the files viewed or deleted. How reassuring to know that if an FTP user attempts to target a secured production file, the unauthorized access attempt is blocked and the system administrator is notified automatically!

Network Security also offers the ability to have a request run under an alternate profile. You can implement ‘deny by default’ methodology while granting temporary access to pre-approved requests. For example, you could set authorities on a library to *EXCLUDE, but still allow a specific file to be downloaded and logged by your accounting group.

Or, you could take an unrestricted user profile with *ALLOBJ special authority and downgrade it to read only capabilities for production data. Both of these “on-the-fly” security changes are transparent to the user and remain in effect only during specific requests.
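The decision logic such an exit program carries out, written in C here as an added illustration (not PowerTech’s, IBM’s, or the author’s code): a deny-by-default rule table that expresses the two exemptions just described, with every request written to an audit line whether it is allowed or not. The request layout, rule table, group names, library names and addresses are constructed assumptions; a real exit program must accept the parameter format IBM documents for the exit point registered with WRKREGINF.

```c
#include <stdio.h>
#include <string.h>

/* Model of the decision an IBM i network-interface exit program makes. Constructed
   example: request layout, rules, groups, libraries and addresses are assumptions. */
enum op_kind { OP_READ, OP_WRITE, OP_DELETE, OP_COMMAND };

struct request {
    const char *iface;     /* "FTP", "ODBC", "DDM", "RMTCMD" (constructed labels) */
    const char *user;
    const char *group;     /* group profile, "" when the user has none */
    const char *remote_ip;
    enum op_kind op;
    const char *library;
    const char *object;    /* file name, or the command text for OP_COMMAND */
};

struct rule {
    const char *group;     /* "*ANY" matches every group */
    const char *iface;     /* "*ANY" matches every interface */
    enum op_kind op;
    const char *library;
    const char *object;    /* "*ALL" matches every object in the library */
};

/* Deny by default: a request is allowed only if some rule matches it. */
static const struct rule allow_rules[] = {
    /* accounting may download one file from a library that is otherwise *EXCLUDE */
    { "ACCTGRP", "FTP",  OP_READ, "PRODLIB", "GLTRANS" },
    /* administrators holding *ALLOBJ are held to read-only on production data */
    { "ADMGRP",  "*ANY", OP_READ, "PRODLIB", "*ALL" },
};

static int match(const char *pattern, const char *value, const char *wildcard)
{
    return strcmp(pattern, wildcard) == 0 || strcmp(pattern, value) == 0;
}

/* Returns 1 to allow the request, 0 to reject it. Remote commands are never allowed. */
int decide(const struct request *rq)
{
    size_t i;
    if (rq->op == OP_COMMAND)
        return 0;
    for (i = 0; i < sizeof allow_rules / sizeof allow_rules[0]; i++) {
        const struct rule *r = &allow_rules[i];
        if (r->op == rq->op && match(r->group, rq->group, "*ANY")
            && match(r->iface, rq->iface, "*ANY")
            && strcmp(r->library, rq->library) == 0 && match(r->object, rq->object, "*ALL"))
            return 1;
    }
    return 0;
}

/* Formats an audit line into buf; every request is recorded, allowed or not. */
int log_request(const struct request *rq, int allowed, char *buf, size_t len)
{
    static const char *names[] = { "READ", "WRITE", "DELETE", "COMMAND" };
    return snprintf(buf, len, "%s user=%s group=%s from=%s via=%s op=%s obj=%s/%s",
                    allowed ? "ALLOW" : "REJECT", rq->user, rq->group,
                    rq->remote_ip, rq->iface, names[rq->op], rq->library, rq->object);
}

/* Convenience wrapper with a fixed constructed user and address. */
int check_request(const char *iface, const char *group, enum op_kind op,
                  const char *library, const char *object)
{
    struct request rq = { iface, "USER1", group, "10.0.0.5", op, library, object };
    return decide(&rq);
}

int main(void)
{
    /* constructed sample traffic: one approved download, then two bypass attempts */
    struct request rq[] = {
        { "FTP",    "JSMITH",  "ACCTGRP", "10.0.0.5", OP_READ,    "PRODLIB", "GLTRANS" },
        { "ODBC",   "QSECOFR", "ADMGRP",  "10.0.0.9", OP_WRITE,   "PRODLIB", "PAYROLL" },
        { "RMTCMD", "QSECOFR", "ADMGRP",  "10.0.0.9", OP_COMMAND, "",        "DSPLIB PRODLIB" },
    };
    char line[160]; size_t i;
    for (i = 0; i < sizeof rq / sizeof rq[0]; i++) {
        log_request(&rq[i], decide(&rq[i]), line, sizeof line);
        puts(line);
    }
    return 0;
}
```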

Figure 2. Analyze, control, and report on a user's network activities.

For more information on PowerTech Network Security, or to receive a FREE compliance scan of your system (including a review of your network vulnerability), visit the PowerTech website at www.powertech.com.

Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. A frequent speaker on security topics, he is co-author of the IBM RedBook, System i Security – Protecting i5/OS Data with Encryption. Robin can be reached by e-mail at robin.tatam@powertech.com.

The State of System i Security—Webinar 12/2/2009

Posted in Webinars on October 28th, 2009 by Christopher

PowerTech publishes a popular study of the configuration of System i servers each year, called The State of System i Security. Now in its sixth year, the study continues to show many of the same vulnerabilities, reported to us through an anonymous auditing process.

The report includes a review of six main audit categories:

  • Network access
  • System values
  • User settings
  • Administrative rights
  • Public authority to data
  • Event auditing

Attendees are eligible to receive a FREE compliance assessment, as well as a copy of the full 2009 study.

View this informative webinar to gain insight into the 2009 edition of the study, and to learn what steps your own organization should take to address the same commonly overlooked and dangerous security exposures.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, December 2, 2009
10 a.m. Central Standard Time (16:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by email at robin.tatam@powertech.com.

Jill Martin is Technical Services Manager with the PowerTech Group, and brings a strong IBM i background to a security discussion. Jill has worked in a number of roles in the industry including a Help/Systems technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Breaches, Breaches, Everywhere … and not an end in sight!

Posted in Security on October 27th, 2009 by Robin

Security terms like “data breach” are probably known to most households and businesses, but many of us don’t realize just how prevalent the problem really is. We’ve become accustomed to news reports of large data exposures, and to receiving letters in the mail indicating that our private information may have been compromised.

Just as with most things, we slowly become desensitized to recurring news of data loss events, and often choose to accept those events as an inevitable part of life that we have no control over. We only start to pay attention when we see the effect of a breach impacting our personal finances, our jobs, or an organization that we do business with.

Privacy Rights Clearinghouse (PRC) is a nonprofit consumer information and advocacy organization, and a source that I frequently quote when speaking to groups about the topic of information breaches and data leak protection. PRC maintains a chronology of data incidents involving private or confidential data, and it certainly makes for interesting reading.

October was another busy month for breach activity. While you probably didn’t hear about these events in the mainstream media, as of this writing PRC lists no fewer than 12 separate events of compromised information. Some of the data compromised included U.S. Social Security numbers and patient medical information. Breached organizations this month include the U.S. Army, BlueCross BlueShield, and several education and medical institutions. The breaches occurred through a number of common data leak conduits, including discarded documents, lost USB thumb drives, and stolen laptops. One event was the result of an improperly disposed-of disk unit that contained 76 million (yes, million!) records on US military veterans.

So with this many data breaches occurring in any given month, it still amazes me that IT teams even now have to sell management on the value of securing data assets. When we conduct compliance assessment scans, we still come across the “it will never happen to us!” mentality. We also hear “it’s okay since my users don’t know how to do that,” which is almost as bad. Trust me when I say: It can happen to you, and it only takes one user who knows how to do it to bring the whole organization crashing down.

If all of this breach information still isn’t enough to spur you to move forward with your own security initiative, then perhaps you’ll be interested in this week’s news about the $275,000 fine leveled against ChoicePoint, one of the nation’s largest data brokers (http://www.ftc.gov/opa/2009/10/choicepoint.shtm).

For more information on PRC, or to view their continuously expanding list of data incidents, visit their Web site at www.privacyrights.org.

How to Survive a Data Breach—Webinar 11/18/2009

Posted in Webinars on October 22nd, 2009 by Christopher

Statistics suggest that it’s not a matter of if you will suffer some form of corporate data loss, but when. Giant corporations, with a significant investment in security infrastructure, have found themselves on the wrong side of the headlines. If it can happen to them, it can happen to you! Building a plan that encompasses security and compliance controls, as well as incident planning, ensures that you minimize the risk and know how to react if the worst-case scenario occurs.

Join this webinar to hear discussion of:

  • Common causes of a Data Breach
  • Security Incident Response (SIR) planning
  • Manic response vs. Measured response
  • Breach cost projection / price of protection
  • What types of IBM i activities can (and cannot) be audited
  • What mechanisms are available to perform IBM i audit data forensics and intrusion alerting

Attendees are eligible to receive a FREE compliance assessment.

Products Featured
PowerTech Compliance Monitor
PowerTech Interact

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, November 18, 2009
10 a.m. Central Standard Time (16:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by email at robin.tatam@powertech.com.

Jill Martin is Technical Services Manager with the PowerTech Group, and brings a strong IBM i background to a security discussion. Jill has worked in a number of roles in the industry including a Help/Systems technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Securing and Controlling Your Powerful Users—Webinar 11/11/2009

Posted in Webinars on October 22nd, 2009 by Christopher

One of the greatest challenges that an organization faces when securing an IBM i environment is protecting the system from the very people who are also charged with its care: programmers, administrators, and security officers. While these power users often need access to restricted objects and commands, they rarely need that level of access 24 hours a day, and definitely not without accountability.

Join this important session to learn about the vulnerabilities associated with powerful users. Discover Authority Broker, an award winning approach to regaining the control that your auditors demand, while still allowing your administrators and programmers to do their jobs.

Attendees are eligible to receive a FREE compliance assessment.

Products Featured
Authority Broker (with live demo)

Presenters
Main Presenter: Jill Martin, PowerTech
Co-presenter: Paul Culin, PowerTech

Wednesday, November 11, 2009
10 a.m. Central Standard Time (16:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Jill Martin is Technical Services Manager with the PowerTech Group, and brings a strong IBM i background to a security discussion. Jill has worked in a number of roles in the industry including a Help/Systems technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Paul ‘Paulie’ Culin is a security advisor with the PowerTech Group. As a product expert, his role at PowerTech includes managing numerous client training and implementation engagements, as well as hosting security presentations, webinars, and product demonstrations.

How To Prevent A Data Leak—Webinar 11/4/2009

Posted in Webinars on October 22nd, 2009 by Christopher

A data breach is a leak of information into a non-trusted environment, and discovered occurrences are growing exponentially. Data leakage can be accidental or malicious, but unlike any other form of “loss” it often leaves the compromised data intact, which makes it a challenge to discover.

Robin Tatam, Director of Security Technologies for PowerTech, is pleased to extend a warm welcome to Tom Garcia, President and CEO of InfoSight. Tom will be joining as a co-host for this session on Data Leak Prevention (DLP), and brings a wealth of in-depth knowledge and experience in the areas of Compliance and Risk Management.

Attend this Webinar to get insight into:

  • What are data leaks, and how do they occur
  • What business costs result from data leaks
  • How your IBM i (AS/400) can be the source of a leak
  • How to prevent data from leaving your organization without your knowledge
  • What to look for in a data leak prevention (DLP) solution

Attendees are eligible to receive a FREE compliance assessment.

Products Featured
PowerTech Network Security (no live demo)

Presenters
Robin Tatam, PowerTech
Tom Garcia, InfoSight

Wednesday, November 4, 2009
8 a.m. Pacific / 10 a.m. Central / 11 a.m. Eastern

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by email at robin.tatam@powertech.com.

Tom Garcia is a compliance and security expert in the banking and financial industry. Tom founded InfoSight, Inc. in 1998, and under his leadership, the company continues to expand nationally. InfoSight provides leading-edge compliance, information technology, and managed security solutions for banks, credit unions, and other regulated industries. Tom can be reached at tom.garcia@infosightinc.com.

“It’s the 4th quarter, with only minutes left on the clock!”

Posted in Security on October 20th, 2009 by Robin

The PowerTech corporate offices in Eden Prairie, Minnesota, recently celebrated the arrival of October with a noticeable drop in outside temperatures, and a chilly blanket of several inches of snow. I’m told that hardy Minnesotans embrace these seasonal changes, but, coming from Iowa, I know what the word “embraces” translates to: thick jackets, heavy boots, and a car that groans like a wounded animal when you try to start it in the morning!

It’s also the kick-off for the traditional fourth-quarter push for companies to allocate the remainder of their budgets. While this year has seen extensive financial hardship for individuals and companies alike, it has been an interesting one for a security solution provider such as PowerTech. While many technology initiatives were put on hold, or eliminated completely, many organizations have recognized that this type of economy is when you should be investing in security, as hardship often leads to a significant rise in security threats to your data.

A reduction in the workforce often stretches remaining resources to the limit, and manual tasks become an invasive burden on those companies already running with a lean staff. Who has time to manually pore through server event logs, when a day is consumed with “more important” tasks that someone else used to do?

The departure of users who had unrestricted access to corporate data provides an unparalleled threat of data leakage. With an increase in the number of disgruntled employees, even read-only access—once seen as the Holy Grail of data protection—is enough clearance to drag-and-drop a file onto a PC, and then smuggle it outside the borders of the organization through a variety of channels. USB thumb-drives now cost well under $100 for a 32GB model, enough space to hold almost seven DVDs worth of data! Internet-based e-mail services, such as Gmail and Yahoo, operate outside the control of corporate e-mail systems, and provide a lightning-fast conduit to transfer data out of the workplace. What’s most challenging about data theft detection is that the object that was stolen can still be found where you left it!

As you set your sights on the arrival of 2010, and a new decade of positive economic change, you might want to start working on that IBM i security initiative that you’ve been meaning to get to for the last few years. Give PowerTech a call! We have solutions that not only help prevent data leakage, but also ease the burden of monitoring system and security events—even in real-time.

Now, does somebody around here know where I can get a remote-starter for my car?

Don’t Gamble with Your Audit

Posted in Auditing on October 13th, 2009 by Robin

It’s always an eye-opening experience to speak with an auditor about the intricacies of auditing an IT environment. I respect their views, and I can only imagine how difficult it is trying to be an expert on the wide variety of technologies found in an average enterprise.

Last week, I spent a couple of days at the ISACA conference in Las Vegas, meeting and talking with auditors from around the country. While some had heard of the System i (or iSeries or AS/400), it was very evident that there weren’t any subject matter experts on hand. I was left wondering: “How can anyone receive an effective audit of a platform that IT auditors have such limited knowledge of?”

PowerTech security experts perform a healthy number of audits each year, but there are not many firms with our professional capabilities. Yet, we’re barely scratching the surface of the immense number of organizations that must maintain compliance with the seemingly endless list of regulations and legislation found throughout the world. What about the others—are they just ignoring the mandates? Or are they being subjected to questionable recommendations made from a comparison to an old checklist compiled from numerous online sources? I fear it’s probably a mix of the two!

PowerTech developed the wildly popular Compliance Assessment tool to perform a review of six major areas of vulnerability. We have made this tool available to users as a free service, and now include one-on-one time with a security expert to help interpret the findings. The auditors I talked to were extremely excited to know that there was someone out there to help make their lives easier, and to be an expert they can talk to when they encounter a System i. I’m excited and encouraged at the opportunities that brings to the PowerTech table as we continue to grow, and as we continue to service the IBM i community with world-class security solutions.

While you might not think of an IBM i-savvy auditor as a benefit, the fact that you’re talking with someone who understands real-world vulnerabilities, as well as the inherent strengths of security on the platform, adds protection to your corporate data. And the availability of a speedy tool that provides an educated view into the infrastructure makes your IBM i data even safer.

And, after all, isn’t that the purpose of a security audit in the first place?