Archive for June, 2010

The Top 10 IBM i Security Risks You Need To Fix Now—Webinar 8/25/2010

Posted in Webinars on June 18th, 2010 by Christopher

Although the IBM i is one of the most securable servers available, it doesn’t come that way from the factory. PowerTech’s State of IBM i Security study has shown that most organizations still fail to take adequate steps to secure their data or the server.

PowerTech has compiled a list of the ten most common and important IBM i security risks. We will share them with you to help you identify your own vulnerabilities and prioritize their correction. Attend this informative Webinar to gain insight into the top ten security vulnerabilities and recommendations on how to fix them.

Attendees are eligible to receive a FREE Compliance Assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, August 25, 2010
10 a.m. Central Time (15:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios

Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for IBM i. A frequent speaker on security topics, he co-authored the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by e-mail at robin.tatam@powertech.com.

Jill Martin is Product Support Manager for PowerTech and brings a strong System i background to any security discussion. Jill has worked in a number of roles in the industry, including technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

7 Habits Of Highly Secure Organizations—Webinar 8/11/2010

Posted in Webinars on June 18th, 2010 by Christopher

Everyone knows that security is important, but getting started on the road to compliance can be confusing and intimidating. Understanding common vulnerabilities helps you focus your attention and resources on the areas that need the most help.

We all want “best-practice” security, but what are top organizations doing to achieve and maintain it? Attend this session to learn the details about how to develop the seven habits that are part of daily life for secure organizations.

You’ll learn how to:

  • Break the Ostrich Syndrome
  • Develop a Security Policy
  • Assess Current Standing
  • Perform Security Event Logging and Review
  • Use “Best of Breed” Technologies
  • Monitor for Ongoing Compliance
  • Plan For The Future

This session examines what each of these habits means to the IBM i, and helps you make sure that you don’t become the next security statistic.

Attendees are eligible to receive a FREE Compliance Assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, August 11, 2010
10 a.m. Central Time (15:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.


An Auditor’s View: Assessing your IBM i server in 15 minutes—Webinar 7/28/2010

Posted in Webinars on June 18th, 2010 by Christopher

For the past seven years, PowerTech has compiled audit data trends from over 1,500 servers into the annual “State of IBM i Security” study. Each year, the study identifies many of the same vulnerabilities, suggesting that IBM i shops are still not where they need to be in terms of security and auditing.

Join us for this Webinar where you’ll learn how to get started auditing your IBM i server, and how PowerTech’s compliance assessment tool can perform a personalized review of your environment—in under 15 minutes!

You’ll learn about auditing these critical areas:

  • System Values
  • Network Access, such as FTP and ODBC
  • User Profiles
  • Special Authorities
  • Event Auditing

Attendees are eligible to receive a FREE Compliance Assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, July 28, 2010
10 a.m. Central Time (15:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.


The State of IBM i Security—Webinar 7/14/2010

Posted in Webinars on June 18th, 2010 by Christopher

UPDATE: New 2010 study released.

PowerTech publishes a popular study of the configuration of IBM System i servers each year, called The State of IBM i Security. With the study now in its seventh year, we continue to see many of the same vulnerabilities reported to us through an anonymous auditing process.

The report includes a review of six main audit categories:

  • Network access
  • System values
  • User settings
  • Administrative rights
  • Public authority to data
  • Event auditing

View this informative Webinar for insight into the 2010 edition of the study and to learn what steps your own organization should take to address the same commonly overlooked and dangerous security exposures.

Attendees are eligible to receive a FREE Compliance Assessment, as well as a copy of the full 2010 study.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, July 14, 2010
10 a.m. Central Time (15:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.


Help/Systems Hosts Midrange Mixer

Posted in Company News, Events, Other, Security on June 15th, 2010 by Robin

Hi everyone!

Visiting with customers is one of my favorite activities, so I was excited that last week’s Midrange Mixer in Rochester, MN brought in a lot of IBM i users. This time, the event was hosted at the famous Michael’s restaurant (as designated by the hundreds of celebrity photos hanging in the main hallway) in downtown Rochester. We welcomed a large number of customers and prospective customers for cocktails, hors d’oeuvres, and Jeopardy-style games. I must say, it’s amazing how much easier those questions are to answer when you are NOT sitting in the hot seat!

The evening’s table conversations were very stimulating, with numerous companies seeking assistance with their security projects. PowerTech’s recent introduction of Network Security Version 6 and other enhancement projects in the works were a topic of discussion, as was our great no-charge compliance assessment solution. I know Tom Huntington encountered a similar response regarding multi-platform scheduling, and other Help/Systems specialties. I must say, it’s good to hear about healthy business initiatives again.

Thanks must go to our own Heath Kath, Technical Sales Consultant for SEQUEL Software, for his willingness to don the (in)famous Robot suit, and stand out on the streets of Rochester to welcome everyone to the party! (Thanks also go to my over-six-feet tall parents for ensuring that the suit does not fit me!)

If you are also embarking on a new security project, drop me a line to find out how PowerTech can put our resources to work for you. With skilled security engineers, and our well-known security software solutions, we have the tools to get the job done right—regardless of your security or compliance objectives.

As part of summer, we are slowing our weekly Webinar schedule to approximately two per month. Look for our security workshops and Webinars to resume their normal schedule in September. As always, the PowerTech Website and PowerNews electronic newsletter are a great source of information, and both sources have the upcoming event schedule for June, July and August.

Speaking of summer, I am taking time off work next week to take my kids on a highly anticipated vacation to the southern climes of Boca Raton, Florida. Following my visit to Orlando for COMMON last month, I saw what a fabulous place this would be for a family trip to the beach. Thanks to my foreign exchange student “brother” for his hospitality at the beautiful ocean-front resort he manages in Deerfield Beach.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

What’s involved in a PowerTech Compliance Assessment?

Posted in Other, Security on June 9th, 2010 by Robin

Hi everyone!

Last week, I mentioned that many companies struggle with starting security projects due to a lack of any clear direction or action plan. I introduced the idea of performing an assessment, and mentioned one of the options is to start with our own no-charge Compliance Assessment solution.

I have had a number of follow-up questions regarding this approach, so this week I thought that I would delve a little deeper into the PowerTech Compliance Assessment process.

First and foremost, this is a tool that runs on Microsoft Windows. Of course, there is an IBM i component to collect the host data, but it is installed by the tool as it runs, and is removed again after it completes. This means no footprint is left behind on the server. If your change management process does not allow for software installation, we can work with you to catalog the things that are installed and deleted.

PC requirements:

  • Windows 2000, Windows XP, or Windows Vista
  • Java Virtual Machine (JVM), version 1.5 or later
  • Internet Explorer version 6.0 or later, or Mozilla Firefox (2.0 or higher is preferred)
  • Adobe Flash version 9 or later is required to view the report

IBM i requirements:

  • OS/400 V5R1 or later
  • Access to a powerful user profile with *ALLOBJ and *SECADM
  • A network connection to the system with FTP access

The software is installed from an automatic installation process that comes from a download link that we provide. You have 7 days after you run the first assessment to run it again (as many times as you wish). This works well to provide an updated baseline based on some simple changes that may be enacted.

There are six areas of review, each represented by their own tab in the assessment application:

Auditing

This is a review of the event capture configuration provided in the operating system. PowerTech’s annual security study indicates that 20% of IBM i shops are still not performing any form of auditing, and many more are not collecting data that would be sufficient for a forensics review.

User Access

One of the largest exposures I see when performing assessments is the lack of visibility to requests for data from network interfaces, such as ODBC and FTP. IBM provides a supplemental layer to the operating system called exit points, and this tab checks to see which exit points have registered exit programs monitoring them.

User Security

One of the best defense mechanisms you can use is strong user and password rules. A review of your profile environment provides feedback on the number of profiles that have not recently been used, profiles with default passwords, and highest number of invalid sign-on attempts. An analysis of your password rules is also included.

System Security

There are a number of security-related system values, and ensuring that they are all set appropriately is an important step in securing your system. We’ll review these settings, as well as some best practice recommendations.

Public Authority

A legacy of many IBM i applications is that we often rely on menu security, and user profile command restrictions to prevent unauthorized data access. A look at the public authority on your application libraries will reveal if they are vulnerable to access from outside of the application.

Admin Rights

Unnecessarily powerful profiles plague many IBM i shops, and are one of the issues most frequently cited by auditors. There are eight special authorities that should be reserved for administrators, and this section will review the number of users granted each of them.

Two tabs are designed to put a “bow” on the assessment package. The Summary tab provides an executive-level view of the general state of compliance to best practices. Intuitive red/yellow/green “traffic light” style indicators provide a visual gauge for non-technical people. The Recommendations tab summarizes the key observations, which can be printed and shared. I don’t usually spend much time in this section when working directly with customers, as I take my role in the assessment process to provide observations and recommendations that pertain to the specific environment.

If you meet the PC requirements listed above, check out our online sample report or, better yet, have an assessment performed on your own system. Did I mention that it doesn’t cost anything?

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Planning Your Security Project

Posted in Other, Security on June 4th, 2010 by Robin

Hi everyone!

As hard as it is to believe, today is already the last day of school for my two children, Jordan and Sydney.  Another academic year down, and a summer vacation about to begin.  At this point, both kids have no real plan for what the summer will hold, but that isn’t going to stop them racing into their highly anticipated time off!

Their enthusiasm, despite the lack of a solid game plan, started me thinking how many people start a security project with similar gusto, but also without any real direction on where to begin (or end).  Not only can this be expensive, but it is also likely to be an inefficient use of skilled resources, and will lead to frustration and possibly even abandonment of the project as being “too complicated.” As such, I thought I would share one way that I have seen customers successfully embark on such a project.

As with any project, the first step is to establish the project goal or objective.  In a security project, the objective is usually to become secure or to become compliant.  If you are a frequent reader of the PowerTech blog, you will know that these two objectives are not necessarily the same, but are terms that are often used interchangeably.  From there, identify the tasks needed to achieve the objective, and then prioritize and schedule those tasks.

Okay, so back to our IBM i security project.  If this is a new type of initiative for your organization, then determining the tasks, as well as the priority of the tasks, can be a daunting process.  If you have ever spent any time looking at risk management, you know that you want to assign levels of risk based on the likelihood of an event occurring, in conjunction with the cost and effort of mitigating the exposure versus the cost of recovery if the event were to occur.  High risk items should be mitigated first.  Low risk items should be mitigated last, or perhaps not at all if the risk is considered acceptable.

One of the best ways to identify the tasks is with a formal review of your IBM i environment.  PowerTech has two popular offerings to assist with this process:

Security Assessment Tool

We have devised an automated assessment tool that performs a high-level review of six key security-related metrics on IBM i.  The assessment findings are presented instantly to your team via a rich browser-based application, and a comparison is made to common best-practice standards to provide direction on mitigation.  PowerTech provides access to the tool for 7 days, plus a security specialist to help interpret the findings, all at no charge for the first partition.

Security Assessment Service

After using the automated tool, perhaps a “deep dive” review is deemed necessary.  This fee-based offering can be customized to your own business requirements, but is typically a five day engagement involving a security specialist performing a comprehensive review of the IBM i configuration.  The resulting report details a prioritized list of concerns, along with background information on why an item is a concern.

Now that the exposures are known, it is much easier to assign the priority of the remediation tasks and to assign the costs to mitigate them.  Some items, such as network access to data and applications, are among the biggest vulnerabilities we see, but they can also be among the easier high-risk items to resolve.  Other concerns, such as overly powerful users, might take more planning and manual effort to mitigate.

Beyond the class-leading software solutions that PowerTech is renowned for, we can assist with virtually any task in an IBM i security project.  Our security specialists have experience and expertise in mitigating risk in many areas, including system configuration and applications.

Don’t allow your enthusiasm to be dampened by the lack of a solid game plan.  Starting with an assessment can prevent delaying the start of a project as important as this.  After all, your application data is one of your most valuable business assets.

Drop me a line at robin.tatam@powertech.com for more information, or visit www.powertech.com.

Cheers!

- rt