Well, last week was COMMON time again. This year the host city was Anaheim, CA, home of Disneyland—known to kids and football players as the happiest place on earth. While I didn’t personally spend any time at the theme parks, I did enjoy the beautiful shoreline at Laguna Beach and Huntington Beach, as well as a quick stop in LA and the ever-strange Hollywood.

The COMMON exposition was a great success for the Help/Systems brands, PowerTech, Robot, and SEQUEL, with visits from dozens of customers from several countries, and many new prospects who were eager to learn about security, automation, and business intelligence solutions. We also raffled off a Kindle Fire and several iPods to several lucky attendees—thanks to all of you that signed up for the drawing and if you didn’t win, better luck next time!

I also had an opportunity to chat with several members of the domestic and international press community about the “State of IBM i Security” study. The 2012 edition was released to coincide with a popular session that disclosed some of the eye-opening findings. Of course, the booth wasn’t complete without a visit from Help/Systems’ infamous Robot who posed for tons of pictures with customers, and even some IBM’ers and other expo vendors!

While my colleagues held down the booth, I presented four educational sessions on various security topics, including introducing a capacity crowd to an award-winning session on configuring IBM i audit controls. It’s one of the most enjoyable roles that I have as it provides the ability to share knowledge and watch the security “light” turn on for 75–100 people in an interactive classroom setting.

As always, the evening events were a blast and well attended, considering the beautiful location. They included a speaker awards night, and a live band night celebrating the music capital of the World: Austin, Texas, where COMMON will be held in 2013.

If you’ve ever dreamed about being a presenter at COMMON, the “call for sessions” is now open for the September conference in Columbus, Ohio. You never know; it could result in a photo similar to the one of yours truly being inducted into COMMON’s “Speaker Hall of Fame” by RPG guru Susan Gantner and COMMON’s President, Pete Massiello.

To wrap up, I hope all of the Moms and Mums out there had a wonderful Mother’s Day; I lost mine to cancer back in 1993, and I truly miss her every single day.

If you’d like more information on PowerTech’s security solutions, visit www.powertech.com or contact me at robin.tatam@powertech.com.

Cheers!

- rt

The highly anticipated 2012 “State of IBM i Security” study is available for immediate download at www.powertech.com.

Each year, PowerTech audits hundreds of servers, using our Compliance Assessment tool. Clients have the option of sharing their statistical information—minus any application or identifying data—for inclusion in our annual study. Although the statistics are collected from different servers each year, making year-to-year comparisons difficult, the volume of assessments and the variety of server sizes demonstrate a legitimate insight into how customers approach IBM i security.

So What’s the Scary Part?
While there are more statistics than we can cover here, I want to give you a sneak peek at some interesting highlights from the six areas covered in the 2012 study, which included:

• 122 servers
• 992 users per server (average)
• 493 libraries per server (average)

Powerful Users—Most IBM i environments suffer from the exposure of overly powerful users. The study shows an average of 58 users with *ALLOBJ special authority (which provides full access to every object, including other user profiles), and 199 users with *JOBCTL (which allows the system to be brought to a restricted state).

Password Management and User Security—A staggering 60 users, on average, had default passwords; and more than half of those were enabled and ready for use—we can only speculate by whom!

Data Access—Unlike most operating systems, where no authority means no access, IBM i provides a default level of authority called *PUBLIC. We found that 81% of libraries defer the decision on public authority for new objects to the QCRTAUT system value. Unfortunately, in 90% of cases, that system value is configured to provide every user with the ability to read, change, and even delete data.

Network Access Control and Auditing—Many organizations still rely on legacy user restrictions such as menus, application security, and command-line restrictions. However, modern interfaces such as FTP and ODBC provide direct access to the database. IBM i allows users to designate exit programs to supplement native object security, but 66% of servers remain wholly unprotected by even a single exit program. And a third of those with exit programs cover only one exit point out of the 27 possible.

Auditing—Despite the fact that IBM i contains a comprehensive auditing facility, almost a quarter of the servers surveyed are not using it. This means zero visibility to critical system events like unauthorized access attempts, data files being saved or deleted, and changes to system values. Of the 74% of systems that are collecting audit data, many do not audit all of the recommended events, and only a small percentage had a recognizable audit reporting tool installed.

System Security—While IBM’s migration to a default of security level 40 has increased the compliance to this minimum recommended level, almost a third of systems are running at lower levels, exposing servers to several well-known vulnerabilities.

The scariest part for most experts is that, in the nine years since the first edition of the study was published, many statistics haven’t shown any significant signs of improvement. Despite the overwhelming evidence of weak configuration, and the fact that some of the most critical enterprise data is found on these servers, we continue to conclude that companies are not giving the necessary attention to IBM i security.

Does the Story Have a Happy Ending?
Although the study shows ongoing challenges in the deployment and configuration of security controls, none of these issues represents vulnerabilities in the operating system. In fact, IBM i is one of the most securable operating systems available. But users must realize that the server doesn’t ship from the factory in a secured configuration and that simply booting it up won’t make it secure.

It’s up to you to ensure that your server meets applicable regulatory or legislative standards, or simply best practices. Use your awareness to start a project to review and remediate your security vulnerabilities—before you become a statistic.

Next Steps
My suggested action items include:

• Download the complete 2012 “State of IBM i Security” study at www.powertech.com.
• Request a Compliance Assessment to determine how your configuration measures up.
• Increase your knowledge of IBM i security. PowerTech has a number of white papers and articles available on our website.

You also can participate in a discussion on security, including the 2012 study findings, at Help/Systems’ Solutions Summit scheduled for September 18–20 in Minneapolis.

Cheers!

- rt

April saw the release of Symantec’s 2012 Internet Security Threat Report. If you’ve never reviewed this document, I would highly recommend that you download and study it. One key observation states that organizations “need to be successful every time against criminals, hackers and spies. The bad guys only need to be lucky once.” Wise words indeed!

Based on our own work with clients, we continue to observe that many organizations are still in denial when it comes to the likelihood that critical data or server infrastructure will be compromised. We have put most of our faith in our organizations’ perimeter defenses, leaving the IBM i servers vulnerable to attack from within. Full integration of many of the facilities in IBM i—including the database—means that access is based on a single set of credentials. Sadly, profile and passwords settings often invite abuse of what is arguably the most important defense within IBM i.

Symantec observes that the “insider threat will also create headlines, as employees act intentionally—and unintentionally—to leak or steal valuable data.” It’s more important than ever that we, as IBM i security officers, assume that the primary threat will come from those that have been given (or gained) legitimate credentials to the server. We can no longer accept the excuse that “I never thought Mary would do that!” as a defense argument. Sure, we all want to trust that people are honest and that no one ever makes mistakes, but we can’t bank on it. If that were the case, the multi-billion dollar insurance industry would cease to exist!

While the 52-page report focuses primarily on information from the previous year, it does go on to make some predictions about the future and advises on industry best practices. One such practice is to employ a defense-in-depth approach with multiple systems that overlap and mutually support one another to guard against failures in any one protection method. These defenses should help support—but also control and audit—appropriate access to servers based on an employee’s role in the organization.

PowerTech has 16 years of experience as the IBM i security market leader, and we’ve developed a variety of solutions to detect unauthorized access attempts, and to manage the activities of authorized users. Proven solutions are available to mitigate powerful special authorities, control command line usage, and audit application data access, to name a few. Our continued investment means that we can now also manage the propagation of role-based profiles across an organization’s entire IBM i infrastructure.

If you’re interested in making sure the bad guys don’t get in, and would like information on any of the solution modules within the growing PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

I’ve always known that the local IBM i community is a relatively small group, but they couldn’t be more dedicated to the platform. Now that I spend time traveling to every corner of the country, I believe that extends without limit to geography. Regardless of whether I’m talking to programmers, administrators, or C-level managers, the commitment from those who have discovered and loved ‘i’ is as strong as ever. It’s the NEW generation that we have to ensure understands the value of this platform.

Last week, I presented a session on the “Top 10 Security Vulnerabilities” to the MUGWNY user group in Buffalo, New York. This is my second time visiting the group and I appreciate their repeat hospitality. I was encouraged to see attendance was strong and look forward to returning again soon, and hope that when I do, all Top 10 things have been eliminated from their organizations!

The final countdown to the biggest user conference of them all—COMMON—is on! I’m really looking forward to heading out to Anaheim, California, to reconnect with old friends as well as industry colleagues (and many who are both). In addition to hanging out with the team at the Help/Systems booth, I also will be presenting the following sessions and cordially invite you to learn about:

Getting Started on the Road to Compliance
Monday, May 7, 2012                  9:30 – 10:45 a.m.

The State of IBM i Security, 2012
Monday, May 7, 2012                 2:00 – 3:15 p.m.

Configuring and Using IBM i Auditing Features
Tuesday, May 8, 2012                8:00 – 9:15 a.m.

7 Habits of Highly Secure Organizations
Wednesday, May 9, 2012          9:30 – 10:45 a.m.

On a fun note, I inadvertently broke a PowerTech “World Record” this morning! Another billion-dollar industry giant recently turned to us for advice on their PCI initiative. Barely an hour after an online introduction to our entire software portfolio and our popular PCI Compliance white paper, the customer eagerly joined the PowerTech family. Welcome aboard! Sometimes it just takes an introduction to the best solutions. ☺

If you’re dealing with compliance challenges of your own and would like information on any of the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

Last year, U.S. taxpayers filed more than 142 million tax returns.  That represented about a 1% decline over the prior year, however there was a 3% increase in the number of returns that were filed electronically. Electronic submissions now represent approximately two thirds of the returns and this is expected to continue to grow.

This week marks the return of tax time in the United States, and citizens are divided between those awaiting a spring bonus and those that begrudgingly have to pay back in. While most of us prefer to live in the company of the former, you will want to be aware of a growing problem where criminals are filing tax returns that are using stolen social security numbers to claim deductions and walk away with YOUR refund! Unfortunately, once the government has processed a refund it can be difficult to find a resolution despite evidence that social security numbers have been abused. The problem has become so prolific in recent years that there is actually a team assigned to process identity theft claims.

One victim, interviewed by a news source, remarked that there was only one only surefire way to ensure that that doesn’t happen: try to make it so that there is no refund to be claimed at the end of the year!

After returning from Boston, I turned around and headed out this week to Niagara Falls, New York, to work with a customer on their security initiative. While in town I’ve been invited to speak about the “Top 10 security issues of IBM i” at the Buffalo regional user group. It’s already been a fun trip; meeting some folks that are new to the amazing IBM i platform, as well as enjoying the spectacular sight of the three Niagara waterfalls. My photograph this week was taken from my hotel as I was blessed with a spectacular sunset behind the Canadian side of Niagara. My view includes Rainbow Bridge spanning the gorge between the two countries, and the endless mist that rises around the intense Horseshoe Falls.

I was excited to hear earlier this week that I am being inducted into COMMON’s speaker “Hall of Fame,” based on scores for sessions presented at least year’s annual meeting in Minneapolis. I am excited to be headed to Anaheim in a few weeks for the 2012 meeting and conference, so if you are going to be there stop on by and say “Hi!”

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

Last week, I discovered that the New England states know how to host an incredible IBM i conference! I returned from Framington (near Boston) after a fantastic two-day exposition and conference. I was honored to have been invited to teach four classroom sessions, with topics that ranged from a sneak peak at the 2012 release of our popular “State of IBM i Security” study all the way to a “how-to” on configuring IBM i auditing controls.

It was so fun to speak to almost a hundred session attendees, as well as visit with customers and prospects at the Help/Systems booth. I enjoy conducting live education sessions more than anything in my job description; it provides a basis for our product direction, as well as an opportunity to help solve business challenges for customers that didn’t know a solution was close at hand. We’ve already fielded several phone calls from attendees looking for demonstrations of one or more of the PowerTech solutions. The casino night was a blast, and I’m proud to say that I won 330,000 (albeit fake) dollars at blackjack!

While I was in town I was fortunate to explore some of Boston’s history-laden heritage, with a tour of the “Freedom Trail,” a path that leads through downtown and includes views of such significant American landmarks as Faneuil Hall and the gravesite of Samuel Adams. The photographs I’ve included are an attempt to convey a touch of the grandeur of the city’s incredible architecture and juxtaposition of old and new, as well as the grave site of the famous revolutionary, Paul Revere.

Speaking of “old and new,” you might have heard about the newest occurrence of an old problem. On March 30, Global Payments, a credit card processor, announced that they had been massively breached. Of course, there is still much speculation regarding the cause, scope, and culprits, but some sources are already indicating that the scope extends into the millions (of cards) and that the number has started to “mushroom” as signs surface that the breached card information is being used.

Fortunately, Global Payments reports that they were alerted to the intrusion by their security processes. Although it’s a shame that the controls didn’t also prevent the data loss, every minute that passes after a breach occurs magnifies the problem. Security controls should be deployed to help monitor system, user, and application accesses, and alert the administrators to anomalies. Interestingly, many conference attendees were still reliant on basic menu and application security, and were alarmed that access to their critical information might be as close as an FTP login using a default password.

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

It feels like the last few weeks have been busier than any during my tenure at PowerTech. Numerous services engagements are running concurrently—some product related, some operating system security—as well as preparations for at least four different conferences (WMCPA, NEUGC, COMMON, and Help/Systems’ own Solutions Summit). We’re also putting the final touches to some product updates and preparing the 2012 State of IBM i Security Study.

More than 120 servers contributed data to this year’s study and, unfortunately, many of them exhibited the same security vulnerabilities found in prior years. While awareness of security is undeniably on the rise, many organizations are still failing to put the necessary safeguards in place to reduce the risk of a data breach. While the average cost of a breach might be down from prior years, it is still not a situation you want to find yourself in. Stay tuned for the formal release—and more insight into the findings—in the next few weeks.

Next week, I’ll be out in the Boston area visiting customers and then teaching four security sessions at the Northeast User Groups Conference, a technical conference hosted by the power systems users groups of Connecticut, Maine, New Hampshire, Rhode Island, and Vermont. If you’re signed up to attend, please stop by the Help/Systems booth and say “Hi!”

I haven’t been to Boston for almost twenty years. The last time was for a Daly & Wolcott conference (now Infor). I still remember how beautiful the city was and how strangely self-conscious I was to be a British citizen—what with the “whites of their eyes” and all that. I’m really excited to be back in “Beantown” and I’ll try to return with some new photographs to share with you.

I was made aware this week that my blog was #8 on Alex Woodie’s “Best i Blog Bets: A Top 10 List.” I’m honored to have made the cut, as did Tom Huntington, my colleague here at Help/Systems. He slid in at #7, so we won’t be speaking any time soon! Just kidding Tom; after all, you’ve spent waaaay more years in the industry than me ☺ I love ya, Mr. Robot!

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

After several years of increases, the renowned Ponemon Institute recently announced a decrease in the per-record cost of a data breach, down from $214 to $194. The reversal is not entirely unexpected as Dr. Larry Ponemon predicted the likelihood of an eventual decrease. Although too early to see if this will be the new trend, the cost reduction may be partly attributable to less shock-value coming from a breach. At some point, breaches are happening with such frequency that we’re becoming numb to it. Personally, I know that I’m no longer surprised by the obligatory “your data might have been compromised” letter or news headlines, and can believe that some of the legal costs and remediation costs might be reduced slightly. However, in the long run, these reductions might be outpaced by the seeming increase in the frequency and size of the breaches.

No company wishes to join the increasingly less-exclusive “we’ve been breached” club and so it remains critical that the response to events be swift and decisive. Controls need to be deployed to ensure that unauthorized activities are detected in time to be able to minimize their impact, as well as create an audit trail for forensic analysis.

To help companies understand some of the methodologies they can use for securing IBM Power Systems servers running IBM i, I recently attended a regional user group conference in beautiful Lake Geneva, Wisconsin. The WMPCA group is a very active group from Milwaukee and this is the 28th year that the group has hosted the annual conference. Featured speakers included COMMON’s president, Pete Massiello, development guru Jon Paris, Susan Gantner, and Aaron Bartell. And, of course, I was on hand to teach a session on how to audit an IBM i server.

My photo this week is of the gaming room at the Baker House, a spectacular inn and restaurant on the banks of Lake Geneva. Built in 1885 as a summer mansion, the renovated inn boasts sumptuous accommodations and an incredible display of original features such as the floors, fireplaces, and woodwork.

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

After my recent blog entries about how ridiculously mild the winter has been in Minnesota this year, you might be forgiven for thinking that today’s images are how I spend my day in our offices in Eden Prairie. While it is supposed to surpass 70 degrees this week, my pictures are from Cabo San Lucas, Mexico, where I spent a few quiet days last week recharging my batteries. I got to enjoy hot sun, crashing surf, and the amazing sight of pods of whales returning north along the Pacific coastline.

Although it’s hard to believe that almost a third of 2012 has already passed, it’s never too late to kick off your security initiative (okay, after a breach might be a tad too late!). Instead, consider partnering with PowerTech to streamline your IBM i security tasks so that you also have free time to practice: “Dos Corona, por favor!” After being badgered by timeshare salespeople masquerading as hotel concierges, shuttle bus drivers, and activity organizers, I can personally guarantee that there will be nothing but ethical representation from all of the PowerTech sales team!

On another note, I turned 42 years old this week. It’s amazing that I actually feel more career energy than I did when I was 24. I have never been a serial jobseeker, but I know that I’ve found a company that I’m proud to stand and say that I represent. Sure, Help/Systems has quirks, like all companies, but I’m more excited to work than I have ever been in my 23-year IBM i career. I’m able to witness firsthand how our products actually help people improve what they do. From the amazing automation products in the “Robot” line, to the data querying power of SEQUEL, (and, of course, the security functions found in the PowerTech products), it’s easy to invest your heart when there’s belief in both what you are selling and the company that you are selling it for.

I’m sure you have questions about security. Everyone on the IBM i platform has questions, especially when they discover the server is shipped and (typically) installed in an open configuration. Modern regulations may force some to assess the situation, but data protection affects every organization. Even if you don’t have disclosure concerns, I imagine you have applications that need to be working and available to your users. Without configuring IBM i security controls, and deploying trusted tools designed to leverage and extend those functions, you might find yourself trapped by an incoming tide!

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

- rt

After one of the mildest winters I can remember, we finally got a quick shot of Mother Nature last week. Freezing rain under a blanket of several inches of snow reminded us of how Minnesota can embrace the winter season with style. Of course, it didn’t last long as weathercasters correctly predicted incoming temperatures above 50 degrees!

At the office, we’re busy planning for the Help/Systems Solutions Summit user conference scheduled for September 18–20 in Minneapolis. There’ll be a security track through the conference, including numerous PowerTech sessions hosted by key personnel. In addition, we’re also expecting to roll out certifications to allow you to test your understanding of the PowerTech products, just as many of you have done previously with Help/Systems’ Robot certification program. If you’d like to be able to brag about your success at achieving a PowerTech certification, don’t forget to bring your #2 pencil!

After a brief hiatus, we’re also working on scheduling more of our popular webinars. They’re not going to be as frequent as in the last couple of years as we’re planning more live “appearances,” but we want to continue to deliver the security message. We are also contemplating some on-demand webinars and e-training classes as we see demand for those growing—especially in international markets. Let me know if you have any security topics you’re interested in hearing about.

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt