What’s involved in a PowerTech Compliance Assessment?

Posted in Other, Security on June 9th, 2010 by Robin

Hi everyone!

Last week, I mentioned that many companies struggle with starting security projects due to a lack of any clear direction or action plan. I introduced the idea of performing an assessment, and mentioned one of the options is to start with our own no-charge Compliance Assessment solution.

I have had a number of follow-up questions regarding this approach, so this week I thought that I would delve a little deeper into the PowerTech Compliance Assessment process.

First and foremost, this is a tool that runs on Microsoft Windows. Of course, there is an IBM i component to collect the host data, but it is installed by the tool as it runs, and is removed again after it completes. This means no footprint is left behind on the server. If your change management process does not allow for software installation, we can work with you to catalog the things that are installed and deleted.

PC requirements:

  • Windows 2000, Windows XP, or Windows Vista
  • Java Virtual Machine (JVM), version 1.5 or later
  • Internet Explorer version 6.0 or later, or Mozilla Firefox (2.0 or higher is preferred)
  • Adobe Flash version 9 or later is required to view the report

IBM i requirements:

  • OS/400 V5R1 or later
  • Access to a powerful user profile with *ALLOBJ and *SECADM
  • A network connection to the system with ftp access

The software is installed by an automatic installation process launched from a download link that we provide. For 7 days after you run the first assessment you can run it again as many times as you wish. This works well for producing an updated baseline after some simple changes have been enacted.

There are six areas of review, each represented by their own tab in the assessment application:

Auditing

This is a review of the event capture configuration provided in the operating system. PowerTech’s annual security study indicates that 20% of IBM i shops are still not performing any form of auditing, and many more are not collecting data that would be sufficient for a forensics review.

User Access

One of the largest exposures I see when performing assessments is the lack of visibility into requests for data that arrive through network interfaces such as ODBC and FTP. IBM provides a supplemental layer to the operating system called exit points, and this tab checks which exit points have registered exit programs monitoring them.

User Security

One of the best defense mechanisms you can use is strong user and password rules. A review of your profile environment provides feedback on the number of profiles that have not recently been used, profiles with default passwords, and the highest number of invalid sign-on attempts. An analysis of your password rules is also included.

System Security

There are a number of security-related system values, and ensuring that they are all set appropriately is an important step in securing your system. We’ll review these settings, as well as some best practice recommendations.

Public Authority

A legacy of many IBM i applications is that we often rely on menu security and user profile command restrictions to prevent unauthorized data access. A look at the public authority on your application libraries will reveal whether they are vulnerable to access from outside of the application.

Admin Rights

Unnecessarily powerful profiles plague many IBM i shops, and this is one of the issues most frequently cited by auditors. There are eight special authorities that should be reserved for administrators, and this section reviews the number of users granted each of them.

Two tabs are designed to put a “bow” on the assessment package. The Summary tab provides an executive-level view of the general state of compliance to best practices. Intuitive red/yellow/green “traffic light” style indicators provide a visual gauge for non-technical people. The Recommendations tab summarizes the key observations, which can be printed and shared. I don’t usually spend much time in this section when working directly with customers, as I take my role in the assessment process to provide observations and recommendations that pertain to the specific environment.
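To make the six review areas and the red/yellow/green summary concrete, here is an added toy checker written for this post; it is not PowerTech's tool and does not reproduce its rules. It runs each area's check over a constructed snapshot of the kind of host data a collector might gather and rolls the results up into a single traffic-light rating. The system value names (QSECURITY, QAUDCTL, QAUDLVL, QMAXSIGN, QPWDMINLEN) and the eight special authorities are real IBM i identifiers; the thresholds, library names, profile names and exit program name are assumptions made up for the example.

```python
"""Toy compliance checker modelling the six review areas described above.

Added example, not PowerTech's tool. Thresholds and the sample snapshot
are constructed for illustration; only the system value names and the
special authority names are real IBM i identifiers.
"""
from collections import Counter

RED, YELLOW, GREEN = "red", "yellow", "green"
SEVERITY = {GREEN: 0, YELLOW: 1, RED: 2}

# The eight special authorities normally reserved for administrators.
SPECIAL_AUTHORITIES = ("*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
                       "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL")

# Constructed snapshot (made-up values) of what a host-side collector might gather.
SAMPLE_SNAPSHOT = {
    "system_values": {"QSECURITY": "30", "QAUDCTL": "*NONE", "QAUDLVL": "*NONE",
                      "QMAXSIGN": "*NOMAX", "QPWDMINLEN": "4"},
    # network interface -> exit programs registered on its exit point(s)
    "exit_points": {"FTP": ["SECLIB/FTPEXIT"], "ODBC": [], "REXEC": []},
    # profile name, default password flag, days since last sign-on, special authorities
    "profiles": [
        {"name": "QSECOFR", "default_pwd": False, "days_idle": 3, "spcaut": SPECIAL_AUTHORITIES},
        {"name": "APPADMIN", "default_pwd": False, "days_idle": 1, "spcaut": ("*ALLOBJ", "*JOBCTL")},
        {"name": "JSMITH", "default_pwd": True, "days_idle": 120, "spcaut": ("*JOBCTL",)},
        {"name": "OPERATOR", "default_pwd": False, "days_idle": 2, "spcaut": ("*JOBCTL", "*SAVSYS")},
    ],
    # application library -> *PUBLIC authority
    "libraries": {"APPLIB": "*CHANGE", "APPDTA": "*USE", "PAYROLL": "*EXCLUDE"},
}


def check_auditing(snap):
    """Auditing: is security auditing switched on and collecting actions?"""
    sv = snap["system_values"]
    if sv.get("QAUDCTL", "*NONE") == "*NONE":
        return RED, ["QAUDCTL is *NONE: no security auditing is active"]
    if sv.get("QAUDLVL", "*NONE") == "*NONE":
        return YELLOW, ["QAUDCTL is on but QAUDLVL is *NONE: no action auditing"]
    return GREEN, []


def check_user_access(snap):
    """User Access: which network interfaces have no exit program watching them?"""
    unmonitored = sorted(i for i, progs in snap["exit_points"].items() if not progs)
    if not unmonitored:
        return GREEN, []
    status = RED if len(unmonitored) == len(snap["exit_points"]) else YELLOW
    return status, [f"no exit program registered for {i}" for i in unmonitored]


def check_user_security(snap, idle_days=90, min_pwd_len=8):
    """User Security: default passwords, stale profiles, weak password length rule."""
    findings = []
    for p in snap["profiles"]:
        if p["default_pwd"]:
            findings.append(f"{p['name']} has a default password")
        if p["days_idle"] > idle_days:
            findings.append(f"{p['name']} unused for {p['days_idle']} days")
    if int(snap["system_values"].get("QPWDMINLEN", "0")) < min_pwd_len:
        findings.append(f"QPWDMINLEN below assumed minimum of {min_pwd_len}")
    if any(p["default_pwd"] for p in snap["profiles"]):
        return RED, findings
    return (YELLOW if findings else GREEN), findings


def check_system_security(snap):
    """System Security: a couple of security-related system values."""
    sv = snap["system_values"]
    findings = []
    if int(sv.get("QSECURITY", "0")) < 40:
        findings.append("QSECURITY below 40: operating system integrity protection not enforced")
    if sv.get("QMAXSIGN") == "*NOMAX":
        findings.append("QMAXSIGN is *NOMAX: unlimited invalid sign-on attempts")
    return (RED if findings else GREEN), findings


def check_public_authority(snap):
    """Public Authority: libraries reachable by *PUBLIC outside the application."""
    worst = GREEN
    findings = []
    for lib, aut in snap["libraries"].items():
        if aut in ("*CHANGE", "*ALL"):
            worst = RED
        elif aut == "*USE" and worst == GREEN:
            worst = YELLOW
        if aut != "*EXCLUDE":
            findings.append(f"{lib} is *PUBLIC {aut}")
    return worst, findings


def check_admin_rights(snap, max_admins=2):
    """Admin Rights: how many profiles hold each special authority?"""
    counts = Counter(a for p in snap["profiles"] for a in p["spcaut"])
    findings = [f"{a}: {counts[a]} profiles" for a in SPECIAL_AUTHORITIES if counts[a] > max_admins]
    return (RED if findings else GREEN), findings


AREAS = {"Auditing": check_auditing, "User Access": check_user_access,
         "User Security": check_user_security, "System Security": check_system_security,
         "Public Authority": check_public_authority, "Admin Rights": check_admin_rights}


def assess(snap):
    """Run every area and roll the worst status up into the Summary rating."""
    report = {name: fn(snap) for name, fn in AREAS.items()}
    overall = max((status for status, _ in report.values()), key=SEVERITY.get)
    return overall, report


if __name__ == "__main__":
    overall, report = assess(SAMPLE_SNAPSHOT)
    print(f"Summary: {overall.upper()}")
    for area, (status, findings) in report.items():
        print(f"  [{status:6}] {area}" + "".join(f"\n            - {f}" for f in findings))
```

Each area returns its own colour plus the observations behind it, so the same structure serves both the executive summary (worst colour wins) and the printable recommendations list.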

If you meet the PC requirements listed above, check out our online sample report or, better yet, have an assessment performed on your own system. Did I mention that it doesn’t cost anything?

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Planning Your Security Project

Posted in Other, Security on June 4th, 2010 by Robin

Hi everyone!

As hard as it is to believe, today is already the last day of school for my two children, Jordan and Sydney.  Another academic year down, and a summer vacation about to begin.  At this point, both kids have no real plan for what the summer will hold, but that isn’t going to stop them racing into their highly anticipated time off!

Their enthusiasm, despite the lack of a solid game plan, started me thinking how many people start a security project with similar gusto, but also without any real direction on where to begin (or end).  Not only can this be expensive, but it is also likely to be an inefficient use of skilled resources, and will lead to frustration and possibly even abandonment of the project as being “too complicated.” As such, I thought I would share one way that I have seen customers successfully embark on such a project.

As with any project, the first step is to establish the project goal or objective.  In a security project, the objective is usually to become secure or to become compliant.  If you are a frequent reader of the PowerTech blog, you will know that these two objectives are not necessarily the same, but are terms that are often used interchangeably.  From there, identify the tasks needed to achieve the objective, and then prioritize and schedule those tasks.

Okay, so back to our IBM i security project.  If this is a new type of initiative for your organization, then determining the tasks, as well as the priority of the tasks, can be a daunting process.  If you have ever spent any time looking at risk management, you know that you want to assign levels of risk based on the likelihood of an event occurring, in conjunction with the cost and effort of mitigating the exposure versus the cost of recovery if the event were to occur.  High risk items should be mitigated first.  Low risk items should be mitigated last, or perhaps not at all if the risk is considered acceptable.

One of the best ways to identify the tasks is with a formal review of your IBM i environment.  PowerTech has two popular offerings to assist with this process:

Security Assessment Tool

We have devised an automated assessment tool that performs a high-level review of six key security-related metrics on IBM i.  The assessment findings are presented instantly to your team via a rich browser-based application, and a comparison is made to common best-practice standards to provide direction on mitigation.  PowerTech provides access to the tool for 7 days, plus a security specialist to help interpret the findings, all at no charge for the first partition.

Security Assessment Service

After using the automated tool, perhaps a “deep dive” review is deemed necessary.  This fee-based offering can be customized to your own business requirements, but is typically a five day engagement involving a security specialist performing a comprehensive review of the IBM i configuration.  The resulting report details a prioritized list of concerns, along with background information on why an item is a concern.

Now that the exposures are known, it is much easier to assign the priority of the remediation tasks and to assign the costs to mitigate them.  Some items, such as network access to data and applications, are among the biggest vulnerabilities we see, but they can also be some of the easier high-risk items to resolve.  Other concerns, such as overly powerful users, might take more planning and manual effort to mitigate.

Beyond the class-leading software solutions that PowerTech is renowned for, we can assist with virtually any task in an IBM i security project.  Our security specialists have experience and expertise in mitigating risk in many areas, including system configuration and applications.

Don’t allow your enthusiasm to be dampened by the lack of a solid game plan.  Starting with an assessment can prevent delaying the start of a project as important as this.  After all, your application data is one of your most valuable business assets.

Drop me a line at robin.tatam@powertech.com for more information, or visit www.powertech.com.

Cheers!

- rt

Visiting The Windy City

Posted in Events, Security on May 27th, 2010 by Robin

It’s already been a fun Spring here at PowerTech, including a visit to a Minnesota Twins baseball game in their new outdoor stadium, and a boat cruise on Lake Minnetonka with the local ISACA chapter. With the return of the weekly “weenie cart” (a fundraiser hot-dog stand run by Help/Systems’ Fun Committee), and temperatures up in the 90s, we are barreling towards Summer like no tomorrow!

It actually has seemed like a short week for me, as I headed out on the road again. This time, I am paying my first visit to the SEQUEL office in Schaumburg, Illinois, a suburb of Chicago, to conduct my next security workshop. I am really having fun with these events, and I love spending time with security officers and administrators anxious to learn more about securing an IBM i server platform. We are discussing future locations for our next workshop and it seems that Dallas, Texas, is currently at the top of the list—probably sometime later in the summer. I believe this workshop is one of the best ways to get a half-day of IBM i security education, so let us know if you would like to see your city on the list.

This morning, I am paying a visit to a Chicago-based customer to discuss their security projects, and then flying the short hop back to Minneapolis after lunch.

Back in the office, the team is putting the final touches to the June edition of our electronic newsletter, PowerNews. If you are not currently receiving it, be sure to sign up at www.powertech.com. In addition, I wanted to share with you that development is now underway on the next release of Compliance Monitor, and I got an exciting sneak peek before leaving on Tuesday. Having been a developer for part of my career, I know things don’t happen overnight, but I am excited to see how this project is shaping up.

For those of you reading this in the U.S., have a safe and enjoyable Memorial Day holiday weekend. For those of you overseas, this is a day where we commemorate the men and women who have made the ultimate sacrifice for their country. I am excited to be spending part of the upcoming weekend visiting my host family from my time as a foreign exchange student “several” years ago in Bellevue, Iowa. I can’t wait to see them as it has been five years since my last visit—way too long!

Cheers!

- rt

Behind a PowerTech Network Security Release: Jill Martin

Posted in Other, Security on May 18th, 2010 by Robin

Hot on the heels of the Network Security 6.0 release, I sat down with Jill Martin to discuss events leading up to the launch.

Hi Jill! Thanks for giving me some time this morning to talk about NS 6. Webinar attendees probably know you well, but why don’t you give us a quick introduction?

Sure! My name is Jill Martin and I am the PowerTech Product Support Manager. I have been with Help/Systems for about twelve years and have worked in a number of capacities, including product trainer, sales representative, and most recently as part of the PowerTech team.

So, tell me what responsibilities you have as Product Support Manager?

As manager of the technical support staff, one of my main roles is overseeing the support you receive if you ever call in to PowerTech. I also worked closely with the development team over the last couple of months to prepare for the release of Network Security version 6.0.

So what is the big “hook” with Network Security version 6?

A couple of things really. First, we added the ability to set rules based on an object. What I mean by that is that we have created the incredibly powerful capability to be able to set rules that pertain to an object. This means it’s now possible to restrict and audit access to an object regardless of the syntax of the incoming request. In SQL for example, Select fld1, fld2 from myfile was previously seen as a different request than select fld1 from myfile. As humans, we could look at that and know it was pulling the same data, but the server couldn’t. This capability adds to the powerful transaction-based rules that Network Security has long been admired for.

We also have added a new selective activation process, so customers can decide which exit points are secured. This allows a staged approach to integrate Network Security into the operating system, something that is often important in large IT shops.

In addition, we have done a lot of infrastructure changes to ensure that the product works efficiently, and that the user interface is more intuitive. Some of these changes won’t really be seen directly by customers, but they are an important part of planning for future enhancements that we are designing.

Did we have dedicated programmers working on this product?

On a project of this size, we assign a lead developer who oversees the development aspect of the project. Obviously that is someone who is intimately familiar with the PowerTech Network Security solution. We also have other developers that are familiar with security solutions and have additional resources who are assigned “as needed,” based on the tasks identified in the project plan. Of course, these folks all report through the development chain to a manager who is responsible for product design and coding.

So how do you test a pending product release?

All Help/Systems products go through a stringent testing process that includes unit testing, integration testing, systems testing, and acceptance testing. We have a number of dedicated testers—people whose sole job is to test new development projects. They build a test plan and divide up the different sections between themselves. There is also a support person involved because they know what customers want and how they use the software. Gregg Bury was the support person, and he spent some time reviewing the functionality and the usability of the interface, and making recommendations on improvement.

So what things did the testers look at?

They tested the changes and did regression testing to the core product to review every panel and function to identify whether there were any outstanding issues from prior releases. They also did performance and stress testing using scripts.

Did they test at every release level?

Absolutely, they tested at every release that we support—currently V5R4, V6R1, and V7R1.

Presumably as the testers locate issues, they prioritize them?

They do; they rank items using a priority scheme and those with a priority 1 or 2 are the things that were addressed first.

As far as making the code available to customers, how is that done?

Well, the download page has already been updated to show the new level of the code. As far as getting the code onto a customer’s machine, that is one of the changes between the last release of 5.3 and the current release of 6.0. In 5.3, we had a save file that was downloaded to a PC and then manually extracted, sent to the server, and installed from there. With version 6.0, we have a self-extracting installer. It uploads and installs the code on the server, and performs the cleanup, leaving only the administration guide on the user’s PC.

Does the customer have to know anything about their configuration to perform that install?

Yes, they need to sign on with a user profile that has the necessary authority to perform an upload and a restoration of the application. The Installation Guide walks them through the necessary requirements and steps.

So there is a new Administration Guide?

Yes, there is.

Where can existing customers find it?

They can go to the support area of the PowerTech website, under the “customer login” link in the top navigation bar. The documentation is all listed at the top of the product download page. If someone doesn’t remember their support log-in, they can contact support at support@powertech.com.

Did we do a BETA program?

Well, typically Help/Systems does more of a managed release or limited ship. We do not like to give a product to customers until we feel we are on top of the release. In this case, we had a few customers who offered to help because they needed one or more of the new features. So, we had a few people using the product and giving us feedback.

How do existing v5.x customers upgrade to Network Security version 6?

The product installs into a new library, which allows the system to remain protected during the installation process. There is a command to merge rules into Network Security version 6, and the activation process allows the redirection of the exit programs to the new version in the new library.

What do the developers do after a product is released?

First they celebrate! Then they go through a number of post-project processes. There is a documentation review to analyze our methodologies and to make any necessary improvements going forward. After that, they begin to look at the next project and the development manager re-deploys the development resources based on the next project plan. The good news/bad news with working for a company as creative as Help/Systems is that we never rest. In fact, there are already requirement lists for Network Security 7.0 that we are looking at.

Where can customers learn more about Network Security 6.0?

There is a “new features” document that is a great place to start. It shows what’s new, and what’s changed. For example, the authorization lists that we use to define the capabilities of the administrators have changed names. A customer will want to review who has access to the product—the documentation discusses all of that.

We are planning to do a “What’s New” Webinar in the coming weeks to talk about the new features in Network Security 6.0. Our Web-based Network Security training class will be based on version 6.0 later this year.

What about support of the new product version?

The support staff have all been trained on the new version and have been working with the software on our internal systems, as well as with the “early-ship” customers. Our international staff have also been working with the new version.

Any closing thoughts?

Just that we are very excited to have this new Network Security release now shipping. And, I’m looking forward to building the feature list for the next release.

So there you have it—an introduction to a PowerTech product release. If you have any extra questions for Jill, please send them to jill.martin@powertech.com.

Cheers!

- rt

Now Shipping: Network Security Version 6

Posted in Company News, Other, Security on May 12th, 2010 by Robin

Although it is normally nice to return home after a stint of living out of a suitcase, it was definitely a shame to leave the sun and surf of Orlando. There must be something about someone who lives in a “cooler” part of the world heading to warmer climates, as last week literally flew by. Today is rainy and cold in Minneapolis, and I am already aching to hop the quick three-hour flight back down to the sandy beaches. (Not that I spent any time there during the conference, of course!)

In all seriousness, the COMMON annual meeting was a great success for us. Three days of exposure at the expo talking to existing customers about their successes, as well as new faces that are learning how PowerTech can bring so much value to IBM i security projects.

While it seems a few of the attendees were unaware that PowerTech is a member of the Help/Systems family until they saw the joint booth and marquee, the number of people that walked by and indicated that they were already running tools from either one or both sides of the house was very impressive. Of course, we are not resting on our laurels: Today marks the official release of version 6 of Network Security, our leading exit point solution. While talking to expo attendees, it was also fun to discover when they were running just one of the PowerTech tools and to introduce them to another one of the modules.

I also enjoyed presenting three educational sessions on security topics to COMMON attendees:

  • 7 Habits of Highly Secure Organizations
  • State of IBM i Security Study 2010
  • How To Prevent a Data Leak on IBM i

There were over 1000 attendees at this year’s event; up significantly from last year’s event in Reno, Nevada. As an exhibitor, this was quite noticeable from the foot traffic passing through the expo. Next year’s event in Minneapolis, MN will (hopefully) provide IBM with a great opportunity to represent the platform with resources from Rochester, MN. All of the Help/Systems companies will have a strong presence there, as always.

As I mentioned, Network Security’s new release began shipping this week. To celebrate, I will try to scoop an interview with Jill Martin, PowerTech’s product support manager, to tell us a little about the process of getting a product release out of the door, as well as some of the background on what is new and improved. Watch for that next week…

Last but not least, congratulations to Chris Smith of Wells Fargo, lucky winner of our Windows 7 Netbook giveaway last week.

Cheers!

- rt