Injecting the i into Cybersecurity
COMMON, the worldwide Power Systems user group, just wrapped up their 2019 spring conference in Anaheim. If you weren't able to make it to the event—or if you missed security expert and IBM Champion Robin Tatam's special session at the IBM booth—keep reading for a fresh take on cybersecurity for the IBM i operating system.
Sometimes a message is so important and yet so ignored that you feel compelled to find a new way to deliver that message. For almost 20 years, a team of platform aficionados has been publishing a report on the state of security for our beloved IBM i platform and yet we still sleep under a blanket of blissful ignorance when it comes to adequately inoculating it from the ever-growing threat of a cyberattack.
My name’s Robin Tatam and I’m an SME for COMMON in the area of security, and I am also a certified Information Security Manager and platform veteran of almost 30 years. It’s my pleasure to be invited to the IBM stage to talk to you this this evening about a topic I’ve named “Injecting the i into Security.”
Normally my presentations are training-oriented with a seemingly never-ending parade of slides to back me up, akin to the near 400 sessions you’ll find here at COMMON. Like many people, my truth is that I’m not a fan of most PowerPoint presentations. I cringe when I see fly-in animations for text or hear the sound effect of a spectacular car crash as the slides change—although that’s possibly the sound I’ll have to contend with at the conclusion of this talk.
Crafting a minimalist presentation can be especially tough for a speaker facing a technical audience, but I sometimes get to bask in the challenge and enjoy studying different styles from true masters of presentation delivery, such as Apple’s Steve Jobs. Splattering a slide with enough bulleted verbiage to fill an entire chapter of a technical manual tends to misdirect the listeners' focus away from the speaker and does little to assist with fact retention. Rather, I see value in cultivating slides that brighten the room rather than distract; to do nothing more than subconsciously uphold the theme of the message that I’m sharing with my audience—think of them as virtualized decorative plants in the corner, if you will.
I do have notes in hand today to help keep me on track with my message and the schedule, but I’m going to present without the safety net of PowerPoint. So why would I do that to myself?! It’s actually the foundation of a pleasant day dream that I have that the idea I’m sharing with my audience is so critically profound that everyone listening will be fully engaged with ME; more mesmerized by the actual message than by the Jackson Pollack of fonts peering ominously from behind my head and shoulders.
I’d like to start by sharing a number with you: One Hundred and Sixty-Eight. To the Chinese, the number 168 is believed to be lucky because the sentence that it sounds like in Cantonese means “one path to prosperity.” To me, the number 168 is motivating but far less lucky. Does anyone have an idea of what 168 signifies to IBM i? Well, according to the 2019 edition of the State of IBM i Security Study, it’s the average number of profiles on each server carrying the power of All Object special authority. For those that may be unfamiliar, *ALLOBJ can be translated to “one path to permission.” It’s a global user authority that permits access to any and all objects on the server; without hesitation and without reservation. And to have an average of 168 of them on each partition is A LOT!
One of my responsibilities at HelpSystems includes knowing that number. And while the number has changed in each of the 16 years that HelpSystems has published it in study, it usually changes by very little, meaning that this is a pervasive problem. And it’s far from the only pervasive problem. Security exposures on an IBM i server tend not to be the result of a gargantuan design error on the part of IBM. Rather they tend to be the result of years—even decades—of technical neglect.
Let me be crystal clear: What I am saying is that the server is not vulnerable due to some undocumented breakdown of the operating system. And I’m not saying that simply because I’m an IBM Champion or because I’m standing atop IBM’s stage. What I am suggesting is that most of us don’t have the controls correctly configured. Sure, I agree that the OS ships with a few questionable defaults and it could be argued that this was the genesis of our problems. But it’s far from being even a good excuse.
That software vendor that sold us our ERP or distribution application in 1997 didn’t really help matters by not configuring security on their objects—or worse, telling us that the users needed to be overly-powerful to avoid any influx of authority-related support tickets. Sure, there is outside culpability to be shared here but we must also acknowledge that we’ve never seriously tackled a resolution. Some people prefer to remain uninformed, hiding behind the veil of plausible deniability, Others believe there is no risk because the server is inside the firewall or users are not technically adept. Some simply felt that our security hands were tied by forces beyond our control. To be frank, we simply haven’t owned it. And until we do, we won’t push back against the finger pointing and, most likely, we won’t be very secure.
Is Cybersecurity a Lost Cause?
Pick up any virtual "newspaper" on any day of any year and you’ll likely find stories related to hackers, malware attacks, and data breaches. Bear in mind that frequency has desensitized us so that only ground-breaking breaches hit the front page and for every record-setting event there are thousands of others that don’t even make the back page. You’ll also occasionally read about global organizations being dragged through the regulatory coals due to a breach that they’ve unwillingly—or unwittingly—endured. This list now reads as a veritable “Who’s Who,” so you could be forgiven for a momentary lapse in good sense, falling victim to the dangerous thinking that it’s already a lost cause.
I mean, if Experian and Sony and Home Depot can go down in cyber-flames despite massive cybersecurity budgets, what chance does the average small- to mid-sized organization have? Even my Grandma knows that cybersecurity threats are growing exponentially. And the number of skilled resources trained to battle them are also growing, but at a much slower rate. We really can’t control the increase in threats, and we can’t quickly access additional, qualified people, so it’s imperative that we are creative with the resources currently at our disposal to ensure that they become more efficient and more effective.
Industry surveys—and plain commonsense—inform us that security is now more important than ever before. I want today to be the day that we no longer exclude IBM i from those realizations. I’m up here to shine a spotlight on the fact that we must STOP being dismissive of the risk facing IBM i and we must STOP being over-confident in the data protection afforded by outdated security methodologies. Believing we are safe behind the firewall and not connected directly to the internet is not going to save us. Believing that our data is of no interest to bad actors is not going to save us. Relying on green-screen menus is not going to save us. And thinking our own users won’t accidentally mess up, or try to cheat, is not going to save us either. No, the only thing that is going to save us is owning it.
Moving Forward Begins with a Simple Step
The road to security redemption can be a long and winding one but starts with one simple step forward: reviewing the server’s configuration. Part of that should involve reaching out to our software providers to ensure that their application aligns with security best practices and that, in turn, we have correctly implemented them. And when we discover along the way that we mostly likely need to spend money to take corrective action then don’t be afraid to propose that requirement to management.
Speaking of management, my job often entails discussing security with differing levels of staff, ranging from operators to programmers to the CIO and even CEO. In those discussions, I’ve never heard anyone state that they’re seeking a scapegoat for configurations that were outdated perhaps historically invalid. Instead of fearing blame and retribution, your professional worth to the organization will be far greater if you clearly understand what the risks are and what the remediation steps—and cost—may be. And then openly sharing that information with your stakeholders in a professional and timely manner.
You may ultimately be denied a budget request but assuming and withholding insight and knowledge in turn denies your leadership the opportunity to make fully informed business decisions, and that makes you partially responsible for the outcome. If the leadership chooses to deliberately ignore or excessively delay the appropriate response, you can sleep well knowing that you have taken your responsibility seriously. And perhaps take your skills and transition to a company who genuinely cares about protecting its digital assets.
Perhaps you’re not in a position to make budgetary requests. But you ARE an integral part of the IBM i community and that gives you an unwritten responsibility to apply your unique knowledge of this amazing platform to ensure that your team has considered all of the controls that are at their disposal. From there it’s a matter of correctly deploying and configuring the ones deemed necessary to ensure the integrity and the protection of the applications and data.
If you feel that you don’t currently possess the prerequisite knowledge, then you’re at the entry gates of the perfect event to start this career enhancing journey. There are many security sessions at COMMON that’ll introduce you to the need for and the appropriate response to the ever ever-growing and ever-evolving cybersecurity threat. We hosted a security panel earlier this afternoon which I enjoyed immensely but there are many more security-centric sessions available for you to attend. Networking with experts and your peers is another fabulous benefit of events such as PowerUp. And online resources such as articles, books, blogs, and webinars are also readily available that can give you a thorough introduction to the topic.
IBM’s server technology is amazing! I know it and I‘m pretty sure that you know it. Our future may be in advanced machine learning and AI; however, for now, technology does exactly what technology is told. The Power hardware, firmware, and IBM i operating system are incredibly robust, but everything can be lost in an instant if the wrong settings are applied. In fact, the only publicly documented case of a data breach involving an “AS/400” came as a result of administrator credentials discovered in plain view inside of a configuration file on a breached internet web server. Is that a failing of the breached IBM i? Of course not! But until we become part of the solution instead of part of the problem then these things are likely to continue.
We need to open our minds to the rewards and the risks of no longer tethering our system through simple, point-to-point cabling technologies like twinax. We’re no longer connecting exclusively with dumb terminals that present data in a single, proprietary format. That world vanished back in the 1990s after the introduction of TCP-based connectivity. But the mindset about securing our information apparently remains difficult for us to change. Last year, I saw more than a half-dozen systems with a minimum password length of 1. Most people laugh uncomfortably when I share such frightening examples of ridiculous misconfiguration, partly because we know we’re often not much better. But we can be!
It's Time for a Change
I love seeing the growing number of “Fresh Faces” of IBM i but it’s undeniable that the majority of our community is maturing. Those of us who can be described this way tend to want to stick to what we see as our prime years but it’s imperative that we catch our thinking up with the current decade. It’s no longer 1992 and yet we continue to secure with the technological equivalent of leg warmers and compact discs. This is now a FULLY interconnected world and our server is likely only a few hops away from highly-skilled, highly-funded attackers from Russia, North Korea, or China; or a frustrated or careless user in our head office in Dayton, Ohio. The time has come to acknowledge that the traditional controls of menus and even command line obscurity don’t fully protect the database. Certainly not from users that are not officially sanctioned. And while object-level security—were we to actually implement it—has proven to be a robust, final layer of defense, it is unable to differentiate between users who leverage their credentials across different access methods.
While I am tall, dark and shrouded in mystery, I’m not the Grim Reaper! I wish today is that you leave feeling motivated to DO something. My intent is to convey this as a message that is fueled by years of personal enlightenment of what can be achieved. Make 2019 the year that we eliminate complacency from our ranks and begin repairing the corners that we’ve so deeply and negligently cut for decades. Set a path that benefits from all of the operating system functionality and enablement technologies that have been gifted to us over the years: field procedures for seamless encryption, exit points for network access control, RCAC for field-level security and masking, and Authority Collection to eliminate the guesswork when implementing object security, to mention just a few.
Don’t expect to resolve everything overnight. There are likely to be small steps that can be taken immediately that will have a very real impact on lowering risk. Other initiatives may be more long-term goals, but strategically planning for better security is a project that’s worth embracing, ideally with the assistance of people that have done it before. And those people DO exist—in fact, a number of them are here with us this week in Anaheim.
So there you have it. YOU now get to choose if you wish to ignore or act on this information, but I implore you to use this event as a springboard to knowledge and better preparedness.
Either way, Leave the conference knowing that it’s time for our valued community to wake up and smell the *PUBLIC authority settings. Because they’re probably still wide open!
Thank you for your time, I’m Robin Tatam.