The following scenario is a representation of a typical audit review. Unfortunately, the problems discussed here are commonly reported by auditors. Don’t get caught with these top 10 audit issues! The system referenced below is a composite average based on some of the typical findings from PowerTech’s iSeries Security Study 2005. (Download the PowerTech iSeries Security Study for more on audit issues.)
During the Information Systems Security Audit of the XYZ AS/400s, I observed systems that appeared to be primarily managed by and for the technical staff. Judging by the capabilities in the user profiles, securing the systems has never been a priority. This situation is typical where the technical staff has had problems keeping the application systems up and running, and kept in a fire-fighting mode of operation. I do not know that this is the case at XYZ, but it could account for the poor security implementation. During the rush of application development, it is common to brush aside security issues in the interest of writing, testing and debugging application programs.
In short, the AS/400s at XYZ cannot be considered as secure.
It is axiomatic to say that good security is like an onion. Layered security provides the best protection because it does not rely solely on the integrity of any one element. Multiple layers of security end up costing a potential outside intruder time and dollars, as they must do battle with and defeat successive layers of barriers. In the real world, multiple layers of security often cause an attacker to get bored, frustrated, or to simply run out of time before an actual penetration can occur. In the case of this AS/400, there appear to be only two layers of security for an outside attacker, and none for an inside attacker.
In the case of an outside attacker, the attacker must first breach the firewall, or some unguarded piece of communications equipment (such as an internal PC with a modem), and then acquire a valid profile/password combination to the AS/400. At XYZ, acquiring a profile/password combination is painfully easy, so you are currently relying only on your firewall. The AS/400 profile/password fix is quick and easy, and outlined in this document.
70% of all data breaches occur from inside the firewall! An inside attacker would face almost no impediment because by definition they would already have access to either the network, or the AS/400, or more likely both. On this AS/400, several user profiles could be used to sustain a productive attack against virtually all of the system’s data and programs. The sole method of security appears to be user profile and password based, with a few users also subject to the restrictions that a 'Menu Security' system can enforce. Users with access to such ubiquitous tools as FTP, IBM’s Client Access, or tools using the Microsoft ODBC standard, are not regulated or even monitored. Because of the broad reliance on menu security, and the abdication of object authority rules, network access to this AS/400 is open and unfettered.
This executive summary contains what is deemed to be the eleven most pressing concerns on this typical AS/400.
The security concerns and auditor findings listed below reflect the results of a typical audit review. For each of the security concerns listed, the applicable PowerTech recommended report(s) are also provided here for easy reference:
Users with Special Authorities
There are 30 user profiles (not counting the default IBM supplied “Q” user profiles) that carry *ALLOBJ special authority. There is no way to secure a system against a user who has *ALLOBJ special authority. Access to *ALLOBJ special authority should therefore be restricted to a select few IT staff members.
Users with Default Passwords
There are 20 user profiles (including some IBM supplied profiles) in which the password for the user exactly matches the profile name. So, for example, you can sign on to the production AS/400 system as QUSER with a password of QUSER and have access to data and programs.
Network Security Exit Programs
Data access tools such as ODBC and FTP provide direct access to the data without respect to the controls that are built into the menu system. Using the excess authorities outlined in items one (above) and four (below), every member of the OBJOWNR group profiles (the object-owning profiles of business applications like Infinium, JDE, etc.) will have complete access to all of the data in their respective applications. The applications are relying solely on their “Menu Security” systems to keep users from viewing, changing or deleting data. This restriction is inadequate on a modern AS/400 because of the proliferation of client based data access tools that will provide users with unfettered access to AS/400 application data. Users should be restricted to using only sanctioned data access methods such as the menus by deploying exit programs that control a user's access to the system.
Library Object Authority Information
End users have far too much authority to application data because all of the end users belong to the OBJOWNR group profile that owns the data (thus conveying to every end user “ownership” authority). The practice of having the Application Object Owning Profile set as the same profile as the end user's Group Profile is common among software application vendors (Infinium, JDE, etc.), but it places data at tremendous risk of data loss, theft, or damage from end users. It is not reasonable to assume that all of the users will only access AS/400 resources through the traditional application menu.
Security Related System Values
QSECURITY = '30' provides object level authority, but leaves several well-known security holes in the OS/400 operating system. OS/400 needs to be at QSECURITY level 40 (at least) in order for OS/400 object authority to truly work. This alone makes this an insecure system.
Security Related System Values
The system value QCRTAUT is set to *CHANGE, and the library parameter CRTAUT is set to *SYSVAL. The combination of these values conspires to make *PUBLIC authorized to change every new object created on this AS/400. Of even greater concern, *PUBLIC has *CHANGE or higher authority to most libraries. Users with access to the system using tools such as FTP or Windows Network Neighborhood could delete portions of these libraries, or even the entire libraries.
Job Descriptions that Specify a User Profile (Main Menu option 13)
At QSECURITY level 30, an end user needs only *USE authority to an OS/400 Job Description in order to assume the identity of the user profile that is named in the Job Description. This AS/400 has dozens of job descriptions that have a powerful user profile named in them. Many provide *ALLOBJ special authority. At QSECURITY level 30, any valid user (*PUBLIC) has opportunities to assume the authority of a profile that has *ALLOBJ special authority.
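The three findings above (QSECURITY below 40, *PUBLIC *CHANGE inherited through CRTAUT(*SYSVAL) from QCRTAUT, and job descriptions that hand out a named profile at level 30) can be checked mechanically once the values have been collected from the system. The following is an added example, not code from PowerTech or the study; the system values, libraries and job descriptions are constructed sample records, and the profile name SECADMIN is a placeholder.

```python
# Added example: encode the audit logic for QSECURITY, QCRTAUT/CRTAUT and
# job descriptions over constructed sample data (not PowerTech's code).

# Ordering of OS/400 object authority levels used by *PUBLIC comparisons.
AUTH_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


def effective_crtaut(library_crtaut, qcrtaut):
    """Authority a new object in the library gives *PUBLIC: a library
    CRTAUT of *SYSVAL defers to the QCRTAUT system value."""
    value = qcrtaut if library_crtaut == "*SYSVAL" else library_crtaut
    if value not in AUTH_RANK:
        raise ValueError(f"unknown authority value {value!r}")
    return value


def jobd_exposes_profile(qsecurity, jobd):
    """At QSECURITY 30, *USE on a job description that names a user profile
    is enough to run under that profile. At 40 and above, *USE on the
    profile itself is also required, so the JOBD alone is not a path."""
    names_user = jobd["user"] != "*RQD"          # *RQD: user supplied at submit time
    public_can_use = AUTH_RANK[jobd["public_aut"]] >= AUTH_RANK["*USE"]
    return int(qsecurity) < 40 and names_user and public_can_use


def audit(system_values, libraries, jobds):
    """Return the list of findings for the collected values."""
    findings = []
    if int(system_values["QSECURITY"]) < 40:
        findings.append("QSECURITY below 40")
    for lib in libraries:
        eff = effective_crtaut(lib["crtaut"], system_values["QCRTAUT"])
        if AUTH_RANK[eff] >= AUTH_RANK["*CHANGE"]:
            findings.append(f"{lib['name']}: new objects give *PUBLIC {eff}")
    for jobd in jobds:
        if jobd_exposes_profile(system_values["QSECURITY"], jobd):
            findings.append(f"{jobd['name']}: *PUBLIC can run as {jobd['user']}")
    return findings


# Constructed sample records mirroring the findings described in the text.
SAMPLE_SYSVALS = {"QSECURITY": "30", "QCRTAUT": "*CHANGE"}
SAMPLE_LIBS = [{"name": "XYZSYS", "crtaut": "*SYSVAL"},
               {"name": "PAYROLL", "crtaut": "*EXCLUDE"}]
SAMPLE_JOBDS = [{"name": "NIGHTLY", "user": "SECADMIN", "public_aut": "*USE"},
                {"name": "USERJOB", "user": "*RQD", "public_aut": "*USE"}]

if __name__ == "__main__":
    for line in audit(SAMPLE_SYSVALS, SAMPLE_LIBS, SAMPLE_JOBDS):
        print(line)
```

Re-running `audit` with QSECURITY set to "40" drops the job description finding, which is exactly why the text calls for level 40 before object authority can be relied upon.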
Security Related System Values, QAUDCTL
The Security Audit journal (QAUDJRN) was not active when I arrived at XYZ. The Security Audit journal plays a critical role in documenting security related events, but since XYZ was not auditing events, I did not have access to any historical security data. It is the best source of accurate, unimpeachable history on the AS/400. Turning the Security Audit journal on would provide invaluable information should you ever experience a negative security event.
The high level system library XYZSYS allows any user to add new objects to the library. Since XYZSYS is ahead of the IBM system library QSYS in the library list of each job, this provides an easy means to insert a Trojan Horse in the XYZSYS library.
In order to maintain a reliable software system, change must be vigorously controlled. In the absence of an automated change control system, software patches are applied haphazardly and degrade the reliability of the system. At XYZ, an automated software change control system should be implemented to help ensure the reliability and stability of the applications.