The 2013 findings show that IBM i user provisioning is a significant source of vulnerability, with averages that include:
- 79 users had default passwords -- 50 percent of which are enabled for use
- 197 enabled users had command line permissions
- 31 servers didn’t require users to change passwords
- 9 servers permitted an unlimited number of sign-on attempts
“Every year I expect the results to improve,” notes Robin Tatam, PowerTech director of Security Technologies and the study’s author. “But 10 years after the first release, we are still finding vulnerabilities from poor profile management and little to no IBM i network security.”
In addition to IBM i user provisioning errors, the study also found that 79 percent of servers don’t monitor network access, which means that anyone with an enabled user profile can directly access business-critical data via interfaces such as FTP and ODBC without authorization.
The 2013 findings were compiled from over 100 Compliance Assessment audits on IBM i servers of varying sizes and across multiple industries, including financial, retail, and manufacturing.
“It’s critical to recognize that security for the server does not come preconfigured,” Tatam says. “IBM i remains one of the most securable platforms, but this ‘load-and-go’ perception puts organizations at risk for data loss, fraud, or worse.”
Tatam emphasized that the weaknesses identified in the study can -- and should be -- corrected with proper configuration settings, administration, and an IBM i security policy.
"Most IT security people spend their time worrying about the latest 'zero day' and other obscure vulnerabilities, but hackers are more pragmatic, taking the low-hanging fruit, which they can harvest with an army of script robots," notes Mel Beckman, POWER IT Pro technical director and security expert.
"Default passwords are the simplest way for hackers to gain access, followed by brute-force attacks using lists of popular user IDs and passwords. The third most popular successful hacker avenue is social engineering: just calling a user up and asking for a user ID and password while posing as a technical support rep. If IT folks would just spend ten percent of their energy on these common exploits, they would make penetrations much less likely," he adds.