SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - March 26, 2014 - The Threat - Invisible Data Theft on IBM i

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i March 26, 2014 - Vol 4, Issue 5

	Feature Article The Threat - Invisible Data Theft on IBM i By Dan Riehl - SecureMyi.com How many times has your most sensitive data file been downloaded today? For most of us, the honest answer is "I Don't Know". That's Exactly Right! How could you possibly know? Our great IBM i (iSeries and AS/400) has long been considered a security strongbox—a hacker's worst nightmare. Some even consider it to be unhackable. This gross misconception has caused some of us to become complacent in our due diligence related to the security and integrity of our systems and sensitive data. But IBM i security cannot rely upon it's perceived obscurity as sufficient protection in a world of potentially malicious insiders and highly trained and well-financed cyber criminals. According to the Open Security Foundation Data Loss Database, since 2013, almost a billion people have had their personal or credit card information hacked, stolen, lost, or misplaced. Hundreds of high profile computer-related data thefts occur every year; often numerous occurrences per day. To view those of public record, you can visit the OSF's Data Loss Database. According to their Data Loss Database's published list of compromised companies, we can tell that some of these major incidents are occurring at IBM i shops, both large and small. Securing the data on the IBM i is made especially difficult by our ubiquitous tools(e.g. FTP, ODBC, DDM) that access our data but leave no footprints. How can you reasonably expect to protect the sensitive information in your care when it can be accessed without your knowledge? Invisible Data Access Methods When a thief steals your car, you know it. But how can you know when someone has stolen a sensitive database file? The file is still there and there are no traces of any access to the file. But, that doesn't prove that the file hasn't been breached or stolen. IBM ships the IBM i with a variety of data access tools, many of which access data invisibly. We often add third-party data query tools, and we even write our own data access methods using socket programs and the database APIs. Although non-IBM data access tools might reside on your systems, I want to focus this article on the built-in IBM-supplied tools that access data, and do not leave a trace of the activity. If I download a database file using FTP or the IBM i Access for Windows file transfer facility, there's no built-in audit trail of that activity. There is no FTP log for the FTP server and no logging or history of IBM i Access for Windows file transfers. These file transfers are invisible, even to the system administrator. If I use one of these common tools to download an employee personnel file, a payroll file, a customer file, or any other file to my PC, you can't know it. Neither the IBM FTP server nor the IBM-supplied file transfer facility makes or keeps a record of that activity. What about using ODBC applications, Distributed Data Management (DDM), and other data access methods shipped as part of IBM i? All data movement using these services is invisible. *Read More*
In This Issue Featured Article - Invisible Data Theft Security Shorts - Save Spooled Files Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor PowerTech Skyview Partners, Inc Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources IBM i Security Videos - SecureMyi SecureMyi Newsletter Archives Search Security for IBM i IBM i Security Ref - 6.1 IBM i Security Ref - 7.1 QAUDJRN Entries By AUDLVL QAUDJRN Entry Layouts RedBook - Security Guide IBM i OSF - DataLoss DB PCI Data Security Standard COBIT - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification

Live Security Related Webcasts and Training for IBM i March Events Five Things Your Security Administrator Should Tell You Live Webcast - Presented by Powertech Wednesday, March 26 1:00pm CT More Information and Register to Attend Automatic Encryption with FIELDPROC Live Webcast - Presented by Townsend Security Wednesday, March 26 1:00pm CT More Information and Register to Attend April Events Coffee with Carol: Cloud Security Review with Carol Woodbury Live Webcast - Presented by Skyview Partners Wednesday, April 2 10:00am CDT More Information and Register to Attend Live Hands-On - Expanded Security Workshop for IBM i with Dan Riehl Training Workshop - April 8-11 Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend May Events May 4-7 - COMMON - A User Group 2014 Annual Conference and Exposition - Orlando, FL More Information and Register to Attend Coffee with Carol: with Carol Woodbury Security Considerations for Application Development including PCI Requirements Live Webcast - Presented by Skyview Partners Wednesday, May 14 10:00am CDT More Information and Register to Attend June Events Live Hands-On - IBM i System Administration and Control Workshop with Dan Riehl Training Workshop - June 2-6 Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend
Security Shorts - Get a Full Backup of your Spooled Files By Dan Riehl Even when you use the SAVE Menu option to "Save the Entire System", your Spooled Files are NOT saved. None of the bulk SAVE operations on the IBM supplied SAVE menu will save your spooled files. If you need to restore your system, or a specific spooled file, you are "toast" if all you use is the SAVE menu option. Since V5R4 we have had the capability to save the spooled file reports residing in our output queues. Prior to V5R4, when you saved an output queue, or saved a library containing output queues, only the output queue object itself was saved, not the contents(the spooled file reports) in the output queue. Since the V5R4 upgrade, many of us have not updated our backup routines to take advantage of this new support. Instead, when we save a library or an output queue, we still only save the output queue object, but not the spooled files contained in the output queue. The following command saves all objects in the PRODLIB library, including all the spooled files in all the output queues that reside in the library: *SAVLIB LIB(PRODLIB) DEV(TAP01) SPLFDTA(ALL)** When you do a SAVLIB(Save Library) or SAVOBJ(Save Object) command, you must specify SPLFDTA(ALL) in order to save the spooled files in the saved output queues. The parameter SPLFDTA(ALL) is the key to saving the spooled files. I encourage you to update your backup routines to begin saving your spooled files. But, perhaps you are using the IBM supplied SAVE menu to perform your backups, and not a home grown backup program. Or perhaps your vendor supplied backup software does not give you the option to save your spooled files. If that is the case, then here is a simple solution. Below is the source code for a Control Language program you can use that will save all of the output queues on your system and will save all of the spooled files in those output queues. This would be a nice program to add to your weekly backup routine. Note: In this program you must replace 'TAP02' with the name of your backup device. PGM /* Save Spooled Files / DCL VAR(&MSGID) TYPE(CHAR) LEN(7) DCL VAR(&MSGF) TYPE(CHAR) LEN(10) DCL VAR(&MSGFLIB) TYPE(CHAR) LEN(10) DCL VAR(&MSGDTA) TYPE(CHAR) LEN(100) DCLF FILE(QADSPOBJ) MONMSG MSGID(CPF0000) EXEC(GOTO ERROR) DSPOBJD OBJ(ALL/ALL) OBJTYPE(OUTQ) + OUTPUT(OUTFILE) OUTFILE(QTEMP/QADSPOBJ) OVRDBF FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ) LOOP: RCVF MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(ENDIT)) SAVOBJ OBJ(&ODOBNM) LIB(&ODLBNM) DEV(TAP02) + OBJTYPE(OUTQ) SPLFDTA(ALL) GOTO LOOP ENDIT: RETURN ERROR: RCVMSG MSGTYPE(LAST) MSGDTA(&MSGDTA) MSGID(&MSGID) + MSGF(&MSGF) SNDMSGFLIB(&MSGFLIB) MONMSG CPF0000 /* Just in case / SNDPGMMSG MSGID(&msgid) MSGF(&msgflib/&msgf) MSGDTA(&msgdta) + MSGTYPE(ESCAPE) MONMSG CPF0000 /* Just in case */ ENDPGM When it comes time to recover a deleted spooled file, or an entire output queue, you can use the command RSTOBJ(Restore Object) to restore the saved output queue, including the spooled files.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert IBM i Security Consulting IT Security and Compliance Group. LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops Intro RPG IV Programming Intro RPG/400 Programming IBM i COBOL Programming Interactive Programming Workshops Introduction to System Operations Expanded System Operations Workshop System Administration and Control Expanded Security Workshop Control Language Programming IBM i Concepts and Facilities Concepts & Control Language Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017