SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - November 14, 2012 - The World's Easiest IBM i Heist?

Tweet
November 14, 2012 - Vol 2, Issue 19

	Feature Article The World's Easiest IBM i Heist? By Robin Tatam Robin is the Director of Security Technologies for PowerTech, a leading provider of security solutions for IBM i. Robin is a subject matter expert for COMMON and a frequent speaker on security topics. I anticipated that they'd conduct a background check when I applied for the job at the bank; however, I only had to submit to a common drug test. I may be a lot of things, but a "doper" isn't one of them. Fortunately, it didn't expose that I'd been fired from my previous three jobs for helping myself to money in the register. I requested access to the walk-in safe after I had been working at the bank for a few days. Interestingly, it turns out my front door passkey was duplicated from someone who had already been granted access so I am already set up. Of course, if I ever forget my key, there are quite a few spares still lying around from employees that no longer work here. There are solid locks on the outside doors to keep the public out when we're closed, but no one worries too much about employees (I assume they're all employees) coming and going as most of them don't know much about the "behind the scenes" movement of the money. Besides, most employees have been around for years and no one thinks that they'll ever do anything bad. Surveillance cameras are mounted on the ceiling, although none of them are anywhere near the back door; an entry that's accessible to all of us with a passkey. The funniest part is that I found out that the bank doesn't even bother to use any of these cameras! At one time a few were hooked up, but the video tapes were reused after only one day and I heard that some got accidentally thrown away by the janitor. I figured no one was reviewing them anyway as there's no screen on the VCR that's there to record the video stream. I was quickly discovering that this job would be far more profitable than I'd imagined . . . Okay, it probably sounds like I'm setting the scene for the world's easiest bank heist. I certainly wouldn't invest a dime of my hard-earned money with an institution that overlooked security like this one does, but you might be surprised to know just how many organizations approach IBM i security in a similar lackadaisical fashion. Many companies do require potential hires to submit to a drug test. While this is certainly commendable, it obviously won't identify anything other than substance abuse. Investigating an applicant's work history won't help because many employers are too concerned with the legality of disclosing private information to release anything more than the dates of employment. That privacy concern even exists when—or perhaps especially—if the employee's departure was due to misconduct. When a business uncovers illegal or unethical activity such as fraud, theft, and even workplace harassment or violence, it's not uncommon to simply fire the employee to avoid embarrassment and further scrutiny. Without insight into an applicant's work history, it's quite possible that undesirable traits will remain hidden throughout the hiring process. Under IBM i, new user profiles are rarely created from scratch. Typically, copies are made from a "similar" profile which may lead to inconsistencies regarding the authorities that the employee obtains. Copying (and later copying that copy) frequently results in the over-assignment of authority, especially when the source profile belongs to a more tenured user. This is the equivalent of duplicating the passkey that inadvertently authorized the nefarious employee's access to the safe! Read More.
In This Issue Featured Article - Easiest IBM i Heist? Security Shorts - Auditing New Objects Featured Video - 1982 Security in 2012 Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH.de Thank You! To Our Great Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor The PowerTech Group Skyview Partners, Inc Sponsor Cilasoft Security Solutions	IBM i Security and Audit Resources IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives Search Security Site for IBM i and i5/OS IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security News Bytes Raz-Lee Software Announces Self Service Password Reset for IBM i Raz-Lee Security has announced the availability of Password Reset, a user password self-authentication product which enables IBM i (AS/400) based companies to provide their users with a quick, reliable and easy-to-use process for resetting their passwords. See more Information from Raz-Lee. IBM i Security Calendar of Events Live Security Related Webcasts and Training for IBM i Reduce the Cost and Effort of IBM i Auditing Live Webcast - Sponsored by Powertech Wednesday, November 14 1:00 PM CST More Information and Register to Attend IFS Security: Don't Leave Your Server Vulnerable Live Internatinal Webcast - Sponsored by Powertech Thursday, November 15 8:30 AM Columbo Time : 2:00pm Australia EDT More Information and Register to Attend Ad-Hoc File Transfers: Easy and Secure Live Webcast - Sponsored by Linoma Software Thursday, November 15 12:00 PM CST More Information and Register to Attend Decrease Downtime and Reduce IT Cost - Automate your IBM i monitoring with absMessage Live Webcast - Sponsored by Software Engineering of America (SEA) Tuseday, November 20 12:00 PM CST More Information and Register to Attend
Featured YouTube Educational Video IBM i Security The Pitfalls of Relying on a 1982 Security Scheme in 2012 Cannot Access YouTube from your office? Download the video in wmv format.
Security Shorts - Auditing Newly Created Objects By Dan Riehl The IBM i has excellent built-in auditing capabilities. You can audit various types of important events, you can ausit user activity, you can audit object access, and you can audit access to IFS "objects". I have used the object auditing facilities quite heavily. But, the other day I was stumped. I was asked the question "How do you turn on auditing for newly created files and directories in the IFS?" I knew that there was a way to do this, but the method did not come readily to mind. After searching the web and performing quite a bit of testing, I now have the answer to that question. I hope that the information is helpful to you. Auditing Newly Created QSYS.LIB Objects The System value QCRTOBJAUD specifies the global default value for the auditing level specified for newly created objects. The shipped value is NONE, meaning, newly created objects will not be audited at the global/system level. You can override the QCRTOBJAUD system value at the library level by specifying the CRTOBJAUD* parameter of the CRTLIB(Create Library) and CHGLIB(Change Library) command as shown here. *CHGLIB LIB(MYLIB) CRTOBJAUD(CHANGE)** When a library is created, the default value for the CRTLIB's CRTOBJAUD parameter is SYSVAL, but can be set as desired to ALL, CHANGE, USRPRF, NONE or SYSVAL. *CRTLIB LIB(MYLIB) . . CRTOBJAUD(CHANGE) So, now, whenever a new object is created in MYLIB, the object's OBJAUD** value will automatically be set to CHANGE. Auditing Newly Created IFS "Objects" The IFS /root* file system is used to store various types of files, directories, folders and documents. Often sensitive data is stored there in MS/Excel spreadsheets, Word documents, images, audio, pdf reports, and many other types of files. In addition to being the global setting for the QSYS.LIB file system, the system value QCRTOBJAUD is also the global setting applied to IFS directories. If you want to turn on auditing for all newly created IFS "objects", you set the system value QCRTOBJAUD as required to ALL, CHANGE or USRPRF. Within the IFS, this global setting can be overridden at the directory level using the CHGATR(Change Attribute) command as shown here. CHGATR OBJ('home/myuser') ATR(CRTOBJAUD) VALUE(CHANGE)* If you want the CRTOBJAUD auditing attribute to be applied to subdirectories also, include the SUBTREE(ALL) option of the CHGATR** command. So, the key to managing auditing for newly created objects in the IFS is the QCRTOBJAUD System Value when used in conjunction with the CHGATR command. With the CHGATR command, you specify the *CRTOBJAUD attribute and corresponding value for the selected IFS directory, and the associated sub-directories.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops Special Winter Class Discounts RPG IV Programming January 7-11 Watch for additional classes as they are added to the 2013 Schedule www.400School.com

Send your IBM i Security Related News and Events! Advertise in SecureMyi.com Security Newsletter Copyright 2012 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017