A recent PowerTech Group study of System i shops concludes that many companies are lagging behind when it comes to implementing proper security measures on their systems. Rich Loeber, president of iSeries security product provider Kisco Information Systems Inc., shares his thoughts on the study.

Over the years, IBM has done a good job of selling the public on the idea that the System i is “the most secure processor available today.” However, the company has not done nearly as good of a job explaining how to make the system secure. Doing that takes work, some of which is not necessarily intuitive. Someone needs to be put in charge of the security setup of the system and design an approach to security for the installation. Often, security takes a back seat to other more pressing needs for the company … until a disaster happens.

Another observation I have is that security efforts are very much focused on the network and keeping outsiders out of the system. But studies clearly reveal that nearly as many security breakdowns happen from inside sources as from outside hackers. Too often it is the insider with too much access to the system who compromises sensitive information. With the advent of convenient storage media, some that you can pass off as a fob on a key chain, the inside threat cannot be ignored.

The system is only as secure as the implementation of the security features. I5/OS may be the most secure operating system around, but if it is not used correctly, you might as well have any OS in place. I have customers who’ve purchased our network security product, SafeNet/400 and have had it in place for years without activating it to control access. They’re just logging activity, when the software has the ability to control activity and prevent unauthorized access attempts. When I hear of one of these accounts, I try to chide them into taking the software up to the next level of protection, but I’ve had little success with these attempts.

One of these days, there is going to be a TJ Maxx or Hannaford security breakdown that’s tracked to System i, and all those who’ve been touting the box’s strong security are going to be back-pedaling like mad.

I don’t really know what to do about this except to sing this song over and over again. I write a monthly column on System i security for Search400.com and I regularly raise these basic issues with my readers. I think that may be my small contribution — educating System i users on what they have and how to use it.

Bytware, the System i security software company that brought you the i5virus game, has another ad campaign in the works that will include some interactive Flash games.

MoshiMoshi (”moshi moshi” is a traditional telephone greeting in Japan) will be launched at the Common conference in Nashville later this month, and will follow the trials and tribulations of the various characters in a fictional corporation. As the different characters come across various dilemmas involving IT security, users playing the game can decide what the characters will do. Some of the characters have humorous names — the accountant’s last name is “Sudoku,” for example, while the boss’s last name is “Ono.” As people play the game, their decisions for what the characters should do will affect how the game continues and ends.

The games will take place in eight episodes over eight weeks — one a week — with prizes awarded each week to users who play the game. Some potential prizes will include educational literature, free software licenses, and free security consulting.

System i5 security vendor Bytware Inc. has wrapped up its i5 online game, where contestants navigated YouTube videos and searching for clues on different Web sites to solve a fictional System i security mystery, all the while learning about PHP and i5/OS security.

The grand prize winner, who gets a Nintendo Wii, was Anna Musella-Chiasson, a senior iSeries analyst with Canadian company CGI. There were also four winners of $100 gift certificates at Apple: Kristina Alcorn, a senior systems engineer at the Automotive Retail Group in Troy, Mich,; Suzanne Dahms, the executive VP at Union Bank in Lake Odessa, Mich.; John Pfitzner, a programmer at EFCO Corp. in Monett, Mo.; and Patrick Sczypiorski, an applications systems manager at Velvac in New Berlin, Wis.

The game will remain online, although Bytware didn’t say for how long.

Most people know that the System i and i5/OS are known for solid security features, but do you know what those features are?

I’m sure plenty of you do, but a new IBM Redbook details i5/OS’s native network security features, as well as envisioning some scenarios for network security, password elimination, i5/OS IP packet filtering, and more.

There is only one week remaining in the i5 virus game, an interactive game developed by Bytware to raise awareness of System i security and using PHP on the platform.

The game, which The iSeries blog wrote about earlier this month, got its start at the Common Focus event in October. It starts out with a YouTube video and takes players to various Web sites, including Bytware, IBM, McAfee and php-security.org. The goal is to crack a System i security mystery involving an imaginary financial services firm. Solving the mystery could win you a Nintendo Wii and iTunes gift cards.

The i5virus: A Game of Espionage and System i Security is a game developed by Bytware to get its name out there and perhaps liven up the days of System i administrators.

The mystery game, which started last month, offers contestants a chance to unravel the clues and win prizes such as an iPod and a Nintendo Wii. The story follows a fictional company whose System i server has been hacked into. Players follow clues by visiting different Web sites, watching videos on YouTube, and learning about PHP and i5/OS security. It’s a process that Bytware is hoping will lead you not only to the end of the game but also to its System i security software products.

The game begins with a YouTube video.

The PowerTech Group Inc. has long banged the drum on System i security, saying that most lapses in the space have to do with people, not the hardware or software.

The System i security software company has done System i security surveys in recent years. One last year looked at data from 177 security assessments on System i, iSeries and AS400 boxes, and found a few things:

• 95% have more than 10 users with root authority, threatening data on the system.
• 77% have more than 20 users whose passwords are the same as their user names.
• 91% don’t control or audit changes made through PC access.

These are lapses you want to avoid. On Wednesday (that’s tomorrow), PowerTech will host a free 30-minute webcast on meeting requirements of auditors who want companies to better manage user access. You need to register with PowerTech to join.

System i security vendor Raz-Lee Security Inc. announced Monday support for SSL enforcement in iSecurity Firewall, a move Raz-Lee says constitutes a major improvement in Firewall. Although many sites allow Telnet access without SSL, they often insist that ODBC access use SSL capabilities. Often times though, different types of equipment in company’s branch offices include differing levels of SSL support, giving rise to the need for security tools.

Shmuel Zailer, CEO of Raz-Lee Security said that previously “the only way to implement user to port rules was to use the OS/400 Port Restriction capabilities [which often] resulted in unacceptable performance degradation.”

Additionally, Zailer said that ” OS/400 Port Restriction does not have simulation capabilities and its logging file is not part of the standard log files provided by OS/400.” The activity log file produced is part of iSecurity Firewall’s standard log file and simulation mode is available prior to “live” implementation, preventing what may be serious networking errors.

John Ghrist at the System i Network looks at why there aren’t more biometrics vendors on the System i.

Ghrist asked one of the few System i biometrics vendors out there, Valid Technologies, about it:

I put that question to Greg Faust, Valid Technologies’ CEO. “There aren’t more biometrics vendors in the entire enterprise market space, let alone the System i market, because companies at the enterprise level are slow to adopt new technologies,” he opined.

Ghrist added that biometrics should catch on with System i users because of its ease of use: No longer would there be passwords upon passwords to remember. Simply stick your finger down, have it read your unique print, and be on your happy, System i way. I have another theory why biometrics isn’t taking off on the System i or other enterprise platforms such as the mainframe or Unix boxes. Security on those servers is much better compared to x86 distributed servers, and so right now there is no need for biometric enhancements.

Help/Systems has announced the release of Robot/Security, its i5/OS-based security monitoring and auditing software. More information at the Help/Systems Web site.