Carol Woodbury's IBM i & i5/OS Security Tip

Sensitive Commands
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 May 2009 
Greetings!
 
Every so often I get asked for a list of "sensitive commands" that need to be secured.  This request always puzzles me a bit.  That's because if you control who has special authorities - especially *ALLOBJ special authority - and have a good object-level authority scheme in place, specifically securing a set of commands is usually unnecessary.  Let's take a closer look.
What We Can Rely On
When it comes to who can run what some people would consider to be "sensitive commands," IBM has already done a lot of the work for us.  IBM ships many commands considered "dangerous" or sensitive as *PUBLIC *EXCLUDE; examples include Power Down System (PWRDWNSYS) and End TCP/IP (ENDTCP).  The complete list of commands that ship as *PUBLIC *EXCLUDE is in the Security Reference manual, Appendix C.  In addition, many commands require the user to have one or more special authorities.  The commands that allow the user to create, change and delete user profiles are an example of this type of command.  To create a user profile, the user must have *SECADM special authority.  If you limit which profiles have *SECADM, you've controlled who can successfully run the user profile-related commands.  Finally, many commands require the user to have authority to one or more objects.  For example, there's no need to secure the Edit Object Authority (EDTOBJAUT) command if you have a good object-level security scheme in place.  With a good security architecture, most users won't have sufficient authority to an object to be able to change its authority.  The objects to which a user must be authorized, as well as the special authorities required by each command, are documented in the Security Reference manual, Appendix D.
 
Locking the Windows
Attempting to protect your system and data by securing commands is a bit like locking your doors but leaving the safe where your jewels are stored wide open.  Many ways exist to access data.  Attempting to lock down every command that may do harm or allow inappropriate access to data will consume huge amounts of your time and will likely not fully protect your system and data.  New access methods (e.g., commands) are added each release.  So not only do you have to find all the new commands added each release, you also need to be looking at APIs.  A better use of your time is to secure the objects themselves.  Then, regardless of the method used to access them, you know they're secured appropriately.
 
The Exceptions
I do have a couple of exceptions when it comes to my "no need to secure commands" mantra.  Sometimes you just don't want certain activity to occur.  For example, perhaps you have a policy that says that, for performance reasons, absolutely no queries are to be run on the production system - only on the data warehouse system.  Or, perhaps you have such a large system that bringing up the Work with Active Jobs (WRKACTJOB) screen is not practical.   When you're trying to prevent some action, I do recommend that the associated commands be secured. 
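The following CL commands are an added example, not part of Carol's tip: they show how an administrator would verify the shipped protections the tip relies on (command public authority, special authorities, object-level authority) and then secure a command as one of the exceptions above. The library PRODLIB, the file PAYROLL and the group profile OPSGRP are assumptions; the command names and keywords are standard i5/OS CL.

```cl
/* Added example (not from the newsletter). Library PRODLIB, file PAYROLL */
/* and group profile OPSGRP are assumptions for illustration only.       */

/* 1. Confirm that the "dangerous" commands IBM ships as *PUBLIC *EXCLUDE */
/*    are still that way on your system.  The display lists *PUBLIC      */
/*    with *EXCLUDE plus any private authorities that have been granted. */
DSPOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD)
DSPOBJAUT  OBJ(QSYS/ENDTCP)    OBJTYPE(*CMD)

/* 2. Review who holds the special authorities that gate the profile     */
/*    commands (CRTUSRPRF, CHGUSRPRF, DLTUSRPRF need *SECADM) and who    */
/*    holds *ALLOBJ, which bypasses every object-level check below.      */
PRTUSRPRF  TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ *SECADM)

/* 3. Check the object, not the command: with *PUBLIC *EXCLUDE on the    */
/*    file and access only via an authorization list or group, EDTOBJAUT */
/*    cannot be used against it by ordinary users, whichever interface   */
/*    they come in through.                                              */
DSPOBJAUT  OBJ(PRODLIB/PAYROLL) OBJTYPE(*FILE)

/* 4. The exception: you want to PREVENT an action, so secure the        */
/*    command itself.  Example policy from the tip: no ad hoc queries on */
/*    production, and WRKACTJOB too expensive for general use.           */
GRTOBJAUT  OBJ(QSYS/STRSQL)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/RUNQRY)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/WRKACTJOB) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
/* Let the operations group keep WRKACTJOB via a private authority.      */
GRTOBJAUT  OBJ(QSYS/WRKACTJOB) OBJTYPE(*CMD) USER(OPSGRP)  AUT(*USE)

/* 5. Verify the result.  *ALLOBJ profiles are still able to run these   */
/*    commands, which is why step 2 matters more than step 4.            */
DSPOBJAUT  OBJ(QSYS/WRKACTJOB) OBJTYPE(*CMD)
```

Step 4 blocks the command, not the data: a user with *USE to the PAYROLL file can still read it through any other interface or API, which is exactly the point of the "Locking the Windows" section. Securing STRSQL or RUNQRY enforces a procedural rule; it does not substitute for the object authority checked in step 3.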
 
The other exception is when your auditors demand it.  I've seen auditors require that the Create, Change and Delete User Profile commands be secured.  To the auditor it didn't matter that they require *SECADM special authority to run successfully.  In his mind, having those commands as *PUBLIC *USE was an exposure.  In that case, I'd try to explain the situation, but sometimes it's just easier to secure the commands than to fight that battle.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
How SkyView Partners can Help
Taking control of what profiles have been assigned special authorities can greatly limit who can run powerful or sensitive commands.  SkyView Policy Minder for IBM i & i5/OS makes it easy for you to keep track of these users and can, in one step, automate the process of identifying any new profiles assigned a special authority since the last compliance check was run.
 
The library and directory categories of Policy Minder allow you to regularly check how objects are secured, helping you ensure that additional private authorities have not been assigned, the *PUBLIC authority altered or the authorization list changed for critical objects such as files.
 
Finally, Policy Minder has a specific category for commands so that you can automate the checks to ensure specific commands are secured according to your auditor's or your procedural requirements. 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
News Article:
 
"Many Users Say They'd Sell Company Data For The Right Price"
 
DarkReading
by Tim Wilson
24 Apr 2009
 
In subway survey, 37 percent of workers say they could be bought.
 
Would you sell your company's secrets to a stranger for $1.5 million? More than one-third of employees surveyed last week said they would -- and some of them said they'd do it for less.
 
In their annual visit to London's railway stations, researchers from the InfoSecurity Europe conference asked 600 commuters whether they'd sell their company's sensitive data in exchange for various forms of compensation. Last year, the researchers got many railway riders to give up their passwords for a chocolate bar.
 
This year, the researchers offered the workers an escalating range of theoretical bribes ... 
 
 
SkyView Partners Solutions
 
SkyView Partners is dedicated to providing software to help you tackle your security compliance and policy issues. 
SkyView Policy Minder is an IBM i & i5/OS security compliance management tool that automates security policy compliance monitoring and delivers comprehensive security administration functionality.  With Policy Minder you can monitor compliance with security policy and quickly return your security configuration to comply with the established security policy.
 
SkyView Risk Assessor is an automated IBM i & i5/OS security diagnostic tool that analyzes security information from more than 100 "risk points" across i5/OS & OS/400.  With Risk Assessor you see your system's security settings compared to security best practices.  The output lets you understand vulnerabilities and determine adjustments to security policy.
 
 
Free Webinar
 
 
"Reduce the Cost and Complexity of Compliance"
by Carol Woodbury 
 
 
During this webinar Carol Woodbury demonstrates how SkyView Policy Minder allows you to document your policy, discover differences between the current settings and your policy requirements and fix the settings to match your policy requirements. 
 
Carol will show actual examples of some of the more than 20 manual security compliance processes that she has encountered at clients and how  these processes have now been replaced and automated using SkyView Policy Minder, cutting compliance costs dramatically.
 
About Carol Woodbury ... 
 
Carol Woodbury is President and co-founder of SkyView Partners Inc., a company specializing in security policy and compliance software and services.  Carol is a system security expert, a noted author, an award-winning presenter and the architect of the SkyView products.
About SkyView Partners ...
 
SkyView Partners is committed to delivering security compliance products and services that provide our customers with sound advice that saves them time and reduces the costs and complexities of attaining and maintaining compliance. 
 
For more information
 
 425-458-4975
 
© Copyright 2009 SkyView Partners Inc.
All rights reserved.