How “Smash and Grab” Compromises IBM i

A thief reaches into an open car window and helps himself to an iPad on the front seat; a leather jacket is snatched from a sale rack outside a department store; and a purse is silently lifted from the back of a restaurant chair while the owner is engaged in conversation.

Sadly, most of us have heard—or possibly even been a victim—of these types of opportunistic crimes. They may be perpetrated by an average person unable to resist a split-second temptation or a hardened criminal who’s willing to drive a vehicle through a storefront to gain access to the merchandise inside.

Less extreme, but more common examples include pocketing lost property or squatting on an unsecured WiFi connection. Some readers may disagree that these are examples of criminal acts, justifying such actions with the “finders keepers” defense and citing that WiFi should be secured if people aren’t allowed to use it.

We each have our own “ethics meter” which advises us in the battle of Risk vs. Gain. Studies have shown this imaginary meter re-calibrates under certain life conditions such as (the threat of) job loss, chemical dependency, economic uncertainty, addiction, or strong emotions like jealousy or anger.

In computer terms, crime can also be opportunistic: the exploitation of a TCP port discovered open to the internet; a trusted employee modifying an ACH transfer file prior to its transmission to the bank; or perhaps a newly hired programmer downloading credit card data that they were granted access to in order to resolve a database problem.

During an audit a few years ago, I revealed to the client’s security team that corporate payroll information on every employee, including the CEO, was being archived in an output queue (called PAYROLL) for weeks at a time.  Due to poor configuration, this information was accessible to every employee. The team crossed their fingers that no one had accidentally stumbled upon the information and was secretly taking advantage of it.

“Smash and grab” crimes are typically committed before anyone realizes what’s happening or reacts to stop it.  An alarm is unlikely to prevent these offenses, but without any deterrent, a criminal may continue to repeat or increase the scope of the offense.  In my earlier example, if the iPad thief thought he was not at risk of discovery he might have paused to rifle through the rest of the contents and possibly have stolen the vehicle itself!  Without an alert to warn anyone, our wayward programmer might continue to download decrypted card data over an extended period of time.

Unfortunately, many examples exist where this has happened because no one noticed that something was wrong.  Data breach investigations rarely uncover specifics immediately.  It’s more likely to be a complicated and painstaking process to forensically determine the source and scope of the breach.

Computers introduce an additional security challenge: stolen data still appears undisturbed in its original repository on the server.  Compared to traditional theft, detection is often far more difficult as there is no missing item to flag that a theft has even occurred.  There is only the possibility that unauthorized access may have occurred and some or perhaps all of the data was exposed.  Recipients of a typical breach notification letter will undoubtedly recognize the vagueness of this message.

Some organizations try to justify a lack of security on the naive belief that every employee is unwaveringly honest or insufficiently technical to exploit possible vulnerabilities.  This mentality dramatically increases the likelihood that the business will eventually suffer a catastrophic breach from someone taking advantage of that trust. While we prefer to believe everyone we hire is upstanding and trustworthy, one should never gamble an entire business on it.

Reminding users—perhaps as part of the log-on procedure—that their access may be monitored is a simple, yet effective technique for discouraging opportunistic behavior.  It has an effect similar to that of a window sticker advertising that a house is monitored by an alarm company or a street sign that warns of traffic cameras, even if it isn’t entirely true.  In fact, when cameras were first deployed on British roads, the cost of the technology was so prohibitive that a few cameras were moved around between numerous camera housings.  Drivers had no reason to believe that the housing was empty so erred on the side of caution and obeyed the traffic laws.

Some organizations prefer covert monitoring over public warnings.  This approach may be more effective at catching versus simply deterring users—especially users who might be skilled enough to navigate around publicly advertised controls.  Neither approach will probably deter a professional criminal, but will assist law enforcement personnel in determining scope and cause of illegal activity.

Should users be monitored without cause? This question elicits heated debate about personal privacy versus the right to monitor people.  As someone who takes pride in his business ethics, I allow myself to be monitored for the same reasons I’m not offended by airport security checkpoints. No, I am not excited about taking off my shoes and belt and unpacking my laptop but, assuming it’s done respectfully, I’m willing to undergo a reasonable level of scrutiny since i) I have nothing to hide and ii) it ultimately impacts my safety.

Monitoring computer users may prevent unauthorized activity, which would otherwise have resulted in serious financial implications that could impact employee job security.

Experts often recommend implementing security in layers.  Any one layer is unlikely to prevent or halt all unauthorized activity but combining multiple layers increases the likelihood that a criminal will move on to a less secure target or be discovered.  In fact, some layers are referred to as “honey pots” and are specifically designed to identify and capture criminals.  To secure the iPad, the layers might consist of closing windows, locking doors, moving valuables out of plain sight, or using the device GPS to aid the recovery if the other security layers are breached.

The following list identifies examples of basic IBM i techniques that can (and should) be used to prevent data vanishing through an open window:

• Enforce strong password rules and eliminate any use of default passwords.
• Limit user access (as-needed only) and remove command line access.
• Implement profile switching instead of granting access to privileged accounts.
• Establish appropriate object-level security for database information.
• Deploy exit programs to control access from network interfaces such as FTP and ODBC.
• Review system settings and reconfigure ones not promoting best practices.
• Log security events and alert security personnel when events occur.

Some of these items don’t require additional software to be developed or purchased and should be incorporated into every IBM i security plan. Commercial security solutions, such as those developed by Fortra, leverage and extend the OS’s core functionality and aid in the process of layering security.

As data guardians, security personnel have to deal with I.T. assets that are under constant threat. The source of the threat originates from humans. The threat level is determined by the accessibility and perceived value of the data, as well as the existence of multiple security layers to enforce restrictions. Regardless of the presence or absence of regulatory mandates, security teams have a responsibility to ensure that servers, applications, and data remain available and accurate for the use for which they exist.