Spreading the System i security message

Rich Loeber

I am amazed at how many companies and organizations I run into where computer security is lax and nobody seems to care very much. Just this morning I heard from a business associate who is just getting started in a new position. He told me that this company's System i is connected directly to the Internet with no protection at all, not even a firewall. He demonstrated to his new boss how he could quickly hack into the system, track down the ID and password of a security officer and then sign on using that profile. I won't tell you how he did this, but it was not rocket science. They are shopping for security protection for their System i now, but how did they get to this point to begin with?

Ensuring security on i runbook: Becoming a System i security officer Six common System i security lapses Is your AS/400 secure?: How a hacker could get valuable information from your system System i security policy: Time for a check up System i security report round-up

What these organizations need is a "security evangelist." Someone who knows what the problem is and really believes in the message. The dictionary contains several definitions of evangelist, and the one I'm thinking of is "a person marked by evangelical enthusiasm for or support of any cause." If you don't believe the message, then you can't sell it to your organization's decision makers.

I then thought back over my 40+ year career to try and pinpoint those places where I bought into the computer security message. I can think of three events that really convinced me that this is a legitimate issue.

When I started in the computing field in 1965, computers were new and companies that had one liked to show it off. It was not unusual to have a glass-enclosed computer room with open access to the public to walk by and watch the computer in operation. Then there was a Vietnam war protest bombing of one of these computer centers and, overnight, they were boarded up and physically secured.

Around the same time, in 1973, came the Equity Funding fraud. This was a computerized fraud scheme where a financial conglomerate engaged in fraud on a huge scale to maintain a high stock price and fool Wall Street and investors. At its height, the scandal involved as many as 100 employees who used their computer system to create fictitious insurance policies. At one point during the fraud, someone estimated that if the insurance policies being written continued at the same growth rate, they would end up writing more policies than there were people in the US.

These two events, which happened quite close to each other, got me thinking that computer security was a real issue, not just something being touted by IBM to sell more of their services.

The last event that turned me into a security evangelist was reading the book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll. This book, published in 1990, starts with a college IT guy from Berkeley, Calif., trying to track down a 75-cent billing error. His search leads him into the then-new world of computer hackers on a global basis.

If you don't believe in the computer security message, you can't convince others. I became convinced by just keeping my eyes and ears open to what was going on around me. If you're working in the computer security field, you need to be an evangelist and get everyone at your organization on board. If you don't believe the message, how can you expect everyone else to? I think this is what's needed today. There is still just too much laxness in the field.

If you have security was stories you'd like to share, let me know. All email messages will be answered, and I might even use some of your stories in future articles.

---------------------------
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT iSeries system and application security Developing a security incident response system for System i Setting up security for programmers on IBM i Blocking AS/400 DB2 users Trouble accessing IFS path from Win2k3 server Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file iSeries security tips Developing a security incident response system for System i Tracking remote access users on System i Setting up security for programmers on IBM i Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.