Annual state of IBM System i (AS/400) security study

The PowerTech Group, Inc. today released its fifth annual review of the state of security on IBM’s System i platform (also known as AS/400 or iSeries). This year’s study is based on the results of over 200 system audits that were conducted by PowerTech over the last 12 months.

According to industry research, the System i is used by more than 90 percent of the Fortune 1000 alone, and is known to host sensitive and confidential data such as credit card numbers, Social Security numbers, and other private data. Although IBM has architected the System i with industry leading security capabilities, the PowerTech research shows that the System i security is often poorly configured and poorly managed by companies that use it.

As good as the operating system is at protecting data, any system will only be as strong as the policies and practices deployed to keep it safe. Listed below are a few examples of the study findings that trouble auditors and executives alike:

• 68% of systems allow any user to change data on the System i using PC applications like MS Excel and MS Access. These systems also did not audit this vulnerability, which effectively hides it from oversight.
• Out of an average of 751 users, 9% of all users have privileged (root level) access authority.
• 30% of systems are not using the system security auditing tool inherent in the system.
• Over half of the systems have more than 16 users with default passwords (Password = User name) that could be easily determined by any attacker.