Keeping Up With Security Threats To IBM i

July 27, 2015 Alex Woodie

When it comes to security, the IBM i server is a different beast, as you well know. It’s not subject to the same sorts of malware attacks that afflict Windows, Linux, and Unix systems. But thanks to its unique architecture, it has its own peccadillos when it comes to security, and understanding those strengths and weaknesses is critical for keeping up with security on the platform. A new tool from Skyview Partners should ease the work.

In most organizations, the IBM i server runs the application of record, and as such stores the organization’s most vital data. This fact, in of itself, makes the server a juicy target for any criminal looking to turn data into dollars. However, while the IBM i server and its databases are critical, few shops put them on the network in front of the firewall. You’re much more likely to find a Windows or Linux box hosting a website or serving as a file or print server. This makes just getting a sign-on screen much harder, let alone trying to steal data.

The IBM i server’s role as a back-office workhorse means it’s subject to different threats. While the front-end Windows and Linux servers are much more likely to be poked and prodded by hackers arriving over the Internet, the IBM i server is more susceptible to internal threats. Chinese and Russian superhackers get the headlines, but the fact is that three out of four security breaches are perpetrated by disgruntled employees and other credentialed workers. This puts the IBM i server directly into the danger zone.

IBM i security expert Robin Tatam warns companies not to take the internal threat lightly. “The big threat is from those people who have already obtained what is in essence the gold standard of what every hacker is after, which is a set of credentials that work,” the PowerTech director of security technologies recently told IT Jungle. “We’ve already handed those to employees, typically during the first few days of their hiring.”

HVAC Matters

Some of the biggest security breaches of late were perpetrated by hackers who got their hands on legitimate user IDs and passwords. For example, the massive data breach at Target in late 2013 was the result of a cybercrimnal operation that used an email phishing scheme to steal sign-on credentials from a heating, ventilation and air conditioning (HVAC) subcontractor that regularly worked at Target and had access to its internal network.

The combination of social hacking skills, poor security awareness of subcontractors, and well-disguised malware placed into point of sale (POS) systems proved deadly for Target, which lost card data for tens of millions of customers and suffered losses of hundreds of millions of dollars (not to mention the ouster of its CEO). Since then, we’ve heard of breaches at many other large companies, including Home Depot, Anthem, JP Morgan Chase, and the Office of Personnel Management (OPM), which maintained detailed histories of every federal employee who’s ever received security clearances from the government.

While the news is dour, Tatam warns not to succumb to breach fatigue. “People are so used to now hearing, ‘OK what breach is it today?'” he says. “There’s a risk that they become complacent.” With the shock value of the breaches wearing off, some companies are considering the momentary bad publicity that their brand suffers just another cost of doing business. As a result, they may not invest as much time and resources into bolstering security.

Regulation Nation

Breach fatigue may be real, but companies across many industries are getting plenty of motivation not to become complacent thanks to stringent new regulations governing IT security, such as the Payment Cardholder Industry Data Security Standard, or PCI DSS.

If the prospect of an auditor poring through your internal systems to judge compliance with PCI DSS doesn’t strike fear into your IBM i administrator’s heart, then he probably isn’t paying attention. IBM i shops report an uptick in visits by auditors, for PCI DSS and other regulations.

To address the need for better preparation for PCI DSS audits, Skyview Partners, which was recently bought by HelpSystems and is a sister company to PowerTech, recently launched a new release of its Risk Assessor software designed to help IBM i shops survive an audit by improving their security posture (or at least becoming more aware of it).

Risk Assessor 2.5 also brings new capabilities for investigating permissions that users have on the IBM i platform. The advent of role and column access control (RBAC) is a powerful new security feature in IBM i 7.2 that restricts what data users can see, but figuring out who can see what may not be as straightforward as auditors would like. (Things rarely are straightforward for auditors who are investigating IBM i shops; they’re much more used to Windows and Linux systems).

SSL on IBM i

Secure Sockets Layer (SSL) has taken hits over past year as critical vulnerabilities have been exposed in the popular encryption technology. IBM i shops haven’t borne the full brunt of the problems, thanks to IBM staying on top of the situation and being proactive in the move to TLS, the successor to SSL. But IBM i shops haven’t been completely shielded either, because many third-party software vendors have not yet moved beyond SSL.

Skyview says its updated tool adds a new report that makes it easier to examine and remedy settings related to recently exposed vulnerabilities in SSL. The company says the new reports are timely, as the most recent version of PCI DSS (version 3) requires organizations to eliminate use of SSL.

According to Skyview co-founder Carol Woodbury, the new reports should help customers examine IBM i security settings in greater detail, with the goal of surviving a PCI DSS audit.

“Security is a top priority for many CIOs, but it’s a target that’s constantly shifting,” says Woodbury, the former OS/400 security architect for IBM and currently vice president of global security services for HelpSystems. “We delivered these new reports based on strong customer requirements that we stay current with the latest laws and regulations. Risk Assessor 2.5 makes it possible for organizations to respond to changing compliance requirements and leverage IBM i’s evolving security capabilities.”

IBM And ISVs Fight POODLE Vulnerability In SSL 3.0

Heartbleed Exposes The Vulnerability Of An IBM i Mentality

Tags:

Best Practices for Doing IBM i Cloud Backup & DRaaS Right

In the technology business for 30+ years including more than a decade in cloud backup and disaster recovery, we’ve learned a few things along the way. Here are best practices to follow – and land mines to avoid.

RELIABILITY. Up to 71% of restores from tape contain failures.

BEST PRACTICE: Use disk-to-disk technology for backups.

With disk-to-disk technology, your backup data resides on disk drives, proven to be far more reliable than tapes. When your backup completes, you know the data is secure and accessible on the disk drive. With tapes you never really know if your data is usable until you try to restore it, at which point it’s too late.

BREADTH OF OFFERING. Choice in product and service offerings meet your business’ needs.

BEST PRACTICE: Don’t settle for less than what you need.

Vendor offerings vary widely. Some are designed primarily for consumers and others for enterprise data centers. Choose a solution that scales and offers the features you need to provide the level of service you expect. De-duplication and delta-block technologies will improve performance, reduce your data footprint and save you money. Find out if their de-duplication offering is at the file level or the block level. Make sure the solution can back up servers, PCs, and laptops as well your applications.

SECURITY. 60% of organizations using tapes don’t encrypt their backups.

BEST PRACTICE: End-to-end encryption with no “back door.”

Using encryption with tape makes backups run slowly and often takes too long to fit within a backup window. As a result, most people simply turn encryption off, creating a security risk. Even with the physical safety of disk-to-disk backup, encryption is essential. Look for 256-bit AES. Find a solution that encrypts your data during transmission and storage. Make certain there isn’t a “back door” that would let someone else view your data.

ACCESSIBILITY. Companies waste thousands of hours waiting on tapes.

BEST PRACTICE: Ensure that you can get your data back with minimal delay.

You should have direct access to your backups, with no time spent on physical transport (no trucks, no warehouses). Restores should take minutes, not hours or days. Set yourself up to work with your data, not wait for it. Make sure your solution provider can meet your Return-to-Operations (RTO) and Recovery Point Objectives (RPO) which determine how quickly you can recover your data and maintain business continuity. Inquire about onsite and offsite replication that provide both improved performance and a solid disaster recovery strategy.

CYBER SECURITY. More than 80 percent of U.S. companies have been successfully hacked, according to a Duke University/CFO Magazine Global Business Outlook Survey.

BEST PRACTICE: Regular cyber security training and phishing tests for all employees using company email are essential to your organization.

Your end-users are the weak link in your network security. Today, your employees are frequently exposed to advanced phishing attacks. Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack. Be sure your vendor of choice includes cyber security training as part of their backup and DR package.

SCALABILITY. Some backup systems can’t scale readily.

BEST PRACTICE: Invest in a data protection architecture that can grow with your business.

You should be able to back up your data no matter how large it grows. Starting small? Look for an option that handles your backups automatically. Then, as you grow, gives you tools to manage complex environments. Look for “changes-only” and compression technologies to speed backups and save space. And insist on bandwidth throttling to balance traffic and ensure network availability for your other business applications. Make sure that their solution offerings rely on common technology to scale easily as your business––and data––grow.

COST-EFFECTIVENESS

BEST PRACTICE: Calculate the true total cost of tape-based back up.

A 2019 Server OS Reliability Survey found that one hour of downtime costs at least $100K for 98% of companies to over $5 million for 34% of surveyed companies. When you do the math, the dollars make sense: Go with disk-to-disk. Unlike tape, there are close to zero handling costs—no rush deliveries, loading, accessing, locating, or repeated steps. And there’s one benefit you can’t factor directly: Reputation. Reliability and security can make an incalculable difference with just one avoided breach or failure.

COMPLIANCE. Most companies have problems satisfying privacy, security, and data retention regulations.

BEST PRACTICE: Choose a data protection partner who has deep know-how about compliance, and the technology to ensure it.

Disaster Recovery. Most companies lack a comprehensive, tested plan for disasters.

BEST PRACTICE: Find a vendor that delivers a complete DR solution.

You can’t say your data protection is complete until you have a disaster recovery plan that is itself complete and tested. Your backup vendor should have both the product mix and professional services team to help you prepare for a worst-case scenario. Make sure they can help configure your backups so you rebound quickly. Best bet: A vendor who can train you to deal with disasters confidently, based on your company’s actual configuration.

EASE OF USE. Some companies don’t —or can’t—manage their backups from one place.

BEST PRACTICE: Get control and reporting you can use anywhere, with ease. Managing your backup environment should be simple, and the software you use should eliminate any guesswork that could lead to lost data. You should know at all times if your data is protected across your entire network—including remote offices—by simply looking at a dashboard. The software should be simple to configure using wizards, yet powerful enough to meet your specific needs with customizable views, job propagation, and roles-based security.

OPERATING SYSTEM AND PLATFORM SUPPORT. Most backup vendors support a limited range of OS, server types, and applications.

BEST PRACTICE: Look for broad and deep technology that supports your complete environment. Your backup solution should accommodate your environment, not vice versa.

CUSTOMER SUPPORT. Backup vendors’ product support varies widely.

BEST PRACTICE: Find a vendor whose support is passionate, maybe even slightly obsessed. Customer support should be one of your vendor’s main selling points. You shouldn’t have to wonder if they’ll be there to help when you need them most. Do they offer phone support or email only, and who exactly are you talking to when you call that 800 number? Find a vendor that will treat your data as if it were their own.

REPUTATION. Does your backup vendor have a quality reputation and the financial resources to stay in business for the long haul?

BEST PRACTICE: Find a vendor with strong financial backing and customer references. There are a lot of vendors that have come and gone. When you consider a service provider, look for one that has strong financial backing, a solid business plan and the ability to be in business as long as your data needs to be stored. Ask for customer references and case studies as their customers are the best validation you can get.

Visit VAULT400.com/proposal to receive a FREE analysis and proposal

DOWNLOAD SOLUTIONS BRIEF:
Best Practices for IBM i Cloud Backup & Recovery

DURING THIS UNPRECEDENTED TIME, DON’T WAIT FOR YOUR BUSINESS
TO SUFFER A DISASTER TO TAKE ACTION.

Serving the US, Canada, & Latin America

VAULT400 Cloud Backup & DRaaS is an IBM Server Proven Solution.

800.211.8798 | info@ucgtechnologies.com| ucgtechnologies.com/cloud

To the First Responders serving on the front-lines during the COVID-19 pandemic,
we extend our heartfelt gratitude.