Thoroughly Modern: What You Need to Know About IBM i Security
March 13, 2023 Fresche Solutions
On a weekly basis, the security experts at Fresche receive calls from IBM i organizations asking for help with ransomware and cyberattacks. These calls are from a broad range of organizations across the spectrum of industries and company sizes.
The IBM i platform has a very strong reputation of being secure, but it’s a dangerous misconception that it is secure out of the box. We can’t tell you how many times we’ve seen an enormous lack of security configuration on the system. It’s often due to a lack of security knowledge and skills on IBM i. But many people still think there’s just no need to secure the box, which is obviously wrong. While IBM i does have a great architecture and many excellent security features, without intentional, proper security configured and implemented on the system, all of the data and applications on it are left wide open and are vulnerable to security breaches.
Here is a good example that comes from late 2021: The Log4Shell vulnerability, also known as Log4j. It was a severity 10 critical security vulnerability. And if it was exploited, which was quite common, it allowed a hacker to remotely execute code on a system.
Not long after the Log4j vulnerability was revealed, we received a call asking for help to determine why there were so many continual failed sign-on attempt alerts coming in from a client’s system. This company did have TGDetect, our network monitoring and intrusion detection software, installed and implemented, so they could receive these alerts and then go on to analyze their IBM i network traffic to determine the source of the intrusion attempts. That led this company to isolate the workstation that had been exploited, and the IT staff to quickly patch the system before the company’s data was breached. It wasn’t other systems in the network that were alerting to this vulnerability being exploited, but it was on the IBM i. The workstation was a Windows laptop that had been affected, which they were able to get cleaned up.
But without those security measures in place and the quick response time they enabled, who knows how far the malware would have gotten on the IBM i and throughout the entire network and how much damage it could have caused before it was detected. Additionally, without proper monitoring and having an audit trail set up, there would be no data available to perform forensic analysis and identify the cause of attacks like this.
If you want to lock down your IBM i systems, make a list of what is important and then start checking those things off one at a time. Locking down IT systems can feel overwhelming, but it doesn’t need to be. The most important thing to realize is that any progress is good progress. And we can help you with a list of things to do, ranked by importance.
The top of the list is network monitoring for your IBM i. With network monitoring, you are able see who is accessing your system and find out: What IP address is the access coming from? Where is it coming from? Who is it? What are they doing? What protocol are they using? Is it coming through Telnet, FTP, ODBC? Or is it coming from a lower, port-level connection like SSH, which Log4Shell exploits quite well – and other malware does as well.
Programmatic attacking the IBM i platform is something that we see on a regular basis. Just a few days ago, there was another example: invalid Telnet sign-on attempts every 30 seconds. It was obviously a systematic attack to the IBM i. When you have clear visibility into this sort of activity, you can take the actions necessary to eliminate the threat and not remain vulnerable, especially if the attack were to discover a weak profile to compromise.
Privileged Access Management
Strengthening weak user profiles is another critical element of your security. On IBM i, privileged access management is paramount.
If you are not aware of what your users are able to access or how much authority they have, then you really can’t control who is accessing any data on the system. We’ve run many, many security assessments where there are an alarming number of *ALLOBJ user profiles. All object (*ALLOBJ) authority trumps everything on the system, essentially giving those users the “keys to the kingdom”.
Monitoring those users – the configuration of the users, changes to the users – and ensuring you implement a least privilege security model is an effective method to reduce the amount of excess user privileges and tighten up weak profile configuration.
Zero Trust Is Necessary
Implementing a zero-trust policy is also a strong security tactic and is highly recommended in this present day of sophisticated cyber attacks.
While it is good to have your network perimeter protected with a firewall, it would be naïve to think a firewall can protect against all types of attacks. With the evolution in the world of cybercrime, it is critical to consider the large number of security breaches that happen from corporate firewalls being completely bypassed. Approximately four out of ten ransomware attacks come through phishing emails. A high volume of them also come from software vulnerabilities, especially considering the difficulties surrounding patch currency.
The main thing to consider is if a hacker can penetrate your network firewall, what protections do you have in place to protect your crown jewels, or critical data? Consider the analogy of your front door being locked and someone breaking in – are the valuables in your house laying out on the counter to be quickly stolen, or are they locked away in a safe? Hopefully, they’re in a safe. The safe is the additional layer of protection you need because you don’t put all your trust in the front door security system. That’s the same approach we need to take with data security – implementing various layers of access control. This analogy can be taken a step further even for the people you invite into your home, or the users working within your corporate network – do you want everyone to be able to access everything inside, including your valuables and sensitive data, or should critical items be locked up with limited access? Relying on one layer of external network protection will not help if user credentials are compromised and there is no further data security in place.
Other Things On the Security Wish List
Here are some other important things to consider:
- Strong object-level security – without proper authorities defined on your programs and files, sensitive data can be left highly vulnerable to unauthorized access, both from internal IBM i applications as well as external applications and protocols like ftp and ssh.
- Solid Integrated File System (IFS) permissions – an IFS file structure looks just any other file structure to a ransomware and it is an easy target when users have drives mapped to the IFS. In addition, the IFS is also accessible through various protocols that don’t require mapped drives, so it’s even more important to ensure the root directory and sensitive directories within the environment are secured as needed.
- Auditing is huge. In the event of an actual security breach, you need to have an audit trail to see what exactly happened, when it happened, how it happened, etc. It empowers you with the data you need to do forensic analysis and implement more effective controls in the future. You may also be required to prove that due diligence was performed prior to the event.
- Event notification is another important factor in increasing your response time to security events. If you have alerting in place, as in the Log4Shell exploit example above, your response time to mitigate threats on your system can be drastically reduced and halt an attack.
- Network protection needs to be comprehensive – assume that hackers will gain entry into one layer or another. Implementing security measures across network layers is critical in making sure all your data is locked down.
There are automated tools such as the TGSecurity Suite to help you monitor security on your systems and protect your data:
- TGSecure is a very comprehensive security enforcement tool that allows for network monitoring, handling user profiles effectively, securely and keeping them in compliance with your standards, as well as many other areas of the system, including implementing proper object authorities and IFS permissions.
- TGDetect is real-time security monitoring and alerting and integrates with any Security Information and Event Management (SIEM) solution on the market.
- TGAudit is a reporting engine that allows you to report on any area of security on the system. And it gives you high-level reports so you can see at a glance what is going on and be notified of what areas to pay attention to instead of just scouring through pages and pages and pages of data.
- TGEncrypt allows you to encrypt sensitive data.
- TGMFA allows you to quickly enable multi-factor authentication on different business applications.
With these tools in place, you can proactively increase protection on your systems from ransomware and malware. Here’s a quick demo to give you a glimpse into what’s possible with TGSecurity Suite:
For anyone who is just getting started with security, Fresche can do a free security assessment on your system to understand the state of security on your IBM i server. If you are a little more advanced, download the free trial to all the tools within TGSecurity Suite for 30 days and try it out for yourself. These tools let you quickly generate report cards that give you a comprehensive view of your security stance and provide numerous ways to monitor and lock down your system. If you have any questions or wondering how to address a specific security or compliance concern, please email our IBM i security experts at firstname.lastname@example.org.
This content is sponsored by Fresche Solutions.
Thoroughly Modern: Flexible And Fractional Staffing Models That Deliver
Thoroughly Modern: How To Optimize IT In 2023
Thoroughly Modern: A Swiss Army Knife For IBM i Developers
Thoroughly Modern: Digital Solutions For IBM i And Beyond
Thoroughly Modern: Simplify IBM i Application Management and Extract Key Insights
Thoroughly Modern: Four Ways Staff Augmentation Is Helping IT Get Things Done
Thoroughly Modern: Bring Security, Speed, And Consistency To IT With Automation
Thoroughly Modern: Good Security Is Just As Important As Good Code
Thoroughly Modern: The Real Top 5 Challenges For IBM i Shops Today
Thoroughly Modern: Improving The Digital Experience With APIs
Thoroughly Modern: IBM i Security Is No Longer Set It And Forget It
Thoroughly Modern: Taking Charge of Your Hardware Refresh in 2022
Thoroughly Modern: Building Organizational Resilience in the Digital Age
Thoroughly Modern: Time To Develop Your IBM i HA/DR Plan For 2022
Thoroughly Modern: Infrastructure Challenges And Easing Into The Cloud
Thoroughly Modern: Talking IBM i System Management With Abacus
Fresche Buys Abacus To Integrate From IBM i To Cloud To Code
What IBM i Shops Want From Cloud, And How To Do It Right
A Chat With Steve Woodard, The New CEO At Fresche Solutions
Thoroughly Modern: Making The Case For Code And Database Transformation
Thoroughly Modern: Making Quick Wins Part Of Your Modernization Strategy
Thoroughly Modern: Augmenting Your Programming Today, Solving Staffing Issues Tomorrow
Thoroughly Modern: Clearing Up Some Cloud And IBM i Computing Myths
Thoroughly Modern: IBM i Web Development Trends To Watch In the Second Half
Thoroughly Modern: Innovative And Realistic Approaches To IBM i Modernization
Thoroughly Modern: Running CA 2E Applications? It’s Time To Modernize The UI
Thoroughly Modern: Understanding Your IBM i Web Application Needs With Application Discovery
Thoroughly Modern: What’s New With PHP On IBM i?
Thoroughly Modern: A Wealth Of Funding Options Makes It Easier To Take On Modernization
Thoroughly Modern: Speed Up Application Development With Automated Testing
Thoroughly Modern: The Smart Approach to Modernization – Know Before You Go!
Thoroughly Modern: Strategic Things to Consider With APIs and IBM i
Thoroughly Modern: Why You Need An IT Strategy And Roadmap
Thoroughly Modern: Top Five Reasons To Go Paperless With IBM i Forms
Thoroughly Modern: Quick Digital Transformation Wins With Web And Mobile IBM i Apps
Thoroughly Modern: Digital Modernization, But Not At Any Cost
Thoroughly Modern: Digital Transformation Is More Important Than Ever
Thoroughly Modern: Giving IBM i Developers A Helping Hand
Thoroughly Modern: Resizing Application Fields Presents Big Challenges
Thoroughly Modern: Taking The Pulse Of IBM i Developers
Thoroughly Modern: More Than Just A Pretty Face
Thoroughly Modern: Driving Your Synon Applications Forward
Thoroughly Modern: What To Pack For The Digital Transformation Journey