Thoroughly Modern: What You Need to Know About IBM i Security

    March 13, 2023 Fresche Solutions

    On a weekly basis, the security experts at Fresche receive calls from IBM i organizations asking for help with ransomware and cyberattacks. These calls are from a broad range of organizations across the spectrum of industries and company sizes.

    The IBM i platform has a very strong reputation for being secure, but it’s a dangerous misconception that it is secure out of the box. We can’t tell you how many times we’ve seen an enormous lack of security configuration on the system. It’s often due to a lack of security knowledge and skills on IBM i. But many people still think there’s just no need to secure the box, which is obviously wrong. While IBM i does have a great architecture and many excellent security features, without intentional, proper security configured and implemented on the system, all of the data and applications on it are left wide open and are vulnerable to security breaches.

    Here is a good example that comes from late 2021: The Log4Shell vulnerability, also known as Log4j. It was a severity 10 critical security vulnerability. And if it was exploited, which was quite common, it allowed a hacker to remotely execute code on a system.

    Not long after the Log4j vulnerability was revealed, we received a call asking for help to determine why there were so many continual failed sign-on attempt alerts coming in from a client’s system. This company did have TGDetect, our network monitoring and intrusion detection software, installed and implemented, so they could receive these alerts and then go on to analyze their IBM i network traffic to determine the source of the intrusion attempts. That led this company to isolate the workstation that had been exploited, and the IT staff to quickly patch the system before the company’s data was breached. It wasn’t the other systems in the network that alerted to this vulnerability being exploited; it was the IBM i. The affected workstation was a Windows laptop, which they were able to get cleaned up.

    But without those security measures in place and the quick response time they enabled, who knows how far the malware would have gotten on the IBM i and throughout the entire network and how much damage it could have caused before it was detected. Additionally, without proper monitoring and having an audit trail set up, there would be no data available to perform forensic analysis and identify the cause of attacks like this.

    If you want to lock down your IBM i systems, make a list of what is important and then start checking those things off one at a time. Locking down IT systems can feel overwhelming, but it doesn’t need to be. The most important thing to realize is that any progress is good progress. And we can help you with a list of things to do, ranked by importance.

    Network Monitoring

    The top of the list is network monitoring for your IBM i. With network monitoring, you are able to see who is accessing your system and find out: What IP address is the access coming from? Where is it coming from? Who is it? What are they doing? What protocol are they using? Is it coming through Telnet, FTP, ODBC? Or is it coming from a lower, port-level connection like SSH, which Log4Shell exploits quite well, as does other malware?

    Programmatic attacks on the IBM i platform are something that we see on a regular basis. Just a few days ago, there was another example: invalid Telnet sign-on attempts every 30 seconds. It was obviously a systematic attack on the IBM i. When you have clear visibility into this sort of activity, you can take the actions necessary to eliminate the threat and not remain vulnerable, especially if the attack were to discover a weak profile to compromise.
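
    One way to separate a scripted retry loop, like the sign-on failures every 30 seconds described above, from a user mistyping a password is to look at how regular the gaps between failures are. This is an added example, not code from Fresche or TGDetect; the event format, the sample lines, and the names parse_events and find_periodic_failures are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events in a made-up format (not real IBM i or TGDetect
# output): ISO timestamp, source IP, protocol, sign-on result.
SAMPLE_EVENTS = """\
2023-03-10T02:00:00 203.0.113.7 TELNET FAIL
2023-03-10T02:00:30 203.0.113.7 TELNET FAIL
2023-03-10T02:01:01 203.0.113.7 TELNET FAIL
2023-03-10T02:01:30 203.0.113.7 TELNET FAIL
2023-03-10T02:02:00 203.0.113.7 TELNET FAIL
2023-03-10T02:02:31 203.0.113.7 TELNET FAIL
2023-03-10T09:14:05 198.51.100.20 TELNET FAIL
2023-03-10T09:14:12 198.51.100.20 TELNET FAIL
2023-03-10T09:16:02 198.51.100.20 TELNET OK
2023-03-10T10:00:00 192.0.2.44 FTP FAIL
2023-03-10T10:00:04 192.0.2.44 FTP FAIL
2023-03-10T10:03:10 192.0.2.44 FTP FAIL
2023-03-10T10:03:15 192.0.2.44 FTP FAIL
2023-03-10T10:20:00 192.0.2.44 FTP FAIL
"""

def parse_events(text):
    """Yield (timestamp, ip, protocol, result) from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, proto, result = line.split()
            yield datetime.fromisoformat(ts), ip, proto, result

def find_periodic_failures(text, min_events=5, max_jitter=0.1):
    """Map (ip, protocol) -> mean gap in seconds for evenly spaced failures."""
    failures = defaultdict(list)
    for ts, ip, proto, result in parse_events(text):
        if result == "FAIL":
            failures[(ip, proto)].append(ts)
    flagged = {}
    for source, stamps in failures.items():
        if len(stamps) < min_events:
            continue  # too few failures to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Jitter = standard deviation of the gaps relative to their mean.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[source] = round(avg, 1)
    return flagged

print(find_periodic_failures(SAMPLE_EVENTS))
```

    Only the source that fails at a steady interval is flagged; the source with five failures at irregular intervals and the user with two failures followed by a success are not.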

    Privileged Access Management

    Strengthening weak user profiles is another critical element of your security. On IBM i, privileged access management is paramount.

    If you are not aware of what your users are able to access or how much authority they have, then you really can’t control who is accessing any data on the system. We’ve run many, many security assessments where there are an alarming number of *ALLOBJ user profiles. All object (*ALLOBJ) authority trumps everything on the system, essentially giving those users the “keys to the kingdom”.

    Monitoring those users – the configuration of the users, changes to the users – and ensuring you implement a least privilege security model is an effective method to reduce the amount of excess user privileges and tighten up weak profile configuration.

    Zero Trust Is Necessary

    Implementing a zero-trust policy is also a strong security tactic and is highly recommended in this present day of sophisticated cyber attacks.

    While it is good to have your network perimeter protected with a firewall, it would be naïve to think a firewall can protect against all types of attacks. With the evolution in the world of cybercrime, it is critical to consider the large number of security breaches that happen from corporate firewalls being completely bypassed. Approximately four out of ten ransomware attacks come through phishing emails. A high volume of them also come from software vulnerabilities, especially considering the difficulties surrounding patch currency.

    The main thing to consider is if a hacker can penetrate your network firewall, what protections do you have in place to protect your crown jewels, or critical data? Consider the analogy of your front door being locked and someone breaking in – are the valuables in your house laying out on the counter to be quickly stolen, or are they locked away in a safe? Hopefully, they’re in a safe. The safe is the additional layer of protection you need because you don’t put all your trust in the front door security system. That’s the same approach we need to take with data security – implementing various layers of access control. This analogy can be taken a step further even for the people you invite into your home, or the users working within your corporate network – do you want everyone to be able to access everything inside, including your valuables and sensitive data, or should critical items be locked up with limited access? Relying on one layer of external network protection will not help if user credentials are compromised and there is no further data security in place.

    Other Things On the Security Wish List

    Here are some other important things to consider:

    • Strong object-level security – without proper authorities defined on your programs and files, sensitive data can be left highly vulnerable to unauthorized access, both from internal IBM i applications as well as external applications and protocols like FTP and SSH.
    • Solid Integrated File System (IFS) permissions – an IFS file structure looks just like any other file structure to ransomware, and it is an easy target when users have drives mapped to the IFS. In addition, the IFS is also accessible through various protocols that don’t require mapped drives, so it’s even more important to ensure the root directory and sensitive directories within the environment are secured as needed.
    • Auditing is huge. In the event of an actual security breach, you need to have an audit trail to see what exactly happened, when it happened, how it happened, etc. It empowers you with the data you need to do forensic analysis and implement more effective controls in the future. You may also be required to prove that due diligence was performed prior to the event.
    • Event notification is another important factor in increasing your response time to security events. If you have alerting in place, as in the Log4Shell exploit example above, your response time to mitigate threats on your system can be drastically reduced and halt an attack.
    • Network protection needs to be comprehensive – assume that hackers will gain entry into one layer or another. Implementing security measures across network layers is critical in making sure all your data is locked down.

    There are automated tools such as the TGSecurity Suite to help you monitor security on your systems and protect your data:

    • TGSecure is a very comprehensive security enforcement tool that allows for network monitoring and for handling user profiles effectively and securely while keeping them in compliance with your standards. It also covers many other areas of the system, including implementing proper object authorities and IFS permissions.
    • TGDetect is real-time security monitoring and alerting and integrates with any Security Information and Event Management (SIEM) solution on the market.
    • TGAudit is a reporting engine that allows you to report on any area of security on the system. And it gives you high-level reports so you can see at a glance what is going on and be notified of what areas to pay attention to instead of just scouring through pages and pages and pages of data.
    • TGEncrypt allows you to encrypt sensitive data.
    • TGMFA allows you to quickly enable multi-factor authentication on different business applications.

    With these tools in place, you can proactively increase protection on your systems from ransomware and malware.

    For anyone who is just getting started with security, Fresche can do a free security assessment on your system to understand the state of security on your IBM i server. If you are a little more advanced, download the free trial of all the tools within TGSecurity Suite for 30 days and try it out for yourself. These tools let you quickly generate report cards that give you a comprehensive view of your security stance and provide numerous ways to monitor and lock down your system. If you have any questions or are wondering how to address a specific security or compliance concern, please email our IBM i security experts at info@freschesolutions.com.

    This content is sponsored by Fresche Solutions.

TFH Volume: 33 Issue: 14


Copyright © 2023 IT Jungle