• The Four Hundred
  • Thoroughly Modern: Top Things To Stop IBM i Hacks

    September 11, 2023 Alan Hamm

    As an IBM i security specialist, I work with organizations to strengthen their security position, uncover vulnerabilities, and implement automated solutions that help quickly detect internal and external threats. I’ve seen just how malicious and disruptive data theft can be and the lengths to which cyber criminals will go to hack your system and steal your data. While IBM i is known for its strong security measures, there are still vulnerabilities that need to be addressed and older practices that need to be updated. In fact, many IBM i servers are left dangerously exposed due to improper configurations and lack of protection.

    To successfully secure your IBM i environment, it is crucial to have a solid understanding of how IBM i security works and how it doesn’t. In this article, I will break down the different components of IBM i security and explain their roles in safeguarding your system. By understanding and implementing these measures, you can greatly reduce the risk of unauthorized access.

    One of the key proven strategies is to apply security in layers. Similar to how you would protect your home with multiple locks and alarms, securing your IBM i system requires a multi-faceted approach. By implementing a combination of the following techniques, you can create a comprehensive defense against both internal and external threats.

    Key areas to focus on for your IBM i security include:

    Network Security and Exit Points: The introduction of exit points in 1994 allowed customers to connect to the Internet via protocols like FTP, Telnet, and ODBC, opening up new opportunities for e-business. However, this also created pathways for malicious actors and software to access the system, greatly increasing security risks.

    To address this issue, IBM implemented a security regimen that works alongside the menu-based security system. With exit point programs, IBM i users have the power to control access across each exit point, down to the IP address and socket level.

    Network security software on IBM i is vital in stopping malicious users and malware, as well as preventing unwanted access from internal users. Unfortunately, many IBM i users are unaware of the importance of exit points and the role they play in securing network connections.

    Without network security software in place to monitor exit point activity, an IBM i shop is blind to incoming traffic and its origins. This leaves the server vulnerable to external and internal users. Considering the increasing malicious activity on the Internet and how quickly cybercriminals exploit new vulnerabilities, overlooking exit programs and network security is a huge risk for IBM i security.

    IFS and Object Authority: The Integrated File System (IFS) is a valuable tool for storing non-traditional data on IBM i, such as PDFs and stream files. With the rise of open source languages, the use of IFS has become increasingly popular. However, there are two important security risks associated with the IFS that all IBM i administrators should be aware of.

    Firstly, the IFS is a honeypot for cybercriminals. If an intruder manages to bypass network security, they will likely target the IFS to search for valuable directories. If user permissions on the IFS are not properly configured, the cybercriminal may gain access to sensitive and proprietary data, potentially causing significant damage to the company.

    Secondly, unlike the traditional QSYS.LIB file system, the IFS is susceptible to malware, especially Windows- and Unix-based malware. This makes it particularly vulnerable to ransomware attacks, especially if a remote user’s device is compromised and has a direct connection to the IFS.

    To address these threats, IBM i administrators must carefully restrict access to IFS files and directories. This process can be time-consuming and manual, requiring individual attention for each user. It is essential to ensure that sensitive files and directories have appropriate read and write access restrictions. Special caution is needed when dealing with the root directory, as it controls access to the entire IFS.

    Access Management: Access Management on IBM i involves multiple layers of defense and allows administrators to control user access and permissions on the system.

    When a user is registered on IBM i, the administrator assigns them a user profile. This profile, whether individual or group-based, is crucial in determining what the user can access on the system. By configuring the user profile to restrict access to specific programs or menus, the risk of both internal and external threats is minimized.

    Special authorities are also specified in the user profile. There are a handful of special authorities, but the big one is All Object Authority (*ALLOBJ), which essentially gives users free rein on the system. It’s not uncommon for many users to have *ALLOBJ attached to their user profiles, but it’s a very poor practice and opens up a number of potential security vulnerabilities.

    Authentication is another important aspect. Users typically require a username and password to sign in. IBM i allows administrators to define password complexity and expiration policies. To enhance security, many IBM i customers have adopted multi-factor authentication (MFA). MFA adds an extra layer of security by requiring users to enter a PIN code sent to their mobile phones or through an authenticator app. MFA also plays a vital role in achieving a zero-trust security approach.

    Auditing and Compliance: The IBM i server has a powerful auditing feature that records all system activity. This includes user interactions with the database, password changes, and requests for sensitive system access. These records are stored in the unalterable QAUDJRN journal.

    Enabling auditing is crucial for several reasons. Firstly, it serves as a valuable resource in detecting and investigating potential hacking attempts, both from insiders and external threats. Cybercriminals can navigate the IBM i system and cover their tracks, but with QAUDJRN turned on, it becomes significantly harder for them to hide their activities.

    Although the security logs from QAUDJRN can be dense and difficult to interpret, they provide essential raw data that is necessary for tracing attacks and assessing their impact. Without this data, your chances of making progress in investigating an attack and determining the extent of the damage are greatly diminished.

    In addition to its security benefits, auditing is also vital for regulatory compliance. If you need to adhere to regulations like GDPR, HIPAA, or PCI DSS, activating QAUDJRN should be one of your first steps. Activating QAUDJRN offers simple and cost-effective insurance for IBM i shops.

    SIEM and Forensic Accounting: It can be hard to unravel what’s going on in today’s complex and heterogeneous IT environments, especially when databases, applications, and file servers run on separate systems and communicate over the network. To help cut through the fog and connect the dots on potential criminal activity, many organizations turn to Security Event and Information Management (SIEM) solutions.

    The IBM i server can be configured to send security event data to SIEM systems, just as every other system can. To speed the integration with SIEMs, such as Splunk, Graylog, ArcSight, QRadar, and Elastic, many IBM i shops implement a log aggregator product on the IBM i to weed out the extraneous entries and convert the event data into a common format, like syslog. When connected to other systems via a SIEM, the IBM i can serve as the canary for your coal mine. If security events like multiple failed sign-in attempts or authority failures for sensitive files on IBM i are detected, it may be an early indicator that something is not right in your IT network.
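
    The filtering, syslog conversion and failed sign-in detection described above, as an added Python example that is not part of the original article or of any vendor product. The record layout, the host name IBMI01, the choice of PW and AF as the forwarded entry types, UTC timestamps, and the three-in-five-minutes threshold are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FORWARD_TYPES = {"PW", "AF"}  # assumption: PW = failed sign-on, AF = authority failure
PRI = 13 * 8 + 4              # RFC 5424: facility 13 (log audit), severity 4 (warning)

# Constructed sample records, simplified from what a QAUDJRN reader would return.
SAMPLE = [
    ("2023-09-11T02:14:05", "PW", "QSECOFR", "203.0.113.7", "invalid password"),
    ("2023-09-11T02:14:09", "CO", "APPUSER", "10.0.0.12", "object created"),
    ("2023-09-11T02:14:31", "PW", "QSECOFR", "203.0.113.7", "invalid password"),
    ("2023-09-11T02:15:02", "PW", "QSECOFR", "203.0.113.7", "invalid password"),
    ("2023-09-11T02:20:44", "AF", "JSMITH", "10.0.0.45", "not authorized to /payroll/2023.csv"),
    ("2023-09-11T09:01:10", "PW", "JSMITH", "10.0.0.45", "invalid password"),
]

def clean(value):
    """Replace control characters and quotes so a field cannot forge extra lines or keys."""
    return "".join(c if c.isprintable() and c != '"' else "_" for c in value)

def to_syslog(rec, host="IBMI01"):
    """Format one record as an RFC 5424 line; MSGID carries the audit entry type."""
    ts, etype, user, remote, detail = rec
    user, remote, detail = map(clean, (user, remote, detail))
    return f'<{PRI}>1 {ts}Z {host} QAUDJRN - {etype} - user={user} remote={remote} detail="{detail}"'

def forward(records):
    """Drop entry types the SIEM does not need and convert the rest to syslog."""
    return [to_syslog(r) for r in records if r[1] in FORWARD_TYPES]

def failed_signon_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, remote): count} where at least `threshold` PW entries fall in one window."""
    seen = defaultdict(list)
    for ts, etype, user, remote, _ in records:
        if etype == "PW":
            seen[(user, remote)].append(datetime.fromisoformat(ts))
    alerts = {}
    for key, times in seen.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                alerts[key] = max(alerts.get(key, 0), n)
    return alerts

if __name__ == "__main__":
    print("\n".join(forward(SAMPLE)))
    print(failed_signon_bursts(SAMPLE))
```

    The single later failure for JSMITH is still forwarded to the SIEM but does not raise a burst alert, which keeps the raw evidence available without paging on every mistyped password.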

    IBM i customers may resist implementing tougher security measures because they think they’ve never been hacked. However, without the QAUDJRN turned on, the IBM i customer may never know they’ve been hacked, and be unable to conduct a forensic analysis. It’s also possible that hackers have already penetrated an IBM i system but are just lurking. This so-called “dwell time” for cybercriminals has been known to extend to months.

    Without tools like QAUDJRN or log-collection turned on, an IBM i shop may never know they’ve been hacked.

    To sum things up, IBM i security is highly effective thanks to its multiple layers of protection. These layers play a crucial role in preventing unauthorized access to your data and applications, even if one layer fails. To help you strengthen your system’s security and minimize the risk of compromise, we have covered the most important IBM i security layers in this article. By identifying and addressing common security vulnerabilities in your IBM i defense, you can take control and enhance your system’s security.

    And, Fresche’s recent subscription launch of the entire TGSecurity Suite that covers all layers of security, training and support for $833 per month is changing the game and making modern, affordable security solutions accessible to every IBM i shop on the planet.

    For anyone interested, a special walkthrough workshop will be hosted on October 4 where you can pick up a Fresche TGSecurity Suite trial and follow along while I go over how to lock your system down. The invitations will go out shortly – if you would like to receive the details, email us at info@freschesolutions.com and we will add you to the list.

    Alan Hamm is a senior security services engineer at Fresche Solutions.

    This content is sponsored by Fresche Solutions.

    Tags: Fresche Solutions, IBM i, TGSecurity Suite, Thoroughly Modern


    One thought on “Thoroughly Modern: Top Things To Stop IBM i Hacks”

    • Dennis says:
      September 14, 2023 at 4:26 am

      Great article, Alan! Your insights into IBM i security are incredibly valuable, especially in today’s world where cyber threats are constantly evolving. I appreciate the emphasis on the importance of staying updated and implementing a multi-layered approach to security.


TFH Volume: 33 Issue: 53


Copyright © 2025 IT Jungle