Thoroughly Modern: What You Need to Know About IBM i Security
March 13, 2023 Fresche Solutions
On a weekly basis, the security experts at Fresche receive calls from IBM i organizations asking for help with ransomware and cyberattacks. These calls are from a broad range of organizations across the spectrum of industries and company sizes.
The IBM i platform has a very strong reputation for being secure, but it’s a dangerous misconception that it is secure out of the box. We can’t tell you how many times we’ve seen an enormous lack of security configuration on the system. It’s often due to a lack of security knowledge and skills on IBM i. But many people still think there’s just no need to secure the box, which is obviously wrong. While IBM i does have a great architecture and many excellent security features, without intentional, proper security configured and implemented on the system, all of the data and applications on it are left wide open and are vulnerable to security breaches.
Here is a good example that comes from late 2021: The Log4Shell vulnerability, also known as Log4j. It was a severity 10 critical security vulnerability. And if it was exploited, which was quite common, it allowed a hacker to remotely execute code on a system.
Not long after the Log4j vulnerability was revealed, we received a call asking for help to determine why there were so many continual failed sign-on attempt alerts coming in from a client’s system. This company did have TGDetect, our network monitoring and intrusion detection software, installed and implemented, so they could receive these alerts and then go on to analyze their IBM i network traffic to determine the source of the intrusion attempts. That led this company to isolate the workstation that had been exploited, and the IT staff to quickly patch the system before the company’s data was breached. It wasn’t the other systems in the network that alerted to this vulnerability being exploited; it was the IBM i. The workstation was a Windows laptop that had been affected, which they were able to get cleaned up.
But without those security measures in place and the quick response time they enabled, who knows how far the malware would have gotten on the IBM i and throughout the entire network and how much damage it could have caused before it was detected. Additionally, without proper monitoring and having an audit trail set up, there would be no data available to perform forensic analysis and identify the cause of attacks like this.
If you want to lock down your IBM i systems, make a list of what is important and then start checking those things off one at a time. Locking down IT systems can feel overwhelming, but it doesn’t need to be. The most important thing to realize is that any progress is good progress. And we can help you with a list of things to do, ranked by importance.
Network Monitoring
The top of the list is network monitoring for your IBM i. With network monitoring, you are able to see who is accessing your system and find out: What IP address is the access coming from? Where is it coming from? Who is it? What are they doing? What protocol are they using? Is it coming through Telnet, FTP, ODBC? Or is it coming from a lower, port-level connection like SSH, which Log4Shell exploits quite well – and other malware does as well.
Programmatic attacks on the IBM i platform are something that we see on a regular basis. Just a few days ago, there was another example: invalid Telnet sign-on attempts every 30 seconds. It was obviously a systematic attack on the IBM i. When you have clear visibility into this sort of activity, you can take the actions necessary to eliminate the threat and not remain vulnerable, especially if the attack were to discover a weak profile to compromise.
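The every-30-seconds pattern described above can be separated from ordinary mistyped passwords by how regular the gaps between failures are. The following is an added example, not Fresche or TGDetect code; the log line layout, the thresholds, and the sample events (including the profile names) are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sign-on events (not real data): timestamp, source IP, protocol, profile, result.
SAMPLE_EVENTS = """\
2023-03-01T02:00:00 203.0.113.45 TELNET ADMIN FAIL
2023-03-01T02:00:30 203.0.113.45 TELNET BACKUP FAIL
2023-03-01T02:01:01 203.0.113.45 TELNET OPERATOR FAIL
2023-03-01T02:01:30 203.0.113.45 TELNET TEST FAIL
2023-03-01T02:02:00 203.0.113.45 TELNET GUEST FAIL
2023-03-01T02:02:31 203.0.113.45 TELNET ADMIN FAIL
2023-03-01T08:59:10 198.51.100.7 TELNET JSMITH FAIL
2023-03-01T08:59:25 198.51.100.7 TELNET JSMITH FAIL
2023-03-01T09:03:40 198.51.100.7 TELNET JSMITH FAIL
2023-03-01T09:03:52 198.51.100.7 TELNET JSMITH FAIL
2023-03-01T09:10:00 198.51.100.7 TELNET JSMITH FAIL
2023-03-01T09:10:20 198.51.100.7 TELNET JSMITH OK
"""

def parse_events(text):
    """Turn each non-blank line into (timestamp, source, protocol, profile, result)."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, src, proto, profile, result = line.split()
        events.append((datetime.fromisoformat(ts), src, proto, profile, result))
    return events

def find_scripted_failures(events, min_failures=5, max_jitter_s=3.0):
    """Flag sources whose failed sign-ons arrive at a near-constant interval."""
    failures = defaultdict(list)
    for ts, src, proto, profile, result in events:
        if result == "FAIL":
            failures[(src, proto)].append((ts, profile))
    findings = []
    for (src, proto), hits in sorted(failures.items()):
        if len(hits) < min_failures:
            continue  # too few data points to judge cadence
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        period = median(gaps)
        jitter = max(abs(g - period) for g in gaps)
        if jitter <= max_jitter_s:  # a person retyping a password is far less regular
            findings.append({"source": src, "protocol": proto, "failures": len(hits),
                             "period_s": period, "profiles": sorted({p for _, p in hits})})
    return findings

if __name__ == "__main__":
    print(find_scripted_failures(parse_events(SAMPLE_EVENTS)))
```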
Privileged Access Management
Strengthening weak user profiles is another critical element of your security. On IBM i, privileged access management is paramount.
If you are not aware of what your users are able to access or how much authority they have, then you really can’t control who is accessing any data on the system. We’ve run many, many security assessments where there are an alarming number of *ALLOBJ user profiles. All object (*ALLOBJ) authority trumps everything on the system, essentially giving those users the “keys to the kingdom”.
Monitoring those users – the configuration of the users, changes to the users – and ensuring you implement a least privilege security model is an effective method to reduce the amount of excess user privileges and tighten up weak profile configuration.
Zero Trust Is Necessary
Implementing a zero-trust policy is also a strong security tactic and is highly recommended in this present day of sophisticated cyber attacks.
While it is good to have your network perimeter protected with a firewall, it would be naïve to think a firewall can protect against all types of attacks. With the evolution in the world of cybercrime, it is critical to consider the large number of security breaches that happen from corporate firewalls being completely bypassed. Approximately four out of ten ransomware attacks come through phishing emails. A high volume of them also come from software vulnerabilities, especially considering the difficulties surrounding patch currency.
The main thing to consider is if a hacker can penetrate your network firewall, what protections do you have in place to protect your crown jewels, or critical data? Consider the analogy of your front door being locked and someone breaking in – are the valuables in your house lying out on the counter to be quickly stolen, or are they locked away in a safe? Hopefully, they’re in a safe. The safe is the additional layer of protection you need because you don’t put all your trust in the front door security system. That’s the same approach we need to take with data security – implementing various layers of access control. This analogy can be taken a step further even for the people you invite into your home, or the users working within your corporate network – do you want everyone to be able to access everything inside, including your valuables and sensitive data, or should critical items be locked up with limited access? Relying on one layer of external network protection will not help if user credentials are compromised and there is no further data security in place.
Other Things On the Security Wish List
Here are some other important things to consider:
- Strong object-level security – without proper authorities defined on your programs and files, sensitive data can be left highly vulnerable to unauthorized access, both from internal IBM i applications as well as external applications and protocols like FTP and SSH.
- Solid Integrated File System (IFS) permissions – an IFS file structure looks just like any other file structure to ransomware, and it is an easy target when users have drives mapped to the IFS. In addition, the IFS is also accessible through various protocols that don’t require mapped drives, so it’s even more important to ensure the root directory and sensitive directories within the environment are secured as needed.
- Auditing is huge. In the event of an actual security breach, you need to have an audit trail to see what exactly happened, when it happened, how it happened, etc. It empowers you with the data you need to do forensic analysis and implement more effective controls in the future. You may also be required to prove that due diligence was performed prior to the event.
- Event notification is another important factor in improving your response time to security events. If you have alerting in place, as in the Log4Shell exploit example above, the time it takes you to mitigate threats on your system can be drastically reduced, which can halt an attack.
- Network protection needs to be comprehensive – assume that hackers will gain entry into one layer or another. Implementing security measures across network layers is critical in making sure all your data is locked down.
There are automated tools such as the TGSecurity Suite to help you monitor security on your systems and protect your data:
- TGSecure is a very comprehensive security enforcement tool that allows for network monitoring, handling user profiles effectively and securely and keeping them in compliance with your standards, as well as many other areas of the system, including implementing proper object authorities and IFS permissions.
- TGDetect provides real-time security monitoring and alerting and integrates with any Security Information and Event Management (SIEM) solution on the market.
- TGAudit is a reporting engine that allows you to report on any area of security on the system. And it gives you high-level reports so you can see at a glance what is going on and be notified of what areas to pay attention to instead of just scouring through pages and pages and pages of data.
- TGEncrypt allows you to encrypt sensitive data.
- TGMFA allows you to quickly enable multi-factor authentication on different business applications.
With these tools in place, you can proactively increase protection on your systems from ransomware and malware.
For anyone who is just getting started with security, Fresche can do a free security assessment on your system to understand the state of security on your IBM i server. If you are a little more advanced, download the free trial of all the tools within TGSecurity Suite for 30 days and try it out for yourself. These tools let you quickly generate report cards that give you a comprehensive view of your security stance and provide numerous ways to monitor and lock down your system. If you have any questions or are wondering how to address a specific security or compliance concern, please email our IBM i security experts at info@freschesolutions.com.
This content is sponsored by Fresche Solutions.