The most effective approach to cybersecurity is having multiple layers of defense mechanisms deployed to protect your systems. This is commonly referred to as “Defense in Depth”. Because your IBM i holds data that is vital to your business, implementing multiple IBM i technologies that will help prevent or detect an accidental error or malicious behavior is essential. Watch our on-demand webinar where Carol Woodbury of DXR Security discusses three of the current real-world issues facing organizations today and how layering multiple security technologies can protect your data and avoid business disruptions. Register to hear about: • The benefits of implementing defense in depth • Determining the value and risk level of your data • Developing a plan to implement as many layers as needed to appropriately reduce risk

1. Addressing the Top 3
Real-world Security
Challenges for Your
IBM i Systems
Carol Woodbury | CISSP, CRISC, PCIP
DXR Security
Bill Hammond | Director, Product Marketing
Precisely

2. Today’s Topics
• Value of Your Data
• Top Three Security Challenges
• How Precisely Can Help

3. © DXRSecurity, All Rights Reserved.
Carol Woodbury
CISSP, CRISC, PCIP
Addressing the Top 3 Real-world Security
Challenges for Your IBM i Systems

4. Goals
Understand the benefits of implementing multiple
layers of defense (defense in depth)
Determine the value and risk level of your data
Develop a plan to implement as many layers as
needed to reduce risk to acceptable level

5. Not all Data is Created Equal
 Data has value to an
organization
 Most people think that means
data under regulatory
requirements
 Data unique to the organization
may have even more value
 Inventory
 Pricing
 Vendor list
 Monthly sales

6. What’s the Cost of the Data …
 Not being accurate?
 Not being available?
 Being stolen?
 Used by a competitor
 Sold on the Dark Web
 Being posted on the Internet?

7. Previous answers determine Value
Implement multiple layers of defense
based on Value of the data to your
organization

8. Scenario #1

9. Scenario #1: Protecting Against the Accidental Error
 Company A has multiple warehouses in different regions,
each with their own sales figures
 Employee in Warehouse 200 wrote an application using
ODBC to download his sales figures to a spreadsheet
 Company A was ok with this, just didn’t want employee to
accidentally upload the spreadsheet back to IBM i.

10. Acknowledge that Accidental Errors Occur
 Insiders
 Malicious insider – 14%
 Credential theft – 23%
 Negligence – 63%
 Ponemon Institute The Cost of
Insider Threats – 2020
 https://www.ibm.com/security/digita
l-assets/services/cost-of-insider-
threats/#/

11. Stats
Prevalence Cost
(Annualized)
Remediation /
Incident
Negligence 63% $4.58M $300K
Criminal insider 14% $4.08M $757K
Stolen credentials 23% $2.79 M $872K
Source: 2020 Ponemon Institute The Cost of Insider Threats

12. Layers of Defense Implemented
 Implemented IBM i object level
security, setting *PUBLIC to
*USE, granting more authority
for profiles running processes
that wrote to these files
 Removed users from group that
owned the application
 Reduced number of users with
*ALLOBJ
 Authority required can be
discovered via Authority
Collection

13. Scenario #2

14. Scenario #2: Malware
Two types of malware affect IBM i:
 Resident (Stored) in the IFS
 Coming in via a file share
 https://www.securityweek.com/industry
-reactions-ransomware-attack-colonial-
pipeline
 https://www.securityweek.com/fbi-
confirms-revil-ransomware-involved-
jbs-attack
 https://www.securityweek.com/white-
house-urges-private-companies-help-
fight-against-ransomware

16. File Shares
Worst possible scenario is to have a Read/Write share to root

17. Who Can Use a File Share?
 Unlike Windows, there is no permission on the share itself
 What the malware can do will depend on
 How the share is defined – Read only or Read/Write
 The user’s authority to the directory and objects in the directory
 Goals:
 Remove unused shares
 If required, reduce to Read only when possible

18. Share Permissions
Read share
Share
Permission
What can be
Accomplished
If user has at least *READ authority,
contents can be read
Contents cannot be updated regardless
of user’s authority to the object
Read/Write share If user has at least *READ authority,
contents can be read
If user has at least *W (write) authority,
contents can be modified
User must have sufficient authority for
the operation being attempted (either a
read or a write)

19. To Reduce the Risk Of Malware
 Educate your users!
 Back-ups
 Do them!
 Verify them!
 Store them separately
 Shares
 DO NOT SHARE ROOT !!!! (or QSYS.lib)
 Remove unnecessary shares
 Set shares to Read-only where possible
 Secure shared objects

20. If Infected …
 Pull out your incident response plan !
 Determine if you’re still under attack or if it’s contained
 Determine if you can resolve yourself or need to call in experts
 Determine if you need to notify law enforcement
 If ransomware, determine if ransom will be paid
Quality and availability of your back-ups may determine
whether you can recover from a malware attack

21. Real Scenario
Dear MsWoodbury,
I was forwarded your info. As of last night, we are being held hostage.We've
been in touch with the FBI and IBM.We have a ransom note on our servers. I can
be reached at xxx-xxx-xxxx
- via LinkedIn and Voicemail
24

22. Layers of Defense Implemented
 Develop incident response plan
 Clean up file shares
 Implement object level security on
appropriate directories
 Use an exit program to control who
can use the NetServer server
 Reduce the number of profiles with
*ALLOBJ special authority
 Encrypt critical/sensitive
information
 MFA

23. Scenario #3

24. Scenario #3: Malicious Attack
 Can occur from a variety of sources
 Malicious insider
 Nation-state attacks
 Competitors
 Attacker exploiting a vulnerability
 Microsoft Exchange Server
 https://www.afr.com/technology/thousands-of-aussie-businesses-hit-by-
microsoft-security-flaws-20210308-p578rc
 Malware
 Current ransomware exploits do recon on the network prior to encrypting files
and/or use credentials purchased on the dark web
 https://www.secureworldexpo.com/industry-news/doj-seizes-colonial-pipeline-
ransom-payment

25. Why Multiple Layers of Defense?
 Colonial was attacked using a VPN without MFA using a
profile that wasn’t in use with a password that is suspected
to have been purchased on the dark web.
 Layers:
 Client education – don’t use the same password everywhere!
 Password management – change passwords regularly even for
service accounts
 Profile management – delete or at least disable inactive profiles
 Require MFA
 Any one of these could have prevented access!

26. Protect Data
 Implement object level security
on critical data
 Reduce the number of users
with *ALLOBJ special authority
 Use RCAC to implement
additional privileges
 Encrypt critical data
 Use exit point software to further
restrict access (or at least log
access)

27. Encrypt all Sessions
 Internal communications are
often not encrypted
 WFH or WFS (Work from
Starbucks  ) not using a VPN
 Vulnerable to sniffing

28. Multi-factor Authentication (MFA)
 Requires two or more ‘factors’ to
authenticate (gain access to the
system)
 Something you know (password,
pin)
 Something you are (fingerprint,
facial recognition, optical scan)
 Something you have (token, bank
card)
 Recommended for at least
‘powerful’ profiles
 Helps prevent credential stuffing

29. Use IBM i to Alert to Trouble
 Are you sending IBM i
information to your SIEM? If
not, why not?
 See MC Press article for more
considerations
 https://www.mcpressonline.com/se
curity/ibm-i-os400-i5os/what-ibm-i-
information-should-i-be-sending-to-
my-siem

30. Monitor Audit Journal Entries to Detect an Attack
 PW
 ‘U’ entries where the User is “root” or “Admin” and attempt originates from outside of the
organization
 ‘P’ entries where many occur within a short period of time and for the well-known IBM i-
supplied profiles (QSYS, QSECOFR, QUSER, QSYSOPR, QPGMR, QSRV, QSRVBAS)
 JS
 Job start entries that originate from an unknown external IP address
 Job starts for unknown entries (such as QSECOFR)
 CP
 Password changes for QSECOFR and other IBM-supplied profiles
 Re-enablement of QSECOFR (if kept STATUS *DISABLED)
 VP
 Invalid password attempts via NetServer

31. Use Intrusion Detection
IM – Audit entries – Used to detect DDoS attacks and cryptomining malware
See
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzaubkickoff.htm
>>> It takes tuning! <<<

32. Layers of Defense to Implement
 Protect the data
 Object level security
 Reduce *ALLOBJ
 RCAC
 Encryption
 Exit points
 Encrypt sessions
 MFA
 Use the audit journal
 SIEM
 Alerting

33. How many layers of defense is enough?
Must first answer:
What is the value of the data to your
organization?
What is the cost of it being inaccurate,
unavailable or stolen?

34. Focus!
Focus on the data which
is most valuable to the
organization!!!

35. Talking with Management
 Your suggestions for resolving
issues need to be high level
 Avoid technical terms
 Talking in terms of loss to the
business – operational risk and
how it can be prevented
 May have to explain to
management what (all) runs on
IBM i
 Again… in business terms

36. Talking with Management
 Your suggestions for resolving
issues need to be high level
 Avoid technical terms
 Talking in terms of loss to the
business – operational risk and
how it can be prevented
 May have to explain to
management what (all) runs on
IBM i
 Again… in business terms

37. Operational Risk
 Operational risk is caused by inadequate or failed internal
processes or controls and results in loss (e.g., time,
reputation, money)
 Example:
 We have data on one of our key servers – IBM i – that is
vulnerable to being infected with ransomware and I would like to
take steps to reduce that operational risk

38. Don’t get Overwhelmed!
With management, develop a plan
to address vulnerabilities
Do something!
Take a step – ANY step to reduce
your organization’s risk

39. For More
Information
RCAC Redpiece
 http://www.redbooks.ibm.com/abstracts/redp5110.html?Open
Intrusion Detection
 https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzau
bpdf.pdf?view=kc
IBM i Security Reference – PDF
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzarl/sc415302.
pdf?view=kc
 Chapters 2 and 3 – System Values
 Chapter 9 - Auditing
 Chapter 10 – Authority Collection
IBM i Security Administration and Compliance, 3nd edition, by Carol Woodbury,
2020.
DXR Security www.dxrsecurity.com
42

40. How Precisely Can Help

41. Assure Security
44
Compliance
Monitoring
• Assure Monitoring
and Reporting
• SIEM Integration
• Assure Db2 Data
Monitor
Access
Control
• Assure MFA
• Assure Elevated
Authority
Manager
• Assure System
Access Manager
Data
Privacy
• Assure Encryption
• Assure Secure File
Transfer
Malware
Prevention
• Assure MFA
• Assure Elevated
Authority
Manager
• Assure System
Access Manager
• Assure Monitoring
and Reporting
with SIEM
Integration
• Assure Encryption

42. Q & A
45

43. Thank You
46