The most effective approach to cybersecurity is having multiple layers of defense mechanisms deployed to protect your systems. This is commonly referred to as “Defense in Depth”.
Because your IBM i holds data that is vital to your business, implementing multiple IBM i technologies that will help prevent or detect an accidental error or malicious behavior is essential.
Watch our on-demand webinar where Carol Woodbury of DXR Security discusses three of the current real-world issues facing organizations today and how layering multiple security technologies can protect your data and avoid business disruptions.
Register to hear about:
• The benefits of implementing defense in depth
• Determining the value and risk level of your data
• Developing a plan to implement as many layers as needed to appropriately reduce risk
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
Addressing the Top 3 Real-world Security Challenges for Your IBM i Systems
1. Addressing the Top 3
Real-world Security
Challenges for Your
IBM i Systems
Carol Woodbury | CISSP, CRISC, PCIP
DXR Security
Bill Hammond | Director, Product Marketing
Precisely
2. Today’s Topics
• Value of Your Data
• Top Three Security Challenges
• How Precisely Can Help
4. Goals
Understand the benefits of implementing multiple
layers of defense (defense in depth)
Determine the value and risk level of your data
Develop a plan to implement as many layers as
needed to reduce risk to acceptable level
5. Not all Data is Created Equal
Data has value to an
organization
Most people think that means
data under regulatory
requirements
Data unique to the organization
may have even more value
Inventory
Pricing
Vendor list
Monthly sales
6. What’s the Cost of the Data …
Not being accurate?
Not being available?
Being stolen?
Used by a competitor
Sold on the Dark Web
Being posted on the Internet?
7. Previous answers determine Value
Implement multiple layers of defense
based on Value of the data to your
organization
9. Scenario #1: Protecting Against the Accidental Error
Company A has multiple warehouses in different regions,
each with their own sales figures
Employee in Warehouse 200 wrote an application using
ODBC to download his sales figures to a spreadsheet
Company A was ok with this, just didn’t want employee to
accidentally upload the spreadsheet back to IBM i.
10. Acknowledge that Accidental Errors Occur
Insiders
Malicious insider – 14%
Credential theft – 23%
Negligence – 63%
Ponemon Institute The Cost of
Insider Threats – 2020
https://www.ibm.com/security/digita
l-assets/services/cost-of-insider-
threats/#/
12. Layers of Defense Implemented
Implemented IBM i object level
security, setting *PUBLIC to
*USE, granting more authority
for profiles running processes
that wrote to these files
Removed users from group that
owned the application
Reduced number of users with
*ALLOBJ
Authority required can be
discovered via Authority
Collection
14. Scenario #2: Malware
Two types of malware affect IBM i:
Resident (Stored) in the IFS
Coming in via a file share
https://www.securityweek.com/industry
-reactions-ransomware-attack-colonial-
pipeline
https://www.securityweek.com/fbi-
confirms-revil-ransomware-involved-
jbs-attack
https://www.securityweek.com/white-
house-urges-private-companies-help-
fight-against-ransomware
17. Who Can Use a File Share?
Unlike Windows, there is no permission on the share itself
What the malware can do will depend on
How the share is defined – Read only or Read/Write
The user’s authority to the directory and objects in the directory
Goals:
Remove unused shares
If required, reduce to Read only when possible
18. Share Permissions
Read share
Share
Permission
What can be
Accomplished
If user has at least *READ authority,
contents can be read
Contents cannot be updated regardless
of user’s authority to the object
Read/Write share If user has at least *READ authority,
contents can be read
If user has at least *W (write) authority,
contents can be modified
User must have sufficient authority for
the operation being attempted (either a
read or a write)
19. To Reduce the Risk Of Malware
Educate your users!
Back-ups
Do them!
Verify them!
Store them separately
Shares
DO NOT SHARE ROOT !!!! (or QSYS.lib)
Remove unnecessary shares
Set shares to Read-only where possible
Secure shared objects
20. If Infected …
Pull out your incident response plan !
Determine if you’re still under attack or if it’s contained
Determine if you can resolve yourself or need to call in experts
Determine if you need to notify law enforcement
If ransomware, determine if ransom will be paid
Quality and availability of your back-ups may determine
whether you can recover from a malware attack
21. Real Scenario
Dear MsWoodbury,
I was forwarded your info. As of last night, we are being held hostage.We've
been in touch with the FBI and IBM.We have a ransom note on our servers. I can
be reached at xxx-xxx-xxxx
- via LinkedIn and Voicemail
24
22. Layers of Defense Implemented
Develop incident response plan
Clean up file shares
Implement object level security on
appropriate directories
Use an exit program to control who
can use the NetServer server
Reduce the number of profiles with
*ALLOBJ special authority
Encrypt critical/sensitive
information
MFA
24. Scenario #3: Malicious Attack
Can occur from a variety of sources
Malicious insider
Nation-state attacks
Competitors
Attacker exploiting a vulnerability
Microsoft Exchange Server
https://www.afr.com/technology/thousands-of-aussie-businesses-hit-by-
microsoft-security-flaws-20210308-p578rc
Malware
Current ransomware exploits do recon on the network prior to encrypting files
and/or use credentials purchased on the dark web
https://www.secureworldexpo.com/industry-news/doj-seizes-colonial-pipeline-
ransom-payment
25. Why Multiple Layers of Defense?
Colonial was attacked using a VPN without MFA using a
profile that wasn’t in use with a password that is suspected
to have been purchased on the dark web.
Layers:
Client education – don’t use the same password everywhere!
Password management – change passwords regularly even for
service accounts
Profile management – delete or at least disable inactive profiles
Require MFA
Any one of these could have prevented access!
26. Protect Data
Implement object level security
on critical data
Reduce the number of users
with *ALLOBJ special authority
Use RCAC to implement
additional privileges
Encrypt critical data
Use exit point software to further
restrict access (or at least log
access)
27. Encrypt all Sessions
Internal communications are
often not encrypted
WFH or WFS (Work from
Starbucks ) not using a VPN
Vulnerable to sniffing
28. Multi-factor Authentication (MFA)
Requires two or more ‘factors’ to
authenticate (gain access to the
system)
Something you know (password,
pin)
Something you are (fingerprint,
facial recognition, optical scan)
Something you have (token, bank
card)
Recommended for at least
‘powerful’ profiles
Helps prevent credential stuffing
29. Use IBM i to Alert to Trouble
Are you sending IBM i
information to your SIEM? If
not, why not?
See MC Press article for more
considerations
https://www.mcpressonline.com/se
curity/ibm-i-os400-i5os/what-ibm-i-
information-should-i-be-sending-to-
my-siem
30. Monitor Audit Journal Entries to Detect an Attack
PW
‘U’ entries where the User is “root” or “Admin” and attempt originates from outside of the
organization
‘P’ entries where many occur within a short period of time and for the well-known IBM i-
supplied profiles (QSYS, QSECOFR, QUSER, QSYSOPR, QPGMR, QSRV, QSRVBAS)
JS
Job start entries that originate from an unknown external IP address
Job starts for unknown entries (such as QSECOFR)
CP
Password changes for QSECOFR and other IBM-supplied profiles
Re-enablement of QSECOFR (if kept STATUS *DISABLED)
VP
Invalid password attempts via NetServer
31. Use Intrusion Detection
IM – Audit entries – Used to detect DDoS attacks and cryptomining malware
See
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzaubkickoff.htm
>>> It takes tuning! <<<
32. Layers of Defense to Implement
Protect the data
Object level security
Reduce *ALLOBJ
RCAC
Encryption
Exit points
Encrypt sessions
MFA
Use the audit journal
SIEM
Alerting
33. How many layers of defense is enough?
Must first answer:
What is the value of the data to your
organization?
What is the cost of it being inaccurate,
unavailable or stolen?
35. Talking with Management
Your suggestions for resolving
issues need to be high level
Avoid technical terms
Talking in terms of loss to the
business – operational risk and
how it can be prevented
May have to explain to
management what (all) runs on
IBM i
Again… in business terms
36. Talking with Management
Your suggestions for resolving
issues need to be high level
Avoid technical terms
Talking in terms of loss to the
business – operational risk and
how it can be prevented
May have to explain to
management what (all) runs on
IBM i
Again… in business terms
37. Operational Risk
Operational risk is caused by inadequate or failed internal
processes or controls and results in loss (e.g., time,
reputation, money)
Example:
We have data on one of our key servers – IBM i – that is
vulnerable to being infected with ransomware and I would like to
take steps to reduce that operational risk
38. Don’t get Overwhelmed!
With management, develop a plan
to address vulnerabilities
Do something!
Take a step – ANY step to reduce
your organization’s risk
39. For More
Information
RCAC Redpiece
http://www.redbooks.ibm.com/abstracts/redp5110.html?Open
Intrusion Detection
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzau
bpdf.pdf?view=kc
IBM i Security Reference – PDF
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzarl/sc415302.
pdf?view=kc
Chapters 2 and 3 – System Values
Chapter 9 - Auditing
Chapter 10 – Authority Collection
IBM i Security Administration and Compliance, 3nd edition, by Carol Woodbury,
2020.
DXR Security www.dxrsecurity.com
42