Your IBM i holds data that is vital to your business and can be a target for ransomware and other types of malware. Did you know a frequent vulnerability that is exploited to initiate a ransomware attack on your IBM i is a compromised password?
Security breaches caused by passwords written on sticky notes, guessed passwords, or bruteforce password attacks have compelled IBM i shops to implement stronger password management controls. One of the most effective protections against this type of attack is MultiFactor Authentication.
Watch this on-demand webinar to learn:
- What true multifactor authentication really is
- How malware gets on to the IBM i system
- Tips on implementing MFA for the IBM i
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Effectively Defending Your IBM i from Malware with Multi-Factor Authentication
1. Bill Hammond | Director, Product Marketing
Dawn Winston | Product Management Director
Effectively Defending
Your IBM i from
Malware with Multi-
Factor Authentication
2. Housekeeping
Webinar Audio
• Today’s webcast audio is streamed through your
computer speakers
• If you need technical assistance with the web interface
or audio, please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the
presentation using the Q&A box. If we don't get to your
question, we will follow-up via email
Recording and slides
• This webinar is being recorded. You will receive an email
following the webinar with a link to the recording and
slides
3. Today’s Agenda
• IBM i security landscape
• Authentication options and
tradeoffs
• Tips on implementing multi-
factor authentication for IBM i
3
4. Assure Security for IBM i
• Defending against the increasing sophistication and complexity
of today’s security threats, including malware requires a
comprehensive, multi-layered approach.
• The key is to maximize the strength of each layer of your
defenses, and then ask:
“If this layer is breached, what do I have
in place to prevent further damage?”
• Assure Security delivers market-leading IBM i security
capabilities that help your organization successfully comply
with increasingly stringent cybersecurity regulations and
effectively address current and emerging security threats.
5. • Despite the inherent security capabilities of IBM i
(AS/400), it isn’t without vulnerabilities.
• These security gaps can range from relatively
common configuration issues to more complex
and systematic concerns, but businesses must
identify and rectify them to maintain the integrity
of their IBM i platform.
• Even a single network intrusion can put
organizational data and operability at risk.
IBM i security threats are increasing
10% increase in
costs of a Data
Breach in 2021*
Breaches from
compromised
credentials
surged by 450%
in 2020***
Cost of data
breach is $180
per record for
customer PII*
Average cost of
a ransomware
breach is $4.62
million
88% of
organizations see
malware as
extreme or
moderate threat**
Average
total cost of a
ransomware
breach is $4.62m*
* Cost of a Data Breach Report 2021-IBM Security
** 2021 Malware Report-Cybersecurity Insiders
*** 2021 ForgeRock Consumer Identity Breach Report
6. Defending against Credential
Theft
Why Do Organizations
Need to Control Privilege
User Access?
Credential theft is when a
bad actor obtains users’ user
ids and passwords (via theft
from another site, via
phishing, etc.) and uses them
to gain access to an
organization’s systems.
• When configured to require
an additional piece of
information besides user id
and passwords, i.e., multi-
factor authentication,
having a valid user
id/password combination is
no longer sufficient to gain
access to the systems.
• Think about it. Apple and
Google use MFA for
phones. How much more
valuable is data on an IBM
i?
8. Malware on IBM i
• No (current) malware for IBM i ‘proper’
– that is, the operating system itself
• IBM i can be affected by malware in
the IFS in two ways
• An infected object is stored in the IFS
• Malware enters the system from an
infected workstation to a mapped drive
(that is, IBM i) via a file share
9. 9
Access Control
• Prevent unauthorized logon
• Manage users’ system privileges
• Control and restrict access to data,
system settings, and command line
options
Monitoring
• Automate security and compliance
alerts and reports
• Monitor and block views of sensitive
data
• Integrate IBM i security data into
SIEM solutions
Malware Defense
• Harden all systems and data
against attacks
• Automate and integrate security
technologies and management
• Design for depth and resilience if
one or more defenses fail
Assure
Security:
Addressing
Critical Security
Challenges
Data Privacy
• Encrypt IBM i data
• Secure encryption key management
• Tokenization and Anonymization
• File transfer security for Data in
Motion
10. 10
10
Assure Security
Data Privacy
Assure Encryption
Assure Secure File
Transfer
Assure Monitoring
and Reporting
Assure Db2 Data
Monitor
Access Control
Assure System
Access Manager
Assure Elevated
Authority Manager
Assure Multi-Factor
Authentication
Monitoring Malware Defense
Assure System
Access Manager
Assure Elevated
Authority Manager
Assure Multi-Factor
Authentication
Assure Monitoring
and Reporting
Assure Encryption
Assure
Security:
Addressing
Critical
Security
Challenges
12. Why Adopt Multi-Factor
Authentication?
• Regulations are evolving to require or recommend MFA. Consult
the latest documentation for the regulations that impact your
business!
• MFA avoids the risks and costs of:
• Weak passwords
• Complex passwords
• MFA is a good security measure when:
• It is customizable and simple to administer
• End users adoption is easy
• MFA can support internal strategy and legal requirements
• BYOD (Bring Your Own Device) vs COPE (Corporate Owned,
Personally Enabled)
• Multi-Factor Authentication is the direction!
12
13. Multi-Factor Authentication
Adds a Layer of Login Security
Multi-Factor Authentication (MFA), sometimes called Two-
Factor Authentication (2FA), uses two or more of the following
factors :
• Something you know or a “knowledge factor”
• E.g. user ID, password, PIN, security question
• Something you have or a “possession factor”
• E.g. smartphone, smartcard, token device
• Something you are or an “inherence factor”
• E.g. fingerprint, iris scan, voice recognition
Typical authentication on IBM i uses 2 items of
the same factor – User ID and password.
This is not multi-factor authentication.
13
14. Authentication
/ Verification
UserID
Password
Passcode
Logged in
Single Step
SUCCESS
FAILURE
Multi-Step vs. One-Step Authentication
Multi-Step Authentication
• Two authentication steps are presented separately
• If authentication fails, the user knows which step failed
14
One-Step Authentication
• Multiple authentication factors presented at the same
time
• All factors must be validated before granting access
• If authentication fails, user doesn’t know which factor
failed
Authentication
Verification
User ID &
Password
Passcode
Logged in
Step 1
Step 2
SUCCESS
SUCCESS
FAILURE
FAILURE
Not understanding which authentication
factor failed is frustrating for end users, but it
is required by regulations such as PCI.
15. Examples of MFA
15
This is Not MFA
Two things the user knows
and no other factor is not MFA
A combination of things the
user knows, has or is provides
MFA
16. Why Is Multi-Factor
Authentication Required?
• MFA supports the requirements of numerous industry and
governmental regulations
• Multi-Factor Authentication is required by
• PCI-DSS 3.2
• 23 NYCRR 500
• FFIEC
• MFA is mentioned or the benefits of MFA are implied for:
• HIPAA
• Swift Alliance Access
• GDPR
• Selective use of MFA is a good Security practice. You may be
required to use it tomorrow, if you’re not already using it today.
16
• SOX
• GLBA
• And more
18. Authentication Options
18
Authentication services*
generate codes delivered to the
user. For example:
• RADIUS compatible (RSA
SecurID, Entrust, Duo, Vasco,
Gemalto, and more)
• RFC6238 (Microsoft
Authenticator, Google
Authenticator, Authy, Yubico,
and more)
• Others (TeleSign, and more)
Use of SMS for Authentication –
PCI DSS relies on industry standards, such
as NIST, ISO, and ANSI, that cover all
industries, not just the payment industry.
While NIST currently permits the use of
SMS authentication for MFA, they have
advised that out-of-band authentication
using SMS or voice should be “restricted”
as it presents a security risk.
Authentication options, beyond
the basic factor that the user
knows, are delivered by:
• Smartphone app
• Email
• Phone call
• SMS/text message (see box)
• Hardware device such as fobs
or tokens
• Biometric device
* Not all Authentication Services are supported in
Assure Security
19. Key Features to Look for in
an IBM i MFA Solution
• Option to integrate with IBM i signon screen
• Ability to integrate MFA with other IBM i applications or processes
• Multiple authentication options that align with your budget
and current authenticators
• Certification by a standards body (e.g. RSA, NIST)
• Rules that enable MFA to be invoked for specific situations
or user criteria such as:
• Group profiles, Special authorities
• IP addresses, Device types, Dates and times
• And more
• Real risk-based authentication policy (integrated with access
control and elevated authority management capabilities)
19
21. Notes on IBM i Authentication
Process
• Can be used to protect not only the signon screen, but also to protect
application use and communication protocols (eg. FTP/ODBC/REXEC)
• Users can be registered individually or globally (through group profiles, or any
other user attribute)
• Can identify different populations of users and challenge them using different
methods
• Use existing authenticators as much as possible
• Options for one-step or two-step authentication
22. Tips and Questions to Consider
22
• It’s better to check more than just one authentication server, in case some are not reachable
• What should be done if communication cannot be established with any of the authentication servers?
• What should be done if the user provided is QSECOFR?
• What should be done if the user is connected from the console?
• What should be done if the user provided an incorrect IBM i password ? The initial program won’t be called…
• What should be done with the QMAXSIGN & QMAXSGNACN system values?
The end user should not know why his logon has failed. Text of these messages can be changed with a neutral
message such as "Access denied". These messages are in the QCPFMSG message file.
23. More MFA
Implementation Tips
• The coding must be very robust in order to not let
users finding weaknesses.
• The coding must not leave any trace of the
process in the joblog or anywhere else.
• Access to journal(s) should be protected, but this is
true anyway for any security policies in place
• Changes to the MFA configuration need to be
strongly audited and access by administrators
should be prevented (using exit points)
23
24. Additional Uses for Multi-
Factor Authentication on IBM i
24
• Enables self-service profile re-enablement and self-service password
changes
• Supports the Four Eyes Principle for supervised changes
• Protects access to certain commands like DFU, STRSQL, STRSST,
etc…
• Real risk-based authentication policy (integrated with access control
and elevated authority management capabilities)
To improve Security
Passwords alone are insufficient to protect your systems from attack
Multi-step is still better than just one step
Verizon 2018 Data Breach Investigations Report :“Use two-factor authentication Phishing campaigns are still hugely effective. And employees make mistakes. Two-factor authentication can limit the damage that can be done if credentials are lost or stolen.”
To comply with regulations and laws
HIPAA doesn't explicitly mention MFA, but due to password expiration reinforcement and updates to NIST guidance (800-63), it becomes a very reasonable solution to meet something like section 164.312d
Financial companies doing business in the state of New York have to comply with the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). Section 500.12 (b) states that “Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
To comply with regulations and laws
FFIEC recommends MFA:
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.
PCI-DSS version 3.2 requires companies to secure all administrative access to the CDE (Cardholder Data Environment) using MFA by January 2018
- Check document « Multi-Factor Authentication » – February 2017
- Check Requirement 8.3.
Multistep Versus Multifactor
The PCI requirement became simpler but more restrictive, since all factors must be verified prior to the authentication mechanism granting the requested access. Furthermore, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented. If an unauthorized user can deduce the validity of any individual factor, it doesn’t really matter if a different factor is used for each step.
Let’s say that a CDE administrator is trying to log in to a system by Secure Shell (SSH) using a username and password. Once successfully validated, the console prompts him or her for a second factor, such as a one-time password (OTP) token. This process would be considered multistep authentication.
To be considered multifactor, the administrator should be able to provide the username, password and token at the same time. If access is denied, the system should do so without disclosing which factor was entered incorrectly.
To improve Security
Passwords alone are insufficient to protect your systems from attack
Multi-step is still better than just one step
Verizon 2018 Data Breach Investigations Report :“Use two-factor authentication Phishing campaigns are still hugely effective. And employees make mistakes. Two-factor authentication can limit the damage that can be done if credentials are lost or stolen.”
To comply with regulations and laws
HIPAA doesn't explicitly mention MFA, but due to password expiration reinforcement and updates to NIST guidance (800-63), it becomes a very reasonable solution to meet something like section 164.312d
Financial companies doing business in the state of New York have to comply with the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). Section 500.12 (b) states that “Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
To comply with regulations and laws
FFIEC recommends MFA:
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.
PCI-DSS version 3.2 requires companies to secure all administrative access to the CDE (Cardholder Data Environment) using MFA by January 2018
- Check document « Multi-Factor Authentication » – February 2017
- Check Requirement 8.3.