Contrary to popular belief, IBM i is NOT secure by default. Thankfully, it IS secure-able.
View this on-demand webinar to explore the top configuration settings that leave your IBM i vulnerable to accidental misconfiguration, malware infection (including ransomware), an outside attacker, or an ill-intentioned insider.
During this webinar, Carol Woodbury, President and CTO of DXR Security, describes each vulnerability, provides considerations prior to changing settings, and gives high-level instructions for eliminating each vulnerability.
System Hardening Recommendations_FINAL - Martin Evans
The document provides system hardening recommendations for Windows 7 workstations and Windows Server 2012 at Verisk Health. It includes recommendations for account policies, local policies, Windows Firewall settings, network list manager policies, and public key policies. The recommendations aim to enhance security by restricting user permissions, enabling encryption, and locking down network access and system objects. Implementing the changes would help protect sensitive data like PHI and PII but also require carefully considering each setting's potential impact.
Getting Started with IBM i Security: Integrated File System (IFS) - HelpSystems
The document provides an overview of IBM i security and the Integrated File System (IFS). It discusses how IFS security combines IBM i authorities, PC file properties, and Unix file permissions. It emphasizes the importance of securing the IFS root directory and limiting write access. It also addresses auditing the IFS, managing file shares, securing commands, and protecting against viruses. The presenter encourages attendees to understand how IFS security works, establish top-level folder security, and test their security measures.
CryptionPro HDD® protects confidential data through automatic and efficient HDD encryption.
Further details: http://cynapspro.com/US/products/cryptionpro-hdd
Group Policy Objects (GPOs) allow administrators to apply settings and restrictions to users and computers in Active Directory. GPOs can configure software, security, and other settings. Administrators use the Group Policy Management console to create and edit GPOs. Administrative templates define where specific policy settings are stored in the registry and are used to configure GPO settings. GPOs help administrators centrally manage network configurations and security policies.
Planning Optimal Lotus Quickr services for Portal (J2EE) Deployments - Stuart McIntyre
As per the Quickr Wiki ( http://www-10.lotus.com/ldd/lqwiki.nsf/dx/20052009045545WEBCGW.htm ):
"This document contains the presentation from Quickr masterclass covering planning optimal deployments – crawl/walk/run.
Discussing simplistic deployment architectures which can be linearly scaled over time (e.g. from POC to simple-non-clustered to clustered)
Sharing of key tips/recommendations from SVT and Perf - so as to help avoid expensive crit-sits in the field
Tuning for performance, stability and reliability"
Please note, I do not claim any ownership of this presentation, just am uploading to allow sharing via the Quickr Blog. Any questions/comments/issues, just let me know!
This session will explore Windows 7 core platform security improvements, securing anywhere access, data protection, and protecting desktop users. We will explain how Windows 7 features in each of these areas provide the foundation for a secure and reliable platform. We will discuss User Account Control improvements, enhanced auditing, Network Access Protection (NAP), Firewall improvements, AppLocker, BitLocker and BitLocker To Go enhancements, DirectAccess, Internet Explorer 8 security improvements, and EFS enhancements.
This document summarizes different methods for monitoring and remotely accessing systems. It discusses the differences between historical and real-time monitoring, and outlines ways to monitor user machines, servers, and remotely log into machines using Remote Desktop Services. Specific monitoring tools covered include Microsoft Management Console, Event Viewer, Task Manager, Performance Monitor, and event and performance logs. The document provides examples of information to monitor and considerations for remote access and server monitoring.
This document discusses servers and services in a network. It describes domain controllers, file and print servers, and server roles like Windows Internet Name Service (WINS) and Domain Name System (DNS). It also discusses Windows Server 2008 editions, reasons for using servers over desktops, best practices for running servers, and provides a case study of Nottingham Trent University's network infrastructure.
Do you know where your data is - and who has access to it? Ron Ben Natan, I... - IBM Danmark
The document discusses database security and compliance. It provides examples of how privileges like ANY privileges in Oracle or UTL_FILE access can be exploited by attackers to gain administrator access. It also discusses how auditing slows database performance. The document recommends using database activity monitoring instead of native auditing for better security, compliance, independence of audit trails, and less performance impact. It introduces IBM Guardium as a solution that addresses the full security lifecycle from monitoring to remediation.
The ADNM console provides administrators with tools to manage antivirus protection across their network. It is organized into folders containing tasks, sessions, computers, and management servers. Tasks define jobs like scanning and updating, and sessions show results of task runs. The computer catalog stores all managed machines in a customizable tree structure. Default security policies cascade down the tree but can be overridden. Management servers represent individual AMS installations used to deploy policies and collect results.
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ... - Priyanka Aash
Organizations have been forced to adapt to the new reality: Anyone can be targeted and many can be compromised.
This has been the catalyst for many to tighten up operations and revamp ancient security practices. They bought boxes that blink and software that floods the SOC with alerts. Is it enough?
The overwhelming answer is: No.
The security controls that matter most are the ones that best protect those with the keys to the enterprise, the Active Directory administrators. With this access, an attacker can do anything they want in the environment: access all sensitive data, change access controls and security settings, embed to persist (for years), and often fully manage and control routers, switches, the virtualization platform (VMWare or Microsoft Hyper-V), and increasingly, the cloud platform.
Administrators are being dragged into a new paradigm where they have to more securely administer the environment. This involves protecting privileged credentials and limiting access. Again the question is: Are the new ways to securely administer Active Directory enough to protect against attackers? Join me in this session to find out.
Some of the areas explored in this talk:
* Explore how common methods of administration fail.
* Demonstrating how attackers can exploit flaws in typical Active Directory administration.
* Highlight common mistakes organizations make when administering Active Directory.
* Discuss what's required to protect admins from modern attacks.
* Provide the best methods to ensure secure administration and how to get executive, operations, and security team acceptance.
This document provides instructions for configuring the BIG-IP Local Traffic Manager (LTM) with multiple BIG-IP Application Security Manager (ASM) devices to improve performance and scalability. Key steps include creating monitors, pools, and profiles on the LTM and ASM devices, then configuring virtual servers and a security policy. The configuration supports both fail-open and fail-closed modes.
Cansecwest - The Death of AV defence in depth - Thierry Zoller
The document discusses vulnerabilities in antivirus software. It notes that antivirus software has a large attack surface due to parsing thousands of file formats and being programmed in unmanaged languages. While antivirus vendors claim their software implements defense in depth, the document argues this is not truly the case as the software itself is left unprotected. It provides examples of bypassing antivirus detection by exploiting flaws in how the software parses file formats. The authors advocate that vendors should flag files they cannot fully scan as "unscanned" rather than reporting them as clean.
Symantec will unify information security management across endpoints, gateways and servers, and deliver targeted protection for the Enterprise with the release of new Symantec Protection Suites.
Configuration management 101 - A tale of disaster recovery using CFEngine 3 - RUDDER
The document discusses a presentation about configuration management tools and disaster recovery, describing how the speakers' company previously suffered a server failure due to two hard drive failures that wiped out their infrastructure, highlighting lessons learned about backups and the benefits of using a configuration management tool like CFEngine.
Tips to Remediate your Vulnerability Management Program - BeyondTrust
In this presentation from her webinar, renowned cybersecurity expert Paula Januszkiewicz delves into what a truly holistic vulnerability management program should look like. When all parts are correctly established and working together, organizations can dramatically dial down their risk exposure. This presentation covers:
- The key phases and activities of the vulnerability management lifecycle
- The tools you need for an effective vulnerability management program
- How to prioritize your VM needs
- How an effective VM program can help you measurably reduce risk and meet compliance objectives
You can watch the full webinar here: https://www.beyondtrust.com/resources/webinar/tips-remediate-vulnerability-management-program
The document discusses keeping private data private through various data security techniques. It focuses on data masking, which involves replacing sensitive data with realistic but non-sensitive substitutes. Various methods for data masking are described, including data substitution, truncation, randomization, and dynamic or real-time masking. The document emphasizes that data masking helps enable testing and analytics while protecting sensitive production data.
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention.
Note: this session is delivered in French
We will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data. Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
Best practices for authentication (trust, certificate, MD5, Scram, etc).
Advanced approaches, such as password profiles.
Deep dive of authorization and data access control for roles, database objects (tables etc), view usage, row level security and data redaction.
Auditing, encryption and SQL injection attack prevention.
Chris Rutter: Avoiding The Security Brick - Michael Man
Security teams provide concise summaries of dependency scans to development teams. The summaries include the vulnerability found, whether the team is affected, and how to remediate. This avoids lengthy CVE research and allows teams to focus on actual vulnerabilities. Any common libraries and frameworks are pre-scanned by security to share findings.
Wave 14 - Windows 7 Security Story Core by MVP Azra Rizal - Quek Lilian
Windows 7 provides improved security features for IT professionals to securely manage networks and protect data. It builds on the security foundations of Windows Vista with enhancements such as streamlined user account control, enhanced auditing capabilities, new remote access features like DirectAccess, and data protection tools including AppLocker, Internet Explorer 8, and expanded BitLocker and RMS capabilities. These features allow organizations to securely manage networks and infrastructure, protect users and data, and provide secure access to corporate resources from any location.
ActiveBase Security helps implement preventive security policies to protect data without modifying applications or databases. It masks, scrambles, hides, blocks and audits data accessed by outsourced teams, developers or external QA to comply with regulations like PCI and HIPAA. ActiveBase applies rules based on user context to dynamically mask data in real-time, protecting personal information from unauthorized access across applications, databases, and tools.
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention.
Note: this session is delivered in German
Speaker:
Borys Neselovskyi, Sales Engineer, EDB
Cloud computing transforms the way we can store, process and share our data. New applications and workloads are growing rapidly, which brings every day more sensitive data into the conversation about risk and what constitutes natural targets for bad actors. This presentation reflects on current best practices to address the most significant security concerns for sensitive data in the cloud, and offers participants a list of steps to achieve enterprise-grade safety with MongoDB deployments among the expanding service provider options.
Social Distance Your IBM i from Cybersecurity Risk - Precisely
The continuous news of personal information stolen from major retailers and financial institutions has driven consumers and regulatory bodies to demand that more action be taken to ensure data protection and privacy. Regulations such as PCI DSS, HIPAA, GDPR, and FISMA require that personal data be protected against unauthorized access using technologies like encryption, tokenization, masking, secure file transfer and more. With all the options available for securing IBM i data at rest and in motion, how do you know where to begin?
Register to get up to speed on the key concepts you need to know about assuring data privacy for your customers, business partners and employees.
Topics will include:
- Protecting data with encryption and the need for strong key management
- Use Cases that are best for tokenization
- Options for permanently deidentifying data
- Securing data in motion across networks
- Complete security solution for IBM i (AS/400)
Getting Started with IBM i Security: User Privileges - HelpSystems
IBM i users with excess privileges are a security risk. The results of the 2016 State of IBM i Security Study, published annually, reveal that most Power Systems lack adequate security controls and auditing measures. This PowerPoint will teach you how to limit access without hurting productivity.
Controlling Access to IBM i Systems and Data - Precisely
Security best practice and regulations such as SOX, HIPAA, GDPR and others require you to restrict access to your critical IBM i systems and their data, but this is easier said than done. Legacy, proprietary access protocols now co-exist with new, open-source protocols to create access control headaches.
View this webcast on-demand for an in-depth discussion of IBM i access points that must be secured and how exit points can be leveraged to accomplish the task. We’ll cover:
• Securing network access and communication ports
• How database access via open-source protocols can be secured
• Taking control of command execution
Windows 7 provides enhanced security features for IT professionals to securely manage access and protect data and infrastructure. It includes a fundamentally secure platform with strengthened access controls and auditing. Windows 7 also enables securing access from any location through improved network security, protection of mobile devices, and direct secure access. Additional features protect users and infrastructure through application control and data recovery tools, as well as protecting data from unauthorized viewing using encryption and information rights management.
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...IBM Danmark
The document discusses database security and compliance. It provides examples of how privileges like ANY privileges in Oracle or UTL_FILE access can be exploited by attackers to gain administrator access. It also discusses how auditing slows database performance. The document recommends using database activity monitoring instead of native auditing for better security, compliance, independence of audit trails, and less performance impact. It introduces IBM Guardium as a solution that addresses the full security lifecycle from monitoring to remediation.
The ADNM console provides administrators with tools to manage antivirus protection across their network. It is organized into folders containing tasks, sessions, computers, and management servers. Tasks define jobs like scanning and updating, and sessions show results of task runs. The computer catalog stores all managed machines in a customizable tree structure. Default security policies cascade down the tree but can be overridden. Management servers represent individual AMS installations used to deploy policies and collect results.
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...Priyanka Aash
Organizations have been forced to adapt to the new reality: Anyone can be targeted and many can be compromised.
This has been the catalyst for many to tighten up operations and revamp ancient security practices. They bought boxes that blink and software that floods the SOC with alerts. Is it enough?
The overwhelming answer is: No.
The security controls that matter most are the ones that best protect those with the keys to the enterprise, the Active Directory administrators. With this access, an attacker can do anything they want in the environment: access all sensitive data, change access controls and security settings, embed to persist (for years), and often fully manage and control routers, switches, the virtualization platform (VMWare or Microsoft Hyper-V), and increasingly, the cloud platform.
Administrators are being dragged into a new paradigm where they have to more securely administer the environment. This involves protecting privileged credentials and limiting access. Again the question is: Are the new ways to securely administer Active Directory enough to protect against attackers? Join me in this session to find out.
Some of the areas explored in this talk:
* Explore how common methods of administration fail.
* Demonstrating how attackers can exploit flaws in typical Active Directory administration.
* Highlight common mistakes organizations make when administering Active Directory.
* Discuss what's required to protect admins from modern attacks.
* Provide the best methods to ensure secure administration and how to get executive, operations, and security team acceptance.
This document provides instructions for configuring the BIG-IP Local Traffic Manager (LTM) with multiple BIG-IP Application Security Manager (ASM) devices to improve performance and scalability. Key steps include creating monitors, pools, and profiles on the LTM and ASM devices, then configuring virtual servers and a security policy. The configuration supports both fail-open and fail-closed modes.
Cansecwest - The Death of AV defence in depthThierry Zoller
The document discusses vulnerabilities in antivirus software. It notes that antivirus software has a large attack surface due to parsing thousands of file formats and being programmed in unmanaged languages. While antivirus vendors claim their software implements defense in depth, the document argues this is not truly the case as the software itself is left unprotected. It provides examples of bypassing antivirus detection by exploiting flaws in how the software parses file formats. The authors advocate that vendors should flag files they cannot fully scan as "unscanned" rather than reporting them as clean.
Symantec will unify information security management across endpoints, gateways and servers, and deliver targeted protection for the Enterprise with the release of new Symantec Protection Suites.
Configuration management 101 - A tale of disaster recovery using CFEngine 3RUDDER
The document discusses a presentation about configuration management tools and disaster recovery, describing how the speakers' company previously suffered a server failure due to two hard drive failures that wiped out their infrastructure, highlighting lessons learned about backups and the benefits of using a configuration management tool like CFEngine.
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
In this presentation from her webinar, renowned cybersecurity expert Paula Januszkiewicz delves into what a truly holistic vulnerability management program should look like. When all parts are correctly established and working together, organizations can dramatically dial down their risk exposure. This presentation covers:
- The key phases and activities of the vulnerability management lifecycle
- The tools you need for an effective vulnerability management program
- How to prioritize your VM needs
- How an effective VM program can help you measurably reduce risk and meet compliance objectives
You can watch the full webinar here: https://www.beyondtrust.com/resources/webinar/tips-remediate-vulnerability-management-program
The document discusses keeping private data private through various data security techniques. It focuses on data masking, which involves replacing sensitive data with realistic but non-sensitive substitutes. Various methods for data masking are described, including data substitution, truncation, randomization, and dynamic or real-time masking. The document emphasizes that data masking helps enable testing and analytics while protecting sensitive production data.
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention.
Note: this session is delivered in French
We will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data. Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
Best practices for authentication (trust, certificate, MD5, Scram, etc).
Advanced approaches, such as password profiles.
Deep dive of authorization and data access control for roles, database objects (tables etc), view usage, row level security and data redaction.
Auditing, encryption and SQL injection attack prevention.
Chris Rutter: Avoiding The Security BrickMichael Man
Security teams provide concise summaries of dependency scans to development teams. The summaries include the vulnerability found, whether the team is affected, and how to remediate. This avoids lengthy CVE research and allows teams to focus on actual vulnerabilities. Any common libraries and frameworks are pre-scanned by security to share findings.
Wave 14 - Winodws 7 Security Story Core by MVP Azra RizalQuek Lilian
Windows 7 provides improved security features for IT professionals to securely manage networks and protect data. It builds on the security foundations of Windows Vista with enhancements such as streamlined user account control, enhanced auditing capabilities, new remote access features like DirectAccess, and data protection tools including AppLocker, Internet Explorer 8, and expanded BitLocker and RMS capabilities. These features allow organizations to securely manage networks and infrastructure, protect users and data, and provide secure access to corporate resources from any location.
ActiveBase Security helps implement preventive security policies to protect data without modifying applications or databases. It masks, scrambles, hides, blocks and audits data accessed by outsourced teams, developers or external QA to comply with regulations like PCI and HIPAA. ActiveBase applies rules based on user context to dynamically mask data in real-time, protecting personal information from unauthorized access across applications, databases, and tools.
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention.
Note: this session is delivered in German
Speaker:
Borys Neselovskyi, Sales Engineer, EDB
Cloud computing transforms the way we can store, process and share our data. New applications and workloads are growing rapidly, which brings every day more sensitive data into the conversation about risk and what constitutes natural targets for bad actors. This presentation reflects on current best practices to address the most significant security concerns for sensitive data in the cloud, and offers participants a list of steps to achieve enterprise-grade safety with MongoDB deployments among the expanding service provider options.
Social Distance Your IBM i from Cybersecurity RiskPrecisely
The continuous news of personal information stolen from major retailers and financial institutions have driven consumers and regulatory bodies to demand that more action be taken to ensure data protection and privacy. Regulations such as PCI DSS, HIPAA, GDPR, and FISMA require that personal data be protected against unauthorized access using technologies like encryption, tokenization, masking, secure file transfer and more. With all the options available for securing IBM i data at rest and in motion, how do you know where to begin?
Register to get up to speed on the key concepts you need to know about assuring data privacy for your customers, business partners and employees.
Topics will include:
- Protecting data with encryption and the need for strong key management
- Use Cases that are best for tokenization
- Options for permanently deidentifying data
- Securing data in motion across networks
- Complete security solution for IBM i (AS/400)
Getting Started with IBM i Security: User Privileges | HelpSystems
IBM i users with excess privileges are a security risk. The results of the 2016 State of IBM i Security Study, published annually, reveal that most Power Systems lack adequate security controls and auditing measures. This PowerPoint will teach you how to limit access without hurting productivity.
Controlling Access to IBM i Systems and Data | Precisely
Security best practice and regulations such as SOX, HIPAA, GDPR and others require you to restrict access to your critical IBM i systems and their data, but this is easier said than done. Legacy, proprietary access protocols now co-exist with new, open-source protocols to create access control headaches.
View this webcast on-demand for an in-depth discussion of IBM i access points that must be secured and how exit points can be leveraged to accomplish the task. We’ll cover:
• Securing network access and communication ports
• How database access via open-source protocols can be secured
• Taking control of command execution
Windows 7 provides enhanced security features for IT professionals to securely manage access and protect data and infrastructure. It includes a fundamentally secure platform with strengthened access controls and auditing. Windows 7 also enables securing access from any location through improved network security, protection of mobile devices, and direct secure access. Additional features protect users and infrastructure through application control and data recovery tools, as well as protecting data from unauthorized viewing using encryption and information rights management.
This document discusses IBM DB2 9 security. It covers authentication types that control where user passwords are verified, such as at the client or server. It also discusses authorities like SYSADM, SYSCTRL, and DBADM that control administrative privileges and database access. The document defines database privileges for actions like connecting to a database or creating tables.
Expand Your Control of Access to IBM i Systems and Data | Precisely
This document discusses expanding control of access to IBM i systems and data. It begins with some logistical information about the webcast. The presentation will discuss myths about IBM i security, exit points and access methods, examples of security issues, and how Syncsort can help with security. The agenda includes discussing the myth that IBM i is secure by nature, reviewing exit points and access methods, providing examples, and explaining how Syncsort can help manage security risks. Overall, the document aims to educate about security risks on IBM i and how third party solutions can help address vulnerabilities from various access methods and improve overall security.
Top Ten Tips for IBM i Security and Compliance | Precisely
Users and IT administrators have the belief that the IBM i is a secure system on its own, but what is the actual truth here? While the IBM i is known to be a highly securable system, it also presents unique challenges to security auditors and system administrators alike.
Achieving a secure and compliant IBM i environment is often a complex and difficult process. External threats, the array of security regulations and the increasing demands of auditors continue to grow and evolve every day.
View this webinar on-demand to learn about the top ten key tips for achieving compliance and managing security including topics like:
• Encrypting, masking or scrambling your sensitive data
• Assessing your system definitions and setting them to conform to policy or compliance requirements
• Adding an additional layer of password security with multi-factor authentication
• Making sure your security assessment is done by someone who isn’t managing the system
• and MORE!
December 2019 Microsoft 365 Need to Know Webinar | Robert Crane
Slides from CIAOPS December 2019 webinar that provided Microsoft 365 news update, open Q & A as well as a focus session on security. Video recording is available at www.ciaopsacademy.com
Raz-Lee Security Inc. provides a suite of security, auditing, and compliance products for IBM i (AS/400) systems. The suite includes solutions for auditing, protection, encryption, databases, and evaluation. It offers hundreds of customizable reports, real-time alerts and actions, user and system monitoring, firewalls, antivirus software, password management, and tools to evaluate compliance with regulations like SOX, PCI, and HIPAA. The suite is designed to address insider threats, external risks, application data changes, and assess an organization's overall IBM i security status.
Top Ten Settings that Leave your IBM i Vulnerable
1. Top Ten Settings that Leave your IBM i Vulnerable
Bill Hammond | Precisely
Carol Woodbury | DXR Security
John Vanderwall | DXR Security
3. The global leader in data integrity
Trust your data. Build your possibilities.
Our data integrity software and data enrichment products deliver accuracy and consistency to power confident business decisions.
Brands you trust, trust us. Data leaders partner with us.
• 90 of the Fortune 100
• Customers in more than 100 countries
• 2,000 employees
• 12,000 customers
5. Goal
To give you topics to consider, and once you’ve considered them, evaluate whether you need to make changes - based on your organization’s business requirements - and then take a step to improve security and reduce risk
6. Issue #10 – Nothing Needs to be Done
• Belief that IBM i is secure by default
• “We trust our employees”
• No regulatory compliance requirements
7. So… the data residing on IBM i isn’t important to your organization?
8. Acknowledge that Accidental Errors Occur
Insiders:
• Malicious insider – 14%
• Credential theft – 23%
• Negligence – 63%
Ponemon Institute, The Cost of Insider Threats – 2020
https://www.ibm.com/security/digital-assets/services/cost-of-insider-threats/#/
9. Issue #9 – Setting and Forgetting
Security project has completed or an audit performed – no process in place to review:
• User profile settings
  - Default passwords
  - Special authorities
  - Group membership
  - Old profiles
• Authority settings
  - Libraries, directories, files
  - Authorization lists
• File Shares
• TCP/IP Settings
  - Auto-start values, Encryption settings
14. Issue #8 – Running at the Wrong Security Level
Vulnerable to:
• Running batch jobs with elevated authority
• Bypassing some auditing
• Calling OS programs directly
Note: Permissions when profiles are created include *ALLOBJ and *SAVSYS (level 20)
[Chart: Total Available IBM i Security Capabilities, by QSECURITY value (Level 10 through Level 50)]
15. Moving to a Higher Security Level
• Moving from 30 to 40/50:
  - Must audit to determine issues (if any)
• Moving from 20 to 40/50:
  - Much more planning required
• Details can be found in:
  - IBM i Security Reference, Chapter 2
  - IBM i Security Administration and Compliance, 3rd edition
16. Issue #7 – Not Requiring a Password for DDM
• An attribute of the DDM server determines whether a password is required on the target system
• Using ADDSVRAUTE, a user can define that they will run as a different profile on the target system – including QSECOFR
17. Securing DDM
• Investigate what profiles are using DDM prior to changing the server attributes to require a password!
  - Use the GR audit journal entries, looking for use of DDM/DRDA
  - Look at the exit point logs
• Add a server authentication entry for each profile using DDM
  - Using a group profile for DDM access: https://www.ibm.com/support/pages/simplified-ddm-and-drda-authentication-entry-management-using-group-profiles
  - Use current user’s password for DDM access: https://www.ibm.com/support/pages/enable-drda-and-ddm-authentication-using-user-profiles-password
18. Securing DDM - continued
• Set ADDSVRAUTE to *PUBLIC *EXCLUDE
• Set QSECOFR to STATUS(*DISABLED)
• Use Application Administration to shut off access
• Use Exit Point software to log and control access
19. Issue #6 – Keeping Around Old Stuff
• Inactive profiles
• Archived data past retention schedule
• Copies made prior to updating a database
  - filenameX, filenameOld, filename2, filenameCopy
• De-commissioned servers
• Past versions of vendor products
• Vendor products no longer in use
• File shares
20. #6a – Profiles Remain with Access / Power
• Even though users (employees / contractors) have left the organization, their access remains
• MUST have a process to ensure access is terminated immediately
• Don’t forget SaaS applications – payroll/HR, CRM, etc.
• Use:
  - CHGUSRPRF to *DISABLE on a specific date or timeframe (days)
  - GO SECTOOLS, Option 8 to *DISABLE or *DELETE on a specific date
  - WRKOBJOWN or QSYS2.object_ownership to find owned objects
21. Issue #5 – Sessions aren’t Encrypted
• Internal communications are often not encrypted
• WFH or WFS (Work from Starbucks) not using a VPN
• Vulnerable to sniffing
22. Encrypt Sessions
• Obtain a digital certificate from a well-known CA (Certificate Authority) or configure IBM i to be a CA
  - https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzahu/rzahurazhudigitalcertmngmnt.htm
  - http://your_system_name:2006/dcm/login
• Use the SSLCONFIG or TLSCONFIG (V7R4) SST command to determine what protocols are in use
  - https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzain/rzainhscounter.htm
• Use the *NETSCK, *NETUDP and *NETTELSVR in QAUDLVL to determine if unsecure communications are in use (V7R3)
  - https://www.mcpressonline.com/security/ibm-i-os400-i5os/how-can-i-tell-whether-all-the-connections-to-my-ibm-i-are-secure
23. Issue #4 – Data is Not Protected
Data is not protected against:
• accidental modification
• accidental (or purposeful) deletion
• downloading by individuals without a business justification
24. How / Why does this Happen?
• Perception that object security is too difficult
• IFS is ignored
• An organization’s corporate data is ignored
• People don’t realize where (all) the data is located
25. Multiple Layers of Defense / Defense in Depth
Object security
NOT all or nothing!
Authority Collection – added in V7R3 and enhanced in V7R4
Masking and/or additional permissions via Row and Column Access Control (RCAC)
Encryption via FIELDPROC
Exit point software
Implement as many layers of defense as is required to reduce risk to an acceptable level
26. Issue #3: Lack of Visibility into What’s Happening on IBM i
No auditing enabled or never reviewed
Not sending information to organization’s SIEM
27. Audit Recommendations
QAUDCTL
*OBJAUD
*AUDLVL
*NOQTEMP (optional)
QAUDLVL
*AUTFAIL
*PGMFAIL (only when moving from 20/30 to 40/50)
*CREATE
*DELETE
*PTFOPR, *PTFOBJ
*SAVRST
*SECCFG and *SECRUN (or *SECURITY)
*SERVICE
*OBJMGT
*JOBBAS (generates A LOT of entries)
*ATNEVT (intrusion detection at IP stack level)
28. SIEM
Are you sending IBM i events to your SIEM?
If not, why not?
What’s your SIEM used for?
System of record or to detect inappropriate activity
See MC Press article for more considerations
https://www.mcpressonline.com/security/ibm-i-os400-i5os/what-ibm-i-information-should-i-be-sending-to-my-siem
29. Send Audit Entries Indicating an Attack to your SIEM
PW
‘U’ entries where the User is “root” or “Admin” and attempt originates from outside of the organization
‘P’ entries where many occur within a short period of time and for the well-known IBM i-supplied profiles (QSYS, QSECOFR, QUSER, QSYSOPR, QPGMR, QSRV, QSRVBAS)
JS
Job start entries that originate from an unknown external IP address
Job starts for unknown entries (such as QSECOFR)
CP
Password changes for QSECOFR and other IBM-supplied profiles
Re-enablement of QSECOFR (if kept STATUS *DISABLED)
https://www.mcpressonline.com/security/ibm-i-os400-i5os/what-ibm-i-information-should-i-be-sending-to-my-siem
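The PW, JS and CP rules on this slide written as SIEM-side detection logic in Python; this is an added example, not code from the presentation. The entry field names, the 10.0.0.0/8 internal range and the five-failures-in-five-minutes threshold are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

IBM_PROFILES = {"QSYS", "QSECOFR", "QUSER", "QSYSOPR", "QPGMR", "QSRV", "QSRVBAS"}
INTERNAL = [ip_network("10.0.0.0/8")]        # assumption: the organization's address space
WINDOW, THRESHOLD = timedelta(minutes=5), 5  # assumption: "many" within "a short period"

def is_external(ip):
    return bool(ip) and not any(ip_address(ip) in net for net in INTERNAL)

def detect(entries):
    """Return (rule, timestamp, profile) alerts; entries must be in time order."""
    alerts, recent = [], defaultdict(deque)
    for e in entries:
        ts, user = datetime.fromisoformat(e["ts"]), e["user"].upper()
        kind, ext = e["type"], is_external(e.get("ip"))
        if kind == "PW" and e.get("violation") == "U":
            # 'U' = user name not valid
            if user in {"ROOT", "ADMIN"} and ext:
                alerts.append(("PW-U-external", e["ts"], user))
        elif kind == "PW" and e.get("violation") == "P" and user in IBM_PROFILES:
            q = recent[user]
            q.append(ts)
            while ts - q[0] > WINDOW:    # drop failures older than the window
                q.popleft()
            if len(q) == THRESHOLD:      # fire when the window count reaches the threshold
                alerts.append(("PW-P-burst", e["ts"], user))
        elif kind == "JS" and ext:
            alerts.append(("JS-external", e["ts"], user))
        elif kind == "CP" and user in IBM_PROFILES:
            if e.get("password_changed"):
                alerts.append(("CP-password", e["ts"], user))
            if user == "QSECOFR" and e.get("status") == "*ENABLED":
                alerts.append(("CP-reenable", e["ts"], user))
    return alerts

# Constructed sample entries (hypothetical field names, not real journal output)
SAMPLE = (
    [{"type": "PW", "violation": "U", "user": "root", "ip": "203.0.113.9", "ts": "2024-01-01T02:00:00"},
     {"type": "PW", "violation": "U", "user": "Admin", "ip": "10.1.2.3", "ts": "2024-01-01T02:00:05"}]
    + [{"type": "PW", "violation": "P", "user": "QSECOFR", "ip": "10.1.2.3",
        "ts": f"2024-01-01T02:01:{s:02d}"} for s in range(0, 50, 10)]
    + [{"type": "JS", "user": "JSMITH", "ip": "198.51.100.7", "ts": "2024-01-01T02:05:00"},
       {"type": "CP", "user": "QSECOFR", "status": "*ENABLED", "password_changed": True,
        "ts": "2024-01-01T02:06:00"}]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```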
30. Use Intrusion Detection
IM – Audit entries – Used to detect DDoS attacks and cryptomining malware
See
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzaubkickoff.htm
>>> It takes tuning! <<<
31. Issue #2: Authentication
Running at the wrong password level
Allowing weak passwords (including default passwords)
No multifactor authentication (MFA)
Credential stuffing
32. Password Level (QPWDLVL)
System value
0 Default
Character set: A-Z, 0-9, $, @, # and _
Maximum length: 10
1 Same as level 0 but gets rid of old NetServer password
Safe to move if you are not using NetServer or not connecting with Windows 95, 98, ME or Windows 2000 server – end users will see no difference
2 Character set: Upper / lower case, all punctuation and special characters, numbers and spaces
Maximum length: 128
Keeps NetServer password, encrypts with old and new algorithms
Sign on screen changed to accommodate longer password, CHGPWD and CRT/CHGUSRPRF pwd field changed
3 Same as level 2, gets rid of old encrypted password and old NetServer password
Safe to move if you are not using NetServer or not connecting with Windows 95, 98, ME or Windows 2000 server – end users will see no difference
Changes require an IPL
Move to level 2 prior to moving to 3.
At level 2, can sign on with a password that’s ALL CAPS or all lower until password is changed. *** User education required! ***
33. Sign-on System Values
System value    Recommended setting
QMAXSIGN        3-5
QMAXSGNACN      2 (Disable the profile) or 3 (Disable the profile and device)
35. QPWDRULES
*PWDSYSVAL or
*CHRLMTAJC
*CHRLMTREP
*DGTLMTAJC
*DGTLMTFST
*DGTLMTLST
*DGTMAXn
*DGTMINn
*LMTSAMPOS
*LMTPRFNAME
*LTRLMTAJC
*LTRLMTFST
*LTRLMTLST
*LTRMAXn
*LTRMINn
*MAXLENnnn
*MINLENnnn
*MIXCASEnnn
*REQANY3
*SPCCHRLMTAJC
*SPCCHRLMTFST
*SPCCHRLMTLST
*SPCCHRMAXn
*SPCCHRMINn
V7R2
*ALLCRTCHG
Recommended: Rules are all in one place, more options
Note: ALL rules must go in QPWDRULES once it’s changed from the default.
36. Default Passwords
Specify *LMTPRFNAME and *ALLCRTCHG in QPWDRULES
Specifying that the password has to be changed at first sign-on is no protection!
Run ANZDFTPWD to discover
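A baseline check that compares exported system values with the settings recommended on the Audit Recommendations, Sign-on System Values, QPWDRULES and Default Passwords slides; this is an added example, not code from the presentation. The input dictionary and its values are constructed, and following *AUDLVL2 into QAUDLVL2 goes beyond what the slides cover.

```python
REQUIRED_QAUDCTL = {"*OBJAUD", "*AUDLVL"}            # *NOQTEMP is optional on the slide
REQUIRED_QAUDLVL = {"*AUTFAIL", "*CREATE", "*DELETE", "*PTFOPR", "*PTFOBJ",
                    "*SAVRST", "*SERVICE", "*OBJMGT", "*ATNEVT"}
# Not enforced here: *PGMFAIL (only when moving 20/30 to 40/50), *JOBBAS (high volume)
REQUIRED_QPWDRULES = {"*LMTPRFNAME", "*ALLCRTCHG"}   # default-password protection

def check_baseline(sysval):
    """Compare exported system values with the deck's recommendations.

    sysval maps a system value name to its setting as a space-separated string.
    Returns {system value: what is missing or wrong}; empty means compliant.
    """
    def vals(name):
        return set(str(sysval.get(name, "")).upper().split())

    findings = {}
    missing = REQUIRED_QAUDCTL - vals("QAUDCTL")
    if missing:
        findings["QAUDCTL"] = sorted(missing)

    audlvl = vals("QAUDLVL")
    if "*AUDLVL2" in audlvl:                 # audit values continue in QAUDLVL2
        audlvl |= vals("QAUDLVL2")
    missing = REQUIRED_QAUDLVL - audlvl
    if "*SECURITY" not in audlvl:            # *SECURITY, or both *SECCFG and *SECRUN
        missing |= {"*SECCFG", "*SECRUN"} - audlvl
    if missing:
        findings["QAUDLVL"] = sorted(missing)

    maxsign = str(sysval.get("QMAXSIGN", "")).strip()
    if not (maxsign.isdigit() and 3 <= int(maxsign) <= 5):   # also catches *NOMAX
        findings["QMAXSIGN"] = [f"{maxsign or 'unset'}, recommended 3-5"]
    if str(sysval.get("QMAXSGNACN", "")).strip() not in {"2", "3"}:
        findings["QMAXSGNACN"] = ["recommended 2 or 3"]

    missing = REQUIRED_QPWDRULES - vals("QPWDRULES")   # *PWDSYSVAL fails both
    if missing:
        findings["QPWDRULES"] = sorted(missing)
    return findings

# Constructed system values for illustration
SAMPLE = {"QAUDCTL": "*AUDLVL",
          "QAUDLVL": "*AUTFAIL *CREATE *DELETE *SECURITY *AUDLVL2",
          "QAUDLVL2": "*SAVRST *SERVICE *OBJMGT *PTFOPR *PTFOBJ",
          "QMAXSIGN": "*NOMAX", "QMAXSGNACN": "3", "QPWDRULES": "*PWDSYSVAL"}

if __name__ == "__main__":
    for name, detail in check_baseline(SAMPLE).items():
        print(name, detail)
```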
37. Credential Stuffing
Using previously stolen / compromised credentials (user id and passwords) to attempt to gain access to a different site or organization.
DO NOT re-use passwords!!!
39. Multi-factor Authentication (MFA)
Requires two or more ‘factors’ to authenticate (gain access to the system)
Something you know (password, pin)
Something you are (fingerprint, facial recognition, optical scan)
Something you have (token, bank card)
Recommended for at least ‘powerful’ profiles
Helps prevent credential stuffing
40. Issue #1: Malware
Two types of malware affect IBM i:
Resident (Stored) in the IFS
Coming in via a file share
42. *ALLOBJ and Directory Permissions
Unlike Windows, there is no permission on the share itself
What the malware can do will depend on
How the share is defined – Read only or Read/Write
The user’s authority to the directory and objects in the directory
45. To Reduce the Risk Of Malware
Educate your users!
Back-ups
Do them!
Verify them!
Store them separately
Shares
DO NOT SHARE ROOT !!!! (or QSYS.lib)
Remove unnecessary shares
Set shares to Read-only where possible
Hide shares by creating with a ‘$’ – e.g. newshare$
Turn off broadcasting of the NetServer
46. To Reduce the Risk Of Malware - continued
Permissions
After review, set root to DTAAUT(*RX) OBJAUT(*NONE)
Review critical paths and restrict access as appropriate
Ransomware has started to exfiltrate the data and threaten to post it
Review who has *ALLOBJ special authority
Exit programs
If you have exit point software, use the NetServer exit to control which profiles can use the IFS
Consider network segmentation
47. If Infected …
Pull out your incident response plan !
Determine if you’re still under attack or if it’s contained
Determine if you can resolve yourself or need to call in experts
Determine if you need to notify law enforcement
If ransomware, determine if ransom will be paid
Quality and availability of your back-ups may determine whether you can recover from a malware attack
48. Real Scenario
Dear Ms Woodbury,
I was forwarded your info. As of last night, we are being held hostage. We've been in touch with the FBI and IBM. We have a ransom note on our servers. I can be reached at xxx-xxx-xxxx
- via LinkedIn and Voicemail
49. Don’t be Overwhelmed!
To give you topics to consider, and once you’ve considered them, evaluate whether you need to make changes - based on your organization’s business requirements - and then take a step - ANY step - to improve security and reduce risk
50. For More Information
IBM i Services page
https://www.ibm.com/support/pages/node/1119123
https://gist.github.com/forstie
RCAC Redpiece
http://www.redbooks.ibm.com/abstracts/redp5110.html?Open
Intrusion Detection
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzaubpdf.pdf?view=kc
IBM i Security Reference – PDF
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzarl/sc415302.pdf?view=kc
Chapters 2 and 3 – System Values
Chapter 9 – Auditing
Chapter 10 – Authority Collection
IBM i Security Administration and Compliance, 3rd edition, by Carol Woodbury, 2020.
52. DXRSecurity Services
1) Annual IBM i Security Analysis Subscription
Includes:
2 Vulnerability Discovery Instances per year
12 hours of assistance per year
Sold per partition/LPAR
2) Vulnerability Discovery
Sold per partition/LPAR
3) Vulnerability Confirmation
Includes:
Testing and validation of vulnerabilities
Understand if compensating controls that are in place actually work
Understand how much access people have to critical files
Similar to a “penetration test” for the IBM i, but far more customized
4) Security Education
Includes:
2 Day Course (virtual or onsite “post Covid”)
Learn Security from an Expert
Sold “per student” plus expenses if onsite
53. Why DXR Security?
Unquestioned Expertise
Carol Woodbury
Former Security Architect and Chief Engineering Manager for Enterprise Server group at IBM
Only Commercially available book on IBM i Security. “IBM i Security Administration and Compliance”
25+ years in IBM i Security
John Vanderwall
20+ years selling IBM i Security services and software
CEO and VP roles
Doubled size of security services business in 4 years
We are all about “action” – not overwhelming you with huge amounts of information
56. Assure Security addresses the issues on the radar screen of every security officer and IBM i admin
Compliance Monitoring
Gain visibility into all security activity on your IBM i and optionally feed it to an enterprise console
Access Control
Ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
Security Risk Assessment
Assess your security threats and vulnerabilities
Data Privacy
Protect the privacy of data at-rest or in-motion to prevent data breaches
57. Choose the full product
Choose a feature bundle
Or select a specific capability
Assure Security
Assure Data Privacy
Assure Encryption
Assure Secure File Transfer
Assure Monitoring and Reporting
Assure Db2 Data Monitor
Assure Access Control
Assure System Access Manager
Assure Elevated Authority Manager
Assure Multi-Factor Authentication
Assure Security Risk Assessment
Assure Compliance Monitoring