Top Ten Tips for IBM i Security and
Compliance
June 26, 2018
Housekeeping
Webcast Audio
• Today’s webcast audio is streamed through your computer speakers.
• If you need technical assistance with the web interface or audio,
please reach out to us using the chat window.
Questions Welcome
• Submit your questions at any time during the presentation
using the chat window.
• We will answer them during our Q&A session following the
presentation.
Recording and slides
• This webcast is being recorded. You will receive an
email following the webcast with a link to download
both the recording and the slides.
Dan Riehl - President, IT Security and Compliance Group
Dan Riehl is the president and security specialist for IT Security and Compliance
Group where he performs IBM i security assessments and provides customized
security services and software solutions for his customers. He also provides
training in all aspects of IBM i security and other technical topics through his
training company, The 400 School, which he founded 21 years ago. Dan is also
familiar to most System i professionals through his many books and articles on
security written for System iNEWS over the past 20 years.
Today’s Presenters
Becky Hjellming - Product Marketing Director, Syncsort
Becky is one of our Product Marketing Directors. She has over 25 years of
experience in the software industry in a variety of R&D, product management and
marketing roles. Her areas of specialty are high availability, disaster recovery,
backup and archiving, systems management and networking. She has worked at
companies of all sizes and stages – from software startups to HP, Seagate and
Novell.
Top Tips Regarding
The Most Common IBM i Exposures
and How to Assess Your System
Address Escalating Security Threats and Regulatory Demands
www.SecureMyi.com
Copyright ©2018 Dan Riehl
Presented by: Dan Riehl
Dan.Riehl@SecureMyi.com
Top Tips Regarding
The Most Common IBM i Exposures
and How to Assess Your System
User Profile Account Creation and Maintenance Failures
Non-Restrictive Password Formation/Expiration Rules
Too Many Powerful Users
Command Line Access Misconceptions – Limited Capabilities
Simplicity of Hijacking a Powerful User Profile
Security Related System Values are Not Protected
Object Level Authorities are Not Restrictive
Encryption and Masking of Sensitive Data is Not Enforced
Sensitive Data stored in Clear Text in Unsecured Files
TELNET, FTP, ODBC… Data in Motion in Clear Text
Backup Media Not Encrypted
Sensitive Production Data lives on Test/Dev Systems without Masking
Uncontrolled, Invisible and Unaudited Network Data Access
Lack of IBM i Experience in IT Audit Community
Few Organizations have a dedicated IBM i Security Specialist
Non-Restrictive Password Formation Rules
Default Passwords are a Huge Exposure
When a user profile is created, the default initial password is the user name.
The same value is often used when resetting a password.
This leaves the offending user profiles immediately exposed:
anyone could log on as user PAYUSER with password PAYUSER.
Password formation Rules
(New V6R1M0 QPWDRULES System Value)
Replaces QPWD* System Values for password formation
Provides for more granular and more precise password formation rules
QPWDRULES is Updated in V7R2M0 with *ALLCRTCHG
Use The QPWDRULES System Value
to Set Password Formation Rules
And - New Options Available to Prevent Default Passwords
*ALLCRTCHG (New at V7R2M0)
Enforce all password composition rules defined in the QPWDRULES
system value when creating or changing a password via the Create
User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF)
commands and APIs.
Prior to this V7R2M0 update, password formation rules were only in effect
when a user changed their own password (CHGPWD).
With this option, the rules are also in effect when the CRTUSRPRF
or CHGUSRPRF commands are used.
*LMTPRFNAME
The uppercase password value may not contain the complete user
profile name in consecutive positions.
Default Passwords - How many do you have?
Use the ANZDFTPWD command
Then Review The Resulting Report
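Putting the QPWDRULES and ANZDFTPWD slides above into practice, as an added example that is not the presenter's code: a CL program that sets the password formation and expiration system values and then expires every password that still equals its user name. It assumes QPWDLVL 0 or 1 (10-character passwords), that the SST lock on security related system values is off, and a *SECADM job; the system value names and ANZDFTPWD are real, the chosen rule values are illustrative.

```cl
/* HRDPWD - constructed example, not the presenter's code.             */
/* Tightens password formation and expiration rules, then expires      */
/* every password that still equals the user profile name.             */
/* Assumes QPWDLVL 0 or 1 (10-character maximum) and that the SST     */
/* lock on security related system values is not set.                  */
PGM
  /* Any failure below jumps to FAILED so the job log records it.     */
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

  /* Formation rules: *ALLCRTCHG applies them to CRTUSRPRF/CHGUSRPRF  */
  /* as well as CHGPWD, *LMTPRFNAME rejects passwords that contain    */
  /* the profile name, the rest require 8-10 characters with at least */
  /* one digit and no character in the same position as last time.    */
  CHGSYSVAL SYSVAL(QPWDRULES) +
            VALUE('*ALLCRTCHG *LMTPRFNAME *MINLEN8 *MAXLEN10 *DGTMIN1 *LMTSAMPOS')

  /* Expiration rule: force a password change every 90 days.          */
  CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('90')

  /* Profiles whose password equals the user name are listed in the   */
  /* ANZDFTPWD report and set to expired, so the user must choose a   */
  /* new password, checked against the rules above, at next sign-on.  */
  ANZDFTPWD ACTION(*PWDEXP)
  RETURN

FAILED:
  SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
            MSGDTA('Password hardening failed, see job log') +
            MSGTYPE(*ESCAPE)
ENDPGM
```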
Too Many Powerful Users
User Special Authorities
User Profiles can be assigned Powerful Special Authorities
Assigned at the User Level Or at the Group Level
*ALLOBJ – allows ALL access to ALL resources on the system
*SECADM – ability to manage user profiles
*JOBCTL – control all jobs and IPL/Reboot the system
*SPLCTL – control all spool files (reports) and jobs in job queues
*SAVSYS – ability to save and restore any object
*SERVICE – ability to run STRSST and other Service commands
*AUDIT – control all system auditing functions, Run Audit Reports
*IOSYSCFG – configure system communications: SNA, TCP/IP, ...
Special Authorities are Out of Control
Use the command PRTUSRPRF
Limited Capabilities Users *YES
Considered as “Security By Menu-Option”
Can only use certain commands at a command line
Sign off (SIGNOFF)
Send message (SNDMSG)
Display messages (DSPMSG)
Display job (DSPJOB)
Display job log (DSPJOBLOG)
Work with Messages (WRKMSG)
Cannot change Initial Program, Initial Menu or Current Library at the Sign-on
Display, or with the CHGPRF command
Limited Capabilities Exposures
Limited Capabilities *NO
Sign-On Screen Exposures
The limited capabilities attribute of a User Profile determines if the User
can run ANY authorized command at a command line. It also
determines whether the User can change selected values on the IBM
supplied Sign-on display QDSIGNON and/or QDSIGNON2.
Sign On
System . . . . . : SYSTEMI
Subsystem . . . . : QINTER
Display . . . . . : QPADEV0083
User . . . . . . . . . . . . . . __________
Password . . . . . . . . . . . . __________
Program/procedure . . . . . . . . __________
Menu . . . . . . . . . . . . . . __________
Current library . . . . . . . . . __________
Why are these here?
Limited Capabilities Exposures
CRTUSRPRF BOB … LMTCPB(*YES)
provides the command line restriction, but the Remote Command Server
does not respect the LMTCPB attribute:
Microsoft Windows [Version 7.1.2600]
(C) Copyright 1985-2011 Microsoft Corp.
C:\Documents and Settings\Dan Riehl> RMTCMD CRTLIB HACKER
IBM iSeries Access for Windows
Version 7 Release 1 Level 0
Submit Remote Command
(C) Copyright IBM Corporation and Others 1984, 2011. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Licensed Materials - Property of IBM
Library HACKER Created
Limited Capabilities Exposures
What happens when we combine the RMTCMD exposure with user
special authorities, like the ubiquitous *JOBCTL?
So, Bubba out on the loading dock just shut down your system.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Dan Riehl> RMTCMD ENDSBS QINTER
IBM iSeries Access for Windows
Version 6 Release 1 Level 0
Submit Remote Command
(C) Copyright IBM Corporation and Others 1984, 2003. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Licensed Materials - Property of IBM
Subsystem QINTER ending in process
You need network exit point programs.
User Profile Authorization Exposure
A VERY DANGEROUS AND UBIQUITOUS VULNERABILITY
CRTUSRPRF POWERUSER … AUT(*USE, *CHANGE, *ALL)
Allows anyone on the system to assume the identity of
POWERUSER to perform unsanctioned tasks.
If a user profile provides *USE rights or more to other user profiles,
the other user may use that profile without knowing the password.
Exploiting the User Profile
Authorization Exposure
If you have *USE rights or more to another User Profile object, you can
easily run batch jobs as that user.
SBMJOB CMD(CHGUSRPRF USRPRF(DAN) +
SPCAUT(*ALLOBJ *SECADM *JOBCTL)) +
USER(POWERUSER)
Running this command will give me everything I need to rule the entire
system. It submits a batch job that runs under the POWERUSER profile,
and assigns me the i/OS Special Authorities *ALLOBJ *SECADM and
*JOBCTL.
SBMJOB CMD(RUNQRY QRYFILE( PAYROLL/PAYFILE )) +
USER(PAYUSER)
The command line restriction LMTCPB is NO protection. The SBMJOB
command can be run from RMTCMD.exe.
Do you have this exposure?
Some VERY WELL KNOWN IBM i software vendors provide *SECOFR class
profiles that are *PUBLIC AUT(*ALL) or AUT(*CHANGE). These allow anyone a
back door to unlimited power.
Check the authorizations on your user profiles. All profiles should be *PUBLIC
AUT(*EXCLUDE).
To list ONLY the user profiles that provide *PUBLIC access, use the command:
PRTPUBAUT OBJTYPE(*USRPRF)
To list all the *PUBLIC and private authorities of your user profiles, use:
PRTPVTAUT OBJTYPE(*USRPRF)
If you see user profiles listed in the resulting report with *PUBLIC *USE or greater
authority, YOU HAVE THE EXPOSURE!
*Public Authority to User Profiles
*Private Authority to User Profiles
Including Ownership Of Users
IBM i Security Levels
10 No system-enforced security (Cannot be Newly Set)
20 Sign-on security
30 Sign-on and resource security
40 Sign-on and resource security; Operating system integrity protection
50 Sign-on and resource security; Operating system enhanced protection
Not Secure
Can be Secure
Check your level with WRKSYSVAL QSECURITY or DSPSYSVAL QSECURITY
Security Attributes
DSPSECA – Display Security Attributes
Allows you to see the SST security settings without
accessing STRSST (System Service Tools)
Display Security Attributes
User ID number . . . . . . . . . . . . . . : 582
Group ID number . . . . . . . . . . . . . : 165
Security level . . . . . . . . . . . . . . : 40
Password level . . . . . . . . . . . . . . : 0
Allow change of security related system
values . . . . . . . . . . . . . . . . . : *NO
Allow add of digital certificates . . . . : *NO
Allow service tools user ID with default
and expired password to change its own
password . . . . . . . . . . . . . . . . : *YES
Protecting Security System Values
STRSST – Start System Service Tools
*SERVICE special authority and a separate service tools (SST) user ID and
password are required for access
(WHO HAS THIS SENSITIVE SST PASSWORD?)
Protecting Security System Values
IBM i V7R2M0 Setting the Lock on
Security Related System Values
System values covered by the lock:
Password settings: QPWDCHGBLK, QPWDEXPITV, QPWDEXPWRN, QPWDLMTAJC,
QPWDLMTCHR, QPWDLMTREP, QPWDLVL, QPWDMAXLEN, QPWDMINLEN, QPWDPOSDIF,
QPWDRQDDGT, QPWDRQDDIF, QPWDRULES, QPWDVLDPGM
Audit settings: QAUDCTL, QAUDENACN, QAUDFRCLVL, QAUDLVL, QAUDLVL2,
QCRTOBJAUD
Other security related values: QALWJOBITP, QALWOBJRST, QALWUSRDMN,
QAUTOCFG, QAUTORMT, QAUTOVRT, QCRTAUT, QDEVRCYACN, QDSCJOBITV,
QDSPSGNINF, QFRCCVNRST, QINACTMSGQ, QLMTDEVSSN, QLMTSECOFR,
QMAXSGNACN, QMAXSIGN, QRETSVRSEC, QRMTSIGN, QRMTSRVATR, QSCANFS,
QSCANFSCTL, QSECURITY, QSHRMEMCTL, QSSLCSL, QSSLCSLCTL, QSSLPCL,
QUSEADPAUT, QVFYOBJRST
Standard Application Software Vendor Scheme
Group Profile owns all data files (*ALL Authority)
All application Users are members of the Group
All application Users have *ALL authority to files
Library Security Scheme - *USE Authority
PAYLIB AUT(*USE)
PAYFILE1 AUT(*USE)
PAYFILE2 AUT(*CHANGE)
PAYFILE3 AUT(*ALL)
PAYFILE4 AUT(*EXCLUDE)
*USE authority to a library allows access as defined in the
objects, including the ability to delete an object, if authorized by
the object. You cannot add an object to a library with *USE
authority.
Library Security Scheme
*USE and *ADD or *CHANGE Authority
PAYLIB AUT(*CHANGE)
PAYFILE1 AUT(*USE)
PAYFILE2 AUT(*CHANGE)
PAYFILE3 AUT(*ALL)
PAYFILE4 AUT(*EXCLUDE)
*CHANGE authority to a library allows access as defined in the
objects. This includes the ability to delete an object, if
authorized by the object, and the ability to add new objects to
the library.
Library Security Scheme - *ALL Authority
PAYLIB AUT(*ALL)
PAYFILE1 AUT(*USE)
PAYFILE2 AUT(*CHANGE)
PAYFILE3 AUT(*ALL)
PAYFILE4 AUT(*EXCLUDE)
*ALL authority to a library allows access as defined in the
objects. This includes the ability to delete an object, if
authorized by the object, and the ability to add new objects to
the library.
Library Security Scheme - *EXCLUDE Authority
PAYLIB AUT(*EXCLUDE)
PAYFILE1 AUT(*USE)
PAYFILE2 AUT(*CHANGE)
PAYFILE3 AUT(*ALL)
PAYFILE4 AUT(*EXCLUDE)
*EXCLUDE authority to a library prohibits the user from any
access to the library and the objects inside the library.
Checking Library Authority Settings
To list all the *PUBLIC and private authorities to your libraries:
Checking File Authority Settings
To list all the *PUBLIC and private authorities to the files in a library:
*SPLCTL Special Authority
and Secured Printer Queues
Regardless of how secure an output queue is, a user with
*SPLCTL special authority can view and manipulate any
spooled file using the DSPSPLF and WRKSPLF commands.
Use the PRTQAUT command to print a list of the authorities to all
queues.
Encryption is Required
Common Encryption Problems
Sensitive Data stored in Clear Text in mostly
Unsecured Files
TELNET, FTP, ODBC… Data in Motion in Clear Text
Backup Media Not Encrypted
Sensitive Production Data lives on Test/Dev Systems
without Masking
Clear Text for TELNET - Passwords
STRCMNTRC CFGOBJ(LINETH) CFGTYPE(*LIN) MAXSTG(16M) TEXT('My Comm Trace')
Trace Showing Clear Text from Sign-on Screen
UserID = PROG1
Password = ‘PASSWORD1’
Clear Text for
Sensitive Application Screen and Print Data
Trace Showing Clear Text from Application Screen
Social Security Number = 282-36-1745
Name = EILEEN
Encrypted TELNET, FTP, etc…. IS Not Optional!
NETSTAT Command - Option 3 - IPv4
Review which network services you are running:
Work with IPv4 Connection Status
System: MYSYSTEM
Type options, press Enter.
3=Enable debug 4=End 5=Display details 6=Disable debug
Remote Remote Local
Opt Address Port Port Idle Time State
5 * * ftp-con > 000:02:14 Listen ftp-control
5 * * telnet 000:05:51 Listen telnet
5 * * ddm 031:39:04 Listen ddm
5 * * ddm-ssl 002:52:31 Listen ddm-ssl
5 * * as-data > 000:11:59 Listen as-database
5 * * ftps-co > 000:02:13 Listen ftps-control
5 * * telnet- > 000:05:02 Listen telnet-s
5 * * as-data > 000:00:10 Listen as-database-s
22.213.323.235 53079 telnet 000:03:04 Established
22.213.323.235 53083 telnet 000:05:35 Established
22.213.323.235 53251 telnet- > 000:00:00 Established SSL TELNET
22.213.323.235 53261 as-data > 000:00:31 Established
More...
F3=Exit F5=Refresh F9=Command line F11=Display byte counts F12=Cancel
F20=Work with IPv6 connections F22=Display entire field F24=More keys
The trouble with IBM i security implementation: our own home-grown
scheme, or…
Application software vendors have supplied us with lousy
security models, and we have learned to accept them.
Green screen menu security…
Group ownership of Software packages
End users have way too much authority to files and other objects
*PUBLIC has too much authority
Too many individuals with too many special authorities…. Like
*ALLOBJ.
We have not appreciated the dangers that come with
network access to our files and services!
Interactive Workstation Menu Security
Typical ‘Green Screen’ Setup
Payroll Master File
PAYUSER AUT(*CHANGE) or
PAYUSER AUT(*ALL) or
*PUBLIC AUT(*CHANGE) or
*PUBLIC AUT(*ALL)
PAYUSER Menu
1. Maintain Payroll File
2. Print Payroll Reports
90. Sign off
Network Access Methods
Payroll Master File
PAYUSER AUT(*CHANGE) or
PAYUSER AUT(*ALL) or
*PUBLIC AUT(*CHANGE) or
*PUBLIC AUT(*ALL)
FTP
CA File Transfer
ODBC
DDM
No Menu Restrictions for Network Access
No Data Validation
Object authority allows access
The Heart of the Matter!
The OS/400 authority you have assigned to an object for
Green Screen, menu-based access,
IS NOT the same authority you want to allow using network
tools like ODBC and FTP.
AUT(*USE) Allows viewing and download of files and execution of
commands and programs
AUT(*CHANGE) Allows modification of data records without regard to data
rules implemented in Green Screen programs.
AUT(*ALL) Allows deletion of files, programs and other objects.
What can a user do with FTP?
File Transfer Protocol
Transfer files (up and down): PUT, GET
Run commands and programs: RCMD
Menu authority is always irrelevant
i/OS object authority reigns supreme
If the user’s object authority to the file is:
*USE – The user can download all fields in all records in the file
*CHANGE - The user can upload records into the file… regardless of database edits.
*OBJMGT - The user can clear and replace the file, regardless of database edits.
*ALL – The user can rename, clear, or delete the file or other object
What can a user do with FTP?
Where’s the FTP Log for IBM i?
Microsoft Windows [Version 10.0.17134.48]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\me>ftp MYSYSTEM
Connected to MYSYSTEM.
220-QTCP at MYSYSTEM.
220 Connection will close if idle more than 2 minutes.
User (MYSYSTEM:(none)): BOBTHETECH
331 Enter password.
Password:
230 BOBTHETECH logged on.
ftp> get customers
200 PORT subcommand request successful.
150 Retrieving member CUSTOMERS in file CUSTOMERS in library PRODDATA.
226 File transfer completed successfully.
ftp: 7400 bytes received in 0.18Seconds 41.11Kbytes/sec.
What can a user do with
IBM i Access File Transfer?
IBM i Access (Client Access) File Transfer
Upload and/or replace files and Download files
Menu authority is always irrelevant
i/OS object authority reigns supreme
If the user’s object authority to the file is:
*USE – The user can download all fields in all records in the file
*CHANGE - The user can upload records into the file… regardless of
database edits.
*OBJMGT - The user can clear and/or replace the file… again,
regardless of database edits.
*ALL – The user can rename, clear, or delete the file
Where’s the IBM i CA Transfer Log?
What can a user do with ODBC?
ODBC Open DataBase Connectivity
ODBC provides record level SQL access to DB2 data.
What happens when Microsoft tools meet IBM i DB2 data?
Client Access installs download/upload option into MS/Excel.
DB2 manipulation with MS/Access/Excel, etc…
If the user’s object authority to the file is:
*USE – The user can read all fields in all records
*CHANGE - The user can change or delete all fields in any record
*OBJMGT - The user can clear and/or replace the file
*ALL – The user can rename, clear, or delete the file
Where’s the IBM i ODBC Log?
What can a user do with DDM ?
Distributed Data Management (Huh… What’s that?)
File and Record level access to networked IBM i
systems - CRTDDMF
Remote commands - SBMRMTCMD
Can use a default user profile like QUSER
OS/400 authority reigns supreme...Any command or program
that the default user is authorized to can be executed
Works over any SNA APPC connection… including PCs.
Also available over TCP/IP.
What can a user do with RMTCMD?
Where’s the IBM i RMTCMD Log?
Microsoft Windows [Version 10.0.17134.48]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Documents and Settings\BOBTHETECH> RMTCMD ENDSBS QINTER
IBM iSeries Access for Windows
Version 6 Release 1 Level 0
Submit Remote Command
(C) Copyright IBM Corporation and Others 1984, 2003. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Licensed Materials - Property of IBM
Subsystem QINTER ending in process
Ignores User Limited Capabilities (LMTCPB)
The Heart of the Matter #2
There are no logs or audit trail of network
access transactions!!
You cannot tell WHO is doing WHAT.
Who downloaded the Customer file today?
Did anyone download my most sensitive file?
This violates any valid security/auditing protocol.
Solving the Network Access Problem
Implement Network Exit Programs to record and
control IBM i access through the network interfaces
What is an Exit Program Anyway?
A User/Vendor supplied program attached to a predefined exit point
in a process. In this case the exit points are defined by IBM for
network servers.
The FTP exit program can perform processing that overrides and/or
complements the processing done by the main FTP process.
The flow is:
Main process (e.g. the FTP server): access requested -> call to the exit program -> continue processing.
User-supplied exit program (RPG, CL, COBOL, etc.; ILE or OPM):
accept the request or reject the request, and
record the request in a secure audit log.
Do you Have Network Exit Programs?
Exit Programs must be Registered with IBM i
DDM and Original PC Support File Transfer Server Exit
Programs are Registered in the Network Attributes
DSPNETA or CHGNETA – Page Down Until …
Display Network Attributes
System: MYSYSTEM
DDM request access(DDMACC) . . . . . . . . . . . : MYDDMEXIT
Library . . . . . . . . . . . . . . . . . . . : EXITLIB
Client request access(PCSACC). . . . . . . . . . : MYTFREXIT
Library . . . . . . . . . . . . . . . . . . . : EXITLIB
If no Exit Programs – the Default Value is *OBJAUT
Do you Have Network Exit Programs?
TCP/IP Servers and Host Server Exit Programs must
be Registered with WRKREGINF or ADDEXITPGM
Work with Registration Information
Type options, press Enter.
5=Display exit point 8=Work with exit programs
8 QIBM_QTMF_CLIENT_REQ VLRQ0100 *YES FTP Client Request Validation
QIBM_QTMF_SERVER_REQ VLRQ0100 *YES FTP Server Request Validation
QIBM_QTMF_SVR_LOGON TCPL0100 *YES FTP Server Logon
QIBM_QTMF_SVR_LOGON TCPL0200 *YES FTP Server Logon
QIBM_QTMF_SVR_LOGON TCPL0300 *YES FTP Server Logon
8 QIBM_QZDA_INIT ZDAI0100 *YES Database Server - entry
QIBM_QZDA_NDB1 ZDAD0100 *YES Database Server - data base a
QIBM_QZDA_NDB1 ZDAD0200 *YES Database Server - data base a
QIBM_QZDA_ROI1 ZDAR0100 *YES Database Server - object info
QIBM_QZDA_ROI1 ZDAR0200 *YES Database Server - object info
QIBM_QZDA_SQL1 ZDAQ0100 *YES Database Server - SQL access
QIBM_QZDA_SQL2 ZDAQ0200 *YES Database Server - SQL access
QIBM_QZHQ_DATA_QUEUE ZHQ00100 *YES Data Queue Server
QIBM_QZRC_RMT CZRC0100 *YES Remote Command/Program Call
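The exit program flow described earlier and the QIBM_QTMF_SERVER_REQ registration shown in this display, put together as an added example that is not the presenter's or IBM's code: a CL exit program for the FTP server request validation exit point (format VLRQ0100) that enforces LMTCPB on RCMD, restricts uploads, deletes and renames to one group, and journals every request, allowed or rejected. The VLRQ0100 parameter order and operation codes are from IBM's exit point documentation; EXITLIB, the journal EXITLIB/AUDJRN and the group profile FTPWRITERS are placeholders you would create yourself.

```cl
/* FTPSVREXIT - constructed example exit program, not the presenter's  */
/* or IBM's code, for exit point QIBM_QTMF_SERVER_REQ, format VLRQ0100. */
/* Compile with CRTCLPGM (or CRTBNDCL) and register it with:           */
/*   ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) +       */
/*              PGMNBR(1) PGM(EXITLIB/FTPSVREXIT)                       */
/* Assumptions: EXITLIB, journal EXITLIB/AUDJRN (the secure audit log)  */
/* and group profile FTPWRITERS are placeholders you create yourself.  */
PGM PARM(&APPID &OPID &USER &RMTIP &RMTIPLEN &OPINFO &OPINFOLEN &ALLOW)

  /* VLRQ0100 parameter list, in the order the FTP server passes it.  */
  DCL VAR(&APPID)     TYPE(*INT)  LEN(4)   /* 2 = FTP server           */
  DCL VAR(&OPID)      TYPE(*INT)  LEN(4)   /* 0 session init, 5 delete */
                                           /* 6 send (get), 7 receive  */
                                           /* (put), 8 rename, 9 RCMD  */
  DCL VAR(&USER)      TYPE(*CHAR) LEN(10)
  DCL VAR(&RMTIP)     TYPE(*CHAR) LEN(45)  /* client IP address text   */
  DCL VAR(&RMTIPLEN)  TYPE(*INT)  LEN(4)
  DCL VAR(&OPINFO)    TYPE(*CHAR) LEN(512) /* file name or CL command  */
  DCL VAR(&OPINFOLEN) TYPE(*INT)  LEN(4)
  DCL VAR(&ALLOW)     TYPE(*INT)  LEN(4)   /* output: 0 reject 1 allow */

  DCL VAR(&LMTCPB)    TYPE(*CHAR) LEN(10)
  DCL VAR(&GRPPRF)    TYPE(*CHAR) LEN(10)
  DCL VAR(&OPCHAR)    TYPE(*CHAR) LEN(2)
  DCL VAR(&ALWCHAR)   TYPE(*CHAR) LEN(1)
  DCL VAR(&FROM)      TYPE(*CHAR) LEN(45)
  DCL VAR(&DETAIL)    TYPE(*CHAR) LEN(128)
  DCL VAR(&DTLLEN)    TYPE(*INT)  LEN(4)
  DCL VAR(&INLOG)     TYPE(*CHAR) LEN(1)   VALUE('0')
  DCL VAR(&LOGTXT)    TYPE(*CHAR) LEN(256)

  /* Fail closed: any unexpected error rejects the request.           */
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(REJECT))

  CHGVAR VAR(&ALLOW) VALUE(1)

  /* The FTP server ignores LMTCPB, so look the user up ourselves.    */
  /* (Profiles should be *PUBLIC *EXCLUDE, so compile this program   */
  /* with USRPRF(*OWNER) under an owner that can read user profiles.) */
  RTVUSRPRF USRPRF(&USER) LMTCPB(&LMTCPB) GRPPRF(&GRPPRF)

  /* Rule 1: limited-capability users get no CL commands via RCMD.   */
  IF COND(&OPID *EQ 9 *AND &LMTCPB *EQ '*YES') +
     THEN(CHGVAR VAR(&ALLOW) VALUE(0))

  /* Rule 2: only members of FTPWRITERS may upload, delete or rename. */
  /* (Only the primary group is checked; extend with SUPGRPPRF.)      */
  IF COND((&OPID *EQ 5 *OR &OPID *EQ 7 *OR &OPID *EQ 8) *AND +
          &GRPPRF *NE 'FTPWRITERS') THEN(CHGVAR VAR(&ALLOW) VALUE(0))
  GOTO CMDLBL(LOG)

REJECT:
  CHGVAR VAR(&ALLOW) VALUE(0)
  /* An error while logging: reject and stop rather than loop.        */
  IF COND(&INLOG *EQ '1') THEN(RETURN)

LOG:
  /* Every request, allowed or not, is journaled: user, operation,   */
  /* decision, client address and the file or command involved.      */
  CHGVAR VAR(&INLOG)   VALUE('1')
  CHGVAR VAR(&OPCHAR)  VALUE(&OPID)
  CHGVAR VAR(&ALWCHAR) VALUE(&ALLOW)
  CHGVAR VAR(&FROM)    VALUE('?')
  IF COND(&RMTIPLEN *GT 0 *AND &RMTIPLEN *LE 45) +
     THEN(CHGVAR VAR(&FROM) VALUE(%SST(&RMTIP 1 &RMTIPLEN)))
  CHGVAR VAR(&DETAIL)  VALUE(' ')
  IF COND(&OPINFOLEN *GT 0) THEN(DO)
     CHGVAR VAR(&DTLLEN) VALUE(&OPINFOLEN)
     IF COND(&DTLLEN *GT 128) THEN(CHGVAR VAR(&DTLLEN) VALUE(128))
     CHGVAR VAR(&DETAIL) VALUE(%SST(&OPINFO 1 &DTLLEN))
  ENDDO
  CHGVAR VAR(&LOGTXT) VALUE('FTP USER=' *CAT &USER *BCAT 'OP=' *CAT +
         &OPCHAR *BCAT 'ALLOW=' *CAT &ALWCHAR *BCAT 'FROM=' *CAT +
         &FROM *BCAT 'DETAIL=' *CAT &DETAIL)
  /* No audit record, no access: if SNDJRNE fails, the program-level */
  /* MONMSG above jumps to REJECT, which returns with &ALLOW = 0.     */
  SNDJRNE JRN(EXITLIB/AUDJRN) TYPE(FT) ENTDTA(&LOGTXT)
ENDPGM
```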
Network Security Summary
If you have this problem, you are not alone.
IBM i provides Exit Points, But IBM i does not provide the Exit
Programs that can enforce your rules and Log the activity.
Successful business strategies rely on a secure
system.
Privacy must be a Top concern
Write your own Network Exit Programs or invest
in a commercial software package.
Summary and Final Thoughts
Do not Permit the use of a Default Password, and enforce strong, but
not onerous, Password Formation Rules.
Remove Powerful Special Authorities from All Users and Groups
where possible.
Set Restrictive Ownership and Authority to User Profiles to prevent
Hijacking
Enforce Restrictive Policies on Security System Values, and Protect
these from being changed.
Implement Encryption of Sensitive Data … Data at Rest
Implement Encryption of TELNET, FTP, etc… Data in Motion
Implement Encryption of Backup Media
Mask or otherwise Encrypt data on Test/Development Systems
Implement Network Exit Programs to Log and Control all Network
Access
Thank you!
www.SecureMyi.com
IT Security and Compliance Group, LLC
Dan.Riehl@SecureMyi.com
Solutions for IBM i
Compliance and Security
Becky Hjellming
Product Marketing Director
Syncsort’s Security Portfolio
Security
Cilasoft
Cilasoft Compliance
and Security Suite
QJRN/400
QJRN Database & QJRN System
CONTROLER
EAM
RAMi
(Coming Soon!)
CENTRAL
Enforcive
Enterprise Security
Suite
Security Risk
Assessment
Cross-Platform Audit
Cross-Platform
Compliance
Password Self-Service
AIX Security
Quick
Quick-CSi
Quick-Anonymizer
Townsend
Alliance
AES/400
Alliance
Key Manager
Alliance Token
Manager
Alliance
FTP Manager
Alliance
LogAgent Suite
Alliance Two Factor
Authentication
What Are Your Security Goals?
SIEM Integration: ensure IBM i security activity can be fed into an
enterprise security monitoring console
Fraud Detection/Prevention: ensure comprehensive control of unauthorized
access and the ability to trace any activity, suspicious or otherwise
Compliance: prove to auditors that access is controlled and the system is
in compliance
Syncsort can help
with any compliance,
security or SIEM
integration need
Security Risk
Assessment
Comprehensive
Access Control
Elevated
Authority
Management
Enhanced
Password
Management
Sensitive
Data
Protection
Secure Data
Transfer
System &
Database
Auditing
Compliance
Acceleration
Alerts and
Reports
SIEM
Integration
Log
Forwarding
Security Risk Assessment
• Annual IT risk assessments are required by certain regulations
such as PCI DSS and HIPAA
• Challenges of performing an IBM i audit include:
  • Audits of IBM i are not well understood by all security auditors
  • Not all IBM i administrators have the knowledge or the time to
conduct regular, thorough security assessments.
  • Separation of duties is encouraged so that the audit is not conducted
by the same person that manages the system on a day-to-day basis
• Look for risk assessment products or services that:
  • Assess all areas of the IBM i
  • Generate comprehensive reports
  • Make recommendations for remediating any exposures
Security Risk
Assessment Tool
Security Risk
Assessment Service
Syncsort
Security
Solutions
Comprehensive Access Control
• You must take control of all access to your IBM i
• Comprehensive access control can only be achieved if network exit point
and command control are added to your IBM i security strategy
• Controlling network exit points
  • Blocking operations like logging on, accessing data, running programs, etc.
  • Includes:
    • Network protocols such as ODBC, JDBC, OLE DB, FTP, DDM, DRDA, NetServer
    • Jobs, Sockets
    • SQL engine
    • File open
    • System and user commands
• Command control
  • Blocking commands based on their context and parameter values
Cilasoft CONTROLER
Enforcive Enterprise
Security Suite
(for IBM i and for AIX)
Syncsort
Security
Solutions
Elevated Authority Management
• Auditors require that the number of powerful profiles (*ALLOBJ,
*SECADM, command line access, etc.) within a system be limited
• It is preferred that users are only given the minimum necessary
authorities and that their authorities are only elevated as required
• Temporarily assigning authority through a rule-based process, and only as
required, helps meet audit requirements
• Logging all activity from the temporarily elevated profile (including
journals, exit programs, joblogs, screen captures, etc.) to produce a
complete audit trail is also desirable
Cilasoft Elevated
Authority Manager
(EAM)
Syncsort
Security
Solutions
Multi-Factor Authentication
• Passwords alone are not sufficient to provide strong security, as
evidenced by breaches due to brute force attacks
• Authentication methods known as multi-factor authentication (MFA) or
two-factor authentication (2FA) use two of the following factors for
authentication:
  • Something you know (user ID, password, PIN)
  • Something you have (smart phone, email, token device)
  • Something you are (fingerprint, iris scan)
• One-time passwords are generated by authenticators such as Google
Authenticator, Microsoft Authenticator, Authy, Duo, RSA SecurID. Some
support RADIUS.
• MFA is a strong requirement in PCI-DSS 3.2, HIPAA, NYDFS Cybersecurity
Regulation, Swift Alliance Access
Cilasoft Reinforced
Authentication
Manager for i (RAMi)
Townsend
Alliance Two Factor
Authentication
Syncsort
Security
Solutions
Sensitive Data Protection
Organizations subject to regulations may be required to implement
some form of sensitive data protection
Encryption
• Required to comply with the PCI DSS
• Using a variety of algorithms, data is encrypted at either the file or
field level such that unauthorized users will not be able to see the
encrypted data, even if accessed through journals
• Solutions may have certification by NIST, RSA or others
Tokenization
• Supports compliance with PCI DSS, HIPAA/HITECH, GLBA, GDPR and
individual state privacy laws
• Replaces sensitive data with a token value. If files are lost or stolen,
sensitive data is not compromised
• Token is consistent for unique names, and data can be re-identified
• Solutions may be certified by NIST, RSA or others
Townsend Alliance AES/400, Alliance Key Manager, Alliance Token Manager
Enforcive Field Encryption
Syncsort Security Solutions
Masking
• Full or partial masks can be applied to any kind of database field
• The format remains the same but the values are changed
• Common when displaying credit card numbers (mask all but the final digits)
• Protects the data while providing a functional substitute
• Useful in production environments
Anonymization
• Permanently replaces identifiable data; the process is irreversible
• Anonymization can be done using methods such as scrambling, a PCI/LUHN algorithm or a custom exit program
• Key relationships can be preserved so the anonymized data stays consistent across files
• Coupled with replication, anonymized data can be distributed to another environment in real time (not production or HA/DR environments)
• Useful for feeding anonymized data to a secondary system for training, development and testing
More Sensitive Data Protection
68
Syncsort Security Solutions
Townsend Alliance AES/400, Alliance Key Manager, Alliance Token Manager
Enforcive Field Encryption
Quick-Anonymizer
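An added example, not vendor code, that works the tokenization, masking and anonymization techniques from the Sensitive Data Protection slides above on payment card numbers: a format-preserving partial mask, a keyed and irreversible anonymizer whose output stays Luhn-valid and consistent across files, and a vault-based tokenizer that can re-identify the original. The sample numbers, the anonymization key and the vault design are constructed for the demo.

```python
"""Added example (not vendor code): mask, anonymize and tokenize card numbers.
Sample PANs are standard test numbers; the key and vault are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample PANs (industry test numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]
# Constructed key; in practice it lives in a key manager, not in source.
ANON_KEY = b"demo-anonymization-key-not-for-production"


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial+digit pass the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def mask_pan(pan: str, keep_last: int = 4, fill: str = "X") -> str:
    """Partial mask: same length, only the final digits remain visible."""
    return fill * (len(pan) - keep_last) + pan[-keep_last:]


def anonymize_pan(pan: str, key: bytes = ANON_KEY) -> str:
    """Irreversible, format-preserving replacement. A keyed HMAC makes the
    same input always yield the same output, so joins across files still
    line up; the 6-digit issuer prefix is kept and the check digit recomputed
    so downstream Luhn validation does not break."""
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    body_len = len(pan) - 6 - 1                 # prefix + body + check digit
    body = "".join(str(int(c, 16) % 10) for c in digest)[:body_len]
    partial = pan[:6] + body
    return partial + luhn_check_digit(partial)


class TokenVault:
    """Reversible tokenization: a random token per value, with the mapping
    held in a protected vault so authorized callers can re-identify."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._to_token:
            while True:
                token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 1))
                if token not in self._to_value:
                    break
            self._to_token[pan] = token
            self._to_value[token] = pan
        return self._to_token[pan]          # consistent: same PAN -> same token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        print(pan, mask_pan(pan), anonymize_pan(pan), vault.tokenize(pan))
```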
• In addition to encrypting data at rest, you need to protect sensitive data when in flight to meet regulatory requirements such as PCI, HIPAA, GDPR, GLBA and others
• Data transfers need to be secured across both external and internal networks
• Data is secured by encrypting the data on the IBM i before transferring and decrypting it on the receiving end
• Options include
  • Secure FTP (sFTP)
  • Secure Shell (SSH)
  • Pretty Good Privacy (PGP)
• Additional features such as negotiating firewalls and creating an audit trail of file transfer activities are highly desirable
Secure Data Transfer
69
Secure Data Transfer
70
Townsend Alliance FTP Manager, Alliance XML/400
Syncsort Security Solutions
• Regulations such as PCI, SOX, HIPAA, GLBA and others require logging and monitoring of system and database activity
• Journals are the trusted source for auditors when tracing security events as they are reliable, not falsifiable, not selective, and they are integrated with the IBM i OS
• System auditing includes logging of:
  • Object changes (system values, user profiles, authorization lists, etc.)
  • Access attempts (authentication and object access)
  • Powerful user activity (*ALLOBJ, *SECADM)
  • Real command line activity of user profiles
  • Access to, or use of, sensitive objects (files, programs, menus, etc.)
• Database auditing includes logging of:
  • Changes made via programs outside the standard applications (SQL, DFU, etc.)
  • Modification to sensitive field values (credit limits, price lists, discount rates, etc.)
• Proper journal analysis requires tools
  • Journals are cryptic, contain a large amount of data and are difficult to search
  • Special tools are needed to make it easy to identify useful data in the journals
System and Database Auditing
71
System and Database Auditing
72
Cilasoft QJRN/400
Enforcive Enterprise Security Suite (for IBM i and AIX), Cross-Platform Audit
Quick-CSi
Syncsort Security Solutions
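As an added example (not one of the tools listed above), here is a small rule set run over constructed QAUDJRN-style entries, covering the event classes the auditing slide names: repeated password failures, changes to system values and user profiles, commands run by powerful profiles, and authority failures on sensitive objects. The entry type codes are real audit journal types; the user names, objects, thresholds and the flattened record layout are assumptions (on a real system the entries would come from DSPJRN or the QSYS2.DISPLAY_JOURNAL table function).

```python
"""Added example (not a vendor tool): rule-based triage of IBM i security audit
journal (QAUDJRN) entries. Records are constructed in a simplified layout.
Entry types used are real audit journal types: PW password failure, AF authority
failure, CD command string, SV system value change, CP user profile change."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit entries: (timestamp, entry type, user profile, detail)
SAMPLE_ENTRIES = [
    ("2018-06-26 08:00:01", "PW", "JSMITH",   "Password not valid"),
    ("2018-06-26 08:00:09", "PW", "JSMITH",   "Password not valid"),
    ("2018-06-26 08:00:15", "PW", "JSMITH",   "Password not valid"),
    ("2018-06-26 08:00:20", "PW", "JSMITH",   "Password not valid"),
    ("2018-06-26 08:00:31", "PW", "JSMITH",   "Password not valid"),
    ("2018-06-26 08:05:00", "PW", "MBROWN",   "Password not valid"),
    ("2018-06-26 09:12:44", "SV", "QSECOFR",  "QSECURITY changed from 40 to 30"),
    ("2018-06-26 09:13:10", "CP", "QSECOFR",  "CHGUSRPRF TEMP1 SPCAUT(*ALLOBJ)"),
    ("2018-06-26 10:30:00", "CD", "OPERATOR", "CALL PGM(PAYROLL/UPDRATES)"),
    ("2018-06-26 10:31:05", "CD", "CLERK2",   "WRKACTJOB"),
    ("2018-06-26 11:02:17", "AF", "CLERK2",   "PAYROLL/SALARY not authorized"),
    ("2018-06-26 11:40:00", "AF", "CLERK2",   "TESTLIB/SCRATCH not authorized"),
]

# Assumed profiles holding *ALLOBJ/*SECADM and assumed sensitive objects.
POWERFUL_USERS = {"QSECOFR", "OPERATOR"}
SENSITIVE_OBJECTS = {"PAYROLL/SALARY", "PAYROLL/UPDRATES"}
PW_FAIL_THRESHOLD = 5                  # failures ...
PW_FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window = brute force


def parse(entries):
    """Turn the flattened records into (datetime, type, user, detail) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), typ, user, detail)
            for ts, typ, user, detail in entries]


def analyze(entries):
    """Return a list of (severity, rule, user, detail) findings."""
    findings = []
    pw_failures = defaultdict(list)
    for ts, typ, user, detail in parse(entries):
        if typ == "PW":
            pw_failures[user].append(ts)
        elif typ in ("SV", "CP"):        # security object changes: always report
            findings.append(("HIGH", "security-object-change", user, detail))
        elif typ == "CD" and user in POWERFUL_USERS:
            findings.append(("MEDIUM", "powerful-user-command", user, detail))
        elif typ == "AF" and any(obj in detail for obj in SENSITIVE_OBJECTS):
            findings.append(("HIGH", "sensitive-object-access-denied", user, detail))
    # Brute force: threshold-many failures for one profile inside a sliding window.
    for user, times in pw_failures.items():
        times.sort()
        for i in range(len(times) - PW_FAIL_THRESHOLD + 1):
            if times[i + PW_FAIL_THRESHOLD - 1] - times[i] <= PW_FAIL_WINDOW:
                findings.append(("HIGH", "password-brute-force", user,
                                 f"{PW_FAIL_THRESHOLD} failures in {PW_FAIL_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_ENTRIES):
        print(*finding)
```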
• Organizations that are subject to regulations may need to accelerate achieving compliance, particularly if they are aware of an impending audit.
• Compliance acceleration tools can help identify deviations from the requirements and provide models or rules for achieving compliance.
• By defining corporate security policies, alerts can be generated in the event of potential compliance violations or fraudulent activity, to ensure that compliance is maintained.
Compliance Acceleration
73
Compliance Acceleration
74
Enforcive Policy Compliance, Compliance Accelerator, Cross-Platform Compliance
Cilasoft QJRN/400
Syncsort Security Solutions
• For any security use case, proper alerting, reporting and integration with other SIEM consoles make the data truly useful.
• Alerting via various methods brings events to your attention that require additional inspection or action.
• Reports enable you to communicate compliance and security data to management, auditors, partners and customers.
• Integration with SIEM consoles or forwarding logs to tools such as Splunk enables IBM i security data to be monitored alongside other platforms and supports IT Operations Analytics (ITOA).
Reporting, Alerting, Log Forwarding & SIEM Integration
75
Reporting, Alerting, Log Forwarding & SIEM Integration
76
Ironstream for i
Cilasoft Security Suite
Townsend Alliance LogAgent
Enforcive Security Suite with Data Provider
Syncsort Security Solutions
• Network Security
  • Enforcive Firewall Manager
• Password Self-Service
  • Cilasoft Reinforced Authentication Manager (RAMi)
  • Enforcive Password Self-Service
• Supervised Changes / Four Eyes Principle
  • Cilasoft Reinforced Authentication Manager (RAMi)
• Job Log Analysis
  • Free Cilasoft Job Log Explorer
• Data Consolidation & Distribution
  • Cilasoft CENTRAL (Consolidation & Distribution)
More Security Solutions
77
Cilasoft Reinforced Authentication Manager for i (RAMi)
Cilasoft CENTRAL
Cilasoft Job Log Explorer
Enforcive Firewall Manager
Enforcive Password Self-Service
Syncsort Security Solutions
Syncsort Global Services Is Here to Help!
Flexible Services Offerings for Security
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (installing hot fixes, PTFs, new releases, etc.)
• System update services (ensuring the security solution is properly configured after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Our team of seasoned experts is here for you!
78
Let’s Get Started!
Compliance and Security solutions from Syncsort are available to help you with:
1. Security Risk Assessment
2. Compliance Acceleration
3. Comprehensive Access Control
4. Elevated Authority Management
5. Enhanced Password Management
6. Sensitive Data Protection
7. Secure Data Transfer
8. System & Database Change Auditing
9. Alerts, Reports and SIEM Integration
10. Log Forwarding for ITOA
79
Q&A
Top Ten Tips for IBM i Security and Compliance

Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Top Ten Tips for IBM i Security and Compliance

  • 5. Top Tips Regarding The Most Common IBM i Exposures and How to Assess Your System
    • User Profile Account Creation and Maintenance Failures
    • Non-Restrictive Password Formation/Expiration Rules
    • Too Many Powerful Users
    • Command Line Access Misconceptions – Limited Capabilities
    • Simplicity of Hijacking a Powerful User Profile
    • Security Related System Values are Not Protected
    • Object Level Authorities are Not Restrictive
    • Encryption and Masking of Sensitive Data is Not Enforced
      • Sensitive Data stored in Clear Text in Unsecured Files
      • TELNET, FTP, ODBC… Data in Motion in Clear Text
      • Backup Media Not Encrypted
      • Sensitive Production Data lives on Test/Dev Systems without Masking
    • Uncontrolled, Invisible and Unaudited Network Data Access
    • Lack of IBM i Experience in IT Audit Community
    • Few Organizations have a dedicated IBM i Security Specialist
  • 6. Non-Restrictive Password Formation Rules
    • Default Passwords are a Huge Exposure
      • On initial password setting, the default value is the user name
      • This is often used also for re-setting the password
      • Causes immediate exposure for these offending user profiles
      • Anyone could log on as user PAYUSER with password PAYUSER
    • Password formation rules (new V6R1M0 QPWDRULES system value)
      • Replaces the QPWD* system values for password formation
      • Provides for more granular and more precise password formation rules
      • QPWDRULES is updated in V7R2M0 with *ALLCRTCHG
  • 7. Use The QPWDRULES System Value to Set Password Formation Rules
    And new options are available to prevent default passwords:
    • *ALLCRTCHG (new at V7R2M0): Enforce all password composition rules defined in the QPWDRULES system value when creating or changing a password via the Create User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF) commands and APIs. Prior to this V7R2M0 update, password formation rules were only in effect when a user changed their own password (CHGPWD). With this option, the rules are also in effect when the CRTUSRPRF or CHGUSRPRF commands are used.
    • *LMTPRFNAME: The uppercase password value may not contain the complete user profile name in consecutive positions.
  • 8. Default Passwords - How many do you have?
    • Use the ANZDFTPWD command
    • Then review the resulting report
  • 9. Too Many Powerful Users - User Special Authorities
    • User Profiles can be assigned Powerful Special Authorities, at the User Level or at the Group Level:
      • *ALLOBJ – allows ALL access to ALL resources on the system
      • *SECADM – ability to manage user profiles
      • *JOBCTL – control all jobs and IPL/Reboot the system
      • *SPLCTL – control all spool files (Reports), and jobs in job queues
      • *SAVSYS – ability to save and restore any object
      • *SERVICE – ability to run STRSST and other Service commands
      • *AUDIT – control all system auditing functions, Run Audit Reports
      • *IOSYSCFG – configure system communications SNA, TCP/IP. . .
  • 10. Special Authorities are Out of Control
    • Use the command PRTUSRPRF
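As an added example (not part of the presentation), the same review as an SQL query against the QSYS2.USER_INFO service; it also surfaces special authorities inherited through group profiles and shows the LMTCPB setting, so the "limited user with *JOBCTL" combination of slide 14 stands out. Column names are the documented ones; the authority list in the WHERE clause is an assumption you can extend.

```sql
-- Added example, not from the presentation: every profile that holds a
-- powerful special authority directly or through a group profile.
-- Assumes the QSYS2.USER_INFO SQL service (run from Run SQL Scripts or STRSQL).
WITH grp AS (
    -- special authorities that flow down to the members of each group profile
    SELECT RTRIM(authorization_name) AS group_name,
           special_authorities       AS group_spcaut
    FROM qsys2.user_info
    WHERE special_authorities <> ''
)
SELECT RTRIM(u.authorization_name) AS profile,
       u.status,                          -- *ENABLED profiles are the live exposure
       u.limit_capabilities,              -- LMTCPB(*YES) does not stop RMTCMD or SBMJOB
       u.special_authorities         AS direct_spcaut,
       g.group_name                  AS via_group,
       g.group_spcaut
FROM qsys2.user_info u
LEFT JOIN grp g
       ON g.group_name = RTRIM(u.group_profile_name)
       OR ' ' CONCAT u.supplemental_group_list CONCAT ' '
          LIKE '% ' CONCAT g.group_name CONCAT ' %'
WHERE u.special_authorities LIKE '%*ALLOBJ%'
   OR u.special_authorities LIKE '%*SECADM%'
   OR u.special_authorities LIKE '%*JOBCTL%'
   OR u.special_authorities LIKE '%*SPLCTL%'
   OR u.special_authorities LIKE '%*SERVICE%'
   OR g.group_spcaut        LIKE '%*ALLOBJ%'
   OR g.group_spcaut        LIKE '%*SECADM%'
   OR g.group_spcaut        LIKE '%*JOBCTL%'
   OR g.group_spcaut        LIKE '%*SPLCTL%'
   OR g.group_spcaut        LIKE '%*SERVICE%'
   -- add *SAVSYS, *AUDIT and *IOSYSCFG the same way if your policy restricts them
ORDER BY profile, via_group;
```

A profile with an empty direct_spcaut but a populated group_spcaut is the case PRTUSRPRF output alone is easy to misread: the power comes from the group.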
  • 11. Limited Capabilities Exposures - Limited Capabilities Users *YES
    • Considered as “Security By Menu-Option”
    • Can only use certain commands at a command line:
      • Sign off (SIGNOFF)
      • Send message (SNDMSG)
      • Display messages (DSPMSG)
      • Display job (DSPJOB)
      • Display job log (DSPJOBLOG)
      • Work with Messages (WRKMSG)
    • Cannot change Initial Program, Initial Menu or Current Library at the Sign-on Display, or with the CHGPRF command
  • 12. Limited Capabilities *NO - Sign-On Screen Exposures
    The limited capabilities attribute of a User Profile determines if the User can run ANY authorized command at a command line. It also determines whether the User can change selected values on the IBM supplied Sign-on display QDSIGNON and/or QDSIGNON2.
        Sign On
        System . . . . . :   SYSTEMI
        Subsystem . . . . :   QINTER
        Display . . . . . :   QPADEV0083
        User . . . . . . . . . . . . . .   __________
        Password . . . . . . . . . . . .   __________
        Program/procedure . . . . . . . .   __________
        Menu . . . . . . . . . . . . . .   __________
        Current library . . . . . . . . .   __________
    Why are these here?
  • 13. Limited Capabilities Exposures
    • CRTUSRPRF BOB … LMTCPB(*YES) provides the Command Line restriction
    • But, the Remote Command Server does not respect the LMTCPB attribute:
        Microsoft Windows [Version 7.1.2600]
        (C) Copyright 1985-2011 Microsoft Corp.
        C:\Documents and Settings\Dan Riehl> RMTCMD CRTLIB HACKER
        IBM iSeries Access for Windows
        Version 7 Release 1 Level 0
        Submit Remote Command
        (C) Copyright IBM Corporation and Others 1984, 2011. All rights reserved.
        U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
        Licensed Materials - Property of IBM
        Library HACKER Created
  • 14. Limited Capabilities Exposures
    What happens when we combine the RMTCMD exposure with User Special Authorities, like the ubiquitous *JOBCTL?
        Microsoft Windows XP [Version 5.1.2600]
        (C) Copyright 1985-2001 Microsoft Corp.
        C:\Documents and Settings\Dan Riehl> RMTCMD ENDSBS QINTER
        IBM iSeries Access for Windows
        Version 6 Release 1 Level 0
        Submit Remote Command
        (C) Copyright IBM Corporation and Others 1984, 2003. All rights reserved.
        U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
        Licensed Materials - Property of IBM
        Subsystem QINTER ending in process
    So, Bubba out on the loading dock just shut down your system.
    Need Network Exit Point Programs
  • 15. User Profile Authorization Exposure - A VERY DANGEROUS AND UBIQUITOUS VULNERABILITY
    • CRTUSRPRF POWERUSER … AUT(*USE, *CHANGE, *ALL)
    • Allows anyone on the system to assume the identity of POWERUSER to perform unsanctioned tasks.
    • If a user profile object grants *USE rights or more to other users, those users may run work under that profile without knowing its password.
  • 16. Exploiting the User Profile Authorization Exposure
    If you have *USE rights or more to another User Profile object, you can easily run batch jobs as that user.
        SBMJOB CMD(CHGUSRPRF USRPRF(DAN) +
                   SPCAUT(*ALLOBJ *SECADM *JOBCTL)) +
               USER(POWERUSER)
    Running this command will give me everything I need to rule the entire system. It submits a batch job that runs under the POWERUSER profile, and assigns me the i/OS Special Authorities *ALLOBJ, *SECADM and *JOBCTL.
        SBMJOB CMD(RUNQRY QRYFILE(PAYROLL/PAYFILE)) +
               USER(PAYUSER)
    The command line restriction LMTCPB is NO protection. The SBMJOB command can be run from RMTCMD.exe.
  • 17. Do you have this exposure?
    Some VERY WELL KNOWN IBM i software vendors provide *SECOFR class profiles that are *PUBLIC AUT(*ALL) or AUT(*CHANGE). These allow anyone a back door to unlimited power.
    Check the authorizations on your user profiles. All profiles should be *PUBLIC AUT(*EXCLUDE).
    • To list ONLY user profiles that provide *PUBLIC access, use the command: PRTPUBAUT OBJTYPE(*USRPRF)
    • To list out all the *PUBLIC and private authorities of your user profiles: PRTPVTAUT OBJTYPE(*USRPRF)
    If you see user profiles listed in the resulting report with *PUBLIC *USE or greater authority, YOU HAVE THE EXPOSURE!
  • 18. *PUBLIC Authority to User Profiles
  • 19. Private Authority to User Profiles, Including Ownership of Users
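Added example, not from the presentation: an SQL equivalent of the PRTPUBAUT and PRTPVTAUT checks on slide 17, using the QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO services (documented column names assumed). It reports every *PUBLIC, private or ownership authority of *USE or more to a *USRPRF object and shows the target profile's special authorities, which is what turns a usable profile into a system-wide exposure.

```sql
-- Added example, not from the presentation. Assumes the QSYS2.OBJECT_PRIVILEGES
-- and QSYS2.USER_INFO SQL services.
-- *USE = *OBJOPR + *READ + *EXECUTE, which is all SBMJOB ... USER(profile) needs.
SELECT RTRIM(o.system_object_name) AS target_profile,
       RTRIM(o.authorization_name) AS grantee,          -- *PUBLIC, owner or a private grantee
       o.object_authority,
       CASE WHEN o.authorization_name = '*PUBLIC' THEN 'PUBLIC'
            WHEN o.authorization_name = o.owner   THEN 'OWNER'
            ELSE 'PRIVATE' END                          AS finding,
       t.user_class_name,
       t.special_authorities                            AS target_spcaut
FROM qsys2.object_privileges o
JOIN qsys2.user_info t
  ON t.authorization_name = o.system_object_name
WHERE o.system_object_schema = 'QSYS'
  AND o.object_type = '*USRPRF'
  -- a profile's own private authority to itself is created by the system and is normal
  AND o.authorization_name <> o.system_object_name
  AND (   o.object_authority IN ('*USE', '*CHANGE', '*ALL')
       OR (o.object_authority = 'USER DEFINED'
           AND o.object_operational = 'YES'
           AND o.data_read          = 'YES'
           AND o.data_execute       = 'YES'))
ORDER BY CASE WHEN o.authorization_name = '*PUBLIC' THEN 0 ELSE 1 END,
         t.special_authorities DESC,
         target_profile;
```

Swapping the two object filters to OBJECT_TYPE = '*FILE' and SYSTEM_OBJECT_SCHEMA = 'PAYLIB' (and dropping the JOIN to USER_INFO) gives the library and file authority review of slides 29 and 30.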
  • 20. IBM i Security Levels
    • 10 – No system-enforced security (Cannot be Newly Set)
    • 20 – Sign-on security
    • 30 – Sign-on and resource security
    • 40 – Sign-on and resource security; Operating system integrity protection
    • 50 – Sign-on and resource security; Operating system enhanced protection
    Not Secure … Can be Secure
    Check your level with WRKSYSVAL QSECURITY or DSPSYSVAL QSECURITY
  • 21. Security Attributes
    DSPSECA – Display Security Attributes. Allows you to see SST security settings without accessing STRSST (System Service Tools).
        Display Security Attributes
        User ID number . . . . . . . . . . . . . . :   582
        Group ID number . . . . . . . . . . . . . :   165
        Security level . . . . . . . . . . . . . . :   40
        Password level . . . . . . . . . . . . . . :   0
        Allow change of security related system values . . . . . . . . . . . . . . . . . :   *NO
        Allow add of digital certificates . . . . :   *NO
        Allow service tools user ID with default and expired password to change its own password . . . . . . . . . . . . . . . . :   *YES
  • 22. Protecting Security System Values
    STRSST – Start System Service Tools. *SERVICE special authority and the special SST password are required for access. (WHO HAS THIS SENSITIVE SST PASSWORD?)
  • 23. Protecting Security System Values - IBM i V7R2M0
    Setting the Lock on Security Related System Values. Security related system values (the slide groups the QPWD* values as Password Settings and the QAUD* values as Audit Settings):
        QALWJOBITP  QALWOBJRST  QALWUSRDMN  QAUDCTL     QAUDENACN   QAUDFRCLVL
        QAUDLVL     QAUDLVL2    QAUTOCFG    QAUTORMT    QAUTOVRT    QCRTAUT
        QCRTOBJAUD  QDEVRCYACN  QDSCJOBITV  QDSPSGNINF  QFRCCVNRST  QINACTMSGQ
        QLMTDEVSSN  QLMTSECOFR  QMAXSGNACN  QMAXSIGN    QPWDCHGBLK  QPWDEXPITV
        QPWDEXPWRN  QPWDLMTAJC  QPWDLMTCHR  QPWDLMTREP  QPWDLVL     QPWDMAXLEN
        QPWDMINLEN  QPWDPOSDIF  QPWDRQDDGT  QPWDRQDDIF  QPWDRULES   QPWDVLDPGM
        QRETSVRSEC  QRMTSIGN    QRMTSRVATR  QSCANFS     QSCANFSCTL  QSECURITY
        QSHRMEMCTL  QSSLCSL     QSSLCSLCTL  QSSLPCL     QUSEADPAUT  QVFYOBJRST
  • 24. Standard Application Software Vendor Scheme
    • Group Profile owns all data files (*ALL Authority)
    • All application Users are members of the Group
    • All application Users have *ALL authority to files
  • 25. Library Security Scheme - *USE Authority
        PAYLIB AUT(*USE)
          PAYFILE1 AUT(*USE)
          PAYFILE2 AUT(*CHANGE)
          PAYFILE3 AUT(*ALL)
          PAYFILE4 AUT(*EXCLUDE)
    *USE authority to a library allows access as defined in the objects, including the ability to delete an object, if authorized by the object. You cannot add an object to a library with *USE authority.
  • 26. Library Security Scheme - *USE and *ADD or *CHANGE Authority
        PAYLIB AUT(*CHANGE)
          PAYFILE1 AUT(*USE)
          PAYFILE2 AUT(*CHANGE)
          PAYFILE3 AUT(*ALL)
          PAYFILE4 AUT(*EXCLUDE)
    *CHANGE authority to a library allows access as defined in the objects. This includes the ability to delete an object, if authorized by the object, and the ability to add new objects to the library.
  • 27. Library Security Scheme - *ALL Authority
        PAYLIB AUT(*ALL)
          PAYFILE1 AUT(*USE)
          PAYFILE2 AUT(*CHANGE)
          PAYFILE3 AUT(*ALL)
          PAYFILE4 AUT(*EXCLUDE)
    *ALL authority to a library allows access as defined in the objects. This includes the ability to delete an object, if authorized by the object, and the ability to add new objects to the library.
  • 28. Library Security Scheme - *EXCLUDE Authority
        PAYLIB AUT(*EXCLUDE)
          PAYFILE1 AUT(*USE)
          PAYFILE2 AUT(*CHANGE)
          PAYFILE3 AUT(*ALL)
          PAYFILE4 AUT(*EXCLUDE)
    *EXCLUDE authority to a library prohibits the user from any access to the library and the objects inside the library.
  • 29. Checking Library Authority Settings
    To list out all the *PUBLIC and private authorities to your Libraries
  • 30. Checking File Authority Settings
    To list out all the *PUBLIC and private authorities to files in a Library
  • 31. *SPLCTL Special Authority and Secured Printer Queues
    Regardless of how secure an output queue is, a user with *SPLCTL special authority can view and manipulate any spooled file using the DSPSPLF and WRKSPLF commands. Use the PRTQAUT command to print a list of authority to all queues.
  • 32. Encryption is Required - Common Encryption Problems
    • Sensitive Data stored in Clear Text in mostly Unsecured Files
    • TELNET, FTP, ODBC… Data in Motion in Clear Text
    • Backup Media Not Encrypted
    • Sensitive Production Data lives on Test/Dev Systems without Masking
  • 33. Clear Text for TELNET - Passwords
        STRCMNTRC CFGOBJ(LINETH) CFGTYPE(*LIN) MAXSTG(16M) TEXT('My Comm Trace')
    Trace showing clear text from the Sign-on screen: UserID = PROG1, Password = ‘PASSWORD1’
  • 34. Clear Text for Sensitive Application Screen and Print Data
    Trace showing clear text from an application screen: Social Security Number = 282-36-1745, Name = EILEEN
    Encrypted TELNET, FTP, etc…. IS Not Optional!
  • 35. NETSTAT Command - Option 3 - IPv4
    Review the network services: what are you running?
        Work with IPv4 Connection Status                     System:   MYSYSTEM
        Type options, press Enter.
          3=Enable debug   4=End   5=Display details   6=Disable debug
              Remote          Remote   Local
        Opt   Address         Port     Port       Idle Time   State
        5     *               *        ftp-con >  000:02:14   Listen        ftp-control
        5     *               *        telnet     000:05:51   Listen        telnet
        5     *               *        ddm        031:39:04   Listen        ddm
        5     *               *        ddm-ssl    002:52:31   Listen        ddm-ssl
        5     *               *        as-data >  000:11:59   Listen        as-database
        5     *               *        ftps-co >  000:02:13   Listen        ftps-control
        5     *               *        telnet- >  000:05:02   Listen        telnet-s
        5     *               *        as-data >  000:00:10   Listen        as-database-s
              22.213.323.235  53079    telnet     000:03:04   Established
              22.213.323.235  53083    telnet     000:05:35   Established
              22.213.323.235  53251    telnet- >  000:00:00   Established   SSL TELNET
              22.213.323.235  53261    as-data >  000:00:31   Established
                                                                         More...
        F3=Exit   F5=Refresh   F9=Command line   F11=Display byte counts   F12=Cancel
        F20=Work with IPv6 connections   F22=Display entire field   F24=More keys
  • 36. The trouble with IBM i Security Implementation, our own home grown scheme, or…
    • Application Software Vendors have supplied us with lousy security models, and we have learned to accept them.
      • Green screen menu security…
      • Group ownership of Software packages
      • End users have way too much authority to files and other objects
      • *PUBLIC has too much authority
      • Too many individuals with too many special authorities…. Like *ALLOBJ.
    • We have not appreciated the dangers that come with network access to our files and services!
  • 37. Interactive Workstation Menu Security - Typical ‘Green Screen’ Setup
    Payroll Master File, secured as PAYUSER AUT(*CHANGE) or PAYUSER AUT(*ALL) or *PUBLIC AUT(*CHANGE) or *PUBLIC AUT(*ALL), and reached through the PAYUSER Menu:
        1. Maintain Payroll File
        2. Print Payroll Reports
        90. Sign off
  • 38. Network Access Methods
    The same Payroll Master File (PAYUSER AUT(*CHANGE) or PAYUSER AUT(*ALL) or *PUBLIC AUT(*CHANGE) or *PUBLIC AUT(*ALL)) is also reachable through FTP, CA File Transfer, ODBC and DDM:
    • No Menu Restrictions for Network Access
    • No Data Validation
    • Object authority allows access
  • 39. The Heart of the Matter!
    The OS/400 authority you have assigned to an object for Green Screen, menu-based access, IS NOT the same authority you want to allow using network tools like ODBC and FTP.
    • AUT(*USE) allows viewing and download of files and execution of commands and programs
    • AUT(*CHANGE) allows modification of data records without regard to data rules implemented in Green Screen programs.
    • AUT(*ALL) allows deletion of files, programs and other objects.
  • 40. What can a user do with FTP?
    File Transfer Protocol
    • Transfer files (up and down): PUT, GET
    • Run commands and programs: RCMD
    • Menu authority is always irrelevant; i/OS object authority reigns supreme
    If the user’s object authority to the file is:
    • *USE – The user can download all fields in all records in the file
    • *CHANGE – The user can upload records into the file… regardless of database edits.
    • *OBJMGT – The user can clear and replace the file, regardless of database edits.
    • *ALL – The user can rename, clear, or delete the file or other object
  • 41. What can a user do with FTP? Where’s the FTP Log for IBM i?
        Microsoft Windows [Version 10.0.17134.48]
        (c) 2018 Microsoft Corporation. All rights reserved.
        C:\Users\me>ftp MYSYSTEM
        Connected to MYSYSTEM.
        220-QTCP at MYSYSTEM.
        220 Connection will close if idle more than 2 minutes.
        User (MYSYSTEM:(none)): BOBTHETECH
        331 Enter password.
        Password:
        230 BOBTHETECH logged on.
        ftp> get customers
        200 PORT subcommand request successful.
        150 Retrieving member CUSTOMERS in file CUSTOMERS in library PRODDATA.
        226 File transfer completed successfully.
        ftp: 7400 bytes received in 0.18Seconds 41.11Kbytes/sec.
  • 42. What can a user do with IBM i Access File Transfer?
    IBM i Access (Client Access) File Transfer
    • Upload and/or replace files and Download files
    • Menu authority is always irrelevant; i/OS object authority reigns supreme
    If the user’s object authority to the file is:
    • *USE – The user can download all fields in all records in the file
    • *CHANGE – The user can upload records into the file… regardless of database edits.
    • *OBJMGT – The user can clear and/or replace the file… again, regardless of database edits.
    • *ALL – The user can rename, clear, or delete the file
    Where’s the IBM i CA Transfer Log?
  • 43. What can a user do with ODBC?
    ODBC: Open DataBase Connectivity. ODBC provides record level SQL access to DB2 data.
    What happens when Microsoft tools meet IBM i DB2 data?
    • Client Access installs a download/upload option into MS Excel.
    • DB2 manipulation with MS Access, Excel, etc…
    If the user’s object authority to the file is:
    • *USE – The user can read all fields in all records
    • *CHANGE – The user can change or delete all fields in any record
    • *OBJMGT – The user can clear and/or replace the file
    • *ALL – The user can rename, clear, or delete the file
    Where’s the IBM i ODBC Log?
  • 44. What can a user do with DDM?
    Distributed Data Management (Huh… What’s that?)
    • File and record level access to networked IBM i systems - CRTDDMF
    • Remote commands - SBMRMTCMD
    • Can use a default user profile like QUSER
    • OS/400 authority reigns supreme... Any command or program that the default user is authorized to can be executed
    • Works over any SNA APPC connection… including PCs
    • Also available over TCP/IP
  • 45. What can a user do with RMTCMD? Where’s the IBM i RMTCMD Log?
        Microsoft Windows [Version 10.0.17134.48]
        (c) 2018 Microsoft Corporation. All rights reserved.
        C:\Documents and Settings\BOBTHETECH> RMTCMD ENDSBS QINTER
        IBM iSeries Access for Windows
        Version 6 Release 1 Level 0
        Submit Remote Command
        (C) Copyright IBM Corporation and Others 1984, 2003. All rights reserved.
        U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
        Licensed Materials - Property of IBM
        Subsystem QINTER ending in process
    Ignores User Limited Capabilities (LMTCPB)
  • 46. The Heart of the Matter #2
    There are no logs or audit trail of network access transactions! You cannot tell WHO is doing WHAT.
    • Who downloaded the Customer file today?
    • Did anyone download my most sensitive file?
    This violates any valid Security/Auditing protocol.
• 47. Solving the Network Access Problem
Implement network exit programs to record and control IBM i access through the network interfaces.
• 48. What is an Exit Program Anyway?
A user- or vendor-supplied program attached to a predefined exit point in a process. In this case the exit points are defined by IBM for the network servers.
The FTP exit program, for example, can perform processing that overrides and/or complements the processing done by the main FTP server.
Flow:
  Main process (e.g. FTP server): access requested
    -> call to the user-supplied exit program (RPG, CL, COBOL, etc.; ILE or OPM)
         record the request in a secure audit log
         accept the request or reject the request
    -> continue processing (the server honours the exit program's verdict)
• 49. Do You Have Network Exit Programs?
Exit programs must be registered with IBM i.
DDM and original PC Support file transfer server exit programs are registered in the network attributes: DSPNETA or CHGNETA, then page down until you see:

  Display Network Attributes
                                                     System: MYSYSTEM
  DDM request access (DDMACC) . . . . . . . . . . . : MYDDMEXIT
    Library . . . . . . . . . . . . . . . . . . . . :   EXITLIB
  Client request access (PCSACC) . . . . . . . . . : MYTFREXIT
    Library . . . . . . . . . . . . . . . . . . . . :   EXITLIB

If no exit programs are registered, the default value is *OBJAUT: access is governed by object authority alone.
• 50. Do You Have Network Exit Programs?
TCP/IP server and host server exit programs must be registered with WRKREGINF or ADDEXITPGM:

  Work with Registration Information
  Type options, press Enter.
    5=Display exit point   8=Work with exit programs

  Opt  Exit Point             Format    Registered  Text
   8   QIBM_QTMF_CLIENT_REQ   VLRQ0100  *YES        FTP Client Request Validation
       QIBM_QTMF_SERVER_REQ   VLRQ0100  *YES        FTP Server Request Validation
       QIBM_QTMF_SVR_LOGON    TCPL0100  *YES        FTP Server Logon
       QIBM_QTMF_SVR_LOGON    TCPL0200  *YES        FTP Server Logon
       QIBM_QTMF_SVR_LOGON    TCPL0300  *YES        FTP Server Logon
   8   QIBM_QZDA_INIT         ZDAI0100  *YES        Database Server - entry
       QIBM_QZDA_NDB1         ZDAD0100  *YES        Database Server - data base a
       QIBM_QZDA_NDB1         ZDAD0200  *YES        Database Server - data base a
       QIBM_QZDA_ROI1         ZDAR0100  *YES        Database Server - object info
       QIBM_QZDA_ROI1         ZDAR0200  *YES        Database Server - object info
       QIBM_QZDA_SQL1         ZDAQ0100  *YES        Database Server - SQL access
       QIBM_QZDA_SQL2         ZDAQ0200  *YES        Database Server - SQL access
       QIBM_QZHQ_DATA_QUEUE   ZHQ00100  *YES        Data Queue Server
       QIBM_QZRC_RMT          CZRC0100  *YES        Remote Command/Program Call

Note that *YES in the Registered column only means the exit point itself exists; it says nothing about whether a program is attached. Take option 8 on each exit point to see whether any exit program is registered there.
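The flow described on slides 48 to 50, as an added example that is not part of the presentation and not code from IBM or any vendor named on this page: a CL exit program for the FTP server request validation exit point (QIBM_QTMF_SERVER_REQ, format VLRQ0100) that logs every request and then allows or rejects it. The parameter group and the operation numbers are IBM's published VLRQ0100 interface; the program name FTPREQEXIT, the library EXITLIB, the message queue EXITLIB/FTPLOG, the permitted profile FTPBATCH and the policy itself are assumptions made for illustration.

```cl
/* FTPREQEXIT: hypothetical FTP server request validation exit program  */
/* for exit point QIBM_QTMF_SERVER_REQ, format VLRQ0100. Added example; */
/* not from the presentation. Assumed names: library EXITLIB, message   */
/* queue EXITLIB/FTPLOG, permitted batch profile FTPBATCH.              */
PGM PARM(&APPID &OPID &USER &RMTIP &RMTIPLEN &OPINFO &OPINFOLEN &ALLOW)

/* Parameter group as defined by IBM for format VLRQ0100                */
DCL VAR(&APPID)     TYPE(*INT)  LEN(4)   /* 0=FTP client 1=FTP server   */
DCL VAR(&OPID)      TYPE(*INT)  LEN(4)   /* operation number, see below */
DCL VAR(&USER)      TYPE(*CHAR) LEN(10)  /* profile the session runs as */
DCL VAR(&RMTIP)     TYPE(*CHAR) LEN(45)  /* upper bound; use &RMTIPLEN  */
DCL VAR(&RMTIPLEN)  TYPE(*INT)  LEN(4)
DCL VAR(&OPINFO)    TYPE(*CHAR) LEN(256) /* upper bound; use &OPINFOLEN */
DCL VAR(&OPINFOLEN) TYPE(*INT)  LEN(4)
DCL VAR(&ALLOW)     TYPE(*INT)  LEN(4)   /* output: 0=reject, 1=allow   */

/* Operation numbers: 0 session init, 1 create dir, 2 delete dir,       */
/* 3 set current dir, 4 list, 5 delete file, 6 send file (download),    */
/* 7 receive file (upload), 8 rename, 9 execute CL command              */
DCL VAR(&OPNAMES)   TYPE(*CHAR) LEN(80)  /* 10 names, 8 bytes each      */
DCL VAR(&OPNAME)    TYPE(*CHAR) LEN(8)
DCL VAR(&POS)       TYPE(*INT)  LEN(4)
DCL VAR(&IP)        TYPE(*CHAR) LEN(45)
DCL VAR(&OBJ)       TYPE(*CHAR) LEN(256)
DCL VAR(&VERDICT)   TYPE(*CHAR) LEN(8)
DCL VAR(&MSG)       TYPE(*CHAR) LEN(512)

/* Fail closed: an unexpected error leaves &ALLOW at 0 and still logs   */
MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(LOGIT))
CHGVAR VAR(&ALLOW) VALUE(0)

CHGVAR VAR(&OPNAMES) VALUE('SESSION MKDIR   RMDIR   CHDIR   LIST    ')
CHGVAR VAR(%SST(&OPNAMES 41 40)) +
       VALUE('DELETE  DOWNLOADUPLOAD  RENAME  CLCMD   ')

/* Use only the valid part of the variable-length input parameters      */
CHGVAR VAR(&IP)  VALUE(' ')
CHGVAR VAR(&OBJ) VALUE(' ')
IF COND(&RMTIPLEN *GT 0 *AND &RMTIPLEN *LE 45) +
   THEN(CHGVAR VAR(&IP) VALUE(%SST(&RMTIP 1 &RMTIPLEN)))
IF COND(&OPINFOLEN *GT 0 *AND &OPINFOLEN *LE 256) +
   THEN(CHGVAR VAR(&OBJ) VALUE(%SST(&OPINFO 1 &OPINFOLEN)))

/* Operation number to name, for a readable log entry                   */
IF COND(&OPID *GE 0 *AND &OPID *LE 9) THEN(DO)
   CHGVAR VAR(&POS) VALUE(&OPID * 8 + 1)
   CHGVAR VAR(&OPNAME) VALUE(%SST(&OPNAMES &POS 8))
ENDDO
ELSE CMD(CHGVAR VAR(&OPNAME) VALUE('UNKNOWN'))

/* Policy (assumed): decide from the operation and the profile. Object  */
/* authority is still checked by the server after the exit allows.      */
SELECT
   /* FTP RCMD (execute CL command) is never allowed through this path  */
   WHEN COND(&OPID *EQ 9) THEN(CHGVAR VAR(&ALLOW) VALUE(0))
   /* The designated batch profile may also upload, delete and rename   */
   WHEN COND(&USER *EQ 'FTPBATCH') THEN(CHGVAR VAR(&ALLOW) VALUE(1))
   /* Everyone else: session, change directory, list and download only  */
   WHEN COND(&OPID *EQ 0 *OR &OPID *EQ 3 *OR &OPID *EQ 4 *OR +
             &OPID *EQ 6) THEN(CHGVAR VAR(&ALLOW) VALUE(1))
   OTHERWISE CMD(CHGVAR VAR(&ALLOW) VALUE(0))
ENDSELECT

LOGIT:
/* Record who did what, from where, and the verdict, allowed or not     */
IF COND(&ALLOW *EQ 1) THEN(CHGVAR VAR(&VERDICT) VALUE('ALLOWED'))
ELSE CMD(CHGVAR VAR(&VERDICT) VALUE('REJECTED'))
CHGVAR VAR(&MSG) VALUE('FTP' *BCAT &OPNAME *BCAT &VERDICT *BCAT +
       'user' *BCAT &USER *BCAT 'from' *BCAT &IP *BCAT 'object' *BCAT &OBJ)
SNDPGMMSG MSG(&MSG) TOMSGQ(EXITLIB/FTPLOG)
MONMSG MSGID(CPF0000) /* a logging failure must not take the server down */
ENDPGM
```

The exit program runs inside the FTP server job under the logged-on user's profile, so compile it to adopt its owner's authority and the log queue itself can be closed to everyone else: CRTMSGQ MSGQ(EXITLIB/FTPLOG) AUT(*EXCLUDE), then CRTBNDCL PGM(EXITLIB/FTPREQEXIT) SRCFILE(EXITLIB/QCLSRC) USRPRF(*OWNER). Register it with ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) PGMNBR(1) PGM(EXITLIB/FTPREQEXIT) and restart the server (ENDTCPSVR SERVER(*FTP), STRTCPSVR SERVER(*FTP)), since the registration is read when the FTP server starts. A production version would write to a journaled physical file rather than a message queue, and you would need a matching program on the other exit points listed on slide 50 (ODBC, remote command, data queue, and so on), which each have their own parameter formats.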
• 51. Network Security Summary
If you have this problem, you are not alone.
IBM i provides the exit points, but IBM i does not provide the exit programs that enforce your rules and log the activity.
Successful business strategies rely on a secure system, and privacy must be a top concern.
Write your own network exit programs, or invest in a commercial software package that supplies them.
• 52. Summary and Final Thoughts
Do not permit the use of a default password, and enforce strong, but not onerous, password formation rules.
Remove powerful special authorities from all users and groups where possible.
Set restrictive ownership and authority on user profiles to prevent profile hijacking.
Enforce restrictive settings for the security system values, and protect them from being changed.
Implement encryption of sensitive data at rest.
Implement encryption of TELNET, FTP, etc. (data in motion).
Implement encryption of backup media.
Mask or otherwise encrypt data on test/development systems.
Implement network exit programs to log and control all network access.
• 53. Thank you! www.SecureMyi.com IT Security and Compliance Group, LLC Dan.Riehl@SecureMyi.com
• 54. Solutions for IBM i Compliance and Security – Becky Hjellming, Product Marketing Director
• 55. Syncsort's Security Portfolio
Cilasoft: Cilasoft Compliance and Security Suite; QJRN/400 (QJRN Database and QJRN System); CONTROLER; EAM; RAMi (coming soon); CENTRAL
Enforcive: Enterprise Security Suite; Security Risk Assessment; Cross-Platform Audit; Cross-Platform Compliance; Password Self-Service; AIX Security
Quick: Quick-CSi; Quick-Anonymizer
Townsend: Alliance AES/400; Alliance Key Manager; Alliance Token Manager; Alliance FTP Manager; Alliance LogAgent Suite; Alliance Two Factor Authentication
• 56. What Are Your Security Goals?
SIEM integration: ensure IBM i security activity can be fed into an enterprise security monitoring console.
Fraud detection/prevention: ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise.
Compliance: prove to auditors that access is controlled and the system is in compliance.
• 57. Syncsort can help with any compliance, security or SIEM integration need: Security Risk Assessment; Comprehensive Access Control; Elevated Authority Management; Enhanced Password Management; Sensitive Data Protection; Secure Data Transfer; System and Database Auditing; Compliance Acceleration; Alerts and Reports; SIEM Integration; Log Forwarding
• 58. Security Risk Assessment
Annual IT risk assessments are required by certain regulations such as PCI DSS and HIPAA.
Challenges of performing an IBM i audit include:
  Audits of IBM i are not well understood by all security auditors.
  Not all IBM i administrators have the knowledge or the time to conduct regular, thorough security assessments.
  Separation of duties is encouraged, so that the audit is not conducted by the same person who manages the system day to day.
Look for risk assessment products or services that:
  Assess all areas of the IBM i
  Generate comprehensive reports
  Make recommendations for remediating any exposures
• 59. Security Risk Assessment (Syncsort Security Solutions): Security Risk Assessment Tool; Security Risk Assessment Service
• 60. Comprehensive Access Control
You must take control of all access to your IBM i.
Comprehensive access control can only be achieved if network exit point control and command control are added to your IBM i security strategy.
Controlling network exit points means blocking operations such as logging on, accessing data and running programs, and covers:
  Network protocols such as ODBC, JDBC, OLE DB, FTP, DDM, DRDA and NetServer
  Jobs and sockets
  The SQL engine
  File open
  System and user commands
Command control means blocking commands based on their context and parameter values.
• 61. Comprehensive Access Control (Syncsort Security Solutions): Cilasoft CONTROLER; Enforcive Enterprise Security Suite (for IBM i and for AIX)
• 62. Elevated Authority Management
Auditors require that the number of powerful profiles (*ALLOBJ, *SECADM, command line access, etc.) within a system be limited.
Users should be given only the minimum necessary authorities, with those authorities elevated only when required.
Temporarily assigning authority through a rule-based process, and only as required, helps meet audit requirements.
Logging all activity of the temporarily elevated profile (journals, exit programs, job logs, screen captures, etc.) to produce a complete audit trail is also desirable.
• 63. Elevated Authority Management (Syncsort Security Solutions): Cilasoft Elevated Authority Manager (EAM)
• 64. Multi-Factor Authentication
Passwords alone are not sufficient to provide strong security, as evidenced by breaches due to brute-force attacks.
Multi-factor authentication (MFA), or two-factor authentication (2FA), requires at least two of the following factors:
  Something you know (password, PIN)
  Something you have (smart phone, email, token device)
  Something you are (fingerprint, iris scan)
One-time passwords are generated by authenticators such as Google Authenticator, Microsoft Authenticator, Authy, Duo and RSA SecurID; some also support RADIUS.
MFA is required for certain access by PCI DSS 3.2 and the NYDFS Cybersecurity Regulation, and is called for by HIPAA guidance and the SWIFT Customer Security Programme (which covers Alliance Access installations).
• 65. Multi-Factor Authentication (Syncsort Security Solutions): Cilasoft Reinforced Authentication Manager for i (RAMi); Townsend Alliance Two Factor Authentication
• 66. Sensitive Data Protection
Organizations subject to regulations may be required to implement some form of sensitive data protection.
Encryption:
  PCI DSS requires stored cardholder data to be rendered unreadable; encryption is the usual way to meet that requirement.
  Data is encrypted at either the file or the field level, so that unauthorized users cannot read it even when they reach it through journals or backups.
  Solutions may have certification by NIST, RSA or others.
Tokenization:
  Supports compliance with PCI DSS, HIPAA/HITECH, GLBA, GDPR and individual state privacy laws.
  Replaces sensitive data with a token value; if files are lost or stolen, the sensitive data is not compromised.
  Tokens are consistent for a given input value, and authorized users can recover (detokenize) the original data.
  Solutions may be certified by NIST, RSA or others.
• 67. Sensitive Data Protection (Syncsort Security Solutions): Townsend Alliance AES/400, Alliance Key Manager, Alliance Token Manager; Enforcive Field Encryption
• 68. More Sensitive Data Protection
Masking:
  Full or partial masks can be applied to any kind of database field.
  The format stays the same but the values are changed.
  Common when displaying credit card numbers (mask all but the final digits).
  Protects the data while providing a functional substitute; useful in production environments.
Anonymization:
  Permanently replaces identifiable data; the process is irreversible.
  Can be done using methods such as scrambling, a Luhn-valid card number generator for PCI data, or a custom exit program.
  Key relationships can be preserved (the same source value always maps to the same replacement), so data stays consistent across files.
  Coupled with replication, anonymized data can be distributed to another environment in real time (not to production or HA/DR environments).
  Useful for feeding anonymized data to a secondary system for training, development and testing.
Syncsort Security Solutions: Townsend Alliance AES/400, Alliance Key Manager, Alliance Token Manager; Enforcive Field Encryption; Quick-Anonymizer
• 69. Secure Data Transfer
In addition to encrypting data at rest, you need to protect sensitive data in flight to meet regulatory requirements such as PCI DSS, HIPAA, GDPR, GLBA and others.
Data transfers need to be secured across both external and internal networks.
Data can be protected either by encrypting the connection, or by encrypting the file on the IBM i before it is sent and decrypting it on the receiving end. Options include:
  SFTP (file transfer over SSH)
  SSH itself (SCP, or tunnelling another protocol)
  PGP (encrypting the file itself, independent of how it is transferred)
Additional features such as negotiating firewalls and creating an audit trail of file transfer activities are highly desirable.
• 70. Secure Data Transfer (Syncsort Security Solutions): Townsend Alliance FTP Manager, Alliance XML/400
• 71. System and Database Auditing
Regulations such as PCI DSS, SOX, HIPAA, GLBA and others require logging and monitoring of system and database activity.
Journals are the trusted source for auditors when tracing security events: they are reliable, not falsifiable, not selective, and integrated with the IBM i operating system.
System auditing includes logging of:
  Object changes (system values, user profiles, authorization lists, etc.)
  Access attempts (authentication and object access)
  Powerful user activity (*ALLOBJ, *SECADM)
  Real command line activity of user profiles
  Access to, or use of, sensitive objects (files, programs, menus, etc.)
Database auditing includes logging of:
  Changes made by programs outside the standard applications (SQL, DFU, etc.)
  Modification of sensitive field values (credit limits, price lists, discount rates, etc.)
Proper journal analysis requires tools: journals are cryptic, contain a large amount of data and are difficult to search, so special tools are needed to make it easy to identify useful data in them.
• 72. System and Database Auditing (Syncsort Security Solutions): Cilasoft QJRN/400; Enforcive Enterprise Security Suite (for IBM i and AIX), Cross-Platform Audit; Quick-CSi
• 73. Compliance Acceleration
Organizations that are subject to regulations may need to accelerate achieving compliance, particularly if they are aware of an impending audit.
Compliance acceleration tools can help identify deviations from the requirements and provide models or rules for achieving compliance.
By defining corporate security policies, alerts can be generated for potential compliance violations or fraudulent activity, so that compliance is maintained.
• 74. Compliance Acceleration (Syncsort Security Solutions): Enforcive Policy Compliance, Compliance Accelerator, Cross-Platform Compliance; Cilasoft QJRN/400
• 75. Reporting, Alerting, Log Forwarding and SIEM Integration
For any security use case, proper alerting, reporting and integration with SIEM consoles makes the data truly useful.
Alerting via various methods brings events that require additional inspection or action to your attention.
Reports enable you to communicate compliance and security data to management, auditors, partners and customers.
Integration with SIEM consoles, or forwarding logs to tools such as Splunk, enables IBM i security data to be monitored alongside other platforms and supports IT Operations Analytics (ITOA).
• 76. Reporting, Alerting, Log Forwarding and SIEM Integration (Syncsort Security Solutions): Ironstream for i; Cilasoft Security Suite; Townsend Alliance LogAgent; Enforcive Security Suite with Data Provider
• 77. More Security Solutions
Network security: Enforcive Firewall Manager
Password self-service: Cilasoft Reinforced Authentication Manager (RAMi); Enforcive Password Self-Service
Supervised changes / four-eyes principle: Cilasoft Reinforced Authentication Manager (RAMi)
Job log analysis: free Cilasoft Job Log Explorer
Data consolidation and distribution: Cilasoft CENTRAL
• 78. Syncsort Global Services Is Here to Help!
Flexible services offerings for security:
  Security risk assessment
  Quick start services
  Quick check services
  Security update services (installing hot fixes, PTFs, new releases, etc.)
  System update services (ensuring the security solution is properly configured after system changes to IP addresses, OS versions, etc.)
  Auditor assist (supporting internal or external auditors)
  Managed security services
  A la carte consulting
Our team of seasoned experts is here for you!
• 79. Let's Get Started!
Compliance and security solutions from Syncsort are available to help you with:
1. Security Risk Assessment
2. Compliance Acceleration
3. Comprehensive Access Control
4. Elevated Authority Management
5. Enhanced Password Management
6. Sensitive Data Protection
7. Secure Data Transfer
8. System and Database Change Auditing
9. Alerts, Reports and SIEM Integration
10. Log Forwarding for ITOA
  • 80. Q&A