
IBM i Security: Malware Defense and Privacy Protection

Bill Hammond | August 19, 2021

Cybersecurity has been a hot topic this year, with several high-profile news stories underscoring the potential costs, in both money and reputation, of large-scale cybersecurity breaches such as ransomware attacks. For IBM i shops, the level of attention is higher than ever. A study commissioned by Precisely showed that only 25% of respondents were “very confident” in their ability to prevent a security breach, with 11% being “somewhat or very unconfident”.

Those numbers indicated a marked drop in confidence over the two preceding years. Cybersecurity threats, in particular malware and ransomware, are growing more and more sophisticated. Although IBM i systems have a well-earned reputation for security, the unfortunate reality is that too many organizations that depend on them have failed to take proper measures to protect themselves. Until recently, it has been rare for the sensitive business data stored on IBM i systems to be widely exploited by cybercriminals. Today, it is happening more than ever before.


Seemingly Simple Measures: Password Protection

Many of the security concerns arising from the use of IBM i systems center around seemingly rudimentary processes such as establishing passwords, changing them on a regular basis, and deactivating users who no longer work at the company. According to a 2020 study, 25% of systems allow user profiles that use default system passwords, in which the user ID and the password are the same. To a security professional, that is a gross violation of basic measures.

The problem is that in many IBM i landscapes, that kind of issue goes undetected, sometimes for many years. For example, non-named users (that is, so-called “PUBLIC” users) are often granted the rights to read, write, update, or even delete data. When IBM i systems are shipped, the default configurations include PUBLIC users with many of these rights in place. If no one takes affirmative measures to change those rights, the system is left with a security vulnerability that may remain undetected for a long time.

Digging Deeper: More Potential Gaps

The problems are compounded when you begin to explore user rights even further. For example, IBM i includes so-called “special authorities” such as Job Control (*JOBCTL) and Spool Control (*SPLCTL) authority, which should be granted to very few user profiles. Unfortunately, special authorities are often granted far more widely than they should be.

It’s also common for libraries to be configured to allow general users to modify their characteristics, potentially exposing sensitive corporate data to unauthorized users. Setting user authorizations properly is essential for effective security.
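An audit of the settings named in the two sections above, as an added example that is not Precisely's or IBM's own code: it queries the IBM i services QSYS2.USER_INFO and QSYS2.OBJECT_PRIVILEGES. APPLIB is a placeholder library name, and the USER_DEFAULT_PASSWORD column is assumed to be available on your release and visible to the profile running the query.

```sql
-- 1. Enabled profiles whose password is the same as the profile name
--    (the "default password" condition described above).
SELECT authorization_name, status, previous_signon
  FROM qsys2.user_info
 WHERE user_default_password = 'YES'   -- assumed column, see lead-in
   AND status = '*ENABLED'
 ORDER BY authorization_name;

-- 2. Profiles that hold *JOBCTL or *SPLCTL directly.
--    Authorities inherited from a group profile do not appear here,
--    so review the group profiles returned by this query as well.
SELECT authorization_name, user_class_name, group_profile_name,
       special_authorities
  FROM qsys2.user_info
 WHERE special_authorities LIKE '%*JOBCTL%'
    OR special_authorities LIKE '%*SPLCTL%'
 ORDER BY authorization_name;

-- 3. Objects in one library where *PUBLIC has more than read access.
--    'APPLIB' is a placeholder; substitute the library under review.
SELECT system_object_name, object_type, object_authority
  FROM qsys2.object_privileges
 WHERE system_object_schema = 'APPLIB'
   AND authorization_name   = '*PUBLIC'
   AND object_authority NOT IN ('*EXCLUDE', '*USE')
 ORDER BY object_type, system_object_name;

-- 4. The library object itself: can *PUBLIC change it?
--    Library objects reside in QSYS with object type *LIB.
SELECT system_object_name, object_authority
  FROM qsys2.object_privileges
 WHERE system_object_schema = 'QSYS'
   AND system_object_name   = 'APPLIB'
   AND object_type          = '*LIB'
   AND authorization_name   = '*PUBLIC'
   AND object_authority NOT IN ('*EXCLUDE', '*USE');
```

Any row returned by queries 1, 3, or 4 is a candidate for remediation; the result of query 2 should be a short list that matches the operators and administrators you expect.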


The challenge is that so many of these details can potentially create loopholes that allow cybercriminals to gain access to sensitive information. Those loopholes can lie dormant for years, undetected until a bad actor probes the system and discovers a way to get in.

Getting a Handle on IBM i Security

Unfortunately, it’s impossible to eliminate every such loophole; after all, users still need access to certain features and libraries that create potential points of access for malevolent actors. That’s why comprehensive monitoring needs to be part of an effective security strategy for IBM i as well. Assure Monitoring and Reporting provides alerts and security reports based on IBM i journal data, including reporting on security incidents and deviations from compliance standards. Assure can also send monitoring data to your enterprise SIEM platform, where it can be viewed and analyzed in the context of your entire IT landscape. Assure also offers a database monitor that tracks views of confidential DB2 data and can optionally block records from view by unauthorized individuals.

Managing access control is also critically important. That includes rule-based management of entry points (network protocols, communications ports, database protocols, and command lines) and the application of highly granular rules built around user profile settings, date and time of access, IP address locations, and more. Rules-based access to elevated user authorizations can also be granted on an as-needed basis, for a limited time if appropriate, after which the elevated rights are automatically rolled back.

Multi-factor authentication (MFA) provides a solid foundation for logon security. By requiring users to provide a code from a hardware device or mobile phone, you can secure IBM i systems against brute-force password attacks or stolen credentials. Assure Multi-factor Authentication is certified to work with RSA SecurID and also supports RADIUS servers or a Precisely-provided authenticator.

Finally, sensitive data should be encrypted to prevent unauthorized disclosure of information. Assure Encryption defends data at rest using the only NIST-certified AES encryption for IBM i. In addition, it offers built-in masking and access auditing. For data in transit, Assure Secure File Transfer protects sensitive information using common protocols such as Secure Shell (SSH SFTP) or Secure FTP (SSL FTPS) and automates file transfers.

If your organization is one of the 75% of companies that are not “highly confident” in the security of their IBM i systems, it’s time to put a comprehensive strategy in place. Precisely Assure provides an end-to-end solution. To learn more about IBM i security, download our free eBook, IBM i Encryption 101: Adding a layer of protection against data breaches.