
Page 1: Top 5 IBM i Security Threats And How To Avoid Themgateway400.org/documents/Gateway400/Handouts/Top 5 Threats W… · Ransomware & IBM i • The IFS appears as a mapped network drive

Top 5 IBM i Security

Threats And How To

Avoid Them

Presented by: Software Engineering of America

Lloyd Ramdarie (Senior Engineer)

Alex Rodriguez (Technical Sales)

[email protected]

Page 2

• 38 years of Excellence

• 85% of the Fortune 500

• 9 of the Fortune 10

• Live Support

• 24/7, 365

Page 3

Agenda

Employees or People in general

Excessive Authority (higher authority than they need)

Network (Unbridled remote access to the IBM i)

System (Not enough monitoring activated)

IFS (Unsecured usage)

Introduction to Cyberthreats

Page 4

Ever Changing Threats

• Digitization has led to fundamental changes in how businesses operate and how they deliver value to customers

• Digitization has attracted hackers and those with malicious intentions.

• IBM i is no longer an isolated system but is connected to other databases through networked systems and connectivity

The threat of cyber-attacks is very real to IBM i

Page 5

Data Protection worldwide

Source: DLA Piper https://www.dlapiperdataprotection.com/index.html?t=world-map&c=AO

Page 6

Cyberattacks

• A cyberattack is an offensive action (often using malware) that targets information systems, infrastructures, computer networks, personal computers and mobile devices. These malicious acts, frequently originating from anonymous sources, aim to expose, alter, disable, destroy or steal data, or to gain unauthorized access by hacking a vulnerable system.

• Cyberattacks range from installing spyware on a personal computer to attempts to destroy the infrastructure of entire nations.

• Cyberattacks take the form of executable code, scripts, active content, and other software.

Page 7

Types of Malware

• Computer viruses

• Worms

• Trojan horses

• Spyware

• Adware

• Scareware

• Ransomware

• Other malicious programs

Page 8

Ransomware attacks

Page 9

Some Ransomware statistics

Source: Barkly Blog "Must-Know Ransomware Statistics 2017"

Page 10

Ransomware by Industry

Consider this before paying ransom money: 21% of those who paid did not receive the key to decrypt their files.

Source: NTT Security

Page 11

200 Crypto-Ransomware Families

CryptoHasYou., 777, 7ev3n, 7h9r, 8lock8, Alfa Ransomware, Alma Ransomware, Alpha Ransomware, AMBA, Apocalypse, ApocalypseVM, AutoLocky, BadBlock, BaksoCrypt, Bandarchor, Bart, BitCryptor, BitStak, BlackShades Crypter, Blocatto, Booyah, Brazilian, BrLock, Browlock, Bucbi, BuyUnlockCode, Cerber, Chimera, CoinVault, Coverton, Cryaki, Crybola, CryFile, CryLocker, CrypMIC, Crypren, Crypt38, Cryptear, CryptFile2, CryptInfinite, CryptoBit, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoGraphic Locker, CryptoHost, CryptoJoker, CryptoLocker, Cryptolocker 2.0, CryptoMix, CryptoRoger, CryptoShocker, CryptoTorLocker2015, CryptoWall 1, CryptoWall 2, CryptoWall 3, CryptoWall 4, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 3.1, CTB-Faker, CTB-Locker, CTB-Locker WEB, CuteRansomware, DeCrypt Protect, DEDCryptor, DetoxCrypto, DirtyDecrypt, DMALocker, DMALocker 3.0, Domino, EDA2 / HiddenTear, EduCrypt, El-Polocker, Enigma, FairWare, Fakben, Fantom, Fonco, Fsociety, Fury, GhostCrypt, Globe, GNL Locker, Gomasom, Goopic, Gopher, Harasom, Herbst, Hi Buddy!, Hitler, HolyCrypt, HydraCrypt, iLock, iLockLight, International Police Association, JagerDecryptor, Jeiphoos, Jigsaw, Job Crypter, KeRanger, KeyBTC, KEYHolder, KimcilWare, Korean, Kozy.Jozy, KratosCrypt, KryptoLocker, LeChiffre, Linux.Encoder, Locker, Locky, Lortok, LowLevel04, Mabouia, Magic, MaktubLocker, MIRCOP, MireWare, Mischa, MM Locker, Mobef, NanoLocker, Nemucod, NoobCrypt, Nullbyte, NYton, ODCODC, Offline ransomware, OMG! Ransomware, Operation Global III, PadCrypt, Pclock, Petya, PizzaCrypts, PokemonGO, PowerWare, PowerWorm, PRISM, R980, RAA encryptor, Radamant, Rakhni, Rannoh, Ransom32, RansomLock, Rector, RektLocker, RemindMe, Rokku, Samas-Samsam, Sanction, Satana, Scraper, Serpico, Shark, ShinoLocker, Shujin, Simple_Encoder, SkidLocker / Pompous, Smrss32, SNSLocker, Sport, Stampado, Strictor, Surprise, SynoLocker, SZFLocker, TeslaCrypt 0.x - 2.2.0, TeslaCrypt3.0+, TeslaCrypt 4.1A, TeslaCrypt 4.2, Threat Finder, TorrentLocker, TowerWeb, Toxcrypt, Troldesh, TrueCrypter, Turkish Ransom, UmbreCrypt, Ungluk, Unlock92, VaultCrypt, VenusLocker, Virlock, Virus-Encoder, WannaCry, WildFire Locker, Xorist, XRTN, Zcrypt, Zepto, Zimbra, Zlader / Russian, Zyklon

Page 12

Ransomware & IBM i

• The IFS appears as a mapped network drive.

• From the point of view of any system that has access to an IFS folder, the IFS folder files are regular files.

• Ransomware encrypts every data file that it has access to. IFS files included!

How Ransomware works in an IBM i environment

Page 13

Let’s Dig Deeper

Employees or People in general

Excessive Authority (higher authority than they need)

Network (Unbridled remote access to the IBM i)

System (Not enough monitoring activated)

IFS (Unsecured usage)

Page 14

#1

Page 15

People and adherence to security protocols

• Leaving notes lying around

• Unattended workstations

• Password sharing

• Default password usage

• Clicking unknown links

• Bringing external devices from home

• Relaxed access to data center or server room

Page 16

What can we do to avoid or prevent a security disaster caused by people?

• Monitor or track data access

• Setup an inactivity monitoring solution

• Implement a change tracking solution

• Password Reset solution

• Layered AV solution for the IBM i

Page 17

How can we monitor data accesses?

• Develop your own solution to:

• Monitor data accesses

• Generate reports for Audit

• Produce alerts when exceptions occur

or

• Simply find a reputable 3rd party solution

Page 18

Examples of data accesses that are typically monitored

• Login Failures

• Audited command usages

• System values changes

• Object creation, deletion, modification, movement etc…

• Changes to user profiles

• Network attributes changes

• Auditing values changes
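As an added example (not from the presentation), a small Python alerting routine over the kinds of QAUDJRN entries this slide lists: it flags every configuration change and raises one alert when a user accumulates repeated login failures. The two-letter entry types are the real audit journal types for these events; the record field names, thresholds and sample entries are assumptions constructed here.

```python
"""Alerting over IBM i security audit journal (QAUDJRN) entries (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real QAUDJRN entry types for the events the slide lists as typically monitored.
ENTRY_TYPES = {
    "PW": "invalid password or user ID (login failure)",
    "CD": "audited command run",
    "SV": "system value changed",
    "CO": "object created",
    "DO": "object deleted",
    "OM": "object moved or renamed",
    "CP": "user profile created, changed or restored",
    "NA": "network attribute changed",
    "AD": "auditing attribute changed",
}
CHANGE_TYPES = {"SV", "CP", "NA", "AD"}   # configuration tampering: alert on every entry
PW_THRESHOLD = 3                          # login failures per user ...
PW_WINDOW = timedelta(minutes=5)          # ... inside this sliding window

def alerts(entries):
    """Return alert lines for entries given as dicts with keys ts, type, user, job,
    detail (assumed field names; a real feed would come from DSPJRN or QSYS2.DISPLAY_JOURNAL)."""
    out, failures = [], defaultdict(list)
    for e in sorted(entries, key=lambda r: r["ts"]):
        if e["type"] in CHANGE_TYPES:
            out.append(f"{e['ts']:%H:%M:%S} {e['type']} by {e['user']} in {e['job']}: "
                       f"{ENTRY_TYPES[e['type']]} ({e['detail']})")
        elif e["type"] == "PW":
            # drop failures that aged out of the window, add this one, then count
            recent = [t for t in failures[e["user"]] if e["ts"] - t <= PW_WINDOW]
            recent.append(e["ts"])
            failures[e["user"]] = recent
            if len(recent) == PW_THRESHOLD:   # alert once, when the threshold is reached
                out.append(f"{e['ts']:%H:%M:%S} PW for {e['user']}: "
                           f"{PW_THRESHOLD} login failures within {PW_WINDOW}")
    return out

# Constructed sample entries, not real journal data.
T0 = datetime(2020, 7, 27, 9, 0, 0)
SAMPLE = [
    {"ts": T0,                         "type": "PW", "user": "JSMITH",  "job": "QPADEV0001", "detail": "password not valid"},
    {"ts": T0 + timedelta(seconds=20), "type": "PW", "user": "JSMITH",  "job": "QPADEV0001", "detail": "password not valid"},
    {"ts": T0 + timedelta(seconds=40), "type": "PW", "user": "JSMITH",  "job": "QPADEV0001", "detail": "password not valid"},
    {"ts": T0 + timedelta(minutes=2),  "type": "SV", "user": "QSECOFR", "job": "QPADEV0002", "detail": "QINACTITV 30 -> *NONE"},
    {"ts": T0 + timedelta(minutes=3),  "type": "CO", "user": "APPUSR",  "job": "APPBATCH",   "detail": "QGPL/TMPFILE *FILE"},
    {"ts": T0 + timedelta(minutes=4),  "type": "PW", "user": "MJONES",  "job": "QPADEV0003", "detail": "password not valid"},
    {"ts": T0 + timedelta(minutes=20), "type": "PW", "user": "MJONES",  "job": "QPADEV0003", "detail": "password not valid"},
]
print(*alerts(SAMPLE), sep="\n")
```

With the sample data only JSMITH's three failures inside five minutes and the QSECOFR system value change are reported; MJONES's two failures are 16 minutes apart and the object creation is not a change type.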

Page 19

How to set up inactivity monitoring?

• Setup an inactivity monitoring solution

• Develop and maintain your own program

or

• Simply take advantage of an existing 3rd party tool

Page 20

How to set up inactivity monitoring?

• IBM System Values

• QINACTMSGQ - *ENDJOB or *DSCJOB

and

• QINACTITV – 5-300 minutes

Page 21

Change Tracking?

• Implement a change tracking solution

• Enterprise CMS

• Items to be audited

• Reports

• Shipped with its own audit trail

Page 22

Automated Password Reset

• Password Reset solution can assist with

• Manual PWD resets

• Recovery of valuable production time

• Avoid lengthy outages

Page 23

Anti-Virus on the IBM i

• Layered AV solution for the IBM i

• Prevents IFS from becoming a propagator

• Proven to be foolproof

• Still protects when 1st level is compromised

Page 24

Anti-Ransomware on the IBM i

• Additional solution for the IBM i

• Prevents IFS from becoming encrypted

• Proactive solution

• Still protects when 1st level is compromised

Page 25

#2

Page 26

Users with too much authority

• Implement granting authority on demand

• Remove command line access

• Remove *ALLOBJ special authority

Page 27

Hidden danger with too much authority

• Accidental or deliberate access to sensitive data

• Potential for hacker to gain elevated authority

• Untrusted users are given unnecessary special authority

Page 28

Best approach

• Start with least privilege access to perform tasks

• Elevate only when required and fully audited

• Generate reports over the activity

Page 29

#3

Page 30

Network access

• Remote access protection

• Secure Exit points

• Monitor, Report and Prevent

Page 31

Securing Exit Points and Remote access protection

• Implement exit point program

• Writing your own requires more overhead

• TCP protocols are widely used to connect to IBM i

Page 32

#4

Page 33

Securable operating system was not configured

• System security journal inactive

• Sensitive data unprotected at rest

Page 34

Securable operating system was not configured

QAUDJRN

• Shipped security Audit journal

• WRKSYSVAL SYSVAL(*SEC)

• QAUDLVL

• QAUDLVL2

Page 35

Securable operating system was not configured

Security Levels

• Most should be at 40

• Consider level 50

• SYSTEM VALUE (QSECURITY)
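An added example, not from the presentation, that checks the security level from this slide together with the inactivity values (QINACTITV, QINACTMSGQ) and audit values (QAUDLVL, QAUDLVL2) from the earlier slides against the deck's recommendations, including the rule that QAUDLVL2 only takes effect when QAUDLVL contains *AUDLVL2. The input dict mimics what WRKSYSVAL displays; the minimum audit set and the two sample value sets are assumptions constructed here.

```python
"""Baseline check of IBM i security system values (added example, not from the deck)."""

# Deck recommendations encoded here: QSECURITY 40 (consider 50); QINACTITV 5-300
# minutes with QINACTMSGQ *ENDJOB or *DSCJOB; auditing active via QAUDLVL/QAUDLVL2.
REQUIRED_AUDLVL = {"*AUTFAIL", "*SECURITY"}   # assumed minimum set of audit values

def effective_audlvl(sysvals):
    """Audit values in force: QAUDLVL, extended by QAUDLVL2 only when QAUDLVL
    contains *AUDLVL2 (a QAUDLVL2 setting is ignored by the system otherwise)."""
    levels = set(sysvals.get("QAUDLVL", "*NONE").split())
    if "*AUDLVL2" in levels:
        levels |= set(sysvals.get("QAUDLVL2", "*NONE").split())
    levels -= {"*AUDLVL2", "*NONE"}
    return levels

def check_baseline(sysvals):
    """Return findings (empty list means compliant) for a dict of system value
    name -> value string, as WRKSYSVAL SYSVAL(*SEC) displays them."""
    findings = []
    sec = int(sysvals.get("QSECURITY", "0"))
    if sec < 40:
        findings.append(f"QSECURITY is {sec}; run at 40 (consider 50)")
    itv = sysvals.get("QINACTITV", "*NONE")
    if not (itv.isdigit() and 5 <= int(itv) <= 300):
        findings.append(f"QINACTITV is {itv}; set 5-300 minutes so idle sessions time out")
    msgq = sysvals.get("QINACTMSGQ", "*NONE")
    if msgq not in ("*ENDJOB", "*DSCJOB"):
        findings.append(f"QINACTMSGQ is {msgq}; a message queue only notifies, "
                        "*ENDJOB or *DSCJOB actually ends or disconnects the job")
    missing = REQUIRED_AUDLVL - effective_audlvl(sysvals)
    if missing:
        findings.append("QAUDLVL lacks " + " ".join(sorted(missing)))
    return findings

# Constructed sample system value sets, not taken from a real system.
WEAK = {"QSECURITY": "30", "QINACTITV": "*NONE", "QINACTMSGQ": "QSYSOPR",
        "QAUDLVL": "*NONE", "QAUDLVL2": "*NONE"}
HARDENED = {"QSECURITY": "40", "QINACTITV": "30", "QINACTMSGQ": "*DSCJOB",
            "QAUDLVL": "*AUDLVL2", "QAUDLVL2": "*AUTFAIL *SECURITY *CREATE *DELETE"}

if __name__ == "__main__":
    for name, vals in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, check_baseline(vals) or ["compliant"])
```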

Page 36

Securable operating system was not configured

Password security levels

• Level 10 is obsolete

• Consider at least Level 20 or 30

Page 37

#5

Page 38

Securing IFS

• Virus or malware detection

• Monitor changes as they occur

• Set permissions based on specific rules

• Restrict access to QSYS.LIB (https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/ifs/rzaaxlibfs.htm)
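As an added example not in the presentation, a behavioural check of IFS change events for the pattern the ransomware slide describes: a client with a mapped drive rewriting or renaming every file it can reach in a short burst. The event fields, thresholds, extension inventory and sample events are assumptions constructed here.

```python
"""Behavioural check of IFS file-change events for ransomware-like activity (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import splitext

BURST = 20                          # changed files per user ...
WINDOW = timedelta(seconds=60)      # ... inside this sliding window
KNOWN_EXT = {".txt", ".csv", ".pdf", ".xlsx", ".docx"}   # assumed inventory of expected file types

def suspicious_users(events):
    """Events are dicts with ts, user, op ('write' or 'rename'), path and, for renames,
    new_path (assumed field names; a real feed would be an IFS change monitor or the
    object-audit entries in QAUDJRN). Returns {user: reason} for users that hit BURST."""
    recent = defaultdict(list)      # user -> timestamps of changes inside WINDOW
    ext_changes = defaultdict(int)  # user -> renames that replaced a known extension
    flagged = {}
    for e in sorted(events, key=lambda r: r["ts"]):
        u = e["user"]
        recent[u] = [t for t in recent[u] if e["ts"] - t <= WINDOW] + [e["ts"]]
        if e["op"] == "rename":
            old, new = splitext(e["path"])[1].lower(), splitext(e["new_path"])[1].lower()
            if old in KNOWN_EXT and new != old:   # report.xlsx -> report.xlsx.locked
                ext_changes[u] += 1
        if u not in flagged and len(recent[u]) >= BURST:
            flagged[u] = f"{len(recent[u])} file changes in {WINDOW.seconds}s"
            if ext_changes[u]:
                flagged[u] += f", {ext_changes[u]} renamed to a new extension"
    return flagged

# Constructed sample: one PC session mass-renaming a share, one batch job writing normally.
T0 = datetime(2020, 7, 27, 9, 0, 0)
SAMPLE = (
    [{"ts": T0 + timedelta(seconds=i), "user": "PCUSER01", "op": "rename",
      "path": f"/home/shared/report{i}.xlsx", "new_path": f"/home/shared/report{i}.xlsx.locked"}
     for i in range(25)]
    + [{"ts": T0 + timedelta(minutes=i), "user": "APPBATCH", "op": "write",
        "path": f"/home/app/out{i}.csv"} for i in range(5)]
)
print(suspicious_users(SAMPLE))
```

The batch job's five writes a minute apart never reach the burst threshold, while the PC session is flagged at its twentieth rename.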

Page 39

Summary

• Implement security measures

• Ensure that users are not bypassing security policies and implementations

• Audit power users

• Securely connect to the IBM i remotely

• Monitor local activity with QAUDJRN

• Protect the IFS from being exploited externally as well as internally.

Page 40

Questions?

IBM i Job Scheduling

Message & Resource Management

SEA ‘s IBM i Solutions for Process Automation and Security

Page 41

Thank You!

CONTACT US

[email protected]

WWW.SEASOFT.COM

1(800)272-7322