Top 5 IBM i Security Threats And How To Avoid Them
Transcript of the presentation handout at gateway400.org/documents/gateway400/handouts/top 5...
Presented by: Software Engineering of America
Lloyd Ramdarie (Senior Engineer)
Alex Rodriguez (Technical Sales)
• 38 years of Excellence
• 85% of the Fortune 500
• 9 of the Fortune 10
• Live Support
• 24/7, 365
Agenda
• Employees or People in general
• Excessive Authority (higher authority than they need)
• Network (Unbridled remote access to the IBM i)
• System (Not enough monitoring activated)
• IFS (Unsecured usage)
Introduction to Cyberthreats
Ever Changing Threats
• Digitization has led to fundamental changes in how businesses operate and how they deliver value to customers
• Digitization has attracted hackers and those with malicious intentions.
• IBM i is no longer an isolated system; it is connected to other databases through networked systems and connectivity
The threat of Cyber-attacks is very real to IBM i
Data Protection worldwide
Source: DLA Piper https://www.dlapiperdataprotection.com/index.html?t=world-map&c=AO
Cyberattacks
• A cyberattack is an offensive action (often delivered as malware) that targets information systems, infrastructures, computer networks, personal computers and mobile devices. It is a malicious act, typically originating from an anonymous source, that exposes, alters, disables, destroys, steals or gains unauthorized access to its target by hacking the vulnerable system.
• Cyberattacks range from installing spyware on a personal computer to attempts to destroy the infrastructure of entire nations.
• Cyberattacks take the form of executable code, scripts, active content,
and other software.
Types of Malware
• Computer viruses
• Worms
• Trojan horses
• Spyware
• Adware
• Scareware
• Ransomware
• Other malicious programs
Ransomware attacks
Some Ransomware statistics
Source: Barkly Blog "Must-Know Ransomware Statistics 2017"
Ransomware by Industry
Consider the outcome of paying ransom money: 21% of those who paid did not receive the key to decrypt their files.
Source: NTT Security
200 Crypto-Ransomware Families
CryptoHasYou., 777, 7ev3n, 7h9r, 8lock8, Alfa Ransomware, Alma Ransomware, Alpha Ransomware, AMBA, Apocalypse, ApocalypseVM, AutoLocky, BadBlock, BaksoCrypt, Bandarchor, Bart, BitCryptor, BitStak, BlackShades Crypter, Blocatto, Booyah, Brazilian, BrLock, Browlock, Bucbi, BuyUnlockCode, Cerber, Chimera, CoinVault, Coverton, Cryaki, Crybola, CryFile, CryLocker, CrypMIC, Crypren, Crypt38, Cryptear, CryptFile2, CryptInfinite, CryptoBit, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoGraphic Locker, CryptoHost, CryptoJoker, CryptoLocker, Cryptolocker 2.0, CryptoMix, CryptoRoger, CryptoShocker, CryptoTorLocker2015, CryptoWall 1, CryptoWall 2, CryptoWall 3, CryptoWall 4, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 3.1, CTB-Faker, CTB-Locker, CTB-Locker WEB, CuteRansomware, DeCrypt Protect, DEDCryptor, DetoxCrypto, DirtyDecrypt, DMALocker, DMALocker 3.0, Domino, EDA2 / HiddenTear, EduCrypt, El-Polocker, Enigma, FairWare, Fakben, Fantom, Fonco, Fsociety, Fury, GhostCrypt, Globe, GNL Locker, Gomasom, Goopic, Gopher, Harasom, Herbst, Hi Buddy!, Hitler, HolyCrypt, HydraCrypt, iLock, iLockLight, International Police Association, JagerDecryptor, Jeiphoos, Jigsaw, Job Crypter, KeRanger, KeyBTC, KEYHolder, KimcilWare, Korean, Kozy.Jozy, KratosCrypt, KryptoLocker, LeChiffre, Linux.Encoder, Locker, Locky, Lortok, LowLevel04, Mabouia, Magic, MaktubLocker, MIRCOP, MireWare, Mischa, MM Locker, Mobef, NanoLocker, Nemucod, NoobCrypt, Nullbyte, NYton, ODCODC, Offline ransomware, OMG! Ransomware, Operation Global III, PadCrypt, Pclock, Petya, PizzaCrypts, PokemonGO, PowerWare, PowerWorm, PRISM, R980, RAA encryptor, Radamant, Rakhni, Rannoh, Ransom32, RansomLock, Rector, RektLocker, RemindMe, Rokku, Samas-Samsam, Sanction, Satana, Scraper, Serpico, Shark, ShinoLocker, Shujin, Simple_Encoder, SkidLocker / Pompous, Smrss32, SNSLocker, Sport, Stampado, Strictor, Surprise, SynoLocker, SZFLocker, TeslaCrypt 0.x - 2.2.0, TeslaCrypt3.0+, TeslaCrypt 4.1A, TeslaCrypt 4.2, Threat Finder, TorrentLocker, TowerWeb, Toxcrypt, Troldesh, TrueCrypter, Turkish Ransom, UmbreCrypt, Ungluk, Unlock92, VaultCrypt, VenusLocker, Virlock, Virus-Encoder, WannaCry, WildFire Locker, Xorist, XRTN, Zcrypt, Zepto, Zimbra, Zlader / Russian, Zyklon
Ransomware & IBM i
• The IFS appears as a mapped network drive.
• From the point of view of any system that has access to an IFS folder, the IFS folder files are regular files.
• Ransomware encrypts every data file that it has access to. IFS files included!
How Ransomware works in an IBM i environment
Let's Dig Deeper
• Employees or People in general
• Excessive Authority (higher authority than they need)
• Network (Unbridled remote access to the IBM i)
• System (Not enough monitoring activated)
• IFS (Unsecured usage)
#1
People and adherence to security protocols
• Leaving notes lying around
• Unattended workstations
• Password sharing
• Default password usage
• Clicking unknown links
• Bringing external devices from home
• Relaxed access to data center or server room
What can we do to avoid or prevent a people-enacted security disaster?
• Monitor or track data access
• Set up an inactivity monitoring solution
• Implement a change tracking solution
• Password Reset solution
• Layered AV solution for the IBM i
How can we monitor data accesses?
• Develop your own solution to:
  • Monitor data accesses
  • Generate reports for audit
  • Produce alerts when exceptions occur
or
• Simply find a reputable 3rd party solution
Examples of data accesses that are typically monitored
• Login Failures
• Audited command usages
• System values changes
• Object creation, deletion, modification, movement etc…
• Changes to user profiles
• Network attributes changes
• Auditing values changes
How to set up inactivity monitoring?
• Set up an inactivity monitoring solution
  • Develop and maintain your own program
  or
  • Simply take advantage of an existing 3rd party tool
• IBM System Values
  • QINACTMSGQ – *ENDJOB or *DSCJOB
  and
  • QINACTITV – 5-300 minutes
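The CL commands below are an added example, not part of the SEA presentation; they set the two system values the slide names and, one step beyond the slide, QDSCJOBITV, which controls how long a disconnected job is kept before it is ended. The 30-minute and 60-minute values are assumptions to be tuned per site.

```cl
/* Added example (not from the presentation): inactivity monitoring     */
/* with the shipped system values. Assumed values: 30-minute idle limit,*/
/* 60-minute disconnect limit.                                          */

/* Check the shipped state first. QINACTITV defaults to *NONE, which    */
/* means idle interactive jobs are never timed out at all.              */
DSPSYSVAL SYSVAL(QINACTITV)
DSPSYSVAL SYSVAL(QINACTMSGQ)

/* Valid range for QINACTITV is 5-300 minutes (or *NONE to disable).    */
/* *DSCJOB disconnects the idle job, so the user must sign on again but */
/* loses no work; *ENDJOB ends the job outright.                        */
CHGSYSVAL SYSVAL(QINACTITV)  VALUE('30')
CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE('*DSCJOB')

/* Beyond the slide: a disconnected job is ended after QDSCJOBITV       */
/* minutes (shipped default is 240), so a workstation left unattended   */
/* does not keep a signed-on job alive indefinitely.                    */
CHGSYSVAL SYSVAL(QDSCJOBITV) VALUE('60')

/* Verify. These changes take effect without an IPL.                    */
DSPSYSVAL SYSVAL(QINACTITV)
DSPSYSVAL SYSVAL(QINACTMSGQ)
DSPSYSVAL SYSVAL(QDSCJOBITV)
```

QINACTMSGQ can also name a message queue instead of *ENDJOB or *DSCJOB; in that case the system only sends a message for each idle job and a program of your own must decide what to do, which is the "develop and maintain your own program" route the slide mentions. With *SECURITY auditing active (slide #4), each CHGSYSVAL above also produces an SV entry in QAUDJRN, which is how the "system values changes" item on the monitored-accesses slide is picked up.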
Change Tracking?
• Implement a change tracking solution
  • Enterprise CMS
  • Items to be audited
  • Reports
  • Shipped with its own audit trail
Automated Password Reset
• A password reset solution can assist with:
  • Manual PWD resets
  • Recovery of valuable production time
  • Avoiding lengthy outages
Anti-Virus on the IBM i
• Layered AV solution for the IBM i
  • Prevents IFS from becoming a propagator
  • Proven to be foolproof
  • Still protects when 1st level is compromised
Anti-Ransomware on the IBM i
• Additional solution for the IBM i
  • Prevents IFS from becoming encrypted
  • Proactive solution
  • Still protects when 1st level is compromised
#2
Users with too much authority
• Implement granting authority on demand
• Remove command line access
• Remove *ALLOBJ special authority
Hidden danger with too much authority
• Accidental or deliberate access to sensitive data
• Potential for hacker to gain elevated authority
• Untrusted users are given unnecessary special authority
Best approach
• Start with least privilege access to perform tasks
• Elevate only when required and fully audited
• Generate reports over the activity
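The following CL is an added example, not from the presentation, of the three steps slide #2 lists: find and remove *ALLOBJ, take away the command line, and grant authority on demand through a program that adopts its owner's authority only while it runs, with the elevated path fully audited. The names FINUSER, FINOWNER, SECLIB, PAYROLL and PAYRUN are assumptions.

```cl
/* Added example (not from the presentation): least privilege with      */
/* audited, on-demand elevation. Assumed names: user FINUSER, owner     */
/* profile FINOWNER, library SECLIB, file PAYROLL, program PAYRUN.      */

/* 1. Report every profile that currently holds *ALLOBJ. Most of them   */
/*    do not need it.                                                   */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)

/* 2. Strip special authority and command-line access. LMTCPB(*YES)     */
/*    blocks the command line and stops the user changing their initial */
/*    program or menu at sign-on.                                       */
CHGUSRPRF USRPRF(FINUSER) SPCAUT(*NONE) LMTCPB(*YES)

/* 3. Authority on demand: a disabled, password-less owner profile holds */
/*    the real access; the task program is owned by it and adopts that  */
/*    authority only for the duration of the call.                      */
CRTUSRPRF USRPRF(FINOWNER) PASSWORD(*NONE) STATUS(*DISABLED) +
          TEXT('Owner of adopted-authority programs')
GRTOBJAUT OBJ(SECLIB/PAYROLL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(SECLIB/PAYROLL) OBJTYPE(*FILE) USER(FINOWNER) AUT(*CHANGE)
CRTBNDCL  PGM(SECLIB/PAYRUN) SRCFILE(SECLIB/QCLSRC) SRCMBR(PAYRUN) +
          USRPRF(*OWNER) USEADPAUT(*YES)
CHGOBJOWN OBJ(SECLIB/PAYRUN) OBJTYPE(*PGM) NEWOWN(FINOWNER)
GRTOBJAUT OBJ(SECLIB/PAYRUN) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(SECLIB/PAYRUN) OBJTYPE(*PGM) USER(FINUSER) AUT(*USE)

/* 4. Audit the elevated path so reports can be produced from QAUDJRN:  */
/*    ZR/ZC entries for reads and changes to the file, AP entries each  */
/*    time adopted authority is used, CD entries for commands typed.    */
CHGOBJAUD OBJ(SECLIB/PAYRUN)  OBJTYPE(*PGM)  OBJAUD(*ALL)
CHGOBJAUD OBJ(SECLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*CHANGE)
CHGUSRPRF USRPRF(FINUSER) AUDLVL(*CMD *PGMADP)

/* 5. Recurring check: list programs that adopt a powerful profile, so  */
/*    nobody quietly adds a new elevation path.                         */
DSPPGMADP USRPRF(QSECOFR) OUTPUT(*PRINT)
DSPPGMADP USRPRF(FINOWNER) OUTPUT(*PRINT)
```

CHGOBJAUD needs *AUDIT special authority, and the object-level entries only appear once QAUDCTL contains *OBJAUD (slide #4). FINUSER ends up with *USE on PAYRUN and no authority at all on PAYROLL, so the only route to the data is through the audited program.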
#3
Network access
• Remote access protection
• Secure Exit points
• Monitor, Report and Prevent
Securing Exit Points and Remote access protection
• Implement exit point program
• Writing your own requires more overhead
• TCP protocols are widely used to connect to IBM i
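As an added example of the "implement exit point program" bullet (not from the presentation), here is a minimal CL exit program for the database host server initiation point QIBM_QZDA_INIT, which ODBC, JDBC and .NET connections pass through. Assumptions: library SECLIB, a group profile ODBCGRP whose members may connect, and that bytes 1-10 of the request parameter hold the user profile name and bytes 11-20 the server identifier; confirm those offsets against the ZDAI0100 format description for your release before deploying.

```cl
/* Added example (not from the presentation): exit program for          */
/* QIBM_QZDA_INIT, format ZDAI0100. Assumed: library SECLIB, group      */
/* profile ODBCGRP, request layout user(10) + server id(10).            */
PGM        PARM(&STATUS &REQUEST)
  DCL      VAR(&STATUS)  TYPE(*CHAR) LEN(1)   /* output: '1' accept, '0' reject */
  DCL      VAR(&REQUEST) TYPE(*CHAR) LEN(128) /* input: request structure       */
  DCL      VAR(&USER)    TYPE(*CHAR) LEN(10)
  DCL      VAR(&SERVER)  TYPE(*CHAR) LEN(10)
  DCL      VAR(&GRP)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&SUPGRP)  TYPE(*CHAR) LEN(150) /* up to 15 supplemental groups */
  DCL      VAR(&POS)     TYPE(*INT)
  DCL      VAR(&I)       TYPE(*INT)
  DCL      VAR(&MSG)     TYPE(*CHAR) LEN(80)

  /* Fail closed: anything that goes wrong below leaves the request rejected. */
  CHGVAR   VAR(&STATUS) VALUE('0')
  CHGVAR   VAR(&USER)   VALUE(%SST(&REQUEST 1 10))
  CHGVAR   VAR(&SERVER) VALUE(%SST(&REQUEST 11 10))

  /* Allow only members (primary or supplemental) of the ODBCGRP group.  */
  /* A profile that cannot be retrieved stays rejected.                  */
  RTVUSRPRF USRPRF(&USER) GRPPRF(&GRP) SUPGRPPRF(&SUPGRP)
  MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(DECIDE))
  IF       COND(&GRP *EQ 'ODBCGRP') THEN(CHGVAR VAR(&STATUS) VALUE('1'))
  DOFOR    VAR(&I) FROM(1) TO(15)
    CHGVAR VAR(&POS) VALUE(&I * 10 - 9)
    IF     COND(%SST(&SUPGRP &POS 10) *EQ 'ODBCGRP') +
             THEN(CHGVAR VAR(&STATUS) VALUE('1'))
  ENDDO

  /* Every rejection is reported, so the monitoring from slide #1 sees it. */
DECIDE:   IF COND(&STATUS *EQ '0') THEN(DO)
    CHGVAR VAR(&MSG) VALUE('Remote DB connection rejected for user' +
                           *BCAT &USER *BCAT 'on server' *BCAT &SERVER)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) TOMSGQ(QSYSOPR)
  ENDDO
ENDPGM

/* One-time build and registration, run from a command line (assumed     */
/* source file SECLIB/QCLSRC). The exit program is picked up when the    */
/* database server jobs are restarted.                                   */
/*   CRTBNDCL   PGM(SECLIB/ZDAEXIT) SRCFILE(SECLIB/QCLSRC) SRCMBR(ZDAEXIT) */
/*   ADDEXITPGM EXITPNT(QIBM_QZDA_INIT) FORMAT(ZDAI0100) PGMNBR(1) +       */
/*              PGM(SECLIB/ZDAEXIT)                                         */
/*   ENDHOSTSVR SERVER(*DATABASE)                                           */
/*   STRHOSTSVR SERVER(*DATABASE)                                           */
```

Two points a practitioner checks before relying on this: the program defaults to reject, so an exit program that fails to load or errors out cannot silently open the server, and QIBM_QZDA_INIT only covers the database server. FTP, file serving, remote command, DDM and the other TCP protocols the slide refers to each have their own exit points (see WRKREGINF), and a real deployment registers a program on each of them, which is the overhead the slide has in mind when it says writing your own costs more.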
#4
A securable operating system was left unconfigured
• System security journal inactive
• Sensitive data unprotected at rest
QAUDJRN
• Shipped security audit journal
• WRKSYSVAL SYSVAL(*SEC)
• QAUDLVL
• QAUDLVL2
Security Levels
• Most should be at 40
• Consider level 50
• System value QSECURITY
Password security levels
• Level 10 is obsolete
• Consider at least Level 20 or 30
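An added example, not from the presentation, that walks through activating the shipped audit journal and the security system values the last few slides name; the receiver name AUDRCV0001, the chosen audit levels and the output file QGPL/AUDPW are assumptions.

```cl
/* Added example (not from the presentation): activate QAUDJRN and set  */
/* the security system values. Assumed: receiver AUDRCV0001 in QSYS,    */
/* the audit levels below, output file QGPL/AUDPW.                       */

/* 1. Review every security-related system value in one place.          */
WRKSYSVAL SYSVAL(*SEC)

/* 2. Create the receiver and the journal. MNGRCV(*SYSTEM) attaches a   */
/*    fresh receiver automatically when the threshold (KB) is reached;  */
/*    DLTRCV(*NO) keeps detached receivers until they are saved and     */
/*    deleted deliberately. *EXCLUDE keeps ordinary users out.          */
CRTJRNRCV JRNRCV(QSYS/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) +
          TEXT('Security audit journal receiver')
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QSYS/AUDRCV0001) +
          MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
          TEXT('Security audit journal')

/* 3. What to audit. *AUTFAIL = sign-on and authority failures,         */
/*    *SECURITY = user profile, system value, network attribute and     */
/*    auditing changes, *CREATE/*DELETE/*OBJMGT = object creation,      */
/*    deletion, moves and renames: the items on the monitored-accesses  */
/*    slide. QAUDLVL2 is only needed when the list no longer fits in    */
/*    QAUDLVL (then QAUDLVL contains *AUDLVL2).                         */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *CREATE *DELETE *OBJMGT *SAVRST *SERVICE *SYSMGT')

/* 4. Switch auditing on. *OBJAUD honours per-object settings made with */
/*    CHGOBJAUD/CHGAUD; *NOQTEMP keeps QTEMP activity out of the log.    */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* 5. Command auditing is set per profile: CD entries for every command */
/*    a powerful user runs.                                              */
CHGUSRPRF USRPRF(QSECOFR) AUDLVL(*CMD)

/* 6. Security level. 40 enforces operating system integrity (no direct */
/*    pointer use, no unsupported interfaces); 50 adds further          */
/*    parameter validation. The change takes effect at the next IPL.    */
DSPSYSVAL SYSVAL(QSECURITY)
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')

/* 7. Pull sign-on failures (PW entries) out of the current receiver    */
/*    chain for reporting; CPYAUDJRNE appends the entry type to the     */
/*    output file name, so this creates QGPL/AUDPWPW.                    */
CPYAUDJRNE ENTTYP(PW) OUTFILE(QGPL/AUDPW) JRNRCV(*CURCHAIN)
```

Before raising QSECURITY from 30 to 40, run with *AUTFAIL and *PGMFAIL in QAUDLVL for a while at level 30: the AF entries that appear are the programs that would start failing at level 40, so the move can be planned rather than discovered after the IPL. Password rules are a separate set of system values (QPWDLVL and the QPWD* values), also visible under WRKSYSVAL SYSVAL(*SEC).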
#5
Securing IFS
• Virus or malware detection
• Monitor changes as they occur
• Set permissions based on specific rules
• Restrict access to QSYS.LIB (https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/ifs/rzaaxlibfs.htm)
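An added example, not from the presentation, covering the four IFS bullets above: rule-based permissions applied to a whole subtree, change auditing on that subtree, enabling the file system scan support that IBM i anti-virus products register against, and checking what QSYS.LIB and the root directory currently allow. The directory /shared/finance and the group profile FINGRP are assumptions.

```cl
/* Added example (not from the presentation): securing an IFS share     */
/* directory. Assumed names: /shared/finance, group profile FINGRP.     */

/* 1. See what the directory allows today. Directories created under    */
/*    the shipped root inherit *PUBLIC *RWX unless someone changed it.  */
DSPAUT OBJ('/shared/finance')

/* 2. Permission rule: nobody by default, the owning group may read and */
/*    write. SUBTREE(*ALL) applies the rule to every file and directory  */
/*    already underneath, not just the top level.                        */
CHGAUT OBJ('/shared/finance') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
       OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/shared/finance') USER(FINGRP) DTAAUT(*RWX) +
       OBJAUT(*NONE) SUBTREE(*ALL)

/* 3. Monitor changes as they occur: every write under the directory    */
/*    becomes a ZC entry in QAUDJRN (QAUDCTL must contain *OBJAUD).     */
/*    Ransomware rewriting a share shows up as a burst of ZC entries    */
/*    from a single job and user, which is the pattern to alert on.     */
CHGAUD OBJ('/shared/finance') OBJAUD(*CHANGE) SUBTREE(*ALL)

/* 4. Virus or malware detection: allow the root file system to call a  */
/*    registered scan program on open and close. *ERRFAIL fails the     */
/*    access when the scanner cannot run instead of silently allowing   */
/*    it. A scanner product must be registered for this to do anything. */
CHGSYSVAL SYSVAL(QSCANFS)    VALUE('*ROOTOPNUD')
CHGSYSVAL SYSVAL(QSCANFSCTL) VALUE('*ERRFAIL')

/* 5. Restrict access to QSYS.LIB: review what *PUBLIC holds on the     */
/*    library file system and on the root, and make sure neither is     */
/*    exposed as a NetServer file share. Authority on /QSYS.LIB is the  */
/*    library's own authority, so change it through library commands    */
/*    (GRTOBJAUT/RVKOBJAUT on *LIB objects) rather than CHGAUT here.     */
DSPAUT OBJ('/QSYS.LIB')
DSPAUT OBJ('/')
```

Step 2 only sets permissions for objects that exist now; new files created later take the authority of their parent directory, so the rule holds as long as nobody grants *PUBLIC access to the directory again, which the ZC/ZR entries from step 3 and the *SECURITY auditing from slide #4 would reveal. Step 4 is the hook the "layered AV" and anti-ransomware solutions on earlier slides rely on; without a registered scanner it costs nothing and protects nothing.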
Summary
• Implement security measures
• Ensure that users are not bypassing security policies and implementations
• Power users are audited
• Securely connect to the IBM i remotely
• Monitor local activity with QAUDJRN
• Protect the IFS from being exploited externally as well as internally.
Questions?
IBM i Job Scheduling
Message & Resource Management
SEA's IBM i Solutions for Process Automation and Security