Get Help To Batten Down The Hatches On Your IBM i

FocalPoint Services

If you have a person on your IT staff who understands the complexities of aggressive malware, ransomware, viruses, and other kinds of hacking and is actually jazzed by this sort of thing – in a good way, a white hat kind of way – and who knows how to use security tools and deep knowledge to defend your IBM i (and probably your Windows Servers) against such attacks, well, bully for you. And if they work for next to nothing, you must be living in some sort of dream world.

For the rest of the IBM i community, the safest assumption when it comes to securing against hostile attacks is that they do not have such skills, that their systems are not that secure, and that they are not being hacked mainly because someone has not gotten around to it yet. This isn’t security by obscurity, for which the AS/400 and IBM i are famous (or infamous, depending on how you want to look at it), so much as it is a security lottery. Or Russian roulette.

The first step in battening down the hatches on your IBM i platform is to admit that you have a problem, and the second step is to get help from experts who can do a security assessment. And while that assessment is important, it is the steps that you take after the results of that assessment – and brace yourself for all kinds of issues that you suspected you might have or that you didn’t even imagine you had – that will make the difference between having a continually secure IBM i system and putting your head back into the sand.

One of the primary direct attacks on the IBM i system is through the Integrated File System, or IFS, which is a POSIX-compliant, OS/2 parallel file system that IBM embedded into the OS/400 platform back in 1995 to give it the look and feel of a Windows Server file system so Windows clients could use it as a kind of network storage. The IFS also gives external Windows Server applications a native way to put information onto the IBM i machine. This is great. But those IFS shares can be subject to malware and ransomware because, to a Windows client, they behave like any other Windows file share. And right now, IBM i customers who are suffering from ransomware attacks are having their IFS file systems encrypted and access to them prevented by hackers until they pay. This is happening. It is not a theory.

Rather than making root access to the IFS a public thing, organizations need to ask: Who needs to have access to the shares, and do they need read, write, or execute access to those shares? In a lot of cases, users and applications only need read access, or only need read access to certain directories underneath the IFS – they are only reading documents generated by other people or by applications. Most users do not need execute access to the IFS. And more importantly, there are products, such as those from Precisely, that put two-factor authentication on the IBM i. This additional authentication places another layer between your IBM i and the threat actor. When IFS access is needed from a file share, the additional authentication layer lets you grant access only when it is needed and turn it off when it is not, locking the share down the rest of the time.

When Focal Point performs its Assure Security Risk Assessment, which we do for free, we have a set of native tools that look at everything. Many users have default passwords, or passwords with too few characters and no special characters. We find machines that have far too many system operator profiles, or far too many profiles that have *ALLOBJ and/or *SECADM authority. And equally dangerously, they have too many accounts that were set up for users who are no longer at the company, just sitting there looking normal and waiting for a hacker to find them and turn them to nefarious purposes. We just did a security assessment on a real IBM i system that had over 1,000 such latent profiles, all of which should be removed to lock the machine down better.
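The two findings above, over-privileged profiles and latent profiles, can be surfaced on any IBM i with plain SQL against the IBM-supplied QSYS2.USER_INFO service. This is an added example, not one of Focal Point's assessment tools; the 90-day threshold and the exclusion of IBM-supplied Q* profiles are assumptions to adjust for your shop.

```sql
-- Finding 1: every profile holding *ALLOBJ or *SECADM, with its last sign-on,
-- so each one can be justified, downgraded, or removed.
SELECT AUTHORIZATION_NAME,
       USER_CLASS_NAME,
       STATUS,
       PREVIOUS_SIGNON,
       SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
 ORDER BY PREVIOUS_SIGNON;

-- Finding 2: latent profiles, still enabled but never signed on or not signed on
-- in the last 90 days (threshold assumed). IBM-supplied Q* profiles are excluded
-- here on the assumption that they are reviewed separately.
SELECT AUTHORIZATION_NAME,
       STATUS,
       PREVIOUS_SIGNON,
       TEXT_DESCRIPTION
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND (PREVIOUS_SIGNON IS NULL
        OR PREVIOUS_SIGNON < CURRENT TIMESTAMP - 90 DAYS)
   AND AUTHORIZATION_NAME NOT LIKE 'Q%'
 ORDER BY PREVIOUS_SIGNON;
```

Run both from Run SQL Scripts or STRSQL; a profile that appears in both result sets (powerful and unused) is the first candidate for disabling.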

After we run through our assessment, we present IBM i shops with a report of all of our findings, showing all of the system’s low, medium, and high security risks. After that, if customers choose, we can generate a statement of work and create a build-to-suit contract, with estimated hours of work, to fix all of these issues. Simply put, it is much less costly to spend the time upfront to run an assessment and remediate any issues than it is to recover from being hacked.

And for those who don’t ever want to deal with this again, Focal Point is very happy to put together a services engagement where we secure an IBM i system and then do the monitoring, patching, and training to keep your IBM i system secure on a continuous basis. And finally, for those of you who don’t want to mess with any of this anymore, you can move your applications to our cloud and leave the system, system management, and system security entirely to us. We have the expertise that many of you quite frankly don’t, and sharing that expertise across hundreds and thousands of IBM i shops makes more economic and practical sense than trying to do it yourself. Deep security and system administration expertise is getting harder and harder to come by, and that means IBM i shops have to learn to share.

John Fehr is the chief information security officer at Focal Point Solutions Group. Fehr has been on the IBM i platform for more than 20 years, and was the vice president of infrastructure and IS operations for Sandia Laboratory Federal Credit Union. Fehr got his master’s in information protection, security, and national security from the University of New Haven back in 2017 and is currently pursuing his PhD in Cyber Defense at Dakota State University. Fehr is an active researcher and contributor at Madison Labs, PriLAB, addressing national and international data privacy knowledge gaps through research and solution building. Fehr holds certifications as a CISSP and GISP and in cloud security. Fehr is a former board member and current acting member of InfraGard, a program to enhance our nation’s collective ability to address and mitigate threats to the United States’ critical infrastructure by fostering collaboration, education, and information-sharing through a robust private sector/government partnership.