Security on IBM i :
10 major risks and how to avoid them

Security threats are on the increase. Whether it’s a cyber attack or a virus, identity theft is becoming more and more common, not to mention the fact that certain vulnerabilities can also lead to data loss without any malicious intent on the part of the user.

The IBM i, although particularly secure compared to other platforms, is not 100% risk-free, as Bob Losey tells us.

With kind permission of Bob Losay. Sept. 2022.

As you know, security on IBMi has nothing to do with security on Windows, UNIX or Linux. The aim of this post is to briefly highlight 10 major IBM i security risks and explain what you can do about them.

1. Too many IBM i Operator/Admin users

Almost all IBM i systems address too many users with far more authorizations than they need. In fact, many organizations grant access to all database files and objects on the IBM i OS to a colossal number of user profiles. In concrete terms, there’s nothing to prevent employees from accessing and sharing unauthorized data, or even deleting the entire operating system.

Solution: Make the effort to evaluate user profiles and activities on a regular basis. Standardize profiles with role-based authorizations, keep track of who has access, and keep an eye on employees who gain access in surprising ways.

2. Allow default IBM i passwords

Users often keep passwords that correspond to their usernames… BIG MISTAKE. As you probably know, hackers always try to use login credentials whose username and password match or are easier to guess.

This allows hackers to check whether they can access the system (and they often succeed). Your entire IBM i system could then be exploited, or all important and confidential data erased.

Solution: Changing passwords on joining the company and during training is a must to solve this problem. Continuous compliance monitoring also enables reports to be created to determine how many users have default passwords, and to search for appropriate password settings.

3. Ignore compliance rules

Some organizations fail to properly implement the security measures they need to meet their obligations, because they don’t master the necessary tools or controls.

Postponing the task means risking sanctions, or hoping that the auditors won’t detect any problems. Especially since it’s quite possible that an auditor won’t realize that the IBM i is not protected against viruses, because he or she doesn’t understand how the platform works. And it offers administrators a loophole, at least from a legal point of view.

Solution: It’s essential to be fully aware of the specific requirements your organization needs to meet. From there, you can use appropriate software or other procedures to assure auditors that you are doing everything possible to fully comply with these guidelines and safeguard your data.

4. Using an unsupported version of IBM i

As with any operating system, not using the latest version can cause problems, especially if you’re using a version that is no longer supported by the vendor.

Using an obsolete version of IBM i means (often) not having the latest updates for your security tools, and therefore being vulnerable. What’s more, if your version is too old, you may not be able to get support from IBM.

Solution: The only wise option is to stay up-to-date and upgrade.

5. Rely on menu security

Green screen menu security offers each user unique options according to their profile. However, there’s nothing to control in the system, as these are the only places a user can access.

Except that experienced users can easily access areas beyond the menu options. These entry points allow a user to bypass the menu options that are initially displayed.

Solution: It is essential not to rely on the security policies of the menus that users can access via the system. Similarly, you need to pay attention to the other PC interfaces used, and set up an object-level authority.

6. Rely on a single security layer

Assuming that a PC firewall or antivirus protection offers sufficient security against an attack is misguided. A multi-tiered solution is required, including endpoint management, antivirus protection, firewalls and rigorous user profiles.

Solution: Evaluate your security position from several angles, as malicious users or actors will use any means to impersonate authorized users to gain access to the system.

7. Do not use multi-factor authentication (MFA) with privileged accounts

The use of multiple levels of authentication to ensure that you identify the people accessing the IBMi system is becoming increasingly widespread. This is particularly important when working with users with administrative access.

Solution: Some directives, such as PCI DSS, require multi-factor authentication for any IBM i system administrator entering the cardholder data environment. This additional layer of security, combined with other access control measures, can significantly minimize the damage that can be caused by divulged credentials.

8. Enable end-users to have command-line permissions

Organizations frequently use menus to limit users’ ability to use a command line. However, even the most inexperienced user can cause errors that allow him/her to access the command line. And they could execute more than 2,000 commands in the IBM i operating system, some of which could have disastrous effects: deleting data, disabling subsystems, even exposing data!

Solution: You need to control the environment in which any IBMi operator can execute commands, such as green screen or FTP. You also need to keep track of what permissions users have, as mentioned in the previous threats.

9. Operation below safety level 40, or even 30

IBM strongly recommends that you set the security level of your operating system to at least 40. Some users, however, reset the configuration during updates to integrate obsolete programs, with the intention of restoring the security level later. Except they never come back.

This is a major vulnerability, as a user could possibly execute a task under another profile, without authorization.

Solution: It’s essential to reach security level 40, even if it’s not a quick procedure on IBM i. You therefore need to plan the update and carry out the necessary tests to ensure that no related processes are disrupted.

10. Not having a cyber-attack response plan

A cyber-attack response plan is not the same as a disaster recovery plan, as each cyber-attack may require a very different response. You’ll need to determine where the security threat comes from, how to prevent access and determine the best strategy for restoring damage or assessing data loss.

Dealing with a virus has nothing to do with a malicious attack that attempts to steal data from your system: in the first case, the server may be irreparably damaged, in the second, it’s the data that leaks out.

Solution: Make sure you have two separate countermeasures in place to deal with these scenarios, as well as the necessary solutions and communications.

When it comes to IBM i security, there are many options. Unfortunately, many are not specific to IBM i to help you protect your system against data breaches. In fact, many of the security solutions on offer are not specific to IBM i. What’s more, solution providers often lack the IBM i administrative expertise to provide effective security against data breaches.

Find out more at
www.Source-Data.com
.

Original article in English :

https://www.linkedin.com/pulse/10-ibm-i-iseriesas400-security-risks-ways-avoid-them-bob-losey/