Addressing the Top 3 Real-world Security Challenges for Your IBM i Systems
Download as PPTX, PDF0 likes132 views
The document addresses the top three security challenges facing IBM i systems, emphasizing the importance of understanding data value and implementing multiple layers of defense. It presents scenarios illustrating risks such as accidental errors, malware, and malicious attacks, alongside strategies to mitigate these risks, including user education, incident response plans, and securing file shares. The authors advocate for a tailored approach to security based on the organization's specific data value and risks, while ensuring continuous monitoring and proper access controls.
Addressing the Top 3 Real-world Security Challenges for Your IBM i Systems
- 1. Addressing the Top 3 Real-world Security Challenges for Your IBM i Systems Carol Woodbury | CISSP, CRISC, PCIP DXR Security Bill Hammond | Director, Product Marketing Precisely
- 2. Today’s Topics • Value of Your Data • Top Three Security Challenges • How Precisely Can Help
- 3. © DXRSecurity, All Rights Reserved. Carol Woodbury CISSP, CRISC, PCIP Addressing the Top 3 Real-world Security Challenges for Your IBM i Systems
- 4. Goals Understand the benefits of implementing multiple layers of defense (defense in depth) Determine the value and risk level of your data Develop a plan to implement as many layers as needed to reduce risk to acceptable level
- 5. Not all Data is Created Equal Data has value to an organization Most people think that means data under regulatory requirements Data unique to the organization may have even more value Inventory Pricing Vendor list Monthly sales
- 6. What’s the Cost of the Data … Not being accurate? Not being available? Being stolen? Used by a competitor Sold on the Dark Web Being posted on the Internet?
- 7. Previous answers determine Value Implement multiple layers of defense based on Value of the data to your organization
- 8. Scenario #1
- 9. Scenario #1: Protecting Against the Accidental Error Company A has multiple warehouses in different regions, each with their own sales figures Employee in Warehouse 200 wrote an application using ODBC to download his sales figures to a spreadsheet Company A was ok with this, just didn’t want employee to accidentally upload the spreadsheet back to IBM i.
- 10. Acknowledge that Accidental Errors Occur Insiders Malicious insider – 14% Credential theft – 23% Negligence – 63% Ponemon Institute The Cost of Insider Threats – 2020 https://www.ibm.com/security/digita l-assets/services/cost-of-insider- threats/#/
- 11. Stats Prevalence Cost (Annualized) Remediation / Incident Negligence 63% $4.58M $300K Criminal insider 14% $4.08M $757K Stolen credentials 23% $2.79 M $872K Source: 2020 Ponemon Institute The Cost of Insider Threats
- 12. Layers of Defense Implemented Implemented IBM i object level security, setting *PUBLIC to *USE, granting more authority for profiles running processes that wrote to these files Removed users from group that owned the application Reduced number of users with *ALLOBJ Authority required can be discovered via Authority Collection
- 13. Scenario #2
- 14. Scenario #2: Malware Two types of malware affect IBM i: Resident (Stored) in the IFS Coming in via a file share https://www.securityweek.com/industry -reactions-ransomware-attack-colonial- pipeline https://www.securityweek.com/fbi- confirms-revil-ransomware-involved- jbs-attack https://www.securityweek.com/white- house-urges-private-companies-help- fight-against-ransomware
- 16. File Shares Worst possible scenario is to have a Read/Write share to root
- 17. Who Can Use a File Share? Unlike Windows, there is no permission on the share itself What the malware can do will depend on How the share is defined – Read only or Read/Write The user’s authority to the directory and objects in the directory Goals: Remove unused shares If required, reduce to Read only when possible
- 18. Share Permissions Read share Share Permission What can be Accomplished If user has at least *READ authority, contents can be read Contents cannot be updated regardless of user’s authority to the object Read/Write share If user has at least *READ authority, contents can be read If user has at least *W (write) authority, contents can be modified User must have sufficient authority for the operation being attempted (either a read or a write)
- 19. To Reduce the Risk Of Malware Educate your users! Back-ups Do them! Verify them! Store them separately Shares DO NOT SHARE ROOT !!!! (or QSYS.lib) Remove unnecessary shares Set shares to Read-only where possible Secure shared objects
- 20. If Infected … Pull out your incident response plan ! Determine if you’re still under attack or if it’s contained Determine if you can resolve yourself or need to call in experts Determine if you need to notify law enforcement If ransomware, determine if ransom will be paid Quality and availability of your back-ups may determine whether you can recover from a malware attack
- 21. Real Scenario Dear MsWoodbury, I was forwarded your info. As of last night, we are being held hostage.We've been in touch with the FBI and IBM.We have a ransom note on our servers. I can be reached at xxx-xxx-xxxx - via LinkedIn and Voicemail 24
- 22. Layers of Defense Implemented Develop incident response plan Clean up file shares Implement object level security on appropriate directories Use an exit program to control who can use the NetServer server Reduce the number of profiles with *ALLOBJ special authority Encrypt critical/sensitive information MFA
- 23. Scenario #3
- 24. Scenario #3: Malicious Attack Can occur from a variety of sources Malicious insider Nation-state attacks Competitors Attacker exploiting a vulnerability Microsoft Exchange Server https://www.afr.com/technology/thousands-of-aussie-businesses-hit-by- microsoft-security-flaws-20210308-p578rc Malware Current ransomware exploits do recon on the network prior to encrypting files and/or use credentials purchased on the dark web https://www.secureworldexpo.com/industry-news/doj-seizes-colonial-pipeline- ransom-payment
- 25. Why Multiple Layers of Defense? Colonial was attacked using a VPN without MFA using a profile that wasn’t in use with a password that is suspected to have been purchased on the dark web. Layers: Client education – don’t use the same password everywhere! Password management – change passwords regularly even for service accounts Profile management – delete or at least disable inactive profiles Require MFA Any one of these could have prevented access!
- 26. Protect Data Implement object level security on critical data Reduce the number of users with *ALLOBJ special authority Use RCAC to implement additional privileges Encrypt critical data Use exit point software to further restrict access (or at least log access)
- 27. Encrypt all Sessions Internal communications are often not encrypted WFH or WFS (Work from Starbucks ) not using a VPN Vulnerable to sniffing
- 28. Multi-factor Authentication (MFA) Requires two or more ‘factors’ to authenticate (gain access to the system) Something you know (password, pin) Something you are (fingerprint, facial recognition, optical scan) Something you have (token, bank card) Recommended for at least ‘powerful’ profiles Helps prevent credential stuffing
- 29. Use IBM i to Alert to Trouble Are you sending IBM i information to your SIEM? If not, why not? See MC Press article for more considerations https://www.mcpressonline.com/se curity/ibm-i-os400-i5os/what-ibm-i- information-should-i-be-sending-to- my-siem
- 30. Monitor Audit Journal Entries to Detect an Attack PW ‘U’ entries where the User is “root” or “Admin” and attempt originates from outside of the organization ‘P’ entries where many occur within a short period of time and for the well-known IBM i- supplied profiles (QSYS, QSECOFR, QUSER, QSYSOPR, QPGMR, QSRV, QSRVBAS) JS Job start entries that originate from an unknown external IP address Job starts for unknown entries (such as QSECOFR) CP Password changes for QSECOFR and other IBM-supplied profiles Re-enablement of QSECOFR (if kept STATUS *DISABLED) VP Invalid password attempts via NetServer
- 31. Use Intrusion Detection IM – Audit entries – Used to detect DDoS attacks and cryptomining malware See https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzaubkickoff.htm >>> It takes tuning! <<<
- 32. Layers of Defense to Implement Protect the data Object level security Reduce *ALLOBJ RCAC Encryption Exit points Encrypt sessions MFA Use the audit journal SIEM Alerting
- 33. How many layers of defense is enough? Must first answer: What is the value of the data to your organization? What is the cost of it being inaccurate, unavailable or stolen?
- 34. Focus! Focus on the data which is most valuable to the organization!!!
- 35. Talking with Management Your suggestions for resolving issues need to be high level Avoid technical terms Talking in terms of loss to the business – operational risk and how it can be prevented May have to explain to management what (all) runs on IBM i Again… in business terms
- 36. Talking with Management Your suggestions for resolving issues need to be high level Avoid technical terms Talking in terms of loss to the business – operational risk and how it can be prevented May have to explain to management what (all) runs on IBM i Again… in business terms
- 37. Operational Risk Operational risk is caused by inadequate or failed internal processes or controls and results in loss (e.g., time, reputation, money) Example: We have data on one of our key servers – IBM i – that is vulnerable to being infected with ransomware and I would like to take steps to reduce that operational risk
- 38. Don’t get Overwhelmed! With management, develop a plan to address vulnerabilities Do something! Take a step – ANY step to reduce your organization’s risk
- 39. For More Information RCAC Redpiece http://www.redbooks.ibm.com/abstracts/redp5110.html?Open Intrusion Detection https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzau bpdf.pdf?view=kc IBM i Security Reference – PDF https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzarl/sc415302. pdf?view=kc Chapters 2 and 3 – System Values Chapter 9 - Auditing Chapter 10 – Authority Collection IBM i Security Administration and Compliance, 3nd edition, by Carol Woodbury, 2020. DXR Security www.dxrsecurity.com 42
- 40. How Precisely Can Help
- 41. Assure Security 44 Compliance Monitoring • Assure Monitoring and Reporting • SIEM Integration • Assure Db2 Data Monitor Access Control • Assure MFA • Assure Elevated Authority Manager • Assure System Access Manager Data Privacy • Assure Encryption • Assure Secure File Transfer Malware Prevention • Assure MFA • Assure Elevated Authority Manager • Assure System Access Manager • Assure Monitoring and Reporting with SIEM Integration • Assure Encryption
- 42. Q & A 45
- 43. Thank You 46