
Top 5 IBM i Security Threats And How To Avoid Them

Presented by: Software Engineering of America (SEA)
Lloyd Ramdarie (Senior Engineer)
Alex Rodriguez (Technical Sales)
[email protected]

• 38 years of Excellence
• 85% of the Fortune 500
• 9 of the Fortune 10
• Live Support, 24/7, 365

Agenda

• Introduction to Cyberthreats

• Employees or People in general
• Excessive Authority (higher authority than they need)
• Network (Unbridled remote access to the IBM i)
• System (Not enough monitoring activated)
• IFS (Unsecured usage)

Ever Changing Threats

The threat of cyber-attacks is very real to IBM i

• Digitization has led to fundamental changes in how businesses operate and how they deliver value to customers
• Digitization has also attracted hackers and others with malicious intentions
• IBM i is no longer an isolated system; it is connected to other databases through networked systems and connectivity

Data Protection worldwide

Source: DLA Piper, https://www.dlapiperdataprotection.com/index.html?t=world-map&c=AO

Cyberattacks

• A cyberattack is an offensive () that targets information systems, infrastructures, computer networks, personal computer devices and mobile devices. These are malicious acts originating from anonymous sources that expose, alter, disable, destroy, steal or gain unauthorized access to the target by hacking the vulnerable system.
• Cyberattacks range from installing on a personal computer… to attempts to destroy the infrastructure of entire nations.
• Cyberattacks take the form of executable code, scripts, active content and other software.

Types of Malware

• Computer viruses
• Worms
• Trojan horses
• Spyware
• Scareware
• Other malicious programs

Ransomware attacks

Some Ransomware statistics

Source: Barkly Blog, "Must-Know Ransomware Statistics 2017"

Ransomware by Industry

Considering paying the ransom money? 21% of those who paid did not receive the key to decrypt their files.

Source: NTT Security

200 Crypto-Ransomware Families

CryptoHasYou., 777, 7ev3n, 7h9r, 8lock8, Alfa Ransomware, Alma Ransomware, Alpha Ransomware, AMBA, Apocalypse, ApocalypseVM, AutoLocky, BadBlock, BaksoCrypt, Bandarchor, Bart, BitCryptor, BitStak, BlackShades Crypter, Blocatto, Booyah, Brazilian, BrLock, Browlock, Bucbi, BuyUnlockCode, Cerber, Chimera, CoinVault, Coverton, Cryaki, Crybola, CryFile, CryLocker, CrypMIC, Crypren, Crypt38, Cryptear, CryptFile2, CryptInfinite, CryptoBit, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoGraphic Locker, CryptoHost, CryptoJoker, CryptoLocker, Cryptolocker 2.0, CryptoMix, CryptoRoger, CryptoShocker, CryptoTorLocker2015, CryptoWall 1, CryptoWall 2, CryptoWall 3, CryptoWall 4, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 3.1, CTB-Faker, CTB-Locker, CTB-Locker WEB, CuteRansomware, DeCrypt Protect, DEDCryptor, DetoxCrypto, DirtyDecrypt, DMALocker, DMALocker 3.0, Domino, EDA2 / HiddenTear, EduCrypt, El-Polocker, Enigma, FairWare, Fakben, Fantom, Fonco, Fsociety, Fury, GhostCrypt, Globe, GNL Locker, Gomasom, Goopic, Gopher, Harasom, Herbst, Hi Buddy!, Hitler, HolyCrypt, HydraCrypt, iLock, iLockLight, International Police Association, JagerDecryptor, Jeiphoos, Jigsaw, Job Crypter, KeRanger, KeyBTC, KEYHolder, KimcilWare, Korean, Kozy.Jozy, KratosCrypt, KryptoLocker, LeChiffre, Linux.Encoder, Locker, Locky, Lortok, LowLevel04, Mabouia, Magic, MaktubLocker, MIRCOP, MireWare, Mischa, MM Locker, Mobef, NanoLocker, Nemucod, NoobCrypt, Nullbyte, NYton, ODCODC, Offline ransomware, OMG! Ransomware, Operation Global III, PadCrypt, Pclock, Petya, PizzaCrypts, PokemonGO, PowerWare, PowerWorm, PRISM, R980, RAA encryptor, Radamant, Rakhni, Rannoh, Ransom32, RansomLock, Rector, RektLocker, RemindMe, Rokku, Samas-Samsam, Sanction, Satana, Scraper, Serpico, Shark, ShinoLocker, Shujin, Simple_Encoder, SkidLocker / Pompous, Smrss32, SNSLocker, Sport, Stampado, Strictor, Surprise, SynoLocker, SZFLocker, TeslaCrypt 0.x - 2.2.0, TeslaCrypt 3.0+, TeslaCrypt 4.1A, TeslaCrypt 4.2, Threat Finder, TorrentLocker, TowerWeb, Toxcrypt, Troldesh, TrueCrypter, Turkish Ransom, UmbreCrypt, Ungluk, Unlock92, VaultCrypt, VenusLocker, Virlock, Virus-Encoder, WannaCry, WildFire Locker, Xorist, XRTN, Zcrypt, Zepto, Zimbra, Zlader / Russian, Zyklon

Ransomware & IBM i

How Ransomware works in an IBM i environment

• The IFS appears as a mapped network drive.
• From the point of view of any system that has access to an IFS folder, the IFS folder files are regular files.
• Ransomware encrypts every data file that it has access to. IFS files included!

Let's Dig Deeper

• Employees or People in general
• Excessive Authority (higher authority than they need)
• Network (Unbridled remote access to the IBM i)
• System (Not enough monitoring activated)
• IFS (Unsecured usage)

#1 People and adherence to security protocols

• Leaving notes lying around
• Unattended workstations
• Password sharing
• Default password usage
• Clicking unknown links
• Bringing external devices from home
• Relaxed access to the data center or server room

What can we do to avoid or prevent a people-enacted security disaster?

• Monitor or track data access
• Set up an inactivity monitoring solution
• Implement a change tracking solution
• Password reset solution
• Layered AV solution for the IBM i

How can we monitor data accesses?

• Develop your own solution to:
  • Monitor data accesses
  • Generate reports for audit
  • Produce alerts when exceptions occur
• or simply find a reputable 3rd-party solution

Examples of data accesses that are typically monitored

• Login failures
• Audited command usage
• System value changes
• Object creation, deletion, modification, movement, etc.
• Changes to user profiles
• Network attribute changes
• Auditing value changes

How to set up inactivity monitoring?

• Set up an inactivity monitoring solution
• Develop and maintain your own program
• or simply take advantage of an existing 3rd-party tool

How to set up inactivity monitoring?

• IBM System Values
  • QINACTMSGQ - *ENDJOB or *DSCJOB
  • QINACTITV - 5-300 minutes

Change Tracking?

• Implement a change tracking solution
• Enterprise CMS
• Items to be audited
• Reports
• Shipped with its own audit trail

Automated Password Reset

• A password reset solution can assist with:
  • Manual PWD resets
  • Recovery of valuable production time
  • Avoiding lengthy outages

Anti-Virus on the IBM i

• Layered AV solution for the IBM i
• Prevents the IFS from becoming a propagator
• Proven to be foolproof
• Still protects when the 1st level is compromised

Anti-Ransomware on the IBM i

• Additional solution for the IBM i
• Prevents the IFS from becoming encrypted
• Proactive solution
• Still protects when the 1st level is compromised

#2 Users with too much authority

• Implement granting authority on demand
• Remove command line access
• Remove *ALLOBJ special authority

Hidden danger with too much authority

• Accidental or deliberate access to sensitive data
• Potential for a hacker to gain elevated authority
• Untrusted users are given unnecessary special authority

Best approach

• Start with least-privilege access to perform tasks
• Elevate only when required and fully audited
• Generate reports over the activity

#3 Network access
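Worked example for the "#2 Users with too much authority" slides, added here and not taken from the presentation or from any SEA product: the "start with least privilege, elevate only when required and fully audited" approach built from what IBM i already ships. The everyday profile keeps no special authority and no command line; one program owned by a privileged profile and compiled with USRPRF(*OWNER) adopts that owner's authority for a single task, and both the program's use and the adoption are written to QAUDJRN. The report at the end lists every profile that still holds *ALLOBJ. Profile, library and program names (JSMITH, PRIVOWNER, SECLIB, APPLIB/MONTHEND) are assumptions.

```cl
/* Added example, not from the presentation. Profile, library and        */
/* program names (JSMITH, PRIVOWNER, SECLIB, APPLIB/MONTHEND) are          */
/* assumptions.                                                            */

/* ------ member SECLIB/QCLSRC(ELEVATE) --------------------------------- */
/* Runs exactly one privileged task. Compiled with USRPRF(*OWNER) and     */
/* owned by PRIVOWNER, so the caller holds PRIVOWNER's authority only     */
/* while this program is on the call stack, not before and not after.     */
PGM
  DCL VAR(&USER) TYPE(*CHAR) LEN(10)
  DCL VAR(&TEXT) TYPE(*CHAR) LEN(80)
  RTVJOBA USER(&USER)
  CHGVAR VAR(&TEXT) VALUE('ELEVATE: month-end run started by' *BCAT &USER)
  SNDMSG MSG(&TEXT) TOMSGQ(QSYSOPR)
  CALL PGM(APPLIB/MONTHEND)
  MONMSG MSGID(CPF0000) EXEC(DO)
    CHGVAR VAR(&TEXT) VALUE('ELEVATE: month-end FAILED for' *BCAT &USER)
    SNDMSG MSG(&TEXT) TOMSGQ(QSYSOPR)
  ENDDO
ENDPGM

/* ------ commands typed once by the security administrator ------------- */
/* 1. Strip the standing privilege from the everyday profile: no special  */
/*    authorities and no command line.                                    */
CHGUSRPRF USRPRF(JSMITH) SPCAUT(*NONE) LMTCPB(*YES)

/* 2. Compile with adopted authority, hand ownership to the privileged    */
/*    profile, and expose the program only to the people who need it.     */
CRTCLPGM  PGM(SECLIB/ELEVATE) SRCFILE(SECLIB/QCLSRC) USRPRF(*OWNER) +
          AUT(*EXCLUDE) TEXT('Adopts PRIVOWNER for month-end only')
CHGOBJOWN OBJ(SECLIB/ELEVATE) OBJTYPE(*PGM) NEWOWN(PRIVOWNER)
GRTOBJAUT OBJ(SECLIB/ELEVATE) OBJTYPE(*PGM) USER(JSMITH) AUT(*USE)

/* 3. Audit it: every call is journaled (needs QAUDCTL *OBJAUD), and      */
/*    QAUDLVL *PGMADP records the adoption itself.                        */
CHGOBJAUD OBJ(SECLIB/ELEVATE) OBJTYPE(*PGM) OBJAUD(*ALL)

/* 4. Report: which profiles still hold *ALLOBJ? RUNSQL cannot run a      */
/*    bare SELECT, so materialise the result in QTEMP and display it.     */
RUNSQL SQL('CREATE TABLE QTEMP.ALLOBJUSR AS (SELECT AUTHORIZATION_NAME, SPECIAL_AUTHORITIES, STATUS FROM QSYS2.USER_INFO WHERE SPECIAL_AUTHORITIES LIKE ''%*ALLOBJ%'') WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QTEMP/ALLOBJUSR))
```

Because JSMITH has no command line, ELEVATE is reached through a menu option or the application, never typed. PRIVOWNER should be a profile nobody can sign on as (PASSWORD(*NONE)); its authority is then usable only through programs that adopt it, which is the "grant on demand" the slide asks for.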

• Remote access protection
• Secure exit points
• Monitor, report and prevent

Securing Exit Points and Remote access protection

• Implement an exit point program
• Writing your own requires more overhead
• TCP protocols are widely used to connect to IBM i

#4 Securable system operating system was not configured
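To make the "implement an exit point program" bullet concrete, here is a minimal exit program and its registration, written for this page as an example and not taken from the presentation or from any SEA product. It guards the database host server initialisation exit point QIBM_QZDA_INIT (format ZDAI0100), the point every ODBC/JDBC connection passes through, and rejects a connection unless the profile is on a short allow list. The parameter layout used (user profile in bytes 1-10, server id in 11-20, return code '0' = reject / '1' = accept) is the one IBM documents for that format, but confirm it against the Knowledge Center for your release; the library name SECLIB, program name EXITZDAI and the allow-listed profiles are assumptions.

```cl
/* Added example, not from the presentation. Assumed names:              */
/* SECLIB/EXITZDAI, profiles APPUSER1 and RPTUSER. Check the ZDAI0100    */
/* layout against IBM's documentation for your release.                  */

/* ------ member SECLIB/QCLSRC(EXITZDAI) -------------------------------- */
PGM PARM(&STATUS &RTNCODE)
  /* ZDAI0100: user profile (1-10), server id (11-20), format (21-28);   */
  /* only the first 20 bytes are read here.                              */
  DCL VAR(&STATUS)  TYPE(*CHAR) LEN(32)
  DCL VAR(&RTNCODE) TYPE(*CHAR) LEN(1)
  DCL VAR(&USER)    TYPE(*CHAR) LEN(10)
  DCL VAR(&SERVER)  TYPE(*CHAR) LEN(10)
  DCL VAR(&TEXT)    TYPE(*CHAR) LEN(80)

  CHGVAR VAR(&USER)   VALUE(%SST(&STATUS 1 10))
  CHGVAR VAR(&SERVER) VALUE(%SST(&STATUS 11 10))

  /* Default deny: set the reject code first, accept only allow-listed  */
  /* profiles. In production keep the list in an object, not in code.   */
  CHGVAR VAR(&RTNCODE) VALUE('0')
  IF COND(&USER *EQ 'APPUSER1' *OR &USER *EQ 'RPTUSER') +
     THEN(CHGVAR VAR(&RTNCODE) VALUE('1'))

  /* Record every decision where an operator or a monitor will see it.  */
  CHGVAR VAR(&TEXT) VALUE('DB server' *BCAT &SERVER *BCAT 'init by' +
                          *BCAT &USER *BCAT 'rc=' *CAT &RTNCODE)
  SNDMSG MSG(&TEXT) TOMSGQ(QSYSOPR)
  MONMSG MSGID(CPF0000)   /* a logging failure must not break the server */
ENDPGM

/* ------ commands typed once to register it ---------------------------- */
/* *USE lets the server jobs call the program but nobody replace it.     */
CRTCLPGM   PGM(SECLIB/EXITZDAI) SRCFILE(SECLIB/QCLSRC) AUT(*USE) +
           TEXT('Allow-list for ODBC/JDBC connections')
ADDEXITPGM EXITPNT(QIBM_QZDA_INIT) FORMAT(ZDAI0100) PGMNBR(1) +
           PGM(SECLIB/EXITZDAI) TEXT('Allow-list for ODBC/JDBC connections')
/* Prestart server jobs read the registration at startup, so restart    */
/* the database servers for the exit to take effect.                    */
ENDHOSTSVR SERVER(*DATABASE)
STRHOSTSVR SERVER(*DATABASE)
WRKREGINF  EXITPNT(QIBM_QZDA*)
```

Each remote protocol has its own exit point (FTP logon, remote command, file server, sign-on server, Telnet), so covering "TCP protocols widely used to connect to IBM i" means one program per point with the same default-deny shape, which is the overhead the slide warns about when you write your own.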

• System security journal inactive
• Sensitive data unprotected at rest

Securable system operating system was not configured

QAUDJRN

• Shipped security audit journal
• WRKSYSVAL SYSVAL(*SEC)
• QAUDLVL
• QAUDLVL2

Securable system operating system was not configured

Security Levels

• Most should be at 40
• Consider level 50
• System value QSECURITY

Securable system operating system was not configured

Password security levels

• Level 10 is obsolete
• Consider at least Level 20 or 30

#5 Securing IFS
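Worked example added for the inactivity monitoring slide (QINACTITV / QINACTMSGQ), the QAUDJRN and security level slides under "#4", and the "login failures" item on the data-access monitoring slide; it is not from the presentation or from SEA. These are the CL commands an administrator types to activate the system values named on those slides, create the audit journal that a new system ships without, and pull the failed sign-ons out of the journal for review. Receiver and output file names (QGPL/AUDRCV0001, QTEMP/AUDIT) are assumptions, and the QAUDLVL list is one reasonable choice rather than a prescribed set.

```cl
/* Added example, not from the presentation. Run from a command line    */
/* with a profile holding *SECADM and *AUDIT special authority.          */

/* --- Inactivity monitoring (slide: QINACTITV / QINACTMSGQ) ----------- */
/* End interactive jobs idle for 30 minutes. *DSCJOB would disconnect    */
/* instead of ending; a message queue name here delivers CPI1126 to     */
/* that queue so your own monitor program can decide what to do.        */
CHGSYSVAL SYSVAL(QINACTITV) VALUE('30')
CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE('*ENDJOB')

/* --- Security audit journal (slide: QAUDJRN) -------------------------- */
/* QAUDJRN is inactive until the journal exists. Receiver and library    */
/* names are assumptions for this example.                               */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) +
          TEXT('Security audit journal receiver')
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM) +
          DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Security audit journal')

/* Event classes to log: authority failures, object create/delete/move,  */
/* security changes (profiles, system values, authority), save/restore, */
/* service tools, and adopted-authority use.                             */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *CREATE *DELETE *OBJMGT +
          *SECURITY *SAVRST *SERVICE *PGMADP')
/* Switch auditing on: action auditing per QAUDLVL plus object-level     */
/* auditing, and skip QTEMP objects to keep the receiver readable.       */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* --- Security level (slide: QSECURITY) -------------------------------- */
/* Level 40 enforces the operating-system boundary; the change takes     */
/* effect at the next IPL, so check the current value first.             */
DSPSYSVAL SYSVAL(QSECURITY)
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')

/* --- Verify and review ------------------------------------------------ */
WRKSYSVAL SYSVAL(*SEC)          /* all security system values, one screen */
DSPSECAUD                       /* QAUDJRN status, QAUDCTL and QAUDLVL    */

/* Copy the password-failure (PW) entries from the current receiver      */
/* chain into QTEMP/AUDITPW (CPYAUDJRNE appends the entry type to the    */
/* OUTFILE name) and display them.                                       */
CPYAUDJRNE ENTTYP(PW) OUTFILE(QTEMP/AUDIT) JRNRCV(*CURCHAIN)
RUNQRY QRY(*NONE) QRYFILE((QTEMP/AUDITPW))
```

The same CPYAUDJRNE pattern with ENTTYP(CD) gives the audited command usage, SV the system value changes, CP the user profile changes and AD the auditing changes listed on the monitoring slide; a scheduled job that copies each type and raises a message when the row count exceeds a baseline is the "produce alerts when exceptions occur" option without a third-party tool.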

• Virus or malware detection
• Monitor changes as they occur
• Set permissions based on specific rules
• Restrict access to QSYS.LIB (https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/ifs/rzaaxlibfs.htm)
• Implement security measures

Summary

• Ensure that users are not bypassing security policies and implementations
• Power users are audited
• Securely connect to the IBM i remotely
• Monitor local activity with QAUDJRN
• Protect the IFS from being exploited externally as well as internally

Questions?
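Example added for the "#5 Securing IFS" slide above (written for this page, not SEA's or IBM's code): it locks down a shared directory with CHGAUT, turns on object auditing for it with CHGAUD so that a burst of file changes shows up in QAUDJRN as it happens (the ransomware pattern from the "Ransomware & IBM i" slide), and closes the QSYS.LIB path through the file server using the QPWFSERVER authorization list that the linked IBM page describes. The path /shares/finance and the profiles FINAPP and FINADMIN are assumptions.

```cl
/* Added example, not from the presentation. Path and profile names      */
/* are assumptions; QPWFSERVER is the IBM-shipped authorization list.    */

/* 1. Permissions on the shared directory: remove *PUBLIC entirely, give */
/*    the application profile read/write on data only, and give the      */
/*    administrator full control. SUBTREE(*ALL) applies it below too.    */
CHGAUT OBJ('/shares/finance') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
       OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/shares/finance') USER(FINAPP) DTAAUT(*RW) OBJAUT(*NONE) +
       SUBTREE(*ALL)
CHGAUT OBJ('/shares/finance') USER(FINADMIN) DTAAUT(*RWX) OBJAUT(*ALL) +
       SUBTREE(*ALL)
/* Owner gets object authority implicitly, so make sure the owner is    */
/* the administrator and not the application profile.                   */
CHGOWN OBJ('/shares/finance') NEWOWN(FINADMIN) SUBTREE(*ALL)
DSPAUT OBJ('/shares/finance')

/* 2. Monitor changes as they occur: object auditing writes a ZC entry   */
/*    to QAUDJRN for every change to a file under the directory          */
/*    (requires QAUDCTL *OBJAUD). Many ZC entries from one user across   */
/*    many files in a short window is the signature to alert on.         */
CHGAUD OBJ('/shares/finance') OBJAUD(*CHANGE) SUBTREE(*ALL)
/* Files created later inherit the directory's create-object audit value */
CHGATR OBJ('/shares/finance') ATR(*CRTOBJAUD) VALUE(*CHANGE) SUBTREE(*ALL)

/* 3. Restrict access to QSYS.LIB through the file server (the linked    */
/*    IBM page): *PUBLIC ships with *USE on QPWFSERVER, which lets any   */
/*    mapped drive browse libraries. Exclude the public and allow only   */
/*    named administrators.                                              */
CHGAUTLE AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)
ADDAUTLE AUTL(QPWFSERVER) USER(FINADMIN) AUT(*USE)
DSPAUTL  AUTL(QPWFSERVER)

/* 4. Pull the change entries for review; the output file is            */
/*    QTEMP/AUDITZC (entry type appended to the OUTFILE name).          */
CPYAUDJRNE ENTTYP(ZC) OUTFILE(QTEMP/AUDIT) JRNRCV(*CURCHAIN)
RUNQRY QRY(*NONE) QRYFILE((QTEMP/AUDITZC))
```

The permission step is what limits the blast radius: a workstation infected while mapped as FINAPP can only encrypt what FINAPP can write, and the QPWFSERVER change keeps the same mapped drive from reaching library objects at all. The audit step is the detection side of the same slide, and step 4 is what a monitor job would run every few minutes.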

SEA's IBM i Solutions for Process Automation and Security

IBM i Job Scheduling

Message & Resource Management

Thank You!

CONTACT US
[email protected]
WWW.SEASOFT.COM
1 (800) 272-7322