IBM i is securable BUT not secured by default. To help protect your organization from the increasing security threats, you must take control of all access points to your IBM i server. You can limit IBM i security threats by routinely assessing your risks and taking control of logon security, powerful authorities, and system access.
With the right tools and process, you can assure comprehensive control of unauthorized access and can trace any activity, suspicious or otherwise, on your IBM i systems.
Watch this on-demand webcast to learn:
• How to secure network access and communication ports
• How to implement different authentication options and tradeoffs
• How to limit the number of privileged user accounts
• How Precisely’s Assure Security can help
Lock it Down: Access Control for IBM i
1. Lock It Down
Access Control for IBM i
Bill Hammond | Product Marketing Director
2. Housekeeping
Webinar Audio
• Today’s webcast audio is streamed through your computer speakers
• If you need technical assistance with the web interface or audio, please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the presentation using the Q&A box. If we don't get to your question, we will follow up via email
Recording and slides
• This webinar is being recorded. You will receive an email following the webinar with a link to the recording and slides
3. Agenda
• The growing threat
• Understanding your risks
• Reducing your risks with Access Control
  • System Access
  • Authentication
  • Elevated Authorities
• Q & A
4. Ransomware attacks
• 51% of companies faced ransomware attacks
• 26% of companies paid the ransom to cybercriminals
• The average ransom amount in 2020 was $180,000 for big companies
• The average ransom amount in 2020 for small businesses was $6,000
• A set of software tools needed to launch a ransomware attack costs about $50 on the darknet
• A new ransomware attack is detected every 11 seconds
5. Impact of Covid-19 pandemic
• Initial response to the pandemic was the transfer of a large number of employees to remote work mode
• The security perimeter became blurred for many companies
• Dramatic rise in malicious sites with words like “covid” or “coronavirus” in their domain names
• Many of these rogue websites host ransomware and other malware that is designed to capture login information
6. Looking for passwords
• A significant part of malicious operations is devoted to obtaining passwords.
• Legitimate accounts allow cybercriminals to remain undetected in a compromised system
• Attackers use special tools to steal logins and passwords processed in browsers, as well as other places in the system where cached information is stored.
8. Too often risks are neglected
• Lack of a Security Policy
• Lack of regular security health checks (often a regulatory requirement)
• Lack of expertise – a dedicated security officer doesn’t exist
• Not using qualified external resources to validate security
• No security or penetration testing
• Too many powerful users
• Auditing not turned on
• Audit logs not checked
• Patches not applied
Is ignorance bliss?
Security by obscurity?
9. Thinking the IBM i is secure by default?
• IBM i often hosts the most critical data in a corporation.
• IBM i is securable BUT not secured by default
• Being compliant does not mean you are secure
• Protecting the well-known interfaces is not enough for TODAY’s networks
• The IBM i has become a target for hackers
12. Why Secure Access Points?
The IBM i is increasingly connected
• Prior to the 1990s, the IBM i was isolated
• In the 1990s IBM opened up the system to the network
• The number of ways the system can be accessed has grown
• Legacy, proprietary protocols now coexist with new, open-source protocols – creating access point headaches
• The worldwide hacker community now recognizes the IBM i as a high-value target
4 important levels of access must now be secured
• Network access
• Communication port access
• Database access
• Command access
13. Exit Points and Exit Programs
What are exit points and exit programs?
• Exit points and exit programs are powerful tools for access control
• Introduced in 1994 to the AS/400 in V3R1 of the operating system
• Exit points provide “hooks” to invoke one or more user-written programs—called exit programs—for a variety of OS-related operations
• Exit programs are registered to particular exit points
How are exit programs used for access control?
• Exit programs can allow or deny access based on parameters such as permissions, date/time, user profile settings, IP addresses, etc.
• Command exit points can allow or deny command execution based on context and parameters
• Exit programs can also trigger actions such as logging access attempts, disabling user profiles, sending an alert, etc.
14. Key Features to Look for in an IBM i Access Control Solution
Comprehensive control of external and internal access
• Network access (FTP, ODBC, JDBC, OLE DB, DDM, DRDA, NetServer, etc.)
• Communication port access (using ports, IP addresses, sockets - covers SSH, SFTP, SMTP, etc.)
• Database access (open-source protocols - JSON, Node.js, Python, Ruby, etc.)
• Command access
Powerful, flexible and easy to manage
• Easy to use graphical interface
• Standard configuration for easy deployment
• Powerful, flexible rules for controlling access based on conditions such as date/time, user profile settings, IP addresses, etc.
• Simulation mode for rules testing
• Provides alerts and produces reports
• Logs access data for SIEM integration
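The allow/deny decision an exit program makes (slide 13) together with the condition-based rules and simulation mode listed on slide 14, as an added example in Python. This is not code from the presentation, from Precisely's Assure Security or from IBM i itself: the exit point label, rule names, network ranges, user profiles and timestamps are constructed, and on a real system the request fields would arrive in the exit point's parameter structure rather than a dataclass.

```python
"""Allow/deny decision of the kind an exit program makes for an access request.

Added example, not code from the slides, from Precisely's Assure Security or
from IBM. Exit point label, rule names, addresses and user profiles are
constructed; default-deny, follow-up actions and simulation mode are the point.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


@dataclass
class Request:
    exit_point: str   # constructed label for the hook that fired, e.g. "FTP_SERVER"
    user: str         # user profile making the request
    ip: str           # remote address as passed to the exit program
    function: str     # requested operation, e.g. "GET", "PUT"
    when: datetime    # time of the request


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str                                        # "ALLOW" or "DENY"
    on_deny: List[str] = field(default_factory=list)   # follow-up actions when denied


@dataclass
class Decision:
    allowed: bool
    rule: Optional[str]     # name of the deciding rule, None for the default
    actions: List[str]      # actions to trigger (log, alert, disable profile, ...)
    audit: str              # one line suitable for a SIEM feed


def business_hours(r: Request) -> bool:
    return r.when.weekday() < 5 and 8 <= r.when.hour < 18


def from_network(cidr: str) -> Callable[[Request], bool]:
    net = ip_network(cidr)
    return lambda r: ip_address(r.ip) in net


def evaluate(req: Request, rules: List[Rule], simulate: bool = False) -> Decision:
    """First matching rule wins; no match is a deny (default-deny).

    In simulation mode the verdict is written to the audit line but the
    request is allowed, so a rule set can be tested against real traffic
    before it is enforced.
    """
    for rule in rules:
        if rule.matches(req):
            allowed = rule.action == "ALLOW"
            actions = [] if allowed else list(rule.on_deny)
            break
    else:
        rule, allowed, actions = None, False, ["LOG"]
    verdict = "ALLOW" if allowed else "DENY"
    tag = " (SIMULATED)" if simulate and not allowed else ""
    audit = (f"{req.when:%Y-%m-%d %H:%M} {req.exit_point} user={req.user} ip={req.ip} "
             f"fn={req.function} -> {verdict}{tag} rule={rule.name if rule else 'default'}")
    return Decision(allowed or simulate, rule.name if rule else None, actions, audit)


def ops_from_lan_in_hours(r: Request) -> bool:
    return r.user.startswith("OPS") and from_network("10.1.0.0/16")(r) and business_hours(r)


def batch_service_from_subnet(r: Request) -> bool:
    return r.user == "BATCHSVC" and from_network("10.2.5.0/24")(r)


def upload_from_outside(r: Request) -> bool:
    return r.function == "PUT" and not from_network("10.0.0.0/8")(r)


# Constructed policy: operators on the ops LAN during business hours and the
# batch service account on its subnet are allowed; uploads from outside the
# private range are denied with escalation; anything else is denied and logged.
RULES = [
    Rule("ops-lan-hours", ops_from_lan_in_hours, "ALLOW"),
    Rule("batch-subnet", batch_service_from_subnet, "ALLOW"),
    Rule("no-upload-from-outside", upload_from_outside, "DENY",
         on_deny=["LOG", "ALERT", "DISABLE_PROFILE"]),
]


def decide(user: str, ip: str, function: str, when_iso: str, simulate: bool = False) -> Decision:
    """Convenience wrapper: evaluate one constructed request against RULES."""
    req = Request("FTP_SERVER", user, ip, function, datetime.fromisoformat(when_iso))
    return evaluate(req, RULES, simulate)


if __name__ == "__main__":
    for args in [("OPS01", "10.1.7.22", "GET", "2021-05-04T10:00"),
                 ("OPS01", "10.1.7.22", "GET", "2021-05-04T22:00"),
                 ("GUEST", "203.0.113.9", "PUT", "2021-05-04T10:00")]:
        print(decide(*args).audit)
```

The default branch matters most: a request no rule recognises is denied and logged rather than silently allowed, and the audit line is produced on every path so the SIEM sees simulated denies as well as enforced ones.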
16. Complex Password Issues
• Should we add more complexity to passwords? Not really.
• Why not? Because we write them down!
• Complex passwords increase costs and introduce weaknesses:
  • Management is complex
  • Management is expensive
  • Impacts productivity (re-enabling users, password changes, etc.)
• Reliance on passwords alone puts all your eggs in the same basket!
NIST’s latest Digital Identity Guidelines at https://pages.nist.gov/800-63-3/ recommend against complex passwords
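An added example of the screening NIST SP 800-63B recommends in place of composition rules, placed beside a traditional complexity rule so the two can be compared. This is not code from the slides or from NIST; the blocklist is a small constructed sample standing in for a breached-password corpus.

```python
"""Password screening in the style of NIST SP 800-63B: length plus a
blocklist of known-weak values, instead of composition rules.

Added example, not from the slides or from NIST. KNOWN_WEAK is a constructed
sample; a real deployment screens against a large breached-password list.
"""
import re
from typing import Iterable, List

# Constructed sample of known-weak passwords (stand-in for a breach corpus).
KNOWN_WEAK = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1", "summer2021"}


def composition_rule(candidate: str) -> bool:
    """Traditional complexity rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(candidate) >= 8
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[a-z]", candidate) is not None
            and re.search(r"\d", candidate) is not None
            and re.search(r"[^A-Za-z0-9]", candidate) is not None)


def _normalize(candidate: str) -> str:
    """Lower-case and drop the trailing digits/symbols users add to satisfy composition rules."""
    return re.sub(r"[^a-z]+$", "", candidate.lower())


def _has_run(candidate: str, length: int = 4) -> bool:
    """True if `length` consecutive characters step by exactly one (abcd, 4321)."""
    codes = [ord(c) for c in candidate.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def screen_password(candidate: str, context_words: Iterable[str] = (),
                    min_len: int = 8, max_len: int = 64) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(candidate) > max_len:
        reasons.append(f"longer than {max_len} characters")
    lowered = candidate.lower()
    if lowered in KNOWN_WEAK or _normalize(candidate) in KNOWN_WEAK:
        reasons.append("matches a known-weak password")
    for word in context_words:          # user name, company name, product name, ...
        if word and word.lower() in lowered:
            reasons.append(f"contains context word '{word}'")
    if re.search(r"(.)\1{3,}", candidate):
        reasons.append("repeated characters")
    if _has_run(candidate):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "correct horse battery staple"):
        print(pw, "| composition:", composition_rule(pw), "| screening:", screen_password(pw) or "accepted")
```

Run both checks on "P@ssw0rd1" and on a long passphrase: the composition rule accepts the first and rejects the second, the screening check does the reverse. That reversal is the slide's point: composition rules reward predictable substitutions rather than strength.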
17. Why Is Multi-Factor Authentication Required?
Multi-Factor Authentication supports the requirements of numerous industry and governmental regulations, such as:
• PCI-DSS 3.2 and greater
• 23 NYCRR 500
• GLBA / FFIEC
MFA is also mentioned, or the benefits of MFA are implied, for:
• GDPR
• HIPAA
• Swift Alliance Access
• SOX
• And more
Selective use of MFA is a good security practice
• Avoids issues with weak passwords
• Avoids issues with complex passwords
You may be required to use multi-factor authentication tomorrow, if you’re not already using it today.
18. Multi-Factor Authentication Adds a Layer of Login Security
Multi-Factor Authentication (MFA), sometimes called Two-Factor Authentication (2FA), uses two or more of the following factors:
• Something you know or a “knowledge factor”
  • E.g. user ID, password, PIN, security question
• Something you have or a “possession factor”
  • E.g. smartphone, smartcard, token device
• Something you are or an “inherence factor”
  • E.g. fingerprint, iris scan, voice recognition
Typical authentication on IBM i uses 2 items of the same factor – User ID and password. This is not multi-factor authentication.
19. Authentication Options
Authentication options beyond the basic factor that the user knows are delivered by:
• Smartphone app
• Email
• Phone call
• SMS/text message (see box)
• Hardware device such as fobs or tokens
• Biometric device
Authentication services generate codes delivered to the user. For example:
• RADIUS compatible (RSA SecurID, Entrust, Duo, Vasco, Gemalto, and more)
• RFC 6238 (Microsoft Authenticator, Google Authenticator, Authy, Yubico, and more)
• Others (TeleSign, and more)
Use of SMS for Authentication – PCI DSS relies on industry standards, such as NIST, ISO, and ANSI, that cover all industries, not just the payment industry. While NIST currently permits the use of SMS authentication for MFA, they have advised that out-of-band authentication using SMS or voice should be “restricted” as it presents a security risk.
20. Key Features to Look for in an IBM i MFA Solution
• Option to integrate with IBM i signon screen
• Ability to integrate MFA with other IBM i applications or processes
• Multiple authentication options that align with your budget and current authenticators
• Certification by a standards body (e.g. RSA, NIST)
• Rules that enable MFA to be invoked for specific situations or user criteria such as:
  • Group profiles, Special authorities
  • IP addresses, Device types, Dates and times
  • And more
• Real risk-based authentication policy (integrated with access control and elevated authority management capabilities)
22. What Is Elevated Authority?
• A user’s authorities define what they can do on an IBM i system, including:
  • menus they can access
  • commands they can run, and
  • actions they can take
• Elevated authorities are those that give users more powerful privileges
• Some people may refer to elevated authority as privileged access
23. Why Limit Elevated Authorities
• Having too many powerful users leaves the system and data exposed
• Controlling user authorities is required by regulations such as SOX, HIPAA, the Federal and North American Information Practice Act, GDPR and more
• Compliance auditors require that additional authority be granted only when needed and only for the time required
• Security best practice is for users to only have the authorities required to do their jobs
• Even administrators should have their actions monitored (separation of duties) as a best practice
• Outsiders who obtain credentials will attempt to elevate authority unchecked unless you have control of that process
24. Challenges of Managing Elevated Authority
• Elevated authority should only be granted as needed – and then revoked
• Manually granting and revoking elevated authority is time consuming and error prone
• A log of the activities of users with elevated authorities should be maintained so their actions can be monitored
• Remember that administrators, who have elevated authority, also need to have their actions monitored
“I need to be *SYSOPR for this assignment!”
“I need *ALLOBJ to do my job!”
“Can I have *SPLCTL for my project?”
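The grant-as-needed, revoke, and log requirements on this slide, as an added example in Python. This is not Precisely's Assure product and not IBM i's own authority mechanism; *SYSOPR, *ALLOBJ and *SPLCTL are real IBM i special authorities, while the approval policy, shift limit, user names and timestamps are constructed for illustration.

```python
"""Time-bound elevated authority with an audit trail.

Added example, not Precisely's Assure product or IBM i's own authority
management. *ALLOBJ, *SYSOPR, *SECADM, *SERVICE and *SPLCTL are IBM i special
authorities; the approval rule, time limit, names and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed policy: these authorities need a second person to approve.
NEEDS_APPROVER = {"*ALLOBJ", "*SECADM", "*SERVICE"}
MAX_MINUTES = 8 * 60          # no grant outlives a shift


@dataclass
class Grant:
    user: str
    authority: str
    reason: str
    approved_by: Optional[str]
    expires_at: datetime
    revoked: bool = False


@dataclass
class ElevationManager:
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)   # append-only record for auditors

    def _log(self, now: datetime, event: str, g: Grant, actor: str) -> None:
        self.audit.append(f"{now:%Y-%m-%dT%H:%M} {event} user={g.user} auth={g.authority} "
                          f"actor={actor} reason={g.reason!r}")

    def request(self, user: str, authority: str, reason: str, minutes: int,
                now: str, approver: Optional[str] = None) -> Grant:
        """Grant `authority` to `user` until now + minutes, subject to policy."""
        if minutes <= 0 or minutes > MAX_MINUTES:
            raise ValueError(f"duration must be 1..{MAX_MINUTES} minutes")
        if authority in NEEDS_APPROVER and (approver is None or approver == user):
            raise PermissionError(f"{authority} needs approval by someone other than {user}")
        start = datetime.fromisoformat(now)
        g = Grant(user, authority, reason, approver, start + timedelta(minutes=minutes))
        self.grants.append(g)
        self._log(start, "GRANT", g, approver or user)
        return g

    def expire(self, now: str) -> int:
        """Revoke every grant whose time has run out; returns the number revoked."""
        t = datetime.fromisoformat(now)
        count = 0
        for g in self.grants:
            if not g.revoked and t >= g.expires_at:
                g.revoked = True
                self._log(t, "EXPIRE", g, "system")
                count += 1
        return count

    def revoke(self, user: str, authority: str, now: str, by: str) -> int:
        """Manual early revocation, e.g. when the task finished ahead of time."""
        t = datetime.fromisoformat(now)
        count = 0
        for g in self.grants:
            if g.user == user and g.authority == authority and not g.revoked:
                g.revoked = True
                self._log(t, "REVOKE", g, by)
                count += 1
        return count

    def has_authority(self, user: str, authority: str, now: str) -> bool:
        """Check at the moment of use; expiry runs first so a stale grant never counts."""
        self.expire(now)
        return any(g.user == user and g.authority == authority and not g.revoked
                   for g in self.grants)


if __name__ == "__main__":
    m = ElevationManager()
    m.request("JSMITH", "*SYSOPR", "batch restart", 60, "2021-05-04T09:00")
    print(m.has_authority("JSMITH", "*SYSOPR", "2021-05-04T09:30"))   # True
    print(m.has_authority("JSMITH", "*SYSOPR", "2021-05-04T10:00"))   # False, expired
    print("\n".join(m.audit))
```

Expiry is enforced at the point of use rather than by a background job, so a grant that ran out while nobody was watching still cannot be exercised, and every grant, expiry and manual revocation lands in the same audit list the slide asks for.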
25. Key Features to Look for in an IBM i Elevated Authority Solution
• Reduces the number of powerful user profiles to satisfy audit requirements
• Makes it easy to manage requests for elevated authority on demand
• Reduces risk of unauthorized access to sensitive data
• Produces necessary alerts, reports and a comprehensive audit trail
• Lowers security exposures caused by human error
eWeek – May 3, 2021 – New Ransomware Trends Causing Fear in 2021 – David Balaban
https://www.eweek.com/security/new-ransomware-trends-causing-fear-in-2021/?utm_medium=email&utm_source=newsletter_it_scoop&utm_campaign=May.07.2021
More than half of companies have transferred from 50% to 100% of their employees to home offices.
2nd most popular activity used by ransomware gangs after phishing
and leave no traces, unlike attacks involving Trojans or exploitation of vulnerabilities…. Many times, a hacked user account can only be identified using behavioral analysis tools