21
Thu, Nov
1 New Articles

Could IBM i Have Been Part of the Equifax Breach?

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Wall Street Journal stated that, as part of the Equifax breach, database queries were performed “that provided access to documents and sensitive information stored in databases in an Equifax legacy environment.” Many organizations have dubbed their IBM i as “legacy.”

We don’t yet know the details of the Equifax breach. But just for fun, let’s assume for the moment that their legacy system was indeed an IBM i. What could Equifax have done to protect themselves?

IBM i provides many options for implementing “defense in depth”—the approach you want to use if you’re serious about protecting the data on your IBM i. Another way to think of defense in depth is implementing “multiple layers of defense.” With this approach, you assume that one layer will fail or be breached, so you have another layer that will stop the breach or allow you to detect it. You implement as many layers of defense as you need to come into line with your organization’s risk-tolerance level. Let’s take a look at the options we have available.

Run at QSECURITY Level 40

Your first layer of defense is to make sure the system is running at security level 40 or 50. Otherwise, profiles can elevate their privileges without having authority to the higher-powered profile. In addition, some tasks may be performed without being audited. Which brings me to the next layer of defense.

Use Auditing

Turn on auditing! Too many organizations don’t bother turning on auditing because they never intend to look at the audit journal. If you don’t configure auditing and at least send it to your SIEM (if not look at it yourself), you’ll be limited in your ability to recognize and be alerted to what may be inappropriate access or attempts to access your system and organization as a whole.

Get Rid of Default Passwords

I realize that I must sound like a broken record by now, but really…you must stop allowing profiles to have default passwords. This is possible beginning in V7R2. If you specify *LMTPRFNAME and *ALLCRTCHG in the QPWDRULES system value, you cannot create or change a profile to have a default password. It’s well-known, when encountering an IBM i system, that the first password to try is the profile name. Don’t give hackers that opportunity!

Set QSECOFR to Status of *DISABLED

You can protect QSECOFR from misuse by setting it to STATUS(*DISABLED). As long as you know the password, you can always sign on to the console, even when QSECOFR is *DISABLED.

Reduce Excess Special Authorities

Reducing the number of profiles that have special authorities will reduce the damage that can be done should the profile be compromised. Obviously, limiting the number of profiles that have special authorities—especially *ALLOBJ—to as few as possible is key to keeping your system and data secure.

Use a Method to Elevate Privileges

There are times when special authorities are required to perform tasks on IBM i. Rather than assign the special authorities to a user’s profile permanently, use a method that will elevate users’ privileges. One method is to write a utility that adopts authority. Another method is to purchase a utility, such as HelpSystems’ Authority Broker, that provides a more structured method of elevating authority. These products typically allow you to choose between adopting authority and swapping and provide logging and reporting of the elevated authority.

Implement Object-Level Security

If an object is *PUBLIC *EXCLUDE, unless a profile has *ALLOBJ or has been granted authority to the object, users (and hackers) will not be able to access it. Regardless of how the object is accessed, object security is in effect.

Use Row and Column Access Control (RCAC)

Beginning in V7R2, you can use SQL to apply additional permissions beyond object-level security to limit which rows a user is allowed to access.

Implement Exit Programs

Exit programs are a great secondary line of defense for when a profile requires access to an object. For example, a service account may need authority to read a file via a JDBC connection. Using an exit program, such as HelpSystems’ Network Security product, you can restrict the connection to a specific IP address and then prevent access via other network access methods such as DDM and FTP. This is just one example of how exit points aid in the defense in depth strategy.

Encrypt Data

Last but not least, when protecting data, consider encrypting it. If the data is lost or stolen but has been encrypted, it will be much more difficult (if not impossible) for the hacker to sell the data or exploit it themselves.

Encrypt All Communications

One of the ploys of hackers is to sniff the internal network for user IDs and passwords. If all your communications—both internal and external—are encrypted, credentials cannot be sniffed.

Use Multifactor Authentication (MFA)

While MFA is no guarantee that your credentials cannot be misused, multifactor authentication makes it much more difficult.

Stay Current

If there’s only one lesson to learn from the Equifax breach, it’s the importance of staying current. I realize that there are operational restrictions to staying current. Some PTFs require an IPL, for example, and outages are not always possible. I discussed the benefits of staying current in a previous article.

Scan Your Web Application

Even if you are running your web application on IBM i, use a web application scanner to ensure the application doesn’t contain vulnerabilities or is susceptible to issues such as SQL injection errors. I’m surprised that most organizations skip scanning their IBM i web applications. All web applications—regardless of the web server on which they’re run—can be poorly coded. Running the web application on IBM i doesn’t magically exempt them these vulnerabilities.

Assume Your Organization Is Going to Be Breached

If you take the attitude of when rather than if you’ll experience a breach, you will be much better prepared if an event occurs. I’m still surprised at the number of organizations that haven’t developed an incident response plan. Do you know what you’d do if you discovered your organization was breached? Who should you call first? Do you stop processes or let them continue? Do you have an arrangement with an organization that will help you investigate the breach? Have you talked with the local field office of the government organization that should be notified if your organization is breached? In the U.S., that would be the FBI, but obviously the appropriate agency will vary by country. Do you know when/how you’d have to notify individuals that their personal data was compromised? The specifics vary by country and are rapidly changing. For example, both Australia and Canada have recently broadened their breach notification laws, and the EU’s General Data Protection Regulation (GDPR) is just around the corner.

Summary

Even with highly publicized breaches, the details are often not published; therefore, we may never know what kind of “legacy system” was compromised in the Equifax breach. But I’m hoping that you will take my suggestions seriously and implement “defense in depth,” using as many features as you deem appropriate to protect the data residing on your IBM i systems. The last thing you want is the possibility your IBM i configuration contributing to a data breach.

 

Carol Woodbury

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.


MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

IBM i Security Administration and Compliance: Third Edition
Don't miss the newest edition by the industry’s #1 IBM i security expert.
List Price $71.95

Now On Sale

Mastering IBM i Security Mastering IBM i Security
Get the must-have guide by the industry’s #1 security authority.
List Price $49.95

Now On Sale

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: