22
Sun, Dec
3 New Articles

Top 10 IBM i Security Wishes for Christmas and the New Year

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Carol provides the top 10 actions she wishes people would take to make their organizations more secure.

The holidays are upon us, and gifts are being given. I don’t know about you, but it’s definitely easier to know what to gift, especially to kids, when they’ve given me a Wish List. So for this article I’m pulling out my inner child and providing you with my list of actions I wish everyone would take when it comes to IBM i security. And lest you wonder whether these wishes are simply pulled from my dreams, they are not. These wishes are based on working with administrators and reviewing many organizations’ IBM i security settings.

#10: I wish people would make use of the security tools that come with the operating system. Simply type GO SECTOOLS to access tools to identify profiles with a default password, disable inactive profiles, and disable or delete a profile on a specific date. Also included are reports showing the authority settings of user profiles, libraries, directories, and more. These tools are especially useful if you’re new to IBM i security and need a place to start…and they’re available for no extra charge!

#9: I wish administrators would stop creating read/write shares to /root, which shares the entire system (including your libraries and the operating system) and exposes it to malware.

#8: In addition to not sharing /root in the first place, I wish organizations would review file shares. File shares are ransomware’s entryway into the system. I’ve found that many file shares aren’t needed, even if people are currently mapping to them. Often, people have changed jobs within the company and no longer need access to what’s being shared or someone mistakenly checked the “Reconnect at signon” box when initially connecting to the share, so they are perpetually connecting when, in reality, they only need the connection periodically. When you reduce the number of connections via file shares, you reduce the chances of malware spreading to that system. And this is not just a wish for IBM i. I wish organizations would review file shares throughout their entire organization.

#7: I wish critical data would be secured, not just data containing personal information but an organization’s business-critical information. I’ve seen too many instances of organizations ignoring the security of the data that runs their organization and makes them unique.

#6: I wish organizations would take the threat of being hacked or infected with malware seriously and develop an incident response place before the event instead of attempting to figure out what to do in the middle of the breach. Literally one of the first calls I received after we started DXR Security was from someone in a panic because his company had been infected with ransomware and he had no idea what to do!

#5: If systems are still running at QSECURITY level 20 or 30, I wish organizations would put plans in place to move them to 40. Moving from level 30 to 40 is usually quite easy. Read chapter 2 of the IBM i Security Reference manual or chapter 3 in my book to find the exact steps you need to take. Moving from 20 to 40 takes more planning and testing, but it’s still doable. Systems need to be running at level 40 or 50 to ensure auditing cannot be bypassed, users cannot elevate their authority, and operating system integrity is intact.

#4: I wish administrators would manage inactive profiles. I’ve seen organizations with profiles that have never been used, yet are enabled and have a default password. These profiles are ripe for someone to abuse. Most IBM i security software vendors have products that you can use to manage inactive profiles, but you can also use one of those integrated security tools on the SECTOOLS menu to at least disable inactive profiles. But I would really prefer to see inactive profiles deleted so they can’t be abused. This includes profiles associated with administrators and programmers who are no longer with the organization.

#3: I understand there are many business decisions about when organizations update their operating systems and even when they apply PTFs, but I wish organizations would stay current. IBM is providing administrators with so many tools to modernize how we do our jobs that it’s a shame more organizations can’t take advantage of them. See my article on the New Navigator interface and another article on new security features for what you’re missing.

#2: I wish more systems were running at a higher password level (set by the system value QPWDLVL). Running at QPWDLVL 2 and 3 (3 should be your goal) allows for passphrases. Studies have shown that a longer password or phrase is easier to remember than a shorter, cryptic password. A passphrase—that is, a password 14 characters or greater—is an option for those organizations tempted to allow default passwords (passwords the same as the user profile name) and never requiring passwords to be changed because they have many end users who have a difficult time remembering a cryptic password. Using a long password may allow you to increase the length of time between password changes, again, helping those end users who have a hard time dealing with password changes. Also, you can use the QPWDRULES system value to choose password composition rules that match your network rules. You can also specify the *ALLCRTCHG value to not allow a default password even when creating or changing a profile.

#1: I wish organizations would stop ignoring IBM i for the more advanced security technologies. For example, IBM i audit journal information should be sent to organizations’ Security Information and Event Manager (SIEM). A SIEM is a way to correlate events from around the network to detect trends and abnormal events (e.g., intrusions.) Many organizations send events from firewalls, routers, and Windows servers but ignore their IBM i. When they omit IBM i, they have a hole in their view of what’s happening. Another technology often ignored is Multifactor Authentication (MFA.) Many organizations have implemented MFA to access other parts of their organization. Why, when IBM i is the heart and soul of many organizations, do they not require MFA to protect against credential theft for access to IBM i? It’s a mystery to me!

Summary

I have one final wish that has nothing to do with IBM i security. It has to do with you and with me. The last couple of years have been hard, and we may have no idea what has caused someone to have the viewpoints they have or act the way they do. I wish that all of us will have more grace with those we encounter. Merry Christmas and Happy New Year, everyone!

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: