10 IBM i (iSeries/AS400) Security Risks And Ways to Avoid Them

IBM i security remediation differs from other platforms such as Windows, UNIX and Linux. The purpose of this blog is to briefly highlight 10 IBM i Security Risks and explain what you can do to remedy them.

This list just hits the highlights and is NOT comprehensive.

Disclaimer: IBM i is an operating system. iSeries and AS400 are servers. I use these terms interchangeably to make it easy for folks to find this kind of information on the web.

Too Many IBM i Operator/Admin Users

Almost all IBM i systems have too many users with far more authority than they require. In fact, many organizations grant access to all database files and objects on the IBM i OS to an overwhelming number of user profiles.

This means that there is nothing to prevent employees from accessing and sharing unauthorized data or wiping the entire operating system.

Solution: Make the effort to evaluate user profiles and their activities on a routine basis. Standardize role-based authorization, keep track of who has access, and keep an eye out for employees who gain access through unexpected means.

Allowing Default IBM i Passwords

Users frequently keep passwords that match their usernames… BIG MISTAKE. As you must know, hackers will always try login credentials where the username and password match or where the password is otherwise easy to guess.

This aids hackers in testing if they can obtain access to the system, and they frequently succeed in doing so. This puts your entire IBM i system at risk of being exploited or having all important and confidential data wiped away.

Solution: User authorization during hiring and training is mandatory to solve this. Ongoing compliance monitoring will also aid in the creation of reports to determine how many profile users have default passwords and to seek suitable password settings.

Ignoring Compliance Mandates

Some organizations might not even understand how to properly install security measures to meet their applicable mandates. In fact, they might fail to properly implement the tools or controls required to achieve the standards.

Postponing the task entails risking penalties or hoping auditors would not detect any problems. It is highly possible that an auditor will not realize the IBM i lacks virus protection since they do not grasp how the platform works, offering administrators an ‘escape.’

Solution: It is imperative to conduct research on the specific requirements that your organization must meet. At that time, you can use the appropriate software or other procedures to guarantee you are doing everything possible to comply fully with these guidelines and safeguard your data.

Running on an Unsupported Version of IBM i

As with any operating system, not running the most recent version can cause issues, especially if you are running on a version that the vendor company no longer supports.

Having an outdated version of the IBM i means you might not have the most recent upgrades for your security tools and could be vulnerable due to lack of security patches. Furthermore, if your version is too old, you might not be able to get help from IBM.

Solution: The only wise option is to stay up to date and current.

Relying on Menu Security

The green screen’s menu security provides each user with unique options based on their position. However, nothing else in the system controls access, because the design assumes the menu options are the only places a user can reach.

Experienced users can easily go to areas beyond the menu options. These entry points allow a user to bypass the menu options that are initially displayed.

Solution: It is critical not to rely on the security policies on the menus that users can access via the system. Similarly, you must pay attention to other PC interfaces in use and implement object-level authority.

Relying on a Single Layer of Security

It is unwise to assume that a firewall or PC virus protection will give adequate security against an attack. A multi-layered solution is required, including exit point management, virus protection, firewalls, and stringent user profiles.

Solution: Evaluate your security position from several aspects.

You do not want to neglect any of the ways in which users or those malicious actors impersonating users could obtain access to the system.

Not Using Multi-Factor Authentication (MFA) with Privileged Accounts

Using multiple levels of authentication to ensure you identify who is accessing the IBM i system is becoming more prevalent. It is especially important when working with users with administrative access.

Solution: Indeed, some guidelines, such as PCI DSS, necessitate multi-factor authentication for any IBM i system administrator who enters the cardholder data environment.

This extra layer of security, when combined with other access control measures, can significantly minimize the amount of harm leaked credentials can cause.

Allowing End Users to Have Command-Line Permission

Organizations frequently utilize menus to limit users’ ability to use a command line. However, even the most inexperienced user can cause errors that allow them access to the command line.

They could use it to execute over 2,000 commands in the operating system of IBM i, some of which can have disastrous effects. These could include things like deleting data, deactivating subsystems, and even exposing data.

Solution: You need to control the environment in which any IBM i operator can run commands, such as green screen vs. FTP. You should also keep track of the authorizations that users have, as mentioned in earlier threats.

Operating Below Security Level 40, even 30

IBM strongly recommends that you set the security level of your operating system to at least 40. Some users, however, back-level the configuration during updates to incorporate outdated programs, intending to re-establish the security level later and then never reverting to it.

This is a major vulnerability since a user might possibly execute a task as another user without authorization.

Solution: It is critical to reach security level 40. This, however, is not a quick solution for your IBM i system. You must plan for the update and do the necessary testing to ensure that no linked processes are disrupted.
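The checks behind the sections on excess authority, default passwords, end-user command-line access and security level can be run as read-only SQL against IBM i Services. This is an added example, not part of the original post; it assumes a release where QSYS2.USER_INFO exposes the USER_DEFAULT_PASSWORD column and a caller authorized to view other user profiles, and the three risk flags are illustrative choices.

```sql
-- Added example (not from the original article): read-only audit queries
-- using IBM i Services on Db2 for i. Run from ACS Run SQL Scripts or STRSQL.
-- Assumption: the caller can see other profiles; columns may come back
-- null or rows may be missing when the caller lacks authority.

-- 1. Current security level. The article's target is 40 or higher.
SELECT SYSTEM_VALUE_NAME,
       COALESCE(CURRENT_CHARACTER_VALUE,
                CAST(CURRENT_NUMERIC_VALUE AS VARCHAR(20))) AS CURRENT_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QSECURITY';

-- 2. Enabled profiles that match at least one of three risks:
--    DEFAULT_PASSWORD  : password is the same as the profile name
--    HAS_ALLOBJ        : *ALLOBJ assigned directly to the profile
--    END_USER_CMD_LINE : user class *USER but LMTCPB is *NO or *PARTIAL,
--                        so commands can be run from a command line
-- Special authority can also be inherited from a group profile, so
-- GROUP_PROFILE_NAME is listed for follow-up. IBM-supplied profiles
-- such as QSECOFR will appear here and need to be reviewed separately.
SELECT AUTHORIZATION_NAME,
       USER_CLASS_NAME,
       GROUP_PROFILE_NAME,
       COALESCE(SPECIAL_AUTHORITIES, '*NONE') AS SPECIAL_AUTHORITIES,
       LIMIT_CAPABILITIES,
       PREVIOUS_SIGNON,
       CASE WHEN USER_DEFAULT_PASSWORD = 'YES'
            THEN 'Y' ELSE 'N' END AS DEFAULT_PASSWORD,
       CASE WHEN SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
            THEN 'Y' ELSE 'N' END AS HAS_ALLOBJ,
       CASE WHEN USER_CLASS_NAME = '*USER'
             AND LIMIT_CAPABILITIES <> '*YES'
            THEN 'Y' ELSE 'N' END AS END_USER_CMD_LINE
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND (   USER_DEFAULT_PASSWORD = 'YES'
        OR SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
        OR (USER_CLASS_NAME = '*USER' AND LIMIT_CAPABILITIES <> '*YES'))
 ORDER BY DEFAULT_PASSWORD DESC, HAS_ALLOBJ DESC, AUTHORIZATION_NAME;
```

A null or old PREVIOUS_SIGNON on a flagged profile marks an account that is enabled but unused, which is usually the first candidate for disabling.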

Not Having a Cyber Attack Response Plan

A cyber-attack response plan is not the same as a normal disaster recovery plan. A cyber-attack might necessitate a very different response. You would have to figure out where the security threat is coming from, how to stop access, and the best strategy to restore damages or evaluate data loss.

Managing a virus is one case; a malicious attacker attempting to steal data from your system is another. The customer impact of a cyber-attack might differ from that of another type of disaster. For instance, if a hacker obtains client data, the risks are not the same as if a server is damaged beyond repair.

Solution: Make sure you have two separate countermeasures in place to deal with these scenarios, as well as the necessary solutions and communications.

Now you know about ten of the top security threats an IBM i system administrator needs to watch out for and how to tackle them. Let’s lead you to an IBM i software development company that can help you with that.

Need Help?

When it comes to IBM i security, there are lots of options. Unfortunately, many of the security solutions proposed are not IBM i specific, so they do not help you protect your system from a data breach. Further, the solution providers often do not have the IBM i administrative expertise to provide effective security against a data breach.

Call me at 714-593-0387 or email me at [email protected]. Let us know how we can help!

To learn more about us, and view our customer testimonials, please visit our website: www.Source-Data.com
