Evaluating the State of Your IBM i Security

We are all aware of the Colonial Pipeline and JBS ransomware attacks recently reported in the news.  Ransomware is a significant threat to businesses around the world. The problem isn’t that people don’t consider the risks. It’s that they don’t know for sure if they are protected.  They put controls in place but don’t take steps to ensure that those controls are adequate, leaving them with a false sense of security.

Some companies are a bigger target than others, but there is no denying that the threat is real and that any company can be affected.  According to Check Point Research, ransomware attacks are up 300% in the past nine months.  We have had to recover as many companies' IBM i environments in 2021 due to ransomware attacks as we did in all of 2020.  Luckily, these companies had a good backup and only lost a small amount of data.  Now they are serious about investing in security remediation, but the damage is done.

We all have heard the myth that IBM i is secure from viruses.  While it’s true that the object-oriented architecture of the IBM i means a virus cannot infect your DB2 database, your IFS directories are a completely different story.  The IFS is an integral part of the IBM i, and companies often store documents and images here.  It affords you the benefits of IBM i for non-IBM i data, but the problem is companies don’t realize that their IFS is exposed.

 

How do you properly evaluate the state of your IBM i Security? 

You can do two things to evaluate the state of your IBM i security: an independent third-party assessment and an IBM i penetration test.  Combined, these two things can help you identify your risks and vulnerabilities, providing you with a roadmap to protecting your IBM i from unauthorized access.

An independent third-party assessment of your security should be broad and look at your system values, users with excessive authorities and default passwords, file shares, exit points, encryption, open ports, and vulnerable applications.  The report should include recommendations for areas of improvement that focus on fixing your most significant vulnerabilities first.  Be wary of free security assessments if your ultimate goal is to assess your overall IBM i security.  These assessments do have value in helping you identify some areas for improvement, but often with a slant towards a product.

You can often remediate security gaps by rolling up your sleeves, putting better user authorities in place, and protecting your data. IBM i security is layered with system-level security controls, user access, and object-level security.  When done correctly, you can provide users with only the authority they need to do their job.  Often companies do an excellent job in one area, such as having their Security Level set to Level 50, but then they have users with *ALLOBJ.  This contributes to the false sense of security companies have with IBM i.

 

One of the most significant risks is having a user with a default password.

A default password is low-hanging fruit for someone trying to gain access to your system.  You should not have default passwords for any user, period. This leads me to my next suggestion: to have an IBM i penetration test done by someone who understands the IBM i.
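A starting point for checking the two gaps named above, profiles with *ALLOBJ and profiles with default passwords, as an added example that is not from the original article. It assumes an IBM i release that provides the QSYS2.USER_INFO SQL service with the USER_DEFAULT_PASSWORD column, and that it is run by a security officer profile.

```sql
-- Added example (not from the article): list every user profile that has
-- a default password or *ALLOBJ special authority, directly or through its
-- primary group profile.
-- Assumptions: QSYS2.USER_INFO is available with the USER_DEFAULT_PASSWORD
-- column, and the job runs under a profile authorized to see all profiles.
-- Supplemental groups are not followed here; review those separately.
WITH profiles AS (
    SELECT u.authorization_name,
           u.status,
           u.user_class_name,
           u.previous_signon,
           u.user_default_password,
           u.special_authorities AS own_spcaut,
           u.group_profile_name,
           g.special_authorities AS group_spcaut
      FROM qsys2.user_info u
      -- Profiles without a group carry *NONE, so the join yields NULLs.
      LEFT JOIN qsys2.user_info g
        ON g.authorization_name = u.group_profile_name
)
SELECT authorization_name,
       status,                      -- *ENABLED profiles are the urgent ones
       user_class_name,
       previous_signon,             -- old or NULL: candidate for removal
       CASE WHEN user_default_password = 'YES'
            THEN 'YES' ELSE 'NO' END AS default_password,
       CASE WHEN own_spcaut   LIKE '%*ALLOBJ%' THEN 'OWN'
            WHEN group_spcaut LIKE '%*ALLOBJ%'
                 THEN 'VIA ' || group_profile_name
            ELSE 'NO' END           AS allobj
  FROM profiles
 WHERE user_default_password = 'YES'
    OR own_spcaut   LIKE '%*ALLOBJ%'
    OR group_spcaut LIKE '%*ALLOBJ%'
 -- Default passwords first, enabled before disabled, then by name.
 ORDER BY default_password DESC, status DESC, authorization_name;
```

Rows showing both a default password and *ALLOBJ on an enabled profile are the first to remediate, whatever the Security Level system value is set to.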

Lots of companies do network penetration testing, which is great.  However, the biggest threat to the company’s data is not from outside the organization; it’s within.  Disgruntled employees are still your biggest threat, and they work inside your network.  It’s not enough to be sure your network is protected. Your IBM i data needs to be protected too.  An IBM i penetration test can help you to identify your vulnerabilities to protect your IBM i data.

If you are one of the companies that do network penetration testing, an IBM i penetration test can focus on gaining access to the IBM i from within your network.  For those who have not, the testing can start from outside your network and identify vulnerabilities in each layer.  Either way, you will have a better sense of the true state of your IBM i security.  Even better, you will know what you need to fix to ensure that your system is protected.

 

There hasn’t been an IBM i that we haven’t been able to penetrate.

One took only eight minutes to gain access to the system with *ALLOBJ authority.  Imagine if that were someone looking to do damage to that company?  The best system took four hours to penetrate.  This company had really good controls in place, but with one open exposure on a Windows server, all was undone.  The good news is that when we break into your system, we prove that we can do it and tell you how we did it.  We want you to fix it.  Then we want to come back next year and do it again.

Please don’t become one of the victims we hear about on the news.  Take steps to assess all the risks your IBM i faces, especially those you are not even aware exist.  Security assessments and penetration testing are necessary in today’s world to protect our most valuable asset, our data.

 
