February 2022 IBM i Security Alert

With the armed conflict in Ukraine developing, we forecast that Russian and Belarusian cyber-attacks against Western nations will escalate imminently. This page will be updated as the situation unfolds.

While critical infrastructure customers are likely the most obvious targets, you need to be prepared to defend against cyber-attacks and protect your business no matter your industry. Every organization is at risk.

The following is a quick cheat sheet of proactive advice for your IBM i:

  • Ensure you have a recent and successful full system save readily available
    • On the GO SAVE menu, this happens when you take option 21.
    • If you run Backup and Recovery Media Services, ensure you have a good *SYSTEM backup.
    • If you don’t have a recent full system save then please schedule it ASAP. We can only recover what you save.
  • Download the latest Licensed Internal Code resave for all IBM i releases you are running in case the need arises for a bare-metal recovery
  • Ensure you are auditing security events on your IBM i
    • Run command DSPSECAUD to check your security auditing status
    • Federal law enforcement will want extended logging that QHST and the QSYSOPR message queues do not provide
  • Reduce the amount of read/write-capable file shares
  • Stop sharing critical IBM i directories such as
    • Root (/)
    • /QIBM
    • /QOpenSys
    • /QDLS
  • Do not share critical user data directories if at all possible
  • For all user directory file shares, ensure that proper object security is in place
    • Exclude *PUBLIC
    • Only allow the users you want to allow access
  • Considerably reduce the number of users with special authorities, especially *ALLOBJ.
  • Ensure you have minimal to zero Network Address Translation rules that directly forward port traffic from your firewall to your IBM i. Do not assume. Have your network team prove this out to you well in advance.
  • Ensure you are up to date on Program Temporary Fixes (PTFs)
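The following SQL is an added example, not code from the original alert or from iTech Solutions, showing how to check three of the items above (critical directory shares, read/write shares, and *ALLOBJ users) with IBM i Services views in Db2 for i. It assumes a release on which QSYS2.SERVER_SHARE_INFO and QSYS2.USER_INFO are available; the literal PERMISSIONS values 'READ ONLY' and 'READ WRITE' are assumed from that view's documentation and should be confirmed for your release.

```sql
-- Added example (not from the original alert): checklist queries using IBM i Services.
-- Run from STRSQL, ACS Run SQL Scripts, or RUNSQLSTM.
-- Assumption: QSYS2.SERVER_SHARE_INFO and QSYS2.USER_INFO exist on this release,
-- and PERMISSIONS holds 'READ ONLY' or 'READ WRITE'.

-- 1. File shares that expose the critical directories named in the alert
--    (root, /QIBM, /QOpenSys, /QDLS). Every row returned is a share to stop.
SELECT SERVER_SHARE_NAME, PATH_NAME, PERMISSIONS
  FROM QSYS2.SERVER_SHARE_INFO
 WHERE SHARE_TYPE = 'FILE'
   AND (PATH_NAME = '/'
        OR UPPER(PATH_NAME) IN ('/QIBM', '/QOPENSYS', '/QDLS')
        OR UPPER(PATH_NAME) LIKE '/QIBM/%'
        OR UPPER(PATH_NAME) LIKE '/QOPENSYS/%'
        OR UPPER(PATH_NAME) LIKE '/QDLS/%');

-- 2. Remaining read/write-capable file shares, the population the alert says to reduce.
--    Review each one: convert it to read-only, or remove it if it is not needed.
SELECT SERVER_SHARE_NAME, PATH_NAME, PERMISSIONS
  FROM QSYS2.SERVER_SHARE_INFO
 WHERE SHARE_TYPE = 'FILE'
   AND PERMISSIONS <> 'READ ONLY'
 ORDER BY PATH_NAME;

-- 3. Enabled user profiles that hold *ALLOBJ. SPECIAL_AUTHORITIES is a
--    blank-separated list, so a LIKE match finds the value wherever it appears.
SELECT AUTHORIZATION_NAME, SPECIAL_AUTHORITIES, STATUS
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND STATUS = '*ENABLED'
 ORDER BY AUTHORIZATION_NAME;
```

For each share left in place after query 2, confirm the directory's own authority with DSPAUT so that *PUBLIC is excluded and only the intended users appear, as the checklist requires; the share permission alone does not restrict access.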

More generally speaking:

  • Educate your users that:
    • Foreign cybersecurity attacks are imminent and likely.
    • Any suspicious activity must be reported immediately.
    • They must take precautions when opening email attachments or when asked to provide sensitive information over the phone or Internet.

If you suspect you’ve been breached, please contact one of the following federal authorities:

  • United States:
    • Department of Homeland Security
      • Cybersecurity and Infrastructure Security Agency (CISA)
      • United States Secret Service
    • Department of Justice
      • FBI
    • If you notify any single DOJ or DHS entity, the other two are notified on your behalf. There is no need to call all three.
  • Canada:
    • Canadian Centre for Cyber Security

Lastly, iTech Solutions has frequently provided cybersecurity hardening and ransomware remediation over the last two years.

If you have any questions or concerns about IBM i cybersecurity risks or have become the target of a breach, please contact iTech Solutions support at helpdesk@itechsol.com.

We will help you immediately.
