The fact that network and data security breaches have grown more frequent and sophisticated over the last 18 months is not exactly a revelation to frontline IT administrators. The element of surprise, however, comes from the random, illogical, and potentially non-existent motives now driving malevolent behavior. With hackers no longer focused exclusively on exfiltrating corporate and consumer assets for their own financial gain, it has become much more difficult to determine who will be targeted, how, or why. Simply put, even IBM i—a platform known for its impenetrable security—has been inched into the proverbial crosshairs.
While this new reality is a sobering thought, IBM i security administrators need not feel helpless. Though they might not be able to predict the next attack lurking around the corner, they can protect themselves with an informed perspective and a smartly assembled slate of system monitoring and compliance assurance tools.
No Target Too Safe
Some companies and individuals are upfront about their security vulnerabilities; if asked in closed-door meetings, they admit that they “don’t know what they don’t know” in this complex climate. Other entities are not as willing to admit defeat, understandably assuming that the considerable knowledge amassed and money invested over the years can stand up to any attacker. The trouble is, an emerging class of hackers would like nothing more than to exploit that flawed logic and broadcast their success to the masses.
For example, conventional wisdom would suggest that the robust pedigree of IBM servers makes additional security measures non-essential. But as Pakistani government officials learned not too long ago, today’s cybercriminals could be capable of obtaining access to core operations if presented with the right opportunity. The Indian hacker known as “Godzilla” crashed the official departmental websites of the Pakistani Ministries of Science and Technology; Economic Affairs and Statistics; and Information Technology, among others. The perpetrator claims to have breached a centralized IBM server equipped with a Layer 2-3 Gigabit Ethernet Switch Module for IBM eServer and BladeCenter. The damage then spread to the 22 local machines connected back to the affected server.
Today’s cybercriminal isn’t just targeting corporate reputations either; sometimes it’s personal. Earlier this year, esteemed IT security columnist Brian Krebs was the victim of an almost surreal plot that transcended the digital space and landed heavily armed law enforcement agents at his front door. After initially targeting Krebs’ website with a frustrating but trivial distributed denial-of-service (DDoS) attack, the hackers went on to spoof 911 calls from his home address and triggered a response from the Federal Bureau of Investigation. While it would be unfair to suggest that Krebs did anything to provoke the cybercriminals, the perpetrators were all too happy to knock a revered security expert down a peg.
The ironic wit of the hacker community was also recently evidenced by a series of attacks directed at the international email security advocate The Spamhaus Project. Although the scope of the attack was initially overstated, the sport-hacking plot highlighted serious vulnerabilities in common DNS server configurations and revealed that attackers are now capable of escalating DDoS attacks beyond a monumental 300 Gbps traffic threshold.
Guilt by Association
Another disturbing development is the inflated sense of morality that has bubbled to the surface of the cybercriminal community. Globally distributed hacktivist collectives like AntiSec and its derivatives have proven themselves equally capable of smearing media moguls on a whim or leaking government documents in retribution for unpopular legislative proposals. Similarly, state-sponsored cybercriminals recently disrupted the operations of several American banks and credit unions due to a perceived affiliation with imperialistic political agendas.
Now that a target can be placed over your data center—not necessarily because of who you are, but rather because of what some distant hacker is convinced you represent—there’s little logic left in vulnerability calculations. A tasteless tweet published by an employee or the questionable ethics of a business partner are not things you can necessarily control or predict, but they are now legitimate security threats. As such, more companies are starting to act under the assumption of their own vulnerability and are allocating their resources toward tools and processes that can quickly identify dangers and mitigate their impact.
Conduit to Chaos
The final complicating factor that has ratcheted up security risk levels is the increasingly clever and elaborate blueprints laid out by determined hackers. Instead of confronting their intended targets head-on, digital deviants have started scooping up unsuspecting systems to serve as pawns in a much larger game.
One of the longest cons in recent memory came courtesy of hackers of Chinese and Korean origin. According to the Kaspersky Lab researchers who exposed the plot, the seeds were planted more than four years ago, when approximately three dozen online gaming companies had servers across four continents infected with malware that pilfered digital certificates. Interestingly enough, the perpetrators displayed little interest in abusing their unauthorized privileges to exploit the credit card information of millions of gamers. Instead, the stolen certificates were later used to sign malware designed to frustrate the efforts of Tibetan political activists.
For a company coding the next great role-playing game from an office in Utah, whether or not its systems are being tapped to further a geopolitical agenda is hardly something discussed at Monday meetings. But as more cybersecurity conspiracies are deconstructed, analysts are discovering that there is often a laundry list of middlemen being unwittingly recruited into these nefarious plans.
These case studies are only a drop in the bucket, and similar schemes are likely being perpetrated as we speak. But companies cannot allow themselves to be paralyzed by fear.
Power Systems hardware and the IBM i operating system are not usually considered vulnerable in themselves. Weaknesses are caused by poor or missing configurations, which can—and should—be corrected.
The first step is knowing where you stand. Are the configurations on your IBM i keeping your data as secure as possible?