On-Demand Webinar

10 Practical IBM i Security Tips for Surviving Covid-19 and Working from Home

IBM i
Recorded:
April 8, 2020

 

Now that many organizations have moved to a work from home model, security concerns have risen. 

During this session, we discuss the issues that the world is currently seeing such as increased malware attacks and then provide practical actions you can take to both monitor and protect your IBM i during this challenging time.
 

Introduction to Security Tips for Surviving Covid-19 and Working From Home

The agenda for today is that I will be talking through general exposures and concerns. These are the issues that security professionals around the world are facing; they are not unique to IBM i but are just the general type of security exposures. Then I'll get into specific recommendations that I'm going to make for IBM i organizations to take now and in the future.

Security Exposures and Concerns with Working from Home

What are those general security issues that we are all facing? One of the biggest issues is email phishing.

This is where people are sending out email that increasingly looks like it's legitimate email but is looking to have you click on a link and either enter private information like credentials, user IDs and passwords, or social security numbers, or social insurance numbers, or some type of information about you, or you click on a link and it downloads a payload on to your workstation and infects it with some sort of malware, and there is a variety of different malware.

These emails unfortunately are looking increasingly legitimate, and so they are much more difficult to catch. We all have to be very diligent. Unfortunately, people are taking advantage of this time when people are a little bit distracted and are out of their own element; maybe they aren't using their same workstation set-up and things are just a little off. People are exploiting that, and email phishing is rampant right now.

Another thing that's coming about is spoofed links to Covid-19 websites. There was a huge increase in the application for Covid related domain names when this first came out, and so there are a lot of spoofed websites out there.

Here in the United States, there's a medical organization called Johns Hopkins, and they are well known to have pretty accurate stats on the countries around the world and what their coronavirus numbers are. Someone in Germany spoofed that and again led them to a malware site, where malware was downloaded before they presented them with the information. So, there's spoofed websites going on. 

Another one is a horrible thing. A lot of people have unfortunately lost their jobs during this, and there are some sites out there offering work-from-home job offers. What happens is that these people apply, they supposedly get a job, and it's kind of a feel-good job because you're soliciting funds to go to other people who have lost their jobs. But what happens is that people donate to the site and, instead of actually transferring the funds into another charitable organization, it's transferring the funds into the attacker's bank account, so you're basically the money mule thinking you have a job, but you're actually transferring money for the bad guys. The imagination and the evil that is behind this when everybody is suffering so much is just baffling to me.

Another one that's playing out is that people are buying USBs, loading them up with malware, and then mailing them out with an offer to allow you to get two free things and the things you can choose from, whatever it is, that's on the USB. But of course, you don't get a free offer, you get free malware and that's downloaded. If you ever get a USB in the mail, throw it away. You never want to attempt to open that thing.

How to Combat Phishing Attempts During Covid-19

To combat phishing, the key is really education. Everybody is out of their element, and so you may have to draw attention to the fact that people need to pay better attention. This is probably typically not how somebody in their office would be sitting, right? But, when you're in your home office, I can sit on my dining room chair, and I can sit sideways, and I'm just really not paying good attention.

Education is really key, especially for warnings of ongoing attacks. We had a phishing attempt going on within HelpSystems, and it looked quite legitimate. The email looked like it was coming from Microsoft Outlook warning you of invalid sign on attempts, and it was trying to get you to enter your credentials. Our tech team did a great job of cleaning that up, but they warned us, so that until they could get it cleaned up, nobody will click on the link. It's things like that. Just make sure that you are doing all the education you can, make sure that you are educating on the current types of attacks, so we can pay better attention.

Three Elements of the Insider Threat

The other thing we have to acknowledge is that there is an insider threat. Again, we're just kind of all outside of our element, and there's three issues or three elements of the insider threat:

  • Stolen credentials
  • Malicious insider
  • Misconfiguration

There are stolen credentials, where somebody has gotten your user ID and password, shipped it off to the dark web, somebody has purchased that, and now they're trying to reuse those credentials to get into the network. That is one insider threat.

There’s another insider threat that, again, most people just don’t like to acknowledge, and that’s that of a malicious insider. When people again are out of their element, they may do things that they would never ever do. There's also evidence that says that there are some people that may do a little fraud and may do a little stealing on the side, you know, but if they think they're going to get caught, they will never do that. 

The story that I like to tell on this is that I went to a fraud and breach summit in New York City a couple of years ago, and the speaker was from a very large organization and to prove his point they put up cameras in their supply cupboard, where their folders and their pencils and erasers and paper and notebooks are stored. Every Fall, before the kids went off to school, there was a run on the supplies. They put up a camera one year, and it wasn't even working, but they put up a camera, and with that camera, remarkably those school supplies didn't disappear that Fall. It’s just proof that if you think you're going to get caught, you're not going to do something. 

Well, we're all alone and people aren't sitting side by side anymore, and the temptation may be there to do something that people may not want to do, so we have to make sure that we have increased our monitoring, and the other thing is that we have to maybe remind people about the fact that our organization's data belongs to the organization. It's not theirs to take. 

Management needs to acknowledge that insider threat. There's a really great document from The Ponemon Institute, and I give that link a little bit later, that talks about the cost of the insider threat. 

The other part of the insider threat is the “oops” or the misconfiguration. People didn't mean to misconfigure something, but they did and that's typically the largest percentage of the insider threat. Again, I think that that's going to be more prevalent now because you don't have your person next to you to kind of double check your work or say, “hey, can you come over and look at this? I just want to make sure I'm doing it right.” Maybe you can't get them on Teams, or maybe you can't get them on Skype, or however your communication is, WhatsApp, to validate something. You might just go ahead and do something and maybe it wasn't quite right, where if you were in the office, you may be double checking yourself more. 

The message is go ahead and double check. If it takes longer to do something, it takes longer, but make sure you're doing it right, just like you would if you were in the office.

So again, we need to remind ourselves and our organization that customer lists and other intellectual property belong to the organization. That's just a little bit of a reminder to say, look, don't be thinking of doing things that you would not normally do.

Increase monitoring. Of course, we have to do things within our own laws and regulations, but I'll be talking about some of the increased monitoring that you can do on your IBM i to detect some suspicious activity.

And then, if you happen to be using data loss prevention or DLP technology, you may consider ratcheting down your rules. Now if you aren't familiar with DLP, what that does is actually inspects attachments to things like email or there's an endpoint solution that will go off and look at the contents that are being downloaded to like a USB device. For the organizations that are using DLP, they typically have a rule set that says X amount of numbers can be either emailed off or downloaded. So, maybe it's 10 can be downloaded, you might even want to ratchet that down to five. Yes, you're going to have to release more things for the legitimate traffic, but you are going to catch those users that are trying to download things that again they never would do in normal circumstances.

Tips for Taking Control of Your At-Home Workstation

Earlier, I talked about the end-point. An end-point is really the workstation you're working on, the PC. Whether it's a standalone PC or a laptop, in this work from home environment, you likely do not have as much control over those end-points as you do when everybody is in an office.

For example, Windows updates may not be occurring. How? Well, take my workstation, for example. A lot of my work can be done without connecting back to the VPN back in Eden Prairie, Minnesota. So, if I don't need to take up the bandwidth, I don't, but that also may mean I'm not getting the regular updates pushed out. So, I consciously have to get connected periodically to get those updates.

The other one is that the AV signatures, Antivirus signatures, or anti-malware signatures may not be updated on a regular basis.

If you are using the technology that allows you to have a dashboard to see who's been updated and who isn't, use it. And, you may have to reach out to those end users and say, “hey, I need you to connect. We need to get your Windows updates or we need to get antivirus updated”. So, make sure you are conscious of the fact that your end-points may not be getting updated like they used to.

And again, this kind of picture says it all: you may need to be reminding the employees that your workstations are for work purposes only, not to play games with your daughter or your son, not to let your teenager do video gaming. This is for business use only.

The other thing is that you may not even have an end-point that belongs to the organization. Employees may be using their own devices, so in that case the antivirus might not be installed at all, or it might not be licensed, or it might not be the type of antivirus you're used to having run; it may not be the strongest one.

Also, the employees’ home networks may not be secure, so you may be needing to give some advice to your people working from home using their own devices about changing their routers’ default passwords because they all come with a default password. All vendors have a default password, that's quite well-known. Also, make sure that your employees’ routers are auto-updating because just like everything else, routers have bugs and security vulnerabilities and fixes need to get pushed out to them. So again, this is some education that needs to be done.

The other thing that you have to worry about is what others can see on the network. Again, that teenager that is also on the network, what are they viewing on this workstation? Is it your employee database if it’s an HR person? Again, education. Make sure that nobody else can see what is normally confidential information and to not make it confidential. 

The other thing we have to worry about is something called wardriving. That's when people drive around the neighborhood and see whose wireless network they can get on and see what they can see. So again, you have to make sure that your employees' home networks are secured.

IBM X-Force has put out some interesting information about two things. They have some advice on securing the end-points. They also have put out a page that looks at the active exploits that are going on very specifically for Covid. I know that Sophos has done something similar, so I encourage you to check out the IBM X-Force pages for some free advice.

They're offering the Covid exploits and access to those for free, and they're actually asking people to contribute to that, so it's more of a community effort to gather all of the current exploits going on.

The other thing that could be going on is the use of unsecured tools. So, you kind of have to not be paying attention to not have seen things about the security issues associated with Zoom. One of my favorites, maybe I have a kind of strange sense of humor, is "Zoom-bombing", when somebody enters your meeting uninvited. I think of it from The Wedding Crashers movie, probably not with as good of an ending, however. Zoom is fine, especially in a social setting. I mean, it's fine for my virtual happy hours that I have with my girlfriends, not a problem there. But, if you are doing anything with HR issues or trade secrets, or you're an attorney and you're dealing with attorney-client privilege, Zoom is probably not the right tool for you.

Other tools, things like file transfer tools. The last time I looked at Dropbox, it was not a secure solution. So, if you are needing to move files and email around securely, we have solutions for that. We have secure file transfer; that would be the better alternative than using unsecured practices there.

I have a quote here from Thomas Rid, who is a well-known nation-state attack expert. He looks at how other nations attack each other, and he said that, "Covid-19 has created and continues to create awe-inspiring intelligence collection opportunities." We have to be really careful and use encrypted communications and encrypted methods of sending our data around whenever at all possible.

The other thing that is running rampant and has increased is business email compromise. Now before this ever happened, it was increasing, but this year and with the Covid, it's even worse again. It's playing on the fact that people aren't in their element and may not have the exact attention to detail that they used to have and or there are ways to create a sense of urgency because of this situation.

Business email compromise is when email has been infiltrated, and it's when a conversation gets infiltrated.

So, someone has compromised credentials somewhere along the line, and the attacker will come into an email box and watch the conversation going past. What they're really trying to find is someone in finance. When they find that person, they watch the conversations that the organization has with their vendors, and they kind of track the communications, and at the right time will insert themselves into a communication and either attempt to send a different invoice with a different routing number to a different bank or they'll insert themselves into the conversation and say with the sense of urgency based on Covid-19, I need this bill paid today or you know we are low on funds, we really need these funds, can you pay early. 

Anything that is coming with a sense of urgency or an unexplained routing difference from a new contact, especially again with any kind of sense of urgency, should be a red flag to anybody that does anything with money in your organization that something is wrong, and it needs to be verified. And again, the attackers are playing on the Covid sense that things are just not normal. Somebody might think, "oh, yeah, they probably do need money. Okay, we can pay this early," and just pay the invoice, but instead of paying your vendor, you have actually paid the attacker.

So, the problem is when that payment is made: if you catch the fraud within about 24 hours, most banks can pull the funds back, but, once it goes past 24 hours, the funds are gone, and they're in a completely different country. Not yours. Again, it's playing on the urgency.

The Key to Minimizing Security Risk

The way to combat this one is education. I really can't emphasize it enough: education, education, education. If something doesn't look right, take the extra time and call the vendor that you're used to working with, make sure you reach them and verify with your known contact that this is actually a change that they have requested. A lot of times people will say I can't be reached by phone, so just reach me by email, and that's the attacker. 

Now, the other thing is that it might not have been your email that has been compromised. It may have been your vendors’. All the attacker has to do is infiltrate one side or the other. I work with a client quite closely. They pay high attention to security, they have great antivirus, they have great anti-phishing software, they pay very close attention, and their Finance group has received numerous business email compromises attempts because their vendors have been infiltrated.

You may have the strongest defenses up there, but they've infiltrated your vendors, so be very careful and make sure you are helping your finance department understand what's going on to take.

Finally, does your security policy need to be updated? With all of the things that are going on, the collection of personal information, especially healthcare information, there's talk about needing to take people's temperatures before they can go in, or know if they have or haven't had the virus, or whether they have or haven't been exposed, and a lot of security policies don't allow for that right now. Of course, nobody would have predicted a pandemic and added that into their security policy, but it probably needs to be changed to allow for that. So, look at your security policies and make sure they get updated for the time that we're living in right now.

Obviously, we have to comply with the laws and regulations of whichever country you’re in, so be mindful of that especially GDPR. If you're going to collect personal information, you have to have a policy that allows for that. Then finally, you have to make sure that your employees are aware of that policy change.

Steps to Secure Your IBM i Right Now

Okay, so let's get into what can be done from an IBM i perspective. I sat back, and I thought, “if I was going to attack an IBM i, what would I go after?” Okay, so here are my recommendations for things that hopefully you can change immediately. They don't involve a large project hopefully, but hopefully they are things that you can just lock down right now.


First of all, get rid of inactive profiles. If I'm an insider or I have infiltrated your network and I have seen user IDs and passwords go by, I know your naming convention, so what I'm going to do is try to go after profiles. So, why have such a broad attack vector, or why do you have so many things that the attacker can exploit? Why don't you narrow down that field? Inactive profiles are especially ripe for being compromised because if the person has already left the organization, there's no way that that person is going to know that their profile was compromised, right? So, why leave it on the system and allow it to be exploited? Get rid of inactive profiles. Save them first for the rare occasion that they would have to be brought back, so do a Save Security Data (SAVSECDTA) first and then get rid of those profiles that are not being used.

The other one is change any profile that has a default password. It is well known that profiles are created with a default password. That is a password that's the same as the user profile name. Now is the time to change those profiles that have that default password.

The other thing is to set a reasonable number of sign-on attempts. This is the QMAXSIGN system value. I have seen that value in some of the risk assessments that we do; that's one of the values that we look at, and I have seen some organizations have that set to no max. If you set your QMAXSIGN system value to no max, that means you're leaving an attacker an unlimited number of tries to get a valid user ID and password combination. That is like a gold mine because they will eventually get on. So, now is the time to set it to a reasonable number. Best practice says three to five attempts.

Finally, get rid of those read/write shares to root. I said early on that the phishing and the attempts to get malware installed on workstations are rampant right now. Why am I concerned with the read/write shares to root? Well, if somebody is attached to your VPN and has mapped a drive to root, and they click on the wrong link, the first thing that will be infected is their workstation. Yes, but then that malware will go and look for any mapped drives that are available. And, if it's your IBM i system, it will march right across and infect your IBM i system, and when root is shared, the entire system is shared.

The entire system is shared, including QSYS.LIB; it's not just the IFS, it is the entire system. We have seen many, many IBM i systems be infected with ransomware because of the shares that people have assigned. So, if you have to share root, then make sure it's backed down to a read-only share, but it's best to not share root at all. In this day and age, you need to get rid of those read/write shares to root. Protect your system.
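The four lock-down items above, written out as queries against the Db2 for i SQL services (run from ACS Run SQL Scripts or STRSQL). This is an added example and not part of the webinar or of any HelpSystems product; it assumes the QSYS2.USER_INFO, QSYS2.SYSTEM_VALUE_INFO and QSYS2.SERVER_SHARE_INFO views that ship with IBM i 7.3 and later. The 90-day inactivity window, the tape device TAP01 and the profile names OLDUSER and NEWOWNER are placeholders chosen for the example, not values from the page. The statements that change anything are left commented out so the script is review-only until you decide to act.

```sql
-- Added example (not from the webinar). Assumes IBM i 7.3+ SQL services.

-- 1. Inactive profiles: enabled profiles with no sign-on in 90 days
--    (90 is an assumed threshold; use the one your policy sets).
--    A profile that has never signed on shows PREVIOUS_SIGNON as NULL.
SELECT authorization_name, status, previous_signon, text_description
  FROM qsys2.user_info
 WHERE status = '*ENABLED'
   AND (previous_signon IS NULL
        OR previous_signon < CURRENT TIMESTAMP - 90 DAYS)
 ORDER BY previous_signon;

-- Save security data before deleting anything, so a profile can be
-- restored in the rare case it is needed again (CL commands, run from
-- a command line; TAP01 is a placeholder device name):
--   SAVSECDTA DEV(TAP01)
-- then remove each confirmed-dead profile, handing its objects to a
-- still-valid owner (OLDUSER / NEWOWNER are placeholders):
--   DLTUSRPRF USRPRF(OLDUSER) OWNOBJOPT(*CHGOWN NEWOWNER)

-- 2. Default passwords (password equal to the profile name) are found
--    with the ANZDFTPWD command; no SQL view exposes password values.
--    ACTION(*NONE) only reports, it changes nothing:
--   ANZDFTPWD ACTION(*NONE)

-- 3. Sign-on attempts: QMAXSIGN set to *NOMAX means unlimited guesses.
--    The numeric column holds the limit; *NOMAX appears as character text.
SELECT system_value_name, current_numeric_value, current_character_value
  FROM qsys2.system_value_info
 WHERE system_value_name IN ('QMAXSIGN', 'QMAXSGNACN');
-- To set it to the three-to-five range the webinar recommends, e.g. 5:
-- CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QMAXSIGN) VALUE(''5'')');

-- 4. File shares that are read/write, plus any share of the root
--    directory regardless of permission. The PERMISSIONS text is as
--    documented for the view ('READ ONLY' / 'READ/WRITE'); adjust if
--    your release reports it differently.
SELECT server_share_name, path_name, permissions, text_description
  FROM qsys2.server_share_info
 WHERE share_type = 'FILE'
   AND (permissions = 'READ/WRITE' OR path_name = '/')
 ORDER BY path_name;
```

Run the four SELECTs first and keep the output; it is the "before" evidence for the clean-up and the baseline you compare against after the change. Share permissions themselves are changed through IBM Navigator for i or the NetServer APIs rather than from this script.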

Additional Actions to Take to Secure IBM i

What are the additional actions that you can take now? Some of these are going to be more of a project, and I realize that projects aren't probably going on today, but some of these are just clean-up items too, so maybe you can take this time to go ahead and resolve some of these things.

One of them is decommissioned servers. I got a call one day from somebody that says, "Hey, do you do forensics?" and it's like, "Well, not really, but what's your question?" "Well, we have a decommissioned server, but it was still attached to the network and was still running." I'm thinking, it's decommissioned, why is it still attached to the network and still running? But the point was somehow that server had been infiltrated, and data was being exfiltrated off of their system to another country. They traced the IP address.

So, now is the time if you truly have decommissioned servers, then decommission them. Turn them off. Get them off the network.

The other thing is get rid of that data that has passed your retention schedule. GDPR says very clearly that data should only be kept for a certain length of time, and it should not be on the system if it's past that schedule. So, now is the time to clean that up. Also, copies made of files before changes made. Maybe a developer needs to adjust certain values in a database file or add a column or do something different to a database file. Best practice is to make a copy of the file before that change is made. I get that, and I would agree to that practice. But, once you know the change is fine and you don't have to back up a change, then you need to get rid of that old copy of that data. 

I was working with somebody the other day, and we found clear text Social Security numbers. That's the same as a social insurance number in the EU. Many of these copies of this information were in developer libraries, again, I'm sure either for testing purposes or to make a copy before a change was made, but those needed to go away, so we got rid of those. 

The other thing is just to look at your file shares, not just the read/write shares to root but look at all of your file shares and especially the read/write file shares. Those are the ones that leave whatever the path is associated with that share vulnerable to malware. If you're not using the share, get rid of the share. If it doesn't need to be a write share, change the attribute and back it back to just a read only share. 

The other thing to clean up are past versions of vendor products and vendor products that are not in use any longer.

The other thing we need to do is to stay up to date. And again, I realize that sometimes patching will involve an outage, and maybe you can't take that, or maybe this is the perfect time to take an outage. We have to make sure that at some point we are up to date on our IBM i systems, especially with the PTFs for Java and open source. Those are vulnerabilities that are available on any platform, the open source vulnerabilities, so they are just as open on IBM i. Make sure you're up to date with those PTFs. A good way to know whether you're up to date or not is to use the view in the SYSTOOLS library called SYSTOOLS.GROUP_PTF_CURRENCY.

Now interestingly, there was a publication that came out not that long ago about the Equifax breach, and it was basically a discussion about the investigation into the breach. It detailed more of what went wrong and how it could have been prevented. Now, it didn't go into the details of what the operating systems were, so we don't know if IBM i was involved at all, but I found it really interesting.

I think everybody knows that the Equifax breach came in through an unpatched server, so that comes under this category of staying up to date. But what happened one step before that is that Equifax actually sent out a memo to everyone, to the server owners, saying, hey, we need to get this vulnerability patched, but guess what? That distribution list was out of date, so the person that owned the server that was breached never got the memo.

So, what better time than right now to go through your distribution list and make sure that you're up to date. Make sure your contact lists are up to date in your breach notification team. All of these things that we just let sit idle and it's like, "oh, yeah, we'll get that updated," or, "we'll review that later," now is the time to do that. Just think, if that distribution list had been up to date, this breach may never have occurred. How sad is that? So, just a simple review of your distribution list may prevent your organization from being breached.

If you do not get the alerts from IBM on IBM i, as well as AIX and Linux or any of the IBM products, we have a simple step-by-step on how you get that done. So, I encourage you to get those alerts.

The other thing is that there are other things to review:

  • Group membership
    • Users are added to a group when they start work, maybe they get another group when they move to a different department, but is the old group ever cleaned up? Now is the time to review group membership.
  • Special authority assignments
  • Authorization list assignments
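The PTF currency check and the three review items above, as queries against the Db2 for i SQL services. This is an added example, not from the webinar or a HelpSystems product. It assumes SYSTOOLS.GROUP_PTF_CURRENCY (which the webinar names), QSYS2.GROUP_PROFILE_ENTRIES, QSYS2.USER_INFO with its per-authority YES/NO columns (ALL_OBJECT, SECURITY_ADMINISTRATOR), and QSYS2.AUTHORIZATION_LIST_USER_INFO, all available on IBM i 7.3 and later; on a release where the YES/NO columns are missing, filter on SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' instead.

```sql
-- Added example (not from the webinar). Assumes IBM i 7.3+ SQL services.

-- PTF group currency: only the groups where IBM has a newer level than
-- the one installed, so a clean system returns no rows.
SELECT ptf_group_id, ptf_group_title,
       ptf_group_level_installed, ptf_group_level_available,
       ptf_group_currency
  FROM systools.group_ptf_currency
 WHERE ptf_group_level_installed < ptf_group_level_available
 ORDER BY ptf_group_id;

-- Group membership: one row per (group, member). Sort by group so a
-- department group that still lists people who moved on stands out.
SELECT g.group_profile_name, g.user_profile_name,
       u.status, u.previous_signon, u.text_description
  FROM qsys2.group_profile_entries g
  JOIN qsys2.user_info u
    ON u.authorization_name = g.user_profile_name
 ORDER BY g.group_profile_name, g.user_profile_name;

-- Special authorities held directly: who has *ALLOBJ or *SECADM.
SELECT authorization_name, user_class_name, special_authorities,
       group_profile_name, supplemental_group_list
  FROM qsys2.user_info
 WHERE all_object = 'YES' OR security_administrator = 'YES'
 ORDER BY authorization_name;

-- Special authorities inherited through a group: the member's own
-- SPECIAL_AUTHORITIES column does not show these, so look at the group.
SELECT g.user_profile_name, g.group_profile_name, grp.special_authorities
  FROM qsys2.group_profile_entries g
  JOIN qsys2.user_info grp
    ON grp.authorization_name = g.group_profile_name
 WHERE grp.all_object = 'YES' OR grp.security_administrator = 'YES'
 ORDER BY g.group_profile_name, g.user_profile_name;

-- Authorization lists: entries that give *PUBLIC *ALL or *CHANGE, which
-- make every object secured by the list world-writable.
SELECT authorization_list, authorization_name, object_authority
  FROM qsys2.authorization_list_user_info
 WHERE authorization_name = '*PUBLIC'
   AND object_authority IN ('*ALL', '*CHANGE')
 ORDER BY authorization_list;
```

The two special-authority queries are deliberately separate: a review that only looks at a profile's own SPECIAL_AUTHORITIES misses everyone who is all-powerful through group membership, which is the case the group clean-up item above is about.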

Examine TCP/IP Configuration Settings on IBM i

The other thing I encourage you to do is look at your TCP/IP configuration settings. If a server or service isn't required, don't start it. For example, the Remote Execution (REXEC) server is one of those services that has well-known vulnerabilities and exploits associated with it. Most IBM i shops aren't using REXEC, so it shouldn't be auto-started if it is not in use.

Also, now is the time to make sure you have secure encrypted communications. I talked about those before, but now is the time and now maybe you can see the need for all communications to be secured. A lot of people have taken the time to secure their communications when it goes outside of the organization, but it is vital that the internal communications be encrypted, as well.

The other thing you can do is to limit who has *IOSYSCFG special authority because that's a special authority that allows someone to manage your TCP/IP settings.

If you need to understand what servers are used for Access Client Solutions (ACS), here's a link to that and then if you need to or are wondering what ports are used by those services here is a link to that information.
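A way to see which TCP servers are actually listening on your IBM i, whether REXEC is among them, and who holds *IOSYSCFG, using the Db2 for i SQL services. This is an added example, not from the webinar or a HelpSystems product; it assumes QSYS2.NETSTAT_INFO and QSYS2.USER_INFO with its SYSTEM_CONFIGURATION column (IBM i 7.3 and later). REXEC's port number, 512, is the standard assignment and is not stated on the page; the CL commands in the comments (ENDTCPSVR, CHGRXCA) are the real IBM i commands for stopping REXEC and turning off its autostart.

```sql
-- Added example (not from the webinar). Assumes IBM i 7.3+ SQL services.

-- Every TCP listener on the system. Anything here that nobody can name
-- an owner for is a candidate to end and to set AUTOSTART(*NO) on.
SELECT local_address, local_port, local_port_name
  FROM qsys2.netstat_info
 WHERE tcp_state = 'LISTEN'
 ORDER BY local_port;

-- REXEC specifically (TCP port 512, the IANA 'exec' assignment).
-- No rows means the server is not listening.
SELECT local_address, local_port, local_port_name, tcp_state
  FROM qsys2.netstat_info
 WHERE local_port = 512;
-- If it is listening and nothing uses it (CL, from a command line):
--   ENDTCPSVR SERVER(*REXEC)
--   CHGRXCA AUTOSTART(*NO)      -- Change REXEC Attributes: stay off after IPL

-- *IOSYSCFG holders: the people who can change TCP/IP configuration.
-- Compare this list with the names you expect to administer the network.
SELECT authorization_name, user_class_name, status, special_authorities
  FROM qsys2.user_info
 WHERE system_configuration = 'YES'
 ORDER BY authorization_name;
```

The port listing is also the quickest way to reconcile what ACS and its host servers need against what is actually open: each listener you cannot map to a service you use is a service to stop.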

Recommendations for Proactive Security Monitoring on IBM i

I talked about increased monitoring, so what would I monitor on IBM i? 

  • From the audit journal, I would be looking for unexpected changes to system values, especially the auditing and the password composition rules.
    • You may look for other ones, things like any change to QSECURITY.
  • I would be looking for authority changes or authority failures to critical files.
    • Files that contain HR information or maybe your inventory or your pricing, things that are critical to your organization.
    • Changes or creations of user profiles by unexpected users, which are users that sit outside the team.
  • Invalid sign-on attempts.
    • If you are seeing invalid sign-on attempts for root or admin, and it's not coming from something like an internal scan server, especially if it's coming from an external IP address, something has happened, and your IBM i has been exposed to the Internet. So, for any kind of invalid sign-on attempt from root or admin, I'd be perking up and doing more investigation on that.
    • I'd also be looking for widespread invalid sign-on attempts.
    • Attempts to use IBM-supplied profiles.
  • Activities of powerful profiles
    • I may even try to review the activity of my powerful profiles, such as QSECOFR.
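The monitoring list above, turned into audit journal queries. This is an added example, not from the webinar or a HelpSystems product. It assumes auditing is already on (QAUDCTL includes *AUDLVL and QAUDLVL covers at least *SECURITY and *AUTFAIL, so the SV, CP, PW and AF entry types are being written) and uses the QSYS2.DISPLAY_JOURNAL table function against QSYS/QAUDJRN. The administrator names SECADM1 and SECADM2 and the library HRDATA are constructed placeholders. The 30-character OBJECT column is read as object, library and member in 10-character fields, which is the layout the journal entry header uses; the user profile targeted by a PW entry lives in the entry-specific data and is not parsed here.

```sql
-- Added example (not from the webinar). Assumes QSYS2.DISPLAY_JOURNAL
-- (IBM i 7.2+) and an active audit journal QSYS/QAUDJRN.

-- 1. System value changes (SV) in the last 7 days: who, when, which job.
--    The system value name is in ENTRY_DATA; this surfaces the event.
SELECT j.entry_timestamp, j.current_user, j.job_name, j.job_user, j.job_number
  FROM TABLE(qsys2.display_journal('QSYS', 'QAUDJRN',
                 starting_timestamp  => CURRENT TIMESTAMP - 7 DAYS,
                 journal_entry_types => 'SV')) AS j
 ORDER BY j.entry_timestamp DESC;

-- 2. Authority failures (AF) against objects in a critical library.
--    OBJECT is object(10) library(10) member(10); HRDATA is a placeholder.
SELECT j.entry_timestamp, j.current_user,
       SUBSTR(j.object, 1, 10)  AS object_name,
       SUBSTR(j.object, 11, 10) AS object_library,
       j.remote_address
  FROM TABLE(qsys2.display_journal('QSYS', 'QAUDJRN',
                 starting_timestamp  => CURRENT TIMESTAMP - 7 DAYS,
                 journal_entry_types => 'AF')) AS j
 WHERE SUBSTR(j.object, 11, 10) = 'HRDATA'
 ORDER BY j.entry_timestamp DESC;

-- 3. User profile create/change (CP) by anyone outside the security team.
--    The IN list is a placeholder; put your real administrators there.
SELECT j.entry_timestamp, j.current_user, SUBSTR(j.object, 1, 10) AS profile
  FROM TABLE(qsys2.display_journal('QSYS', 'QAUDJRN',
                 starting_timestamp  => CURRENT TIMESTAMP - 7 DAYS,
                 journal_entry_types => 'CP')) AS j
 WHERE j.current_user NOT IN ('QSECOFR', 'SECADM1', 'SECADM2')
 ORDER BY j.entry_timestamp DESC;

-- 4. Invalid password attempts (PW) in the last 24 hours, by source
--    address. A burst from one address, or any external address at all,
--    is the "something has happened" signal from the list above.
SELECT j.remote_address, COUNT(*) AS attempts,
       MIN(j.entry_timestamp) AS first_seen,
       MAX(j.entry_timestamp) AS last_seen
  FROM TABLE(qsys2.display_journal('QSYS', 'QAUDJRN',
                 starting_timestamp  => CURRENT TIMESTAMP - 1 DAY,
                 journal_entry_types => 'PW')) AS j
 GROUP BY j.remote_address
 ORDER BY attempts DESC;

-- 5. Everything QSECOFR did in the last 24 hours, all entry types.
SELECT j.entry_timestamp, j.journal_code, j.journal_entry_type,
       j.object, j.job_name, j.job_number
  FROM TABLE(qsys2.display_journal('QSYS', 'QAUDJRN',
                 starting_timestamp => CURRENT TIMESTAMP - 1 DAY)) AS j
 WHERE j.current_user = 'QSECOFR'
 ORDER BY j.entry_timestamp DESC;
```

Run these once over a longer window first (30 days, say) to learn what normal looks like for your system; the point the webinar makes about exit point logs applies here too, since an alert threshold only means something once you know the baseline. The correlation name j is used because CURRENT_USER is also an SQL special register, and the qualified j.current_user makes sure the column, not the register, is read.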

Also, if you have purchased an exit point solution, like Exit Point Manager from HelpSystems, now is the time to use it. A lot of you have purchased it and not ever fully implemented it, now is the time. If you have and you have the logs, look at them. Now, if you haven't been looking at them, you may have to go back in time a little bit to see what is normal activity to detect abnormal activity, but now is the time to look at those logs.

Also, I would be sending my IBM i information to your SIEM. If you are not sending IBM i information you have a big hole in the activity of what you are actually wanting to be looking for. You don't have a complete picture if you're omitting your IBM i data. I've written an article for MC Press online, I do a monthly column there, on what should I be sending to my SIEM so some recommendations for that.

The other thing you can do is stay informed on the latest threats. Here are the sites that I go to. The first one is a blog by Brian Krebs, he always has some interesting stories to read. The rest are sites you can go to and just read their articles or they have newsletters that you can subscribe to. Finally, I'll link to that Ponemon Institute, where they have the survey on the insider threat also, things like the cost of a data breach, and so forth. 

Defense in Depth to Reduce Risks and Security Threats

At some point, we're going to get past this, and I'm thankful for that. At some point, we will get past this, and there's going to be some analysis done. Analysis of what was done right and what was done wrong, and what do we need to do differently in the future?

What most organizations are going to look at is, did I have enough layers of defense in place to reduce the risk to an acceptable level? The idea with defense in depth is that if something is broken through, how many more layers do I have to put up to thwart the threat before I can either detect it and shut it down, or they're just shut down totally.

I would encourage you to take this opportunity when that analysis is being done. Take that opportunity to examine your security practices and bring to your management the things that could have been put in place that would have put you in the Zen Zone and made you feel much more comfortable about the situation you're currently in, should it happen again. We hope that it never does, but at this point everybody, I think, is planning for it to happen again. So, what could you have had in place, or which of these technologies, if you had had them in place, would have put you in a much better place?

Don't miss this opportunity to put into place, or suggest, things that could have made your organization more secure during this time, so that you can get to a Zen place. Again, if it happens again, you're in a much better place, so don't miss this opportunity. I encourage you.

In Conclusion

Now, I just want to say thank you. Thank you to you all for taking the time out of your day. I know it is not a normal time, so thank you for taking time out of your day to join me for this discussion, and I just want to thank the health care workers that are out there. They're putting themselves on the front line. The grocery store workers, the farmers, the people that deliver the food, everybody that helps us make our lives able to continue, all of those delivery people. I think we just need to take some time and thank all those people when they come to our door or when we go through the checkout line at the grocery store; just say thank you. I know I have, and I think this world has become a kinder, gentler place, and if that's what comes out of this then that's a good thing.

I'm just going to spend the next couple of moments before we get to questions and answers, so you can start thinking of any questions you might have and start typing those into the question box, and I'll take a couple of minutes and talk about our HelpSystems Professional Security Services and the software that we have for the IBM i. During this presentation, you have received a lot of information and things to think about. One of the things, and I'm going to start in the upper right-hand corner, that you should take into consideration is possibly doing a risk assessment.

I don't know if you remember that slide about "do these things now"; there were several points that she made. Well, during a risk assessment you get a very in-depth look at over one hundred different risk points on your system, and you get to do a consulting session for about an hour or an hour and a half with one of our Security Consultants here on the team that I manage. They can take you through the results of that risk assessment and give you an idea of the high, medium, and low risks that you might be facing in your organization. So that's one thing you could be doing.

One of the things that we are doing as a part of this Covid presentation is this: please contact your HelpSystems sales representative and ask about our deeply discounted price for risk assessments. We are doing that as a special offer to people who attend this particular webinar and making that available through the end of May, so please contact them and ask about that.

Another thing that we're doing is penetration testing. Penetration testing, think about it as being a bad actor inside your network. Defense in depth: people break through a wall and get into your system. Now, what can they get access to? Think about compromised credentials. Remember she talked about QMAXSIGN, the value for the maximum number of times you can attempt to sign on; if that's set to no max, people can continue to guess user IDs and passwords, and eventually they're going to hit something. Well, that's compromising your user credentials, and suppose somebody got on to your system with that brute force attack: what could they see? What data could they get access to? So when we do penetration testing, we act like a user in your system, and we go about exploiting your system, doing ethical hacking if you will.

We sign on as a valid user, with a typical user you might have, or a developer user, or maybe a system admin, and maybe a few other profiles that we'll look at, and we try to sign on to your system and just see what those particular profiles have access to. We take pictures of that, if you will, screenshots that illustrate the access they have, and then review that with you at the end of the penetration test, so that you have a very good picture of what people have access to on your system. And then that may guide your plans in terms of remediation going forward.

Another thing that we offer is architecture engagements. Think of it this way: a risk assessment will tell you what the risk is, and an architecture engagement will basically start to lay out a plan to address those risks. We work hand-in-hand with you to go through and create this plan, and then you're welcome to take that plan and go off and do the remediation on your own and fix your system. Or, if you need help, and you can continue around the circle to the left here, we offer remediation services. That's where we go through and help you secure your system and harden the security on that system, executing on the plan and covering the risks that we've discovered during the risk assessment.

Now, two other things that we offer are Single Sign-On Managed Services and Managed Security Services. Single Sign-On Managed Services is basically connecting your Windows AD through Kerberos to your IBM i, so when a person logs on to Windows Active Directory in the morning and onto the network, they have access directly to the IBM i. That's done via Kerberos, through a ticket system.

So, you know, security has actually improved, in that one of the things you do after this is in place is set the passwords on your IBM i user profiles to *NONE, so nobody can actually use those profiles to log on. That's something to consider if you're wanting to make your life a little bit simpler and a little bit more secure: Single Sign-On Managed Services.

Another thing we do is Managed Security Services. We know that a lot of resources in the IBM i world are strained, and they need just a little help monitoring security and seeing whether they're in compliance with their own security policy. We've set up Managed Security Services where our team will actually monitor: they will set up a system where reports are sent to us each month through secure email, and we will monitor your system from afar, if you will, by reviewing those reports and then sending you a summary of where you're at, what's out of compliance, and what you need to address. So, that's Managed Security Services.

Now, if you recall, about two slides ago we said there's going to be a time when we have to review and look at defense in depth and ask what we could possibly do to harden security on our IBM i. We have a number of pieces of software in the HelpSystems security arsenal for the IBM i that you might want to consider.

There's Compliance Monitor for IBM i. We talked a lot about reviewing those Audit Journal records; well, Compliance Monitor is a great tool for combing through all of that forensic evidence of the security events that are occurring on your system. So you might want to consider that.

We have privileged access management. There's a product called Authority Broker for IBM i, and Authority Broker basically allows you to track when you have to elevate somebody's privilege to get something done on the system. It's a good thing that you have records of that, and that you can refer to those and make sure that what has gone on is appropriate. The other thing you can do with Authority Broker is release that person from that authority once the job is done. You don't have to have somebody sitting there with All Object (*ALLOBJ) authority all the time.

We have self-service password reset, database monitoring, user provisioning, and multi-factor authentication (MFA). You should put in place, you know, two of the things that thwart the bad guys from the outside that are very obvious. If you go and look at what Black Hat has published, the things that thwart hackers are multi-factor authentication and encryption. Why aren't we doing that as an IBM i community? Why aren't we looking at multi-factor authentication tools and also native encryption for the IBM i to just thwart any sort of outside access to the system? Those are things that you should consider. We have native encryption, we have multi-factor authentication, and we have Exit Point Manager, that's Perimeter Access Control, as well. It's been a long-storied tool in the HelpSystems arsenal for many years and something you should consider. Take a look at what we have to offer from an exit point perspective to cover the network access to your system.

Then there's command monitoring, and automated risk audits, that's a product called Risk Assessor for IBM i. It actually just gathers data; it doesn't make any changes. It's the tool we use when we perform that risk assessment for you, where we get the data through Risk Assessor and then we interpret that for you and create a high, medium, and low-risk presentation that we review with you at the end of the risk assessment. We also talked about feeding data to your SIEM. We have a SIEM Agent for IBM i that sends the data to the SIEM that you currently have. A lot of people have SIEMs gathering logs from all kinds of systems, and there seems to be a blind spot when it comes to the IBM i. We have this SIEM Agent that does that, something that you should really consider and take a look at with our sales reps here.

We talked about native virus protection, or basically the need to do virus protection on your IBM i because of the IFS and the shares that could possibly be in action out there. We do offer Native Virus Protection; that's something you should consider. We also have a policy tool for inputting your security policy and then reviewing it and seeing if you're in compliance with your own security policy. That's a product called Policy Minder for IBM i. Then we also offer Secure Managed File Transfer through a product called GoAnywhere.

Now, I've talked about a Risk Assessment, which is an in-depth assessment using the people that we have on our IBM i Professional Security Services team to really dive deep under the carpet, and we also offer a first look at security in something called a Security Scan. It is going to give you a first look and give you some ideas of things to look at; maybe it leads you to the next step, which would be an in-depth risk assessment, but the security scan is great. It's free. You can go to our website and sign up for that, and then you can determine whether you should move on to a risk assessment. If you do have any questions, please type them in now.

I can only imagine what's going to happen once we get past Covid-19 in terms of people reviewing what worked and what didn't work. We could probably have another session on just that. Probably so. I'm sure that people are going, "oh, I wish we had, oh, I wish we had," so, you know, when that meeting comes up, I just wanted to throw some topics out there so that it might jog people's memories to say, "yeah, if we had had this, we would have been in a much better place." At some point there will be that meeting, and hopefully, you know, that's the opportunity to get more layers of defense in place.

I agree, and I can't wait to get to the other side of this for multiple reasons. One, just to get to the other side of this. It's kind of a trying time for people in general, but also just to see what the effect of it is on business and security, so that will be interesting.

I'm also sure you've heard the reports that a lot of people are thinking many organizations will allow broader work from home policies since they know it will work, and so these issues may not be going away.

Find the Vulnerabilities on Your System

Identify the vulnerabilities on your system with a comprehensive IBM i Risk Assessment.