Is your organization’s AS/400 security up to current standards? When it comes to IBM i security, even a small step is better than no step at all. That’s why we recommend conducting a security assessment.
But what exactly is an IBM i security assessment and what should you expect? We’re sharing examples from two of our clients to help clear up confusion and give you insight into how to improve your current IBM i security.
Our first client example concerns a retail company specializing in outdoor sporting supplies. Because they sell firearms for hunting, the client is regulated by the Bureau of Alcohol, Tobacco, and Firearms, which requires them to meet certain standards.
This client contacted our team and requested a basic information security assessment and recommendations for improvement. They had recently suffered a cyber security incident where a ransomware attack damaged a portion of their infrastructure and took far too much IT effort to contain and remediate. In order to reduce their risk of experiencing this again, they wanted to improve their security.
Our security assessment takes a holistic approach to cyber security because security is not determined by any one specific thing, but is the combined effort of people, policies, procedures, and technology.
The Briteskies security team is led by senior consultant Rob Nettgen. He has 30 years of IT experience, 15 years of information and cyber security experience, and became a Certified Information Systems Security Professional (CISSP) in 2009.
This client has an IT team dedicated to operational support and they maintain most of their infrastructure onsite, including email, file, database, and application servers and network security. Here are a few things they were doing right.
- Their IT team was highly capable and appropriately staffed for the size of their company
- Operational resilience was enhanced with dual internet providers
- UPS units on key systems also contributed to their resiliency
- An impressive generator could power their infrastructure in the event of a power outage
- They were following good operational practices, like running up-to-date software and implementing appropriate patches
Although all of that was a good start, there were still a few things this client had to work on, including:
- Processes were informal, with no written IT policies or procedures
- Internet boundary security was limited to the router, NAT, and firewall features
- The computer room was not locked and did not have security cameras nearby
- No email filtering service in use
- Limited experience in server and data backup with no rotation of physical or virtual backup media offsite
IBM i Security Assessment Findings and Recommendations
While this client had taken modest steps towards improved security, there were still plenty of opportunities for further enhancements. Here are a few of the recommendations that our team made:
- Implement written information technology and security policies
- Strengthen internet boundary security
- Implement second factor authentication for remote access
- Consider implementing a SIEM server and web URL filter
- Limit mail server to receive email only from the email filter
- Implement regular Security Awareness training
- Increase system and data backup depth; implement formal offsite data rotation, encryption, and key storage; and test backup media regularly
- Formalize process of continuous improvement
With these recommendations in place, our team was able to help the client create a plan for implementing the necessary changes. They were able to implement practices that allowed them to handle their security in-house moving forward. Of course, our team is always available for additional help.
Our second example is a client that manufactures sand for the oil and gas industries. As a publicly traded company, they are regulated by SOX. While they had established security practices in place, this client wanted an external assessment to identify any additional opportunities for security improvement.
This client already had a well-developed and implemented information security program. Here’s what that entailed:
- The program was supported by company management
- The program is reviewed and improved at least annually
- Information security policies are logically designed and reviewed and updated periodically
- The client performs external penetration testing and internal vulnerability scans
- Any critical issues found in those tests are scheduled for remediation
Along with those best practices, this client’s data center is located offsite with strong physical security. They also perform an annual IBM i-focused disaster recovery test to stay on top of backup media and recovery procedures.
IBM i Security Assessment Findings and Recommendations
Because of all of the hard work this client had already done on their cyber security, nothing our team found during the IBM i security assessment was deemed a critical risk. However, that doesn’t mean we didn’t find potential security vulnerabilities. Here are a few risks our team identified:
- Reports from IBM and from the client’s additional security software conflicted, giving contradictory results on which profiles posed potential security risks
- Some PUBLIC objects owned by QSECOFR were using Adopted Authority, which could lead to a privilege escalation exploit
- Authentication for remote access was not multifactor
- The IBM i server was not running the most recent version
- Firmware was not running the most recent version
- IBM i PTFs were not being installed quarterly
- Network connections to IBM i were not encrypted
- Native IBM i Auditing features were not in use
- Older password restrictions and algorithms were in use
- Third-party vendor information security requirements were unclear
By identifying these vulnerabilities and helping the client establish a plan for remediating them, this client was able to further improve their information security.
Because this client already had the basics of cyber security in place, our assessment was able to get more granular with our findings. This more advanced IBM i security assessment highlights the fact that there are always next steps to be taken when it comes to protecting your system and data.
Are you ready to perform an IBM i security assessment? Our team is ready to help. Contact us to get started.