Carol describes terminology prevalent in the security world, explains what it means, and identifies how it applies to IBM i.
I subscribe to several security-related newsletters. I was reading an article the other day, and it used the phrase “good security hygiene.” I thought I knew what that meant but did a bit of research to make sure. That experience made me think that it might be helpful to explain some security terminology and describe how it relates to IBM i. Let me start with the phrase that inspired this article.
Good Security Hygiene
You might be able to guess what this term means. Basically, if you practice good security hygiene, you’re implementing security best practices. Most of my columns focus on implementing IBM i security best practices, so I’m not going to provide a comprehensive list, but examples of best practices include running at QSECURITY level 40 or 50, configuring auditing and saving audit journal receivers, requiring strong passwords, appropriately securing data, using secure (encrypted) communications, eliminating excess special authorities, staying current on PTFs, etc.
Data Loss Prevention (DLP)
DLP is not a process or practice but a technology. The purpose of this technology is exactly what the name says—to prevent the loss of data. How, exactly, does it work? Most of you are familiar with exit point software such as PowerTech’s Network Security product. Think of DLP as exit point software for your entire organization. Just as IBM i vendors create an interface for you to define rules as to who is allowed to use FTP or download a specific file via ODBC for example, DLP allows you to define rules as to how much data can be downloaded or sent outside of your organization as well as who can do so.
The reason I say DLP is for your entire organization is because the rules can be applied to email, USB ports, FTP to external sites, etc. A rule can be defined for almost anywhere data flows. Rules can be quite granular. For example, you can specify that any email containing more than two cleartext credit card numbers going to an external address is to be blocked. Or you can say that file containing certain types of information can be emailed or FTPed out of your network by a specific group of people but attempts by anyone else are to be blocked. And just like IBM i exit point software, you can choose either to just log the flow of data or to stop it.
While DLP is incredibly powerful technology, getting it implemented is quite time-consuming. “Tuning” the rules so that you are not blocking legitimate business traffic and you are eliminating false-positives takes significant effort.
So is DLP available on IBM i? All DLP software can read data being sent off of IBM i. Some DLP vendors have modules that look at data residing specifically on IBM i, but many just look at the contents of files in the IFS. A handful examine DB2 files. So depending on your requirements, yes, DLP is available for IBM i. And one could argue that exit point software provides some functions of the DLP technology.
Viruses vs. Malware
What’s the difference between a virus and malware? Malware is the term for code whose intent is malicious. A virus is a form of malware as are ransomware, spyware, logic bombs, Trojan horses, and (my favorite) nagware. Can malware affect IBM i? The answer is a resounding yes. To date, no viruses have been written specifically for IBM i (thank goodness!), but that doesn’t mean one couldn’t be written. In addition, many IBM i shops have been affected by ransomware. Users’ PCs have become infected and, because they were mapped to a share defined for a directory in the IFS, the objects in that directory have been encrypted. Several steps can be taken to reduce your risk: Don’t share root, define shares as read-only whenever possible, and set appropriate object-level authorities on the directories to limit the type of activity the ransomware can take on the objects in the directories.
Which brings me to my next term…
Phishing is when an attempt is made to gain access to confidential information—user IDs and passwords, bank account information, credit card numbers, etc. Phishing usually occurs via email. The email typically contains a link to a site that downloads some form of malware or has an attachment that will install malware when opened. Spear phishing is email that appears to come from a legitimate source such as your CEO or CIO. Spear phishing is often more successful because it has a much more legitimate “look and feel” about it. Targeted spear phishing are attempts targeted at specific individuals or organizations. At the time of this writing, the healthcare industry is the most targeted industry. It’s being hit by ransomware because the need to have access to healthcare information by healthcare professionals is usually immediate. So unless the organization has immediate access to a recent backup, healthcare organizations are more apt to pay the ransom to get its information unlocked.
Regardless of the operating systems or technology in use by an organization, all users throughout all organizations need to be educated on phishing and know how to avoid being a victim. The holidays will be upon us before we know it, and with that comes a rise in spear phishing. Users must be educated to not click on links that appear to be from FedEx or UPS, for example, but are instead an attempt at phishing.
I continue to hear that IBM i has never been hacked. This is simply not true. Let’s define the term “hacking.” According to Computer Crime Research Center, hacking is defined as the “unauthorized use of computer or network resources.” I know of specific cases in which an IBM i has been hacked. But even if I hadn’t been aware of these facts, you couldn’t tell me, given this definition, that the data residing on all IBM i’s around the world hasn’t been accessed inappropriately. Why do I bring this up? Some organizations still have their heads in the sand when it comes to the need to secure their data residing on IBM i. They continue to believe that IBM i is secure rather than secure-able and they don’t see the need to take any action. Actually, I think they just don’t want to “go there” so the “IBM i is secure” line is their excuse for not taking action.
How has IBM i been hacked? The answer takes me full circle to the original term I discussed. IBM i was hacked not because of vulnerabilities in the operating system. IBM i has been hacked in organizations that have failed to practice good security hygiene. Need I say more?
I hope this discussion of security terminology has been helpful and has opened your eyes to how IBM i can be affected.