Carol provides the top 10 actions she wishes people would take to make their organizations more secure.
The holidays are upon us, and gifts are being given. I don’t know about you, but it’s definitely easier to know what to gift, especially to kids, when they’ve given me a Wish List. So for this article I’m pulling out my inner child and providing you with my list of actions I wish everyone would take when it comes to IBM i security. And lest you wonder whether these wishes are simply pulled from my dreams, they are not. These wishes are based on working with administrators and reviewing many organizations’ IBM i security settings.
#10: I wish people would make use of the security tools that come with the operating system. Simply type GO SECTOOLS to access tools to identify profiles with a default password, disable inactive profiles, and disable or delete a profile on a specific date. Also included are reports showing the authority settings of user profiles, libraries, directories, and more. These tools are especially useful if you’re new to IBM i security and need a place to start…and they’re available for no extra charge!
#9: I wish administrators would stop creating read/write shares to /root, which shares the entire system (including your libraries and the operating system) and exposes it to malware.
#8: In addition to not sharing /root in the first place, I wish organizations would review file shares. File shares are ransomware’s entryway into the system. I’ve found that many file shares aren’t needed, even if people are currently mapping to them. Often, people have changed jobs within the company and no longer need access to what’s being shared or someone mistakenly checked the “Reconnect at signon” box when initially connecting to the share, so they are perpetually connecting when, in reality, they only need the connection periodically. When you reduce the number of connections via file shares, you reduce the chances of malware spreading to that system. And this is not just a wish for IBM i. I wish organizations would review file shares throughout their entire organization.
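As an added illustration of the share review in #9 and #8 (not code from the article), the following query lists NetServer file shares through the QSYS2.SERVER_SHARE_INFO SQL service and flags the cases discussed above; it assumes IBM i 7.3 or later, where that view exists, and that PERMISSIONS reads 'READ ONLY' for read-only shares.

```sql
-- Added example: review NetServer file shares from ACS Run SQL Scripts or STRSQL.
-- Assumes QSYS2.SERVER_SHARE_INFO (IBM i 7.3+) and that read-only shares report
-- PERMISSIONS = 'READ ONLY'; check your release's documentation for the exact text.
SELECT SERVER_SHARE_NAME,
       PATH_NAME,
       PERMISSIONS,
       CURRENT_USERS,          -- sessions connected right now
       TEXT_DESCRIPTION,
       CASE
         -- PATH_NAME '/' is the root directory (what the article calls /root):
         -- a read/write share here exposes libraries and the operating system.
         WHEN PATH_NAME = '/' AND PERMISSIONS <> 'READ ONLY'
           THEN '1-REMOVE: read/write share of the root directory'
         WHEN PATH_NAME = '/'
           THEN '2-REVIEW: root directory is shared read-only'
         -- shares into the library file system give PC clients a path to DB2 objects
         WHEN PATH_NAME LIKE '/QSYS.LIB%' AND PERMISSIONS <> 'READ ONLY'
           THEN '3-REVIEW: read/write share into QSYS.LIB'
         -- nobody connected: a candidate for removal if the owner agrees
         WHEN CURRENT_USERS = 0
           THEN '4-CANDIDATE: no current connections'
         ELSE '5-KEEP: confirm with the owner that read/write is still needed'
       END AS FINDING
FROM QSYS2.SERVER_SHARE_INFO
WHERE SHARE_TYPE = 'FILE'
ORDER BY FINDING, SERVER_SHARE_NAME;
```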
#7: I wish critical data would be secured, not just data containing personal information but an organization’s business-critical information. I’ve seen too many instances of organizations ignoring the security of the data that runs their organization and makes them unique.
#6: I wish organizations would take the threat of being hacked or infected with malware seriously and develop an incident response plan before the event instead of attempting to figure out what to do in the middle of the breach. Literally one of the first calls I received after we started DXR Security was from someone in a panic because his company had been infected with ransomware and he had no idea what to do!
#5: If systems are still running at QSECURITY level 20 or 30, I wish organizations would put plans in place to move them to 40. Moving from level 30 to 40 is usually quite easy. Read chapter 2 of the IBM i Security Reference manual or chapter 3 in my book to find the exact steps you need to take. Moving from 20 to 40 takes more planning and testing, but it’s still doable. Systems need to be running at level 40 or 50 to ensure auditing cannot be bypassed, users cannot elevate their authority, and operating system integrity is intact.
#4: I wish administrators would manage inactive profiles. I’ve seen organizations with profiles that have never been used, yet are enabled and have a default password. These profiles are ripe for someone to abuse. Most IBM i security software vendors have products that you can use to manage inactive profiles, but you can also use one of those integrated security tools on the SECTOOLS menu to at least disable inactive profiles. But I would really prefer to see inactive profiles deleted so they can’t be abused. This includes profiles associated with administrators and programmers who are no longer with the organization.
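As an added example (not from the article) of the review in #10 and #4, this query uses the QSYS2.USER_INFO service to preview the enabled profiles that ANZDFTPWD and ANZPRFACT on the SECTOOLS menu would act on; the 90-day inactivity threshold is an assumption.

```sql
-- Added example: enabled profiles that can sign on and either still have a
-- default password or have not been used. Assumes QSYS2.USER_INFO with the
-- USER_DEFAULT_PASSWORD column; 90 days is an assumed threshold.
-- ANZDFTPWD ACTION(*DISABLE) and ANZPRFACT INACDAYS(90) on GO SECTOOLS do the
-- disabling; review this list first so service profiles are not caught unaware.
SELECT AUTHORIZATION_NAME,
       STATUS,
       USER_DEFAULT_PASSWORD,
       PREVIOUS_SIGNON,
       CREATION_TIMESTAMP,
       SPECIAL_AUTHORITIES,    -- *ALLOBJ/*SECADM here make the finding urgent
       CASE
         WHEN USER_DEFAULT_PASSWORD = 'YES' AND PREVIOUS_SIGNON IS NULL
           THEN '1-DELETE: never used and still has a default password'
         WHEN USER_DEFAULT_PASSWORD = 'YES'
           THEN '2-RESET: password equals the profile name'
         WHEN PREVIOUS_SIGNON IS NULL
           THEN '3-REVIEW: enabled for 90+ days, never signed on'
         ELSE '4-DISABLE: no sign-on in the last 90 days'
       END AS FINDING
FROM QSYS2.USER_INFO
WHERE STATUS = '*ENABLED'
  -- skip profiles with PASSWORD(*NONE), e.g. most IBM-supplied Q profiles
  AND NO_PASSWORD_INDICATOR = 'NO'
  AND ( USER_DEFAULT_PASSWORD = 'YES'
        -- a profile created last week with no sign-on yet is not "inactive"
        OR ( PREVIOUS_SIGNON IS NULL
             AND CREATION_TIMESTAMP < CURRENT_TIMESTAMP - 90 DAYS )
        OR PREVIOUS_SIGNON < CURRENT_TIMESTAMP - 90 DAYS )
ORDER BY FINDING, AUTHORIZATION_NAME;
```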
#3: I understand there are many business decisions about when organizations update their operating systems and even when they apply PTFs, but I wish organizations would stay current. IBM is providing administrators with so many tools to modernize how we do our jobs that it’s a shame more organizations can’t take advantage of them. See my article on the New Navigator interface and another article on new security features for what you’re missing.
#2: I wish more systems were running at a higher password level (set by the system value QPWDLVL). Running at QPWDLVL 2 and 3 (3 should be your goal) allows for passphrases. Studies have shown that a longer password or phrase is easier to remember than a shorter, cryptic password. A passphrase—that is, a password 14 characters or greater—is an option for those organizations tempted to allow default passwords (passwords the same as the user profile name) and never requiring passwords to be changed because they have many end users who have a difficult time remembering a cryptic password. Using a long password may allow you to increase the length of time between password changes, again, helping those end users who have a hard time dealing with password changes. Also, you can use the QPWDRULES system value to choose password composition rules that match your network rules. You can also specify the *ALLCRTCHG value to not allow a default password even when creating or changing a profile.
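As an added example (not from the article) covering the system values in #5 and #2, the first statement checks QSECURITY, QPWDLVL and QPWDRULES against the targets given above with QSYS2.SYSTEM_VALUE_INFO, and the CALL statements apply the corrected settings through QSYS2.QCMDEXC; it assumes level values are returned in either the numeric or the character column, and *MINLEN14 and *LMTPRFNAME are one possible rule set, not the article's.

```sql
-- Added example: compare the three system values with the article's targets.
-- Assumes QSYS2.SYSTEM_VALUE_INFO returns each value in CURRENT_CHARACTER_VALUE
-- or CURRENT_NUMERIC_VALUE, so both are coalesced into one string.
WITH sv AS (
  SELECT SYSTEM_VALUE_NAME,
         TRIM(COALESCE(CURRENT_CHARACTER_VALUE,
                       CHAR(CURRENT_NUMERIC_VALUE))) AS SETTING
  FROM QSYS2.SYSTEM_VALUE_INFO
  WHERE SYSTEM_VALUE_NAME IN ('QSECURITY', 'QPWDLVL', 'QPWDRULES')
)
SELECT SYSTEM_VALUE_NAME, SETTING,
       CASE
         WHEN SYSTEM_VALUE_NAME = 'QSECURITY' AND SETTING IN ('40', '50') THEN 'OK'
         WHEN SYSTEM_VALUE_NAME = 'QSECURITY'
           THEN 'MOVE TO 40: below 40 auditing and integrity can be bypassed'
         WHEN SYSTEM_VALUE_NAME = 'QPWDLVL' AND SETTING IN ('3', '4') THEN 'OK'
         WHEN SYSTEM_VALUE_NAME = 'QPWDLVL' AND SETTING = '2'
           THEN 'OK: passphrases allowed, 3 is the goal'
         WHEN SYSTEM_VALUE_NAME = 'QPWDLVL'
           THEN 'RAISE: 10-character maximum, no passphrases'
         WHEN SYSTEM_VALUE_NAME = 'QPWDRULES' AND SETTING LIKE '%*ALLCRTCHG%' THEN 'OK'
         WHEN SYSTEM_VALUE_NAME = 'QPWDRULES'
           THEN 'ADD *ALLCRTCHG: rules not enforced on CRTUSRPRF/CHGUSRPRF'
       END AS FINDING
FROM sv;

-- Corrected settings. QPWDLVL takes effect at the next IPL, and moving to 2 or 3
-- discards the level 0/1 password hashes, so confirm first that no client still
-- depends on them.
CALL QSYS2.QCMDEXC('CHGSYSVAL SYSVAL(QPWDLVL) VALUE(''3'')');

-- Once QPWDRULES is anything other than *PWDSYSVAL the individual QPWDxxx
-- composition values are ignored, so the full rule set must be stated here.
-- *ALLCRTCHG applies it to CRTUSRPRF/CHGUSRPRF as well, and *LMTPRFNAME is
-- what rejects a password equal to the profile name (assumed rule choices).
CALL QSYS2.QCMDEXC('CHGSYSVAL SYSVAL(QPWDRULES) VALUE(''*ALLCRTCHG *MINLEN14 *LMTPRFNAME'')');

-- QSECURITY also changes at the next IPL; do the preparation in chapter 2 of the
-- Security Reference first (audit *AUTFAIL/*PGMFAIL and resolve the AF entries).
CALL QSYS2.QCMDEXC('CHGSYSVAL SYSVAL(QSECURITY) VALUE(''40'')');
```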
#1: I wish organizations would stop ignoring IBM i for the more advanced security technologies. For example, IBM i audit journal information should be sent to organizations’ Security Information and Event Manager (SIEM). A SIEM is a way to correlate events from around the network to detect trends and abnormal events (e.g., intrusions). Many organizations send events from firewalls, routers, and Windows servers but ignore their IBM i. When they omit IBM i, they have a hole in their view of what’s happening. Another technology often ignored is Multifactor Authentication (MFA). Many organizations have implemented MFA to access other parts of their organization. Why, when IBM i is the heart and soul of many organizations, do they not require MFA to protect against credential theft for access to IBM i? It’s a mystery to me!
I have one final wish that has nothing to do with IBM i security. It has to do with you and with me. The last couple of years have been hard, and we may have no idea what has caused someone to have the viewpoints they have or act the way they do. I wish that all of us will have more grace with those we encounter. Merry Christmas and Happy New Year, everyone!