“AS/400 is built to be safe and reliable.”
“No one makes viruses for the IBM i. There are no known cases of malware, either.”
“IBM has amazing IBM i server security, so we don’t have to worry about vulnerabilities.”
Do these statements sound familiar? Perhaps you’ve come across these claims in the industry, heard someone say something similar at an event, or maybe even said it yourself. Whether it’s old news or not, the belief that the IBM i (often still referred to as AS/400, i Series, or Power Systems) is secure has circulated around organizations and IBM i shops for decades.
Talk to any industry professional, and they’ll probably agree that "AS/400 is a comparatively safe place for your data." Look up “is the AS/400 secure” on your favorite search engine. Again and again, industry voices like IT Jungle and Computer Weekly reiterate that IBM’s famous hardware is hardy, bulletproof, and impressive.
And it is, of course. There’s a reason why so many organizations still use IBM i servers. But the praise surrounding IBM’s product development and built-in security is a double-edged sword. It lulls people into worrying more about their external network threats than their internal ones.
Which is where the bad news comes in…
The IBM i (AS/400) isn’t as safe as you think. In fact, your data may be vulnerable to attacks right now.
HelpSystems, a company that offers businesses IT management software and services, publishes an annual security study on the IBM i. Every cycle, they audit hundreds of IBM i environments in a variety of industries to pinpoint general cybersecurity trends and weaknesses.
According to the 2017 State of IBM i Security Study, companies who store their data on IBM i servers tend to be at risk in several key places. These areas of improper IBM i security include users with too many authorities, accidental or overlooked *PUBLIC data access, limited control over network access, and susceptibility to, yes, even viruses and malware.
What contributes to these gaps in an organization’s IBM i security methods? Unfortunately, there are several factors involved. The study from HelpSystems lists overextended staff members, complicated server security, and lean IT budgets as a few roadblocks, but problems like hard-to-update legacy systems, a lack of bandwidth for system updates, and a reliance on IBM i to take care of AS/400 security measures can also be quiet culprits of risk.
Related Reading: PGP Encryption for IBM i
To learn how to identify and address dangerous security exposures in your IBM i environment, we recommend reading the 2017 State of IBM i Security Study in full. If you don’t have time to dig into the PDF, though, here’s a quick coffee break read on three things you can do, starting today, to ensure your data is properly secured on your AS/400.
Crack down on user access
It’s considered best practice to give users the minimum amount of permissions they need to do their jobs. This is obvious when it comes to shared folders or departmental groups on a company’s network, but it also applies to the files, IFS directories, and objects that are stored on the AS/400.
There are two things to consider with user access: god-like users and data created or stored with default permissions. Both of these can be easy to overlook in a busy environment, and both of these can create vulnerabilities to user error and malicious intent.
During their analysis of 332 IBM i environments, HelpSystems found that, on average, 200 users had All Object (*ALLOBJ) authority, allowing them “unrestricted ability to view, change, and delete every file and program on the system.” Furthermore, an average of 300 users had Spool Control (*SPLCTL) authority and nearly 350 users had Job Control (*JOBCTL) authority.
The best response to overpowered users is to check how authorities are assigned on the IBM i. They might be passed down as part of a Group Profile, for example, or exist as outdated users who were never cleared off the system.
Once you’ve determined how authorities are assigned, review who has special authorities on the IBM i and limit access for those who don’t need it. Not sure where to start? HelpSystems recommends that businesses “keep the number of users with special authority to fewer than 10,” so use that as a marker for where you should be as you go down the list.
Data with Default Permissions
Overpowered users aren’t the only security issue for the AS/400. Objects created on the IBM i have a default of *PUBLIC, which lets users interact with, change, or even delete data. What’s worse, the study says, “unless [a] user is granted a specific authority … [they] will operate with the object’s default permission.”
Think about it. Do all your IBM i users have authorities assigned that approve or deny data access?
In their study, HelpSystems discovered that 49% of objects in an average IBM i environment had a *PUBLIC authority of *CHANGE, which allows users to “place new objects in the library and … change some of the library characteristics.” Twenty-five percent had *USE, enabling any user to try to access objects, and 10% had *ALL, which lets “anyone on the system … manage, rename, specify security for, or even delete a library.”
If your data has *PUBLIC access rights, you can take steps to identify potential threats by monitoring for changes. Using a tool to log file changes and user activity will help you track unauthorized data access and find potential vulnerabilities in your environment.
HelpSystems also recommends that businesses “use the security capabilities of the IBM i OS [and] secure data using resource-level security to protect individual application and data objects.”
Scan your IBM i servers for viruses
Contrary to popular belief, the files stored on the IBM i can be affected by viruses and malware. The IBM i itself can’t be contaminated by viruses created for computers, but its files are considered excellent “carriers,” delivering viruses, malware, and other threats from one network to the next.
IT Jungle writes in an article on IBM i ransomware that the IBM i's IFS “can store and distribute Windows malware – including encryption-wielding ransomware strains.” This puts your IBM i data and sensitive information on employee workstations at risk. Ransomware is also a threat that can successfully encrypt your files, limiting access to important folders and databases.
Viruses on the IBM i aren’t always detectable at first glance. The 2017 State of IBM i Security Study gives an example of a business that scanned their IBM i environment for viruses for the first time, as they’d believed the AS/400 couldn’t be infected. Upon completion, they were “shocked to find nearly 250,000 files infected by the CryptoWall virus.”
How long had those files been affected—and how many more would’ve been contaminated if they hadn’t checked?
Could this be a scenario you’re living, and you just don’t know it?
The first step toward securing your data from viruses is to scan your files for existing problems. Once you’ve identified whether your environment is infected or not, continue to scan it frequently using a solution like Stand Guard Anti-Virus, a native IBM i virus scanner. This solution, or one similar to it, will protect your data by detecting and removing infections on the AS/400, freeing up your time and attention for other, more important matters.
Use managed file transfer to secure your data transfers
In a previous blog, we discussed 5 Best Practices for IBM i File Transfers, which covered solid key management practices, setting up email alerts for triggered events, and more.
When it comes to file transfers, protecting your data with IBM’s built-in FTP and Open SSH servers isn’t enough. FTP hasn’t kept up with today’s rigorous security standards; it’s considered unsecure and outdated, making the sensitive files it moves vulnerable to packet sniffing tools and potential hackers.
A better way to protect and secure your IBM i file transfers is to use a managed file transfer solution. GoAnywhere MFT can streamline the exchange of data between your IBM i and non-IBM i systems, customers, and trading partners through secure servers and protocols like SFTP, FTPS, HTTPS, and AS2. Not only does it encrypt data in transit, protecting it from ransomware and malicious users, it also encrypts it at rest.
Comprehensive security controls, a helpful user management system, SSH key and SSL certificate creation for IBM i systems, and detailed audit logs all work together to preserve sensitive company data, making your environment a little safer … and a lot simpler. So if you’re looking to make the switch from IBM’s default servers to modern secure protocols, MFT is definitely worth consideration.
The AS/400 lives up to its praise in many ways. It’s sturdy, reliable, and versatile. But that doesn’t mean it’s immune to vulnerabilities. Setting resources aside to protect the data on your IBM i systems will go a long way toward ensuring your information IS safe—100% of the time.
Are you looking for ways to improve your efficiency on the IBM i?
This 60 minute webinar explores how GoAnywhere MFT works with the IBM i to enhance your file transfer and encryption practices. Don’t miss out; view the recording here.