Data Breaches: Is IBM i Really At Risk? HelpSystems LLC. All rights reserved. All trademarks and registered trademarks are the property of their respective owners.
ROBIN TATAM, CBCA CISM PCI-P Global Director of Security Technologies robin.tatam@helpsystems.com
Let's start by defining the term "Data Breach".
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations, or intellectual property. Source: Wikipedia
A compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed. Source: International Standards Organization (ISO)
A data breach may have different origins
Black Hats: typically seeking personal gain; often very skilled; the stereotypical hacker; does not notify of vulnerabilities.
Organized Crime: typically seeking financial gain or an information advantage; often funds Black Hats.
National Governments: typically seeking political gain or competitive advantage; often fund Black Hats and spies.
Insider Threat: typically seeking personal gain (money, career); IT sabotage, theft of intellectual property, fraud, crimes of opportunity; a moving target; often unintentional!
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors, or business associates. These insiders are often staff that have inside information concerning the organization's security practices, data, and computer systems.
Just 17% of companies surveyed reported an insider threat incident in the last year. But 85% of companies actually had an insider threat incident. Source: 2014 Cloud Security Alliance Survey of CIOs
[Chart: Average annualized cyber crime cost, weighted by attack frequency. Source: Ponemon Institute]
[Chart: Average resolution time by attack type. Source: Ponemon Institute]
[Chart: Budget or earmarked spending according to six IT security layers. Source: Ponemon Institute]
Which industry verticals are most At Risk of a data breach?
"We aren't publicly traded." Although you may not be required to comply with a forced directive, you likely still have: financials, customer information, personnel information, vendors, product data, and sales information. And you need to protect it.
How does IBM i factor into this?
Threat vectors depend on how and what your Power Systems server is connected to.
The majority of Power Systems servers live inside the perimeter and are therefore most at risk from Insider Threat.
Secure vs. Securable
IBM i has a reputation as one of the most securable operating systems on the market. But "securable" does not imply you simply plug it in and don't have to configure anything!
It's important to recognize the nuances of IBM i. Both the risks and the steps needed to mitigate risks to this server are very different from other server platforms. The same general principles exist, but how they are addressed may vary widely. It is also recommended to throw out any preconceived notions about IBM i security in case they're wrong!
                                     IBM i               Windows            UNIX
Vulnerabilities / Patch Management   Low Concern         Major Concern      Major Concern
Virus / Trojan / Worms               Variable Concern*   Extreme Concern    Moderate Concern
Unauthorized Users and/or Access     Extreme Concern     Moderate Concern   Moderate Concern
*Depends on utilization of the Integrated File System (IFS)
PowerTech uses anonymous audit data from a Security Scan tool to compile an annual study of security statistics. This study, available online, provides a picture of what IBM i shops are currently doing with their security controls. Year after year, it shows that there is still room and need for improvement!
System Security Level
[Chart: 85% / 15%] Auditing is inactive. IBM i's audit facility is turned OFF by default. Too many companies do not turn auditing on, or use it for purposes other than security (such as high availability). Servers that are auditing are often not collecting the necessary events, or are purging the data too soon.
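The three auditing gaps on this slide (auditing off, the wrong events collected, receivers purged too early) map onto a handful of system values and one journal. The CL program below is an added example written for this page, not code from the HelpSystems deck or from IBM; the receiver name AUDRCV0001, the threshold and the chosen QAUDLVL values are assumptions to adjust to your own standard, and the program needs *AUDIT (plus *ALLOBJ for the QSYS objects) to run.

```cl
/* Added example (not from the HelpSystems deck): enable IBM i security     */
/* auditing and keep the journal receivers it depends on.                   */
/* Assumptions: receiver QSYS/AUDRCV0001, threshold 100000 KB, the QAUDLVL  */
/* list shown in step 3. Adjust to your naming standard and audit policy.   */
             PGM
             DCL        VAR(&AUDCTL) TYPE(*CHAR) LEN(30)
             DCL        VAR(&AUDLVL) TYPE(*CHAR) LEN(160)
             DCL        VAR(&MSG)    TYPE(*CHAR) LEN(200)

/* 1. Current state. QAUDCTL *NONE means nothing is being logged at all.    */
             RTVSYSVAL  SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
             RTVSYSVAL  SYSVAL(QAUDLVL) RTNVAR(&AUDLVL)
             CHGVAR     VAR(&MSG) VALUE('QAUDCTL=' *CAT &AUDCTL *BCAT +
                          'QAUDLVL=' *CAT &AUDLVL)
             SNDPGMMSG  MSG(&MSG) TOPGMQ(*EXT)

/* 2. The audit journal QAUDJRN must exist before QAUDCTL is changed.       */
/*    MNGRCV(*SYSTEM) lets the OS attach a fresh receiver when the          */
/*    threshold is hit; DLTRCV(*NO) stops it deleting detached receivers,   */
/*    so history survives until it has been saved (the "purging too soon"   */
/*    problem on this slide). AUT(*EXCLUDE) keeps ordinary users out.       */
             CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
             MONMSG     MSGID(CPF9801) EXEC(DO)
               CRTJRNRCV  JRNRCV(QSYS/AUDRCV0001) THRESHOLD(100000) +
                            AUT(*EXCLUDE) TEXT('Security audit receiver')
               CRTJRN     JRN(QSYS/QAUDJRN) JRNRCV(QSYS/AUDRCV0001) +
                            MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
                            TEXT('Security audit journal')
             ENDDO

/* 3. Collect the events a security review actually needs (authority       */
/*    failures, security changes, save/restore, service tools, object       */
/*    deletes/creates, program integrity failures), not just the default.   */
             CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY +
                          *SAVRST *SERVICE *DELETE *CREATE *PGMFAIL')

/* 4. Turn auditing on: *AUDLVL honours QAUDLVL, *OBJAUD enables the        */
/*    per-object auditing set with CHGOBJAUD, *NOQTEMP drops QTEMP noise.   */
             CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* 5. Spot-check: print the authority-failure (AF) entries in the current   */
/*    receiver chain to confirm events are really arriving.                 */
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) ENTTYP(AF) +
                          OUTPUT(*PRINT)
             ENDPGM
```

IBM also ships CHGSECAUD, which bundles the journal creation and both system value changes into one command; the long form above is shown because it makes explicit which setting answers which of the three findings. Whatever you choose, review the DLTRCV setting and your receiver save schedule together: auditing that is on but whose receivers are deleted before anyone reads them provides no more evidence than auditing that is off.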
IBM i profiles typically wield too much administrative power. Poor control is often due to profile duplication, or to migration from old servers at a time when security was not a priority. Combined with command line access, the impact can be very significant.
Control and auditing of TCP interfaces requires exit programs. Many companies are not aware that users can upload and download data through these interfaces. Several interfaces allow users to run commands independent of their profile's limit capability settings. [Chart: One or More Exit Programs in Place]
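The two slides above describe conditions you can measure rather than guess at: which profiles hold all-object or security-administrator authority without a command line restriction, and whether the TCP server exit points that bypass that restriction have any exit program registered. The CL below is an added example written for this page, not code from the HelpSystems deck or from IBM; the QTEMP file and table names are assumptions, and the three exit points listed are a starting set, not the full list of servers worth covering.

```cl
/* Added example (not from the HelpSystems deck): report over-privileged    */
/* profiles and exit-point coverage. QTEMP/USRPRF and QTEMP/PWRUSR are      */
/* assumed names; the exit points shown are a starting subset.              */
             PGM

/* 1. Dump every profile's basic attributes to an outfile (model file      */
/*    QADSPUPB). UPUPRF = profile, UPSTAT = status, UPLTCP = limit          */
/*    capabilities, UPSPAU = the list of special authorities.              */
             DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
                          OUTFILE(QTEMP/USRPRF)

/* 2. Keep only profiles that hold *ALLOBJ or *SECADM and are not limited  */
/*    (LMTCPB *NO): these can run any command against any object from a   */
/*    5250 command line. Duplicated or migrated profiles show up here.     */
             RUNSQL     SQL('CREATE TABLE QTEMP/PWRUSR AS (SELECT UPUPRF, +
                          UPSTAT, UPLTCP, UPSPAU FROM QTEMP/USRPRF WHERE +
                          (UPSPAU LIKE ''%*ALLOBJ%'' OR UPSPAU LIKE +
                          ''%*SECADM%'') AND UPLTCP = ''*NO'') WITH DATA') +
                          COMMIT(*NONE)
             RUNQRY     QRYFILE((QTEMP/PWRUSR)) OUTPUT(*PRINT)

/* 3. Exit-point coverage for FTP, the database server (ODBC/JDBC) and     */
/*    remote command. A listing with no exit program means uploads,        */
/*    downloads and commands through that server are neither controlled   */
/*    nor logged, and LMTCPB does not apply to them.                       */
             WRKREGINF  EXITPNT(QIBM_QTMF_SERVER_REQ) OUTPUT(*PRINT)
             WRKREGINF  EXITPNT(QIBM_QZDA_INIT) OUTPUT(*PRINT)
             WRKREGINF  EXITPNT(QIBM_QZRC_RMT) OUTPUT(*PRINT)
             ENDPGM
```

Read the two reports together. A profile with LMTCPB(*YES) but *ALLOBJ is still fully privileged over FTP or remote command, because limit capability only governs the interactive command line; that is the point the slide makes about interfaces that ignore the profile's setting. Registering an exit program (ADDEXITPGM on each exit point) is what puts a control and an audit trail on those paths.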
Security 1st; Compliance 2nd. Security is a state of being. Compliance is adherence. Well-secured servers will often meet or exceed best practice or compliance standards. Secure systems have the advantage of being deliberately and concisely configured to protect the information, not just to satisfy an item on an audit checklist.
Sorry, It Takes Some Work. Be realistic: you probably didn't become unsecure overnight, so don't expect to turn it around in that timeframe. There is no magic potion or silver bullet in security. Commercial tools can (and should) assist, but be leery of anyone who says "just set it and forget it".
Nurture vs. Nature. Start simple and grow:
1. Management sponsorship is a MUST
2. Determine business goals and challenges
3. Evaluate risk (often via an assessment or audit)
4. Publish/review a Security Policy of baseline settings
5. Make adjustments to OS controls
6. Implement third-party tools as necessary
Repeat from step 2 (sometimes step 1).
Empower users and admins to speak up regarding concerns or observations. Build a strong foundation using the OS-provided security controls. Streamline inefficient or lacking processes with third-party solutions.
"The day before a breach, the ROI is zero. The day after, it is infinite." Dennis Hoffman, RSA
A Call To Action
Start with an automated review. Ask questions.
Learn More About IBM i Security. Free Download: 2016 State of IBM i Security. https://www.mc-store.com/products/ibm-i-security-administration-and-compliance-second-edition
Ask Questions: helpsystems.com (product information, data sheets, demonstration videos, trial downloads, customer success stories, how-to articles, request a FREE Security Scan)
Question and Answer
Ask Questions www.helpsystems.com