The purpose of this blog is to highlight those issues that can make the IBM i vulnerable to data breach and unexpected downtime. As reliable and secure as IBM i is, there still are areas that require IBM i users to assess and protect.
Disclaimer: IBM iSeries and AS400 are servers. IBM i is an operating system. I use these terms interchangeably to make it easy for folks to find this kind of information on the web.
One of the great things about blogs that allow reader feedback is how quickly I can get educated, particularly by some of the best and brightest from the IBM i security community.
I posted a blog “You Give Up Things With An IBM i (iSeries/AS400) Server … Things Like Viruses, Security Holes, Downtime, Systems Management, and Growing IT Staff.”
While the intent of the blog is to stress the IBM i reliability and its unique characteristics, I made an over-reaching comment that “It is a fact that no IBM i user has experienced unplanned downtime from any virus IBM i.”
Well, I made a mistake. That is simply WRONG, as I found out.
And, I am grateful to have three very smart people clearly explain how I was mistaken. Further, they elaborated on factors beyond virus infection.
Specifically, they are
Bruce Bading, President of BFB Security
Robin Tatam, CISM, PCI-P
Carol Woodbury, CISSP, CRISC, PCIP, Vice President, Global Security Services at HelpSystems, LLC
Bruce Bading Observations
[The IBM i] is one of the most securable systems on the planet, but not necessarily the most secure with most of our customers.
Here is a misconception. The IBM i does come unboxed with pretty tight cybersecurity. A few vulnerabilities, such as unencrypted telnet and ftp and JOBACN. It has OpenSystems that are vulnerable to data breaches. Apache Struts is one of them that needed to be patched. But as Robin Tatam states, we need to be careful not to dismiss these and other risks and learn security coding. Least privilege, and watch adopted authority. The IFS can be infected with viruses and make their way into qsys.lib if the root is shared.
Customers need to really take cybersecurity seriously. The IBM i community take note, internal actors account for 30% of breaches according to the yearly Verizon DBIR. Most modern Cryptoware doesn’t care about the OS or file types. The latest version of the Ryuk cryptoware I found on a large network was a metamorphic, 6th generation malware that morphed each time we tested and is now off to Infocyte labs for more testing. Both the keys and payload bits changed and it encrypted everything in my testing sandbox including Linux, Windows and MacBook as I thought it would. That leads me to believe that if the root is open, the ENTIRE system possibly including qsys.lib could be encrypted. This is why I authored the IBM i CIS Benchmarks at the request of a customer which points out the risk of the root share and more.
Robin Tatam Comments
In regard to the resistance against viruses, the ‘i’ community must be extremely careful and not be dismissive of this risk. At HelpSystems, we DO have IBM i customers who have experienced unplanned outages due to viral activity. One of the most dramatic examples saw a half-million IFS files encrypted which caused their server to actually fail. My colleague has an often-quoted screenshot of the subsequent virus scan that revealed 248,000 iterations of the virus resident on the IFS. Although I have not personally witnessed a problem in the native file system, a viral attack with access to the root folder could absolutely cause major issues because Qsys.lib is open to *PUBLIC. While Physical Files (PF-DTA) and other native objects are protected from encryption thanks to IBM i, it is absolutely possible for those objects to be renamed and deleted. One could argue that results in an even worse situation than seen with Windows as the company doesn’t have the option to pay the ransom if they wish to (not that I am endorsing that!). Furthermore, HA will blindly damage the backup system a split-second later which presents a precarious position of no viable primary and no viable secondary server. IBM i received integrated anti-virus system values and exit points beginning in V5 of i5/OS in the mid-2000s. But it’s important to note that the anti-virus engine must be purchased from a third party. The risks associated with viruses and these integrated controls should be discussed and considered to prevent a horror story. Yes, it’s not Windows, but it’s a critical server, an enterprise-level application business server, and shouldn’t be operated without strong protection.
Sadly and ironically, I had another IBM i organization reach out THIS WEEK due to being crashed offline by malware. They use Content Manager OnDemand (or whatever it’s called now) and all their information was encrypted. A full restore was anticipated and that was expected to have them down for an additional full day after diagnostics. How much does that downtime cost? Knowing who this organization is -> very expensive! Sadly, there were common mistakes made including sharing the root folder of the IFS which could have meant native damage as well. Was that the fault of the OS? Certainly not, but that doesn’t change the fact that users were down for a full day (or more). My point is to use common sense and give this amazing system the same respect and consideration of cyber threats as you do for your other critical enterprise servers. Yes, it’s an incredible piece of technology but, if you leave the door wide open, someone is eventually going to walk through it.
Carol Woodbury
I agree with Robin. To say that IBM i cannot be affected by a virus or that an IBM i shop has never had down-time due to a virus is not accurate. Has there been a virus that will specifically target the IBM i operating system? Thankfully and to date, the answer is no. That said, if you have a mapped drive to the IFS, the path associated with that share looks like a regular drive to whatever workstation it’s attached to. If the user on the workstation clicks on the wrong link and downloads malware, it will first attack the workstation and then march through the mapped drives and infect them. If the workstation is mapped to a read/write share to root (‘/’) then the malware can – and has – affected THE ENTIRE SYSTEM. The second way IBM i can be affected by viruses is that it can store them in the IFS – thus the introduction of the scanning exit points (which happened while I was still security team leader at IBM.) They were put in place to allow real-time virus scanning of the IFS – to allow customers to plug in an AV solution and find those viruses stored in the IFS. I have refrained from commenting on previous articles but I could not stay silent with the claim that there has been no downtime due to a virus. This statement is simply not true – I have personally seen the aftermath of malware coming in via a read/write share to root. Can the system be protected? Yes! But we MUST use the features IBM has provided – along with some common sense – to achieve that level of security. It does not happen ‘out of the box.’
I Am Grateful For This Feedback
Thank you for your helpful comments. Your generous sharing of your expertise helps all of us in the IBM i community.
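The three comments above come down to a few settings an administrator can verify directly: a read/write NetServer share of root (or of /QSYS.LIB itself), the QSCANFS/QSCANFSCTL system values, and whether any program is actually registered on the scan exit points. The SQL below is an added example, not from the post, the commenters or the CIS Benchmark; it assumes an IBM i release where the QSYS2.SERVER_SHARE_INFO, QSYS2.SYSTEM_VALUE_INFO and QSYS2.EXIT_PROGRAM_INFO services are available (7.3 or later) and is meant to be run from ACS Run SQL Scripts or STRSQL.

```sql
-- Check 1: file shares that expose the IFS root, or the native file system,
-- read/write. A workstation that maps such a share sees '/' as an ordinary
-- drive, so ransomware on that workstation writes straight through to QSYS.LIB.
-- Any row returned here is a finding.
SELECT server_share_name, path_name, permissions
  FROM qsys2.server_share_info
 WHERE share_type = 'FILE'
   AND path_name IN ('/', '/QSYS.LIB')
   AND permissions = 'READ/WRITE';

-- Check 2: the integrated scanning system values the comments refer to.
-- QSCANFS = *NONE means the scan exit points are never driven; the
-- hardened setting is *ROOTOPNUD (scan root, QOpenSys and user-defined
-- file systems). QSCANFSCTL controls the scan behaviour itself.
SELECT system_value_name, current_character_value
  FROM qsys2.system_value_info
 WHERE system_value_name IN ('QSCANFS', 'QSCANFSCTL');

-- Check 3: the system values only enable the hook; a third-party AV engine
-- must still be registered on the open/close scan exit points. No rows here
-- means scanning is effectively off regardless of QSCANFS.
SELECT exit_point_name, exit_program_library, exit_program
  FROM qsys2.exit_program_info
 WHERE exit_point_name LIKE 'QIBM_QP0L_SCAN%';
```

Shares found by the first query are normally replaced with narrower read-only or per-directory shares rather than removed outright, so that the mapped-drive path an infected workstation sees no longer covers /QSYS.LIB.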
Need Help?
Call me at 714-593-0387 or email me at blosey@source-data.com. Let us know how we can help!
To learn more about us, and view our customer testimonials, please visit our website: www.Source-Data.com and see our other links:
1) IBM I on POWER (iSeries/AS400)
https://www.source-data.com/ibm-i-on-power-server/
2) IBM I (iSeries/AS400) Cloud Hosting
https://www.source-data.com/cloud-400/
3) IBM I (iSeries/AS400) Disaster Recovery Options
https://www.source-data.com/cloud400-disaster-recovery/
4) IBM I (iSeries/AS400) Version Upgrade