The Best Shield Against Ransomware for IBM i
Bill Hammond | Director, Product Marketing
Housekeeping
Webinar Audio
• Today’s webcast audio is streamed through your computer speakers
• If you need technical assistance with the web interface or audio, please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the presentation using the Q&A box. If we don't get to your question, we will follow up via email
Recording and slides
• This webinar is being recorded. You will receive an email following the webinar with a link to the recording and slides
Today’s Topics
• IBM i security landscape
• Authentication options and tradeoffs
• Tips on implementing multi-factor authentication for IBM i
IBM i security threats are increasing
• Despite the inherent security capabilities of IBM i (AS/400), it isn’t without vulnerabilities.
• These security gaps can range from relatively common configuration issues to more complex and systematic concerns, but businesses must identify and rectify them to maintain the integrity of their IBM i platform.
• Even a single network intrusion can put organizational data and operability at risk.
• 10% increase in costs of a Data Breach in 2021*
• Breaches from compromised credentials surged by 450% in 2020***
• Cost of data breach is $180 per record for customer PII*
• 88% of organizations see malware as extreme or moderate threat**
• Average total cost of a ransomware breach is $4.62m*
* Cost of a Data Breach Report 2021-IBM Security
** 2021 Malware Report-Cybersecurity Insiders
*** 2021 ForgeRock Consumer Identity Breach Report
“Ransomware attacks against an organization rely heavily on the scammer's ability to steal the credentials of those accounts. Because the attacks orchestrated require some degree of access to a computer, account, or network system, one of the best defense measures against ransomware is multi-factor authentication (MFA).”*
*IS Decisions
CISA Guidance
• According to the US Government’s Cybersecurity & Infrastructure Security Agency (CISA):
Employ MFA for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems
Ransomware is not just a threat to large enterprises
Source: Legal TXTX
Anatomy of a Ransomware Attack
Defending against Credential Theft
Why Do Organizations Need to Control Privilege User Access?
Credential theft is when a bad actor obtains users’ user ids and passwords (via theft from another site, via phishing, etc.) and uses them to gain access to an organization’s systems.
• When configured to require an additional piece of information besides user id and passwords, i.e., multi-factor authentication, having a valid user id/password combination is no longer sufficient to gain access to the systems.
• Think about it. Apple and Google use MFA for phones. How much more valuable is data on an IBM i?
Malware on IBM i
• No (current) malware for IBM i ‘proper’ – that is, the operating system itself
• IBM i can be affected by malware in the IFS in two ways
  • An infected object is stored in the IFS
  • Malware enters the system from an infected workstation to a mapped drive (that is, IBM i) via a file share
Multi-Factor Authentication Overview
Why Adopt Multi-Factor Authentication?
• Regulations are evolving to require or recommend MFA. Consult the latest documentation for the regulations that impact your business!
• MFA avoids the risks and costs of:
  • Weak passwords
  • Complex passwords
• MFA is a good security measure when:
  • It is customizable and simple to administer
  • End users' adoption is easy
• MFA can support internal strategy and legal requirements
• BYOD (Bring Your Own Device) vs COPE (Corporate Owned, Personally Enabled)
• Multi-Factor Authentication is the direction!
Multi-Factor Authentication Adds a Layer of Login Security
Multi-Factor Authentication (MFA), sometimes called Two-Factor Authentication (2FA), uses two or more of the following factors:
• Something you know or a “knowledge factor”
  • E.g. user ID, password, PIN, security question
• Something you have or a “possession factor”
  • E.g. smartphone, smartcard, token device
• Something you are or an “inherence factor”
  • E.g. fingerprint, iris scan, voice recognition
Typical authentication on IBM i uses 2 items of the same factor – User ID and password. This is not multi-factor authentication.
Examples of MFA
This is Not MFA
Two things the user knows and no other factor is not MFA
A combination of things the user knows, has or is provides MFA
Why Is Multi-Factor Authentication Required?
• MFA supports the requirements of numerous industry and governmental regulations
• Multi-Factor Authentication is required by
  • PCI-DSS 3.2
  • 23 NYCRR 500
  • FFIEC
• MFA is mentioned or the benefits of MFA are implied for:
  • HIPAA
  • Swift Alliance Access
  • GDPR
  • SOX
  • GLBA
  • And more
• Selective use of MFA is a good Security practice. You may be required to use it tomorrow, if you’re not already using it today.
Multi-Factor Authentication Options
Authentication Options
Authentication services* generate codes delivered to the user. For example:
• RADIUS compatible (RSA SecurID, Entrust, Duo, Vasco, Gemalto, and more)
• RFC6238 (Microsoft Authenticator, Google Authenticator, Authy, Yubico, and more)
• Others (TeleSign, and more)
Authentication options, beyond the basic factor that the user knows, are delivered by:
• Smartphone app
• Email
• Phone call
• SMS/text message (see box)
• Hardware device such as fobs or tokens
• Biometric device
Use of SMS for Authentication – PCI DSS relies on industry standards, such as NIST, ISO, and ANSI, that cover all industries, not just the payment industry. While NIST currently permits the use of SMS authentication for MFA, they have advised that out-of-band authentication using SMS or voice should be “restricted” as it presents a security risk.
* Not all Authentication Services are supported in Assure Security
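
The point made above that two knowledge items are not MFA, combined with an RFC 6238 code as the possession factor, shown as an added example (not code from the presentation or from Assure Security). The account layout, function names, password, PIN and salt are constructed for illustration; the TOTP secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

KNOWLEDGE, POSSESSION = "knowledge", "possession"  # factor categories from the slide


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP (RFC 4226) over the 30-second step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret, candidate, unix_time, last_used_step=-1, drift=1, step=30):
    """Return the matching step number, or None.

    Accepts +/- `drift` steps of clock skew and refuses any step that was
    already consumed, so an observed code cannot be replayed.
    """
    now = unix_time // step
    for s in range(now - drift, now + drift + 1):
        if s < 0 or s <= last_used_step:
            continue
        expected = totp(secret, s * step, step)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return s
    return None


def _kdf(value: str, salt: bytes) -> bytes:
    # Stored verifier for a knowledge item (never the cleartext value).
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def make_account(password, pin, totp_secret, salt=b"constructed-salt"):
    """Hypothetical account record used only by this example."""
    return {"salt": salt, "password": _kdf(password, salt), "pin": _kdf(pin, salt),
            "totp_secret": totp_secret, "last_totp_step": -1}


def authenticate(account, presented, unix_time):
    """Return (granted, verified_categories).

    Access needs every presented credential to verify AND at least two
    distinct factor categories. Password + PIN is one category, so it fails.
    """
    verified, failed = set(), False
    for name in ("password", "pin"):
        if name in presented:
            ok = hmac.compare_digest(_kdf(presented[name], account["salt"]), account[name])
            if ok:
                verified.add(KNOWLEDGE)
            failed = failed or not ok
    if "totp" in presented:
        matched = verify_totp(account["totp_secret"], presented["totp"],
                              unix_time, account["last_totp_step"])
        if matched is None:
            failed = True
        else:
            account["last_totp_step"] = matched  # consume the code
            verified.add(POSSESSION)
    return (not failed and len(verified) >= 2), verified


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test key
    acct = make_account("correct horse", "4711", key)
    print(authenticate(acct, {"password": "correct horse", "pin": "4711"}, 59))
    print(authenticate(acct, {"password": "correct horse", "totp": totp(key, 59)}, 59))
    print(authenticate(acct, {"password": "correct horse", "totp": totp(key, 59)}, 60))
```
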
Key Features to Look for in an IBM i MFA Solution
• Option to integrate with IBM i signon screen
• Ability to integrate MFA with other IBM i applications or processes
• Multiple authentication options that align with your budget and current authenticators
• Certification by a standards body (e.g. RSA, NIST)
• Rules that enable MFA to be invoked for specific situations or user criteria such as:
  • Group profiles, Special authorities
  • IP addresses, Device types, Dates and times
  • And more
• Real risk-based authentication policy (integrated with access control and elevated authority management capabilities)
Your MFA Solution Should…
…enable protection for more than just Telnet sign on
…make it easy to add a new rule
…show the status of all rules at a glance
…drill down to details of each rule
Assure Advanced MFA
• Protection against compromised
  • Credentials
  • Workstations
  • Sessions
• Add System Access Manager
  • Starting of check printers
  • Accessing and updating data
  • IP ranges
  • Time of day/week
  • File Shares
[Diagram: coverage panels for 5250, FTP, ODBC and NetServer, with the entries Authentication (Initial Program, Modified Sign on via Telnet), Advanced, System Access Manager, File Share and File Share Directory]
Advanced MFA protects against credential theft
• Credential theft can happen in several ways
  • An intruder is in the network and sniffs cleartext user ids and passwords off the network
  • An intruder knows of an application that stores cleartext passwords and steals those
  • Credential stuffing …
    • An intruder finds user ids and passwords have been stolen from somewhere else, sold on the dark web and attempts to use them at another organization
    • This is often successful because many people re-use the same password in multiple places – banks, Amazon and other online retailers and then at work
Multi-factor Authentication can prevent all of these!
Even if an intruder has a valid user id / password combination, they won’t have the second authentication piece.
Multi-Factor Authentication Implementation Tips
Notes on IBM i Authentication Process
• Can be used to protect not only the signon screen, but also to protect application use and communication protocols (e.g. FTP/ODBC/REXEC)
• Users can be registered individually or globally (through group profiles, or any other user attribute)
• Can identify different populations of users and challenge them using different methods
• Use existing authenticators as much as possible
• Options for one-step or two-step authentication
More MFA Implementation Tips
• The coding must be very robust so that users cannot find weaknesses.
• The coding must not leave any trace of the process in the joblog or anywhere else.
• Access to journal(s) should be protected, but this is true anyway for any security policies in place
• Changes to the MFA configuration need to be strongly audited and access by administrators should be prevented (using exit points)
Additional Uses for Multi-Factor Authentication on IBM i
• Enables self-service profile re-enablement and self-service password changes
• Supports the Four Eyes Principle for supervised changes
• Protects access to certain commands like DFU, STRSQL, STRSST, etc…
• Real risk-based authentication policy (integrated with access control and elevated authority management capabilities)
Assure Security for IBM i
• Defending against the increasing sophistication and complexity of today’s security threats, including malware, requires a comprehensive, multi-layered approach.
• The key is to maximize the strength of each layer of your defenses, and then ask: “If this layer is breached, what do I have in place to prevent further damage?”
• Assure Security delivers market-leading IBM i security capabilities that help your organization successfully comply with increasingly stringent cybersecurity regulations and effectively address current and emerging security threats.
Assure Security: Addressing Critical Security Challenges
Access Control
• Prevent unauthorized logon
• Manage users’ system privileges
• Control and restrict access to data, system settings, and command line options
Monitoring
• Automate security and compliance alerts and reports
• Monitor and block views of sensitive data
• Integrate IBM i security data into SIEM solutions
Malware Defense
• Harden all systems and data against attacks
• Automate and integrate security technologies and management
• Design for depth and resilience if one or more defenses fail
Data Privacy
• Encrypt IBM i data
• Secure encryption key management
• Tokenization and Anonymization
• File transfer security for Data in Motion
[Diagram: Assure Security: Addressing Critical Security Challenges. Categories shown: Data Privacy, Access Control, Monitoring, Malware Defense. Products named: Assure Encryption, Assure Secure File Transfer, Assure Monitoring and Reporting, Assure Db2 Data Monitor, Assure System Access Manager, Assure Elevated Authority Manager, Assure Multi-Factor Authentication]
Q&A
The Best Shield Against Ransomware for IBM i

  • 1. The Best Shield Against Ransomware for IBM i Bill Hammond | Director, Product Marketing
  • 2. Housekeeping Webinar Audio • Today’s webcast audio is streamed through your computer speakers • If you need technical assistance with the web interface or audio, please reach out to us using the Q&A box Questions Welcome • Submit your questions at any time during the presentation using the Q&A box. If we don't get to your question, we will follow-up via email Recording and slides • This webinar is being recorded. You will receive an email following the webinar with a link to the recording and slides
  • 3. Today’s Topics • IBM i security landscape • Authentication options and tradeoffs • Tips on implementing multi- factor authentication for IBM i 3
  • 4. • Despite the inherent security capabilities of IBM i (AS/400), it isn’t without vulnerabilities. • These security gaps can range from relatively common configuration issues to more complex and systematic concerns, but businesses must identify and rectify them to maintain the integrity of their IBM i platform. • Even a single network intrusion can put organizational data and operability at risk. IBM i security threats are increasing 10% increase in costs of a Data Breach in 2021* Breaches from compromised credentials surged by 450% in 2020*** Cost of data breach is $180 per record for customer PII* 88% of organizations see malware as extreme or moderate threat** Average total cost of a ransomware breach is $4.62m* * Cost of a Data Breach Report 2021-IBM Security ** 2021 Malware Report-Cybersecurity Insiders *** 2021 ForgeRock Consumer Identity Breach Report
  • 5. “Ransomware attacks against an organization rely heavily on the scammer's ability to steal the credentials of those accounts. Because the attacks orchestrated require some degree of access to a computer, account, or network system, one of the best defense measures against ransomware is multi-factor authentication (MFA).”* *IS Decisions 5
  • 6. CISA Guidance 6 • According to the US Government’s Cybersecurity & Infrastructure Security Agency (CISA) Employ MFA for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems
  • 7. 7 Ransomware is not just a threat to large enterprises Source: Legal TXTX
  • 8. Presentation name Anatomy of a Ransomware Attack 8
  • 9. Defending against Credential Theft Why Do Organizations Need to Control Privilege User Access? Credential theft is when a bad actor obtains users’ user ids and passwords (via theft from another site, via phishing, etc.) and uses them to gain access to an organization’s systems. • When configured to require an additional piece of information besides user id and passwords, i.e., multi- factor authentication, having a valid user id/password combination is no longer sufficient to gain access to the systems. • Think about it. Apple and Google use MFA for phones. How much more valuable is data on an IBM i?
  • 10. Malware on IBM i • No (current) malware for IBM i ‘proper’ – that is, the operating system itself • IBM i can be affected by malware in the IFS in two ways • An infected object is stored in the IFS • Malware enters the system from an infected workstation to a mapped drive (that is, IBM i) via a file share
  • 12. Why Adopt Multi-Factor Authentication? • Regulations are evolving to require or recommend MFA. Consult the latest documentation for the regulations that impact your business! • MFA avoids the risks and costs of: • Weak passwords • Complex passwords • MFA is a good security measure when: • It is customizable and simple to administer • End users' adoption is easy • MFA can support internal strategy and legal requirements • BYOD (Bring Your Own Device) vs COPE (Corporate Owned, Personally Enabled) • Multi-Factor Authentication is the direction! 12
  • 13. Multi-Factor Authentication Adds a Layer of Login Security Multi-Factor Authentication (MFA), sometimes called Two- Factor Authentication (2FA), uses two or more of the following factors : • Something you know or a “knowledge factor” • E.g. user ID, password, PIN, security question • Something you have or a “possession factor” • E.g. smartphone, smartcard, token device • Something you are or an “inherence factor” • E.g. fingerprint, iris scan, voice recognition Typical authentication on IBM i uses 2 items of the same factor – User ID and password. This is not multi-factor authentication. 13
  • 14. Examples of MFA 14 This is Not MFA Two things the user knows and no other factor is not MFA A combination of things the user knows, has or is provides MFA
  • 15. Why Is Multi-Factor Authentication Required? • MFA supports the requirements of numerous industry and governmental regulations • Multi-Factor Authentication is required by • PCI-DSS 3.2 • 23 NYCRR 500 • FFIEC • MFA is mentioned or the benefits of MFA are implied for: • HIPAA • Swift Alliance Access • GDPR • Selective use of MFA is a good Security practice. You may be required to use it tomorrow, if you’re not already using it today. 15 • SOX • GLBA • And more
  • 17. Authentication Options 17 Authentication services* generate codes delivered to the user. For example: • RADIUS compatible (RSA SecurID, Entrust, Duo, Vasco, Gemalto, and more) • RFC6238 (Microsoft Authenticator, Google Authenticator, Authy, Yubico, and more) • Others (TeleSign, and more) Use of SMS for Authentication – PCI DSS relies on industry standards, such as NIST, ISO, and ANSI, that cover all industries, not just the payment industry. While NIST currently permits the use of SMS authentication for MFA, they have advised that out-of-band authentication using SMS or voice should be “restricted” as it presents a security risk. Authentication options, beyond the basic factor that the user knows, are delivered by: • Smartphone app • Email • Phone call • SMS/text message (see box) • Hardware device such as fobs or tokens • Biometric device * Not all Authentication Services are supported in Assure Security
  • 18. Key Features to Look for in an IBM i MFA Solution • Option to integrate with IBM i signon screen • Ability to integrate MFA with other IBM i applications or processes • Multiple authentication options that align with your budget and current authenticators • Certification by a standards body (e.g. RSA, NIST) • Rules that enable MFA to be invoked for specific situations or user criteria such as: • Group profiles, Special authorities • IP addresses, Device types, Dates and times • And more • Real risk-based authentication policy (integrated with access control and elevated authority management capabilities) 18
  • 19. Your MFA Solution Should… 19 …enable protection for more than just Telnet sign on …make it easy to add a new rule
  • 20. Your MFA Solution Should… 20 …show the status of all rules at a glance …drill down to details of each rule
  • 21. Assure Advanced MFA 5250 FTP • Protection against compromised • Credentials • Workstations • Sessions • Add System Access Manager • Starting of check printers • Accessing and updating data • IP ranges • Time of day/week • File Shares • Authentication • Initial Program • Modified Sign on via Telnet • Advanced • System Access Manager • Authentication • Advanced • System Access Manager ODBC NetServer • Authentication • Advanced • System Access Manager • Advanced • System Access Manager • File Share • File Share Directory 21
  • 22. Advanced MFA protects against credential theft 22 • Credential theft can happen in several ways • An intruder is in the network and sniffs cleartext user ids and passwords off the network • An intruder knows of an application that stores cleartext passwords and steals those • Credential stuffing … • An intruder finds user ids and passwords have been stolen from somewhere else, sold on the dark web and attempts to use them at another organization • This is often successful because many people re-use the same password multiple places – banks, amazon and other online retailers and then at work Multi-factor Authentication can prevent all of these! Even if an intruder has a valid user id / password combination, they won’t have the second authentication piece.
  • 24. Notes on IBM i Authentication Process • Can be used to protect not only the signon screen, but also to protect application use and communication protocols (eg. FTP/ODBC/REXEC) • Users can be registered individually or globally (through group profiles, or any other user attribute) • Can identify different populations of users and challenge them using different methods • Use existing authenticators as much as possible • Options for one-step or two-step authentication
  • 25. More MFA Implementation Tips • The coding must be very robust in order to not let users finding weaknesses. • The coding must not leave any trace of the process in the joblog or anywhere else. • Access to journal(s) should be protected, but this is true anyway for any security policies in place • Changes to the MFA configuration need to be strongly audited and access by administrators should be prevented (using exit points) 25
  • 26. Additional Uses for Multi- Factor Authentication on IBM i 26 • Enables self-service profile re-enablement and self-service password changes • Supports the Four Eyes Principle for supervised changes • Protects access to certain commands like DFU, STRSQL, STRSST, etc… • Real risk-based authentication policy (integrated with access control and elevated authority management capabilities)
  • 27. Assure Security for IBM i • Defending against the increasing sophistication and complexity of today’s security threats, including malware requires a comprehensive, multi-layered approach. • The key is to maximize the strength of each layer of your defenses, and then ask: “If this layer is breached, what do I have in place to prevent further damage?” • Assure Security delivers market-leading IBM i security capabilities that help your organization successfully comply with increasingly stringent cybersecurity regulations and effectively address current and emerging security threats.
  • 28. Assure Security: Addressing Critical Security Challenges
    • Access Control
      • Prevent unauthorized logon
      • Manage users’ system privileges
      • Control and restrict access to data, system settings, and command line options
    • Monitoring
      • Automate security and compliance alerts and reports
      • Monitor and block views of sensitive data
      • Integrate IBM i security data into SIEM solutions
    • Malware Defense
      • Harden all systems and data against attacks
      • Automate and integrate security technologies and management
      • Design for depth and resilience if one or more defenses fail
    • Data Privacy
      • Encrypt IBM i data
      • Secure encryption key management
      • Tokenization and Anonymization
      • File transfer security for Data in Motion
  • 29. Assure Security: Addressing Critical Security Challenges
    • Data Privacy: Assure Encryption, Assure Secure File Transfer
    • Monitoring: Assure Monitoring and Reporting, Assure Db2 Data Monitor
    • Access Control: Assure System Access Manager, Assure Elevated Authority Manager, Assure Multi-Factor Authentication
    • Malware Defense: Assure System Access Manager, Assure Elevated Authority Manager, Assure Multi-Factor Authentication, Assure Monitoring and Reporting, Assure Encryption
  • 30. Q&A
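
Slide 22's point that a stolen user ID and password are not enough once a second factor is required, shown as an added example (not from the webinar or from Assure Security): a two-step check, one of the options slide 24 lists, using an RFC 6238 time-based code. The class name, user name, password and salt are constructed, the secret is the published RFC 4226 test key, and Python stands in for whatever runs on the IBM i side.

```python
import hashlib, hmac, struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoStepAuthenticator:
    """Hypothetical verifier: step 1 checks the password, step 2 the TOTP code."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, password: str, salt: bytes, secret: bytes):
        self.users[user] = {"salt": salt, "pw": hash_password(password, salt),
                            "secret": secret, "last_step": -1}

    def authenticate(self, user, password, code, now, step=30, window=1) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        supplied = hash_password(password, rec["salt"])
        if not hmac.compare_digest(supplied, rec["pw"]):
            return False                         # step 1 failed
        current = int(now) // step
        for s in range(current - window, current + window + 1):
            if s <= rec["last_step"]:
                continue                         # code already used: no replay
            expected = totp(rec["secret"], s * step, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                rec["last_step"] = s
                return True
        return False                             # valid password, no second factor

# Constructed sample data: the secret is the published RFC 4226 test key.
SECRET = b"12345678901234567890"
auth = TwoStepAuthenticator()
auth.enroll("APPUSER", "Summer2021!", b"constructed-salt", SECRET)

if __name__ == "__main__":
    print(auth.authenticate("APPUSER", "Summer2021!", "", now=59))        # stolen password only
    print(auth.authenticate("APPUSER", "Summer2021!", "287082", now=59))  # both factors
    print(auth.authenticate("APPUSER", "Summer2021!", "287082", now=59))  # replayed code
```

The code is compared in constant time and never printed or logged, in line with slide 25's tip about leaving no trace of the process.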

Editor's Notes

  • #13:
    • To improve security
      • Passwords alone are insufficient to protect your systems from attack
      • Multi-step is still better than just one step
      • Verizon 2018 Data Breach Investigations Report: “Use two-factor authentication. Phishing campaigns are still hugely effective. And employees make mistakes. Two-factor authentication can limit the damage that can be done if credentials are lost or stolen.”
    • To comply with regulations and laws
      • HIPAA doesn't explicitly mention MFA, but due to password expiration reinforcement and updates to NIST guidance (800-63), it becomes a very reasonable solution to meet something like section 164.312(d)
      • Financial companies doing business in the state of New York have to comply with the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). Section 500.12 (b) states that “Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
      • FFIEC recommends MFA: The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.
      • PCI-DSS version 3.2 requires companies to secure all administrative access to the CDE (Cardholder Data Environment) using MFA by January 2018. Check the document « Multi-Factor Authentication » (February 2017) and Requirement 8.3.