Ransomware is a threat to organizations of all sizes and is only growing, both in frequency and in sophistication. Using a variety of attacks, criminals will hold a company’s data and systems hostage unless a ransom is paid, and in 70% of those incidents, businesses never recover all of their data, even after paying the attackers.
Any system can be vulnerable to a ransomware attack, including your IBM i systems. While it is unlikely to be the direct source of such an attack, the fact that it’s one of the most critical systems in a company makes it a prime target. The most common source—and biggest risk—is from users on the network. And the biggest point of exposure on the IBM i is the IFS (Integrated File System). An infected PC or server will reach out across the network and try to encrypt and rename files on every system it can reach, which typically includes any IBM i IFS shares a user’s PC has access to.
So, what can you do? Let’s go over some of the ways you can protect your systems.
1. Do not leave your system exposed. Lock down the IFS SMB shares.
For the IFS to be at risk, it would need to have shares created and exposed to the network. SMB is the protocol used by Windows and Linux systems to share files, and the IBM i IFS can serve SMB shares using NetServer. Check for open file shares, make sure they are shared with the proper access authority requirements, and if you find shares that are not needed, then shut them down. Here’s how:
- In Nav4i (Navigator for i), open the NetServer Manager and check all file shares:
- Are they needed? Remove shares that are not needed. [Never share root (/)]
- When your system ships, the public authority to the root directory is *ALL (which is not secure). When you create new directories in the root (/), QOpenSys, or user-defined file systems, make sure you change the authority.
- Check access levels. Is Read Only access enough? Do NOT share with Read/Write access unless it is absolutely necessary for users to be able to write to the shared directory. Limit R/W access whenever possible.
- Set the audit level to *CHANGE or *ALL for existing objects in the IFS as well as all newly created objects, using CHGAUD and CHGATR OBJ('/') ATR(*CRTOBJAUD) VALUE(*ALL)
- Restrict file extensions (like .exe) and other activity using a file server exit program
- Using tools from CloudFirst and Precisely Assure Security, many of these steps can be automated
* V7R4 lets you run the latest SMB V3 with Encryption… Is it time for an upgrade?
* Manage IBM i NetServer without Navigator for i – GO NETS
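To make the share review above repeatable, here is an added example (not from the original article) that inventories NetServer file shares through the Db2 for i service QSYS2.SERVER_SHARE_INFO and flags the two findings the step calls out: a shared root and Read/Write shares. It assumes a release where that service exists and that its PERMISSIONS and SHARE_TYPE columns carry the values shown; the audit command it wraps in QCMDEXC is the one from the step.

```sql
-- Added example, not part of the original article.
-- Assumes QSYS2.SERVER_SHARE_INFO is available (IBM i 7.3 or later with current
-- Db2 PTF group) and that PERMISSIONS reports 'READ ONLY' / 'READ WRITE' and
-- SHARE_TYPE reports 'FILE' for file shares; verify against your release.

-- 1. List every NetServer file share and classify it.
SELECT server_share_name,
       path_name,
       permissions,
       CASE
         WHEN path_name = '/'            THEN '1-ROOT IS SHARED: remove the share'
         WHEN permissions = 'READ WRITE' THEN '2-READ/WRITE: justify or make READ ONLY'
         ELSE '3-ok'
       END AS finding
  FROM qsys2.server_share_info
 WHERE share_type = 'FILE'
 ORDER BY finding, server_share_name;

-- 2. Shares that are not needed can be removed with the RMVFSSHR command
--    (QSYS2.QCMDEXC runs a CL command from SQL). Share name is a placeholder.
-- CALL qsys2.qcmdexc('RMVFSSHR SHARE(OLDSHARE)');

-- 3. Make sure every object created under root from now on is audited,
--    as the step above describes (single quotes are doubled inside the literal).
CALL qsys2.qcmdexc('CHGATR OBJ(''/'') ATR(*CRTOBJAUD) VALUE(*ALL)');
```

Run it from ACS Run SQL Scripts or STRSQL on a test partition first; step 3 changes a system-wide attribute and needs the authority to alter the root directory.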
2. Check for FTP and other access to system files.
Now that all your IFS file shares are locked down, you may still have and need access to the system and IFS over FTP, SSH or other protocols. FTP as an attack vector is not something new. A 2017 FBI alert warned, “The FBI is aware of criminal actors who are actively targeting FTP servers,” and while that alert was related to healthcare, the risk is real across industries.
- Use encrypted protocols (SFTP, SSL, SSH)
- Use a dedicated FTP or SFTP server that does not perform mission critical data processing and does not store sensitive data like PII or PHI
- Use real-time system monitoring capable of sending alerts for abnormal or suspicious activities
- Use Exit Points to lock down and control access
3. Use a DMZ network to keep your more vulnerable systems segmented and safe.
A DMZ server on a separate network segment running Windows or Linux and a company-approved malware and threat protection solution can be a great layer of defense against attacks. Do you need to bring files from external sources for processing on the IBM i? Use a DMZ server with Realtime AV/Threat Protection.
- Transfer files to DMZ server (SMB, FTP, SFTP, etc.)
- Real-time scan with approved malware and best ransomware protection solutions
- Configure jobs on the IBM i to pull files from this server and/or place files back on the DMZ server after processing
- Restrict access on the IBM i, limiting it to only communicate with the DMZ server as appropriate
4. Secure the endpoint devices and scan at the edge.
Remember, the user PCs are the biggest risk. Using your standard corporate malware and threat protection already controlled and monitored by corporate security is one of the best places to defend against ransomware. End user security awareness training is also a critical step, as many ransomware attacks start with a malicious email. Companies like Sophos offer endpoint threat protection as well as edge firewall devices that can use deep learning to detect and block ransomware attacks at the gateway. When the IBM i is segmented using firewall capabilities like this, you reduce the attack surface and reduce the threat.
5. Make sure you have a backup plan.
While it won’t stop ransomware, it is important to make sure you have good cloud backups that follow the 3-2-1 strategy (minimum of 3 copies, 2 different media types and 1 off-site). This will allow for quick recovery should you be a victim of a cyberattack. An immutable backup may be your last line of defense against Ransomware!
These 5 steps will have a huge impact towards reducing the risks of ransomware affecting your systems and more importantly your business. As part of a broader trend in IT, systems hosted in the cloud can actually be more secure than their on-premises counterparts and offer many of these capabilities as a built-in part of the solution. For example, an IBM i system hosted in the CloudFirst Cloud includes network segmentation of the IBM i by design, strict firewall policies for access, capabilities for edge threat detection and prevention, secure cloud backup strategies, and system security through Precisely’s Assure Security Enforcive Suite. With the CloudFirst’s default ezSecurity Package, you can configure exit points, system auditing, get real-time alerts for critical security events and scheduled system reports. Also be sure to take advantage of CloudFirst’s Free Annual Risk Assessment!