Top 3 Ways to Protect Your IBM i from Intruders

The news today is filled with stories about security breaches at Sony PlayStation, Epsilon, EMC, the State of Texas, Google, an FBI affiliate, and Lockheed Martin. Threats are increasing in size and sophistication, and companies are being forced to re-examine their security posture toward the outside world and even toward known users.

From our perspective, the single most important thing that an organization can do is to implement an Intrusion Detection and Prevention System to provide protection from costly disruptions to their business. According to the National Institute of Standards and Technology, Intrusion Detection and Prevention Systems (IDPS) 'have become a necessary addition to the security infrastructure of nearly every organization'.

Your IDPS should provide more than a simple firewall with weekly audit and compliance reports. The recent security breaches at Lockheed highlight the need for preventive actions in IDPSs. However, it is our view that you need even more from your protective systems. There are times when your business requires immediate alerts and automated actions to shut down and shut off offending user access.

As fantastic as the IBM i's native security is, IBM does not provide a security process for controlling Remote Access. It is therefore essential for organizations with the IBM i to install a full-featured IDPS that will provide comprehensive protection from the outside world. Since IBM provides absolutely no security in this area, installing an IDPS is the first thing you can do to secure your systems and information.

Here are three important areas to focus on with respect to intrusion detection, control and prevention for your System i:

  1. Monitor Your Exit Points.

    Whether you build your own or buy an IDPS, it is essential that you monitor your exit points to ensure that all external access, both incoming and outgoing, involves only known and accepted TCP/IP addresses. However, simply monitoring TCP/IP addresses is no longer enough. Even transmissions from known sources should be checked against the application servers they are approved to use, such as FTP, Telnet, etc. For example, an IP address which is approved to use the TELNET exit should not be given blanket acceptance to your machine. If that IP attempts to access via FTP, the transaction should cause a real-time alert for immediate further review or be rejected outright.

  2. Establish Rules for Who and What Your Users Can Do.

    To prevent unauthorized access to your data, we believe you must also set up rules to control who has access and what your users are allowed to do remotely.

    Regardless of which exit point or communications protocol is in use, controlling the transaction right down to the user and allowed activity level is crucial. Authorizing a transmission to a production library is no longer enough. You need to control who can read, and who can write, update or delete, and specifically which data elements they can do so to.

    Not all activity by your authorized users may be acceptable. Your authorized users should be monitored for access that is appropriate to their job function.

    For example, you might have a daily transmission via an approved exit point/IP address/user combination to update a transaction file. If that approved combination attempts to download your customer database, it should be denied, and appropriate real-time alerts and immediate actions should be initiated. If your IDPS does not provide this level of protection, you are leaving your data exposed.

  3. Protect Against Data Compromise.

    While recent events have highlighted the need for protection from the outside, protections must also cover internal threats. Not all intrusions are from outside the company network or are from unknown users. According to Forrester Research, the majority of security breaches involve internal employees, with the number estimated at 80%-85%.

    Even when a user has the necessary passwords and permissions to enter, you must still be able to stop them from taking harmful action against your business by taking immediate corrective steps in real time. For example, if a user attempts to copy a critical file, the system would issue an alert to a security officer and automatically end the job and disable the offending user - or take other actions that you designate to protect your data.

    We believe that to fully protect your data you must have tools in place that will recognize unusual activity wherever it is initiated - and alert/react accordingly.

    You need a process that can monitor key data fields for unusual changes by comparing these changes to a threshold value. For example, your protective solution should be capable of issuing an alert if the amount of a bank loan is modified by more than 20%.
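
The layered checks described under "Monitor Your Exit Points" and "Establish Rules for Who and What Your Users Can Do" (source address, then server, then user, then activity) can be modelled as a default-deny rule evaluation. This is an added example in Python, not IBM i exit program code and not part of any SEA product; the rule table, addresses, user profiles and library names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    network: str           # approved source address range
    server: str            # server behind the exit point: "FTP", "TELNET", ...
    user: str              # user profile the rule applies to
    operations: frozenset  # permitted activity, e.g. {"WRITE"}
    objects: frozenset     # permitted library/file names, "*" for any


# Constructed sample policy; every address, user and object name is illustrative.
RULES = [
    Rule("192.0.2.10/32", "TELNET", "OPERATOR1", frozenset({"SIGNON"}), frozenset({"*"})),
    Rule("198.51.100.0/24", "FTP", "BATCHUPD", frozenset({"WRITE"}),
         frozenset({"PRODLIB/TRANS"})),
]


def evaluate(src_ip, server, user, operation, obj, rules=RULES):
    """Return (decision, reason). Anything not explicitly approved is refused."""
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return "REJECT", "unparseable source address"
    server, user, operation = server.upper(), user.upper(), operation.upper()

    known = [r for r in rules if addr in ip_network(r.network)]
    if not known:
        return "REJECT", "unknown source address"
    # A known address is not blanket approval: it must be approved for this server.
    on_server = [r for r in known if r.server == server]
    if not on_server:
        return "REJECT_AND_ALERT", f"address not approved for {server}"
    for_user = [r for r in on_server if r.user == user]
    if not for_user:
        return "REJECT_AND_ALERT", f"user {user} not approved for {server} from this address"
    # Finally check the activity itself: operation and target object.
    for r in for_user:
        if operation in r.operations and ("*" in r.objects or obj in r.objects):
            return "ALLOW", "approved combination"
    return "REJECT_AND_ALERT", f"{operation} on {obj} is outside the approved activity"
```

With this sample policy, the approved daily FTP update of `PRODLIB/TRANS` is allowed, while the same address and user attempting to read `PRODLIB/CUSTOMER` is refused with an alert.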

Now is the time to consider whether you have the right IDPS in place and whether your IDPS takes sufficient corrective steps to avert an embarrassing business disruption. At SEA, we offer businesses a free assessment of their security infrastructure that tests your System i network security vulnerability within minutes. Our network security assessment solution checks your ports, sign-on attributes, user privileges, passwords, terminals, etc. and provides instant results, with a score of your current network security status under its present policy, compared with the score if our iSecurity were in place. Taking steps now to detect, prevent and control access will protect your IBM i, facilitate Compliance - and protect your business.

Software Engineering of America (SEA) is a leader in the field of enterprise software solutions. SEA is one of the most successful companies in the enterprise software industry, with products used at thousands of installations worldwide.