Edit: This was published as an ebook by TechChannel
Rob McNelly explains what questions you and your team should be
asking to make sure data is locked down
I will also archive it here in case the original link stops working in the future.
You’ve seen the headlines about malware attacks and cyberhacks. Whether it’s a competitor looking to steal your secrets or criminals looking to extort money, system administrators have myriad reasons to be wary. After all, the only absolutely secure system is one that is powered off.
Luckily, if you’re running AIX on IBM Power Systems hardware, you are officially “secure” and don’t need to take further action (in case you couldn’t tell, that’s sarcasm).
Don’t get me wrong; AIX is great. It’s my favorite OS. But it still requires monitoring and patching, and that’s for starters. If you don’t believe me, check IBM’s APAR security information or CVE vulnerability data.
It may be true that Windows and Linux systems, which number in the millions, are higher profile and thus more commonly targeted. However, that’s no reason for AIX admins to be complacent. If anything, systems running AIX make more tempting targets for bad actors. Look at it this way: The data held on AIX systems is incredibly valuable.
These machines typically run mission-critical workloads and essential databases and applications for some of the world’s largest enterprises. What are the ramifications of someone gaining access to or corrupting this data? What happens if records are deleted or destroyed? Yes, most AIX systems are behind a firewall, and most large corporate environments have disaster recovery sites and detailed recovery plans. Again though, that’s not enough. More must be done to reduce the chances of a damaging attack.
Put Yourself on Notice: IBM Support
I like to keep up to date on the latest known vulnerabilities by subscribing to IBM’s notifications. You can bookmark the links I cited earlier, or just do what I do and register for IBM updates. I receive weekly emails from IBM. Go to the IBM Support site to subscribe and manage your subscriptions and delivery preferences.
While I prefer weekly updates, you can opt for daily email. You can also limit update topics to ensure the information you receive is relevant.
Once you check these boxes, ask yourself some questions about your own environment. For instance, if an attacker gains access to your internal network, how quickly or easily could you identify the vulnerability? Are unnecessary services running on your machine? It’s harder to attack a system that’s listening on only a limited number of ports.
I mentioned firewalls: They’re a nice line of defense, but attackers can still beat them and gain access via the network. They could gain a foothold by compromising VPN credentials or some Windows or Linux machine on the network, and then move laterally within your organization by behaving as an authorized network user. Your network team should be watchful for unusual behavior such as logins at odd hours or atypical actions.
Asking the Tough Security Questions
To see if you are covered, ask yourself these 18 question
1. Do the user IDs on your system have strong passwords?
2. Have you changed your default password algorithm?
3. Have you disabled or deleted accounts that are no longer needed?
4. Are you authenticating via LDAP or some other central service, or are you trying to manually manage user IDs across your machines?
5. Once users log in, are they allowed to escalate their privileges via sudo or some other mechanism?
6. Are those permissions regularly audited?
7. Are the sudo logs themselves audited?
8. Are you tracking attempts, successful or not, to log into your system? Put a machine on port 22 on the public facing internet and see how quickly it gets inundated. If you’re seeing that sort of activity behind your firewall,
something may not be right.
9. If you’re tracking logins, are log files being monitored and reviewed?
10. Do you have a security information and event management (SIEM) server that actively checks logs across your environment?
11. Are log files growing without being rotated, or are they allowed to grow indefinitely? Considering the huge amount of disk that we can allocate to filesystems these days, log file size may seem insignificant, but rotating these logs is still a good idea.
12. Do you keep logs locally or send the files to a central system? This information can help diagnose an intrusion, particularly if an attacker gains access to a machine and alters the files stored there. Of course, if an attacker accesses the logging machines and deletes those files, that’s another matter.
13. Are your systems regularly patched? Besides the OS, are you up to date on patching system firmware, device firmware and any VIO servers that are in use?
14. For those who continue to rely on legacy applications and older AIX versions, are you taking extra precautions? Those using unsupported hardware and software don’t have the options of opening a problem ticket with IBM support or applying security patches. If you’re dealing with these limitations, you must be extra vigilant in assessing and monitoring risks to your environment.
15. What are your procedures, who gets notified, and what actions are taken when an intrusion attempt is detected or recognized after the fact?
16. Who determines when systems should be removed from the network, and who decides how to analyze the system after an event occurs?
17. At what point do you declare a disaster and move operations to another location?
18. Do you have a disaster recovery plan?
Help From the Outside: Lab Services and Documentation
IBM Lab Services for Power Systems or your IBM Business Partner can help you assess your organization’s security and compliance practices and procedures.
Another option is to engage a penetration testing company. Penetration testers simulate attacks to determine how your system would hold up against the real thing, and how well your staff responds to notifications of anomalies in real time. Knowing that there was no detection of an attack is valuable information as well.
While this overview offers a few things to keep in mind as far as managing the security of your systems, it is by no means intended to be an exhaustive list. Rather it is meant to help jump start conversations in your organization to start considering how important your data is and what you can do it keep it safe. I encourage you to read this detailed look at AIX security strategies authored by lifetime IBM Power Champion Jaqui Lynch