This rant is intended as a wakeup call to companies and ITSecurity experts.
I have 25 years of experience in Security on IBM i and all too often my observation of the poor implementation of IBM i Security of many companies is truly alarming!
All players are responsible for this situation, but first and foremost companies.
One would have thought that the ever more restrictive regulations would significantly improve their level of Security, but it is clear that this is not (yet) the case.
Companies that have suffered violent attacks have, months later, still not decided to put anything in place…… Studies are still in progress……. Worse, some do not try to understand where the hackers have entered! This is distressing!
Often, the recommendations of audit reports follow the current trend – For example, it is not in fashion to offer basic remediation on IBM i; integration with a SIEM/SOAR Solution is quickly pushed, and it doesn’t matter what is sent to this SIEM or even if people at the helm know how to decipher specific IBM i events.
However, there are real experts in this field, who will have a more pragmatic approach. They will be able to focus on the main flaws and propose appropriate solutions. They obviously don’t know everything (one can’t be an expert in all areas!), but they do very well what they know.
Given the terrible news, the threat this time is very serious and requires immediate action.
Let’s just mention 2 flaws that have shaken up our quiet IBM i ecosystem: Log4j and SolarWinds.
It is highly likely that the hackers have already positioned backdoors via these 2 flaws, in order to be able to come back quietly later once the patch has been applied.
Since hackers have been able to introduce malicious code into security software like SolarWinds, it can be considered that other software is also affected and that hackers are waiting for the right moment to use it.
Hackers certainly have a stock of exploitable flaws not known to date. The attacks will certainly become more sophisticated than current ransomware, or even undetected because they are focused on data theft. Worse, the databases of the attacked systems could be slightly modified to cause pernicious malfunctions spread over time and therefore loss of integrity and inconsistencies not detected quickly, which will cause even more chaotic situations (no more reliable recovery point).
And to complete the situation, your email addresses and phone numbers are probably already in wrong hands.
Tomorrow, you could receive messages from your government (or who claims to be) by email or SMS. It will be necessary to redouble attention on the URL links – For example: Cyrillic characters close to Roman characters.
THE DEAL HAS CHANGED!
Experts: Make yourself known, participate in the surveillance and defense effort.
Companies: Stop Procrastinating! Start today to create a more pragmatic approach. Work with experts with in-depth knowledge of your servers (and not “generalist experts”).
PLEASE ACT NOW!
Author: – Guy Marmorat www.Resiliane.com