The IBM AS400 (rebranded as IBMi) remains a cornerstone of enterprise IT infrastructure in many trucking and logistics operations. Known for its reliability, object-oriented architecture, and ability to handle a diverse range of workloads, the AS400/IBMi continues to power mission-critical operations in businesses worldwide.
Despite its strengths, the AS400/IBMi is not immune to security challenges, contrary to several common misconceptions, such as “it’s so old that no one targets it” or “it isn’t affected by computer viruses or malware.” The IBMi can be impacted by malware and ransomware.
The Integrated File System (IFS) contains all kinds of file types: PDFs, JPEGs, Word documents, etc. These files can just as readily contain malware on an IBMi system as on a Windows system and can end up propagating infected files to other servers on the network. The IFS encompasses the entire system, including the native environment. There are both scan on open and scan on close options for integrated antivirus controls; unfortunately, these are underutilized in most deployments, leaving them vulnerable to infection.
Frequently, there is little to no audit visibility into data flowing on or off the AS400/IBMi platform via protocols such as File Transfer Protocol, Open Database Connectivity, Distributed Data Management, etc. IBM has built several exit points into the operating system to allow an application program to supervise these connections, but IBM does not provide the exit program itself. Properly restricting and thoroughly auditing all movement of data is vital to maintaining a good security posture.
Clearly, there are some strengths in the AS400/IBMi series systems, but misconfigurations, evolving cyberthreats, and a reliance on outdated practices and assumptions can quickly expose significant vulnerabilities. The following configuration issues and security recommendations must be addressed to minimize the risk of a successful cyberattack.
- Legacy configuration weaknesses: Many AS400/IBMi systems were configured decades ago, based on older security paradigms. Over time, organizations may fail to update system values or patch vulnerabilities, leaving their infrastructure exposed.
- Insufficient password policies: By default, usernames and passwords are often configured to match on AS400/IBMi systems. Without enforcing strong password policies, systems are left vulnerable to brute-force attacks. Additionally, password protection alone should not be considered sufficient. Enable centralized multi-factor authentication (MFA) using IBMi Access Client Solutions or third-party tools.
- Overly broad user privileges: Configuring a systemwide security level of 40 is the recommended starting place (50 is even better). However, systemwide security settings alone are not sufficient. Assigning excessive privileges to users or accounts, particularly administrative accounts, increases the risk of insider threats and accidental misconfigurations. It is important to remember that simply limiting menu access only controls what is visible to the user on the menu screen, not what they can accomplish via the terminal. Many inputs can result in an error state on an AS400/IBMi system and expose the terminal prompt, allowing the user to bypass any menu security controls. Access controls and user privileges must be configured at the object level.
- Lack of encryption: Data transmitted over networks or stored in the system may not be encrypted, exposing sensitive information to unauthorized access. AS400/IBMi systems by default rely on FTP and OpenSSH for file transfers. These methods can easily expose data in transit, so alternatives should be considered to allow for secure data transfer, such as forcing SSL for the Telnet and FTP services using the CHGFTPA command with the SSLTLS parameter set to *YES, or additional external tools.
- Weak auditing and logging: Inadequate or nonexistent monitoring can allow malicious activities to go unnoticed, delaying detection and response to breaches. Comprehensive auditing must be enabled, and those logs need to be ingested into a centralized SIEM and monitored for anomalies and alerts.
- Integration risks: Modern integrations, such as APIs, can introduce vulnerabilities if not securely implemented, particularly when connecting to external applications or networks. Every integration must be considered from a secure-by-design mindset and carefully evaluated for any potential security concerns or additional risks that it may bring with it.
- Neglected security program temporary fixes: Organizations often fail to apply IBM’s regular security updates, leaving systems exposed to known vulnerabilities. This is a universal truth in security: Keep your systems patched.
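The auditing, password-policy and security-level points above become actionable only once the audit data is forwarded to a SIEM and rules run over it. The following is an added example, not code from the article: a few toy detection rules over constructed audit-journal-style records. The pipe-delimited record layout is an assumed export format, not IBM's native journal layout, and the entry types PW (invalid password), AF (authority failure) and SV (system value change) are used here as labels for the constructed sample.

```python
"""Added example (not from the article): toy SIEM-style detection rules over
constructed IBM i audit-journal-like records. The pipe-delimited layout is an
assumed export format, not IBM's actual journal format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp|entry_type|user|source_ip|detail
SAMPLE_LOG = """\
2024-03-01T08:00:01|PW|JSMITH|10.1.1.20|invalid password
2024-03-01T08:00:03|PW|JSMITH|10.1.1.20|invalid password
2024-03-01T08:00:04|PW|JSMITH|10.1.1.20|invalid password
2024-03-01T08:00:06|PW|JSMITH|10.1.1.20|invalid password
2024-03-01T08:00:08|PW|JSMITH|10.1.1.20|invalid password
2024-03-01T08:15:00|AF|DISPATCH1|10.1.1.40|object PAYROLL/PAYMSTR
2024-03-01T09:00:00|SV|QSECOFR|10.1.1.5|QSECURITY 40 -> 30
2024-03-01T09:30:00|PW|MJONES|10.1.1.21|invalid password
"""

def parse(text):
    """Turn the exported lines into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, user, ip, detail = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "type": etype,
                        "user": user, "ip": ip, "detail": detail})
    return records

def detect(records, pw_threshold=5, window=timedelta(minutes=5)):
    """Return (rule, user, context) alerts for the three checks shown."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent PW entries
    for r in records:
        if r["type"] == "PW":
            # Sliding window: keep only failures within `window` of this one
            recent = [t for t in failures[r["user"]] if r["ts"] - t <= window]
            recent.append(r["ts"])
            failures[r["user"]] = recent
            if len(recent) == pw_threshold:  # fire once, at the threshold
                alerts.append(("BRUTE_FORCE", r["user"], r["ip"]))
        elif r["type"] == "AF":
            # Any authority failure is worth a look at object-level controls
            alerts.append(("AUTHORITY_FAILURE", r["user"], r["detail"]))
        elif r["type"] == "SV" and "QSECURITY" in r["detail"]:
            # Lowering the system security level must never go unnoticed
            alerts.append(("SECURITY_LEVEL_CHANGE", r["user"], r["detail"]))
    return alerts
```

In practice the thresholds and the record layout would be tuned to the actual journal export; the point is that each of the article's configuration concerns maps to a concrete, testable rule.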
While no system is impenetrable, it is possible to reduce the risk to a system and the risk that system poses to the rest of the enterprise by ensuring configurations are hardened in line with best practices from the manufacturer and the cybersecurity community. It is also critical to follow cybersecurity best practices to ensure that your systems are patched, unnecessary accounts and services are disabled, all activity is logged and monitored, and data remains encrypted in transit and at rest.