2023 State of IBM i Security Study

Organizations around the world are waking up to the business impact of lax cybersecurity: unexpected downtime, lost productivity, and resources tied up in lawsuits and data breach notifications.

It's no surprise that two-thirds of IBM i pros ranked cybersecurity as a top concern in this year's IBM i Marketplace Survey.

The latest State of IBM i Security Study, now in its 20th year, reveals concrete, impartial data about how IBM i systems are protected and where the gaps remain.

Fortra.com 2

Executive Summary
For the 20th year, this study provides compelling insight into the security posture of 112 IBM i servers and partitions, systems that are used to host business-critical applications and that often house electronic protected health information (ePHI), financial data, and personally identifiable information (PII).

This is not a recurring study of the same systems each year, but general trends are apparent. Cybersecurity is becoming a higher priority for participating organizations, and in recent years businesses have made gradual improvements with basic system security and password controls.

However, many organizations are still in the early stages of implementing IBM i security.

Data from seven critical areas of IBM i security, summarized below, reveals the extent of the risk:

Security Enforcement Level
70% of systems meet the minimum best practice (QSECURITY level 40 or higher), but this setting can be undermined by other factors.

Users with Powerful Authorities
Overwhelmingly, the IBM i servers studied have too many profiles with powerful authorities. This could easily lead to data loss, theft, or damage. Auditors should check for excess special authorities as part of any standard IBM i audit.

Password and Profile Security
Password policies are frequently sub-standard, and 30% of systems studied have more than 100 user profiles where the password for the profile matches the profile name.

Access to Data
Reliance on application security controls means that virtually every system user has data access that far exceeds any demonstrable need.

Network Access
Control and auditing of PC connections is nonexistent in most IBM i shops, so both authorized and unauthorized access occurs without traceability. IBM i's exit points provide the ability to control and monitor network data access, but adoption rates remain alarmingly low.

Detecting Security Violations
Most lack an efficient strategy for monitoring and interpreting security event data, allowing violations to occur undetected.

Malware Protection
Ransomware, viruses, and other malware continue to affect IBM i organizations, but most IBM i systems in this study are still not running native malware protection.


Table of Contents
About This Study
Security Enforcement Level: QSECURITY
Basic System Security: Key Values for Restoring Objects
Users with Powerful Authorities
Password & Profile Security: Inactive Profiles
Password & Profile Security: Default Passwords
Password & Profile Security: Password Length
Password & Profile Security: Other Password Settings
Password & Profile Security: Invalid Sign-On Attempts
*PUBLIC Access to Data
*PUBLIC Access to New Files and Programs
Network Access
Command Line Access
Security Event Auditing
Protection from Ransomware, Viruses, and Other Malware
Conclusion
About The Authors
About Fortra


About This Study

Trends in IBM i Security
Cyberthreats grow more sophisticated every year, raising the importance of proper security controls. The 2023 State of IBM i Security Study proves that many organizations rely on system settings that leave data vulnerable.

But in recent years, Fortra has observed an encouraging trend: organizations large and small increasingly prioritize IBM i security. A deeper understanding of the risks and the security controls built into the OS is currently driving a wave of interest in prioritizing cybersecurity issues on IBM i.

The weaknesses identified through our scans and documented in this study are caused by poor or missing configurations that can, and should, be corrected.

This study shows you the most common and dangerous IBM i security exposures and offers tips for improvement.

Why This Study Matters to You
The 20th annual State of IBM i Security Study strives to help you understand common IBM i security exposures and how to correct them quickly and effectively.

Your IBM i server likely runs mission-critical business applications. But because Windows and UNIX platforms often require more resources, it's easy to let IBM i security projects take a back seat.

Consequently, the administration of IBM i security controls has lapsed even as threats to your system grow.

Methodology
The data shared in this study is collected by Fortra security experts auditing IBM i systems using our proprietary Powertech Security Scan. This free software runs directly from any network-attached PC without modifying system settings, interrogating Power servers running IBM i (System i, iSeries, AS/400) across seven critical audit areas:

• Server-level security controls
• Profile and password settings
• Administrative capabilities
• Network-initiated commands and data access
• Public accessibility to corporate data
• System event auditing
• Virus scanning

This year's study includes 112 IBM i servers and partitions that were audited throughout 2022. The average system scanned for this study has 1,075 users and 567 libraries. The majority of scanned servers are running on supported versions of the OS; however, 18% are on v7.2, which IBM ceased supporting in April 2021.


Security Enforcement Level: QSECURITY

IBM i security best practices start with the configuration of numerous system values, which regulate how easy or difficult it is for someone to use or abuse your system. Poorly configured or unmonitored system values are an unacceptable security risk.

QSECURITY Level
The system security level (QSECURITY) sets the overall tone, although it is often undermined by other settings. IBM recommends and ships security level 40 as the minimum, because level 30 and below do not enforce operating system integrity protection: a documented weakness that lets a program bypass object authority through unsupported (unblocked) system interfaces. It should be noted that, despite the revision of the shipped default, a server migration will typically reload this to the same value as found on the previous generation of the server.

Figure 1 shows the distribution of security settings on the systems included in the 2023 dataset. Out of the 112 systems studied, 27 percent are running at system security level 30 and four percent are running at security level 20. Overall, 30 percent fall short of IBM's recommended minimum level (Figure 1A). Many running on a sub-par security level are doing so without deliberate intent after having migrated their system values from an older server and are now recognizing the need to take corrective action. Room for improvement remains within this area of IBM i security.

PRO TIP:
Bring your system up to QSECURITY level 40 or higher. A change to QSECURITY takes effect at the next IPL, so plan the change and the test window together. Before raising a system from level 30, run for a period with QAUDLVL including *PGMFAIL: the AF (authority failure) entries written to the audit journal identify programs that use unsupported interfaces and would fail at level 40, so they can be fixed before the change rather than discovered after the IPL. Outsourcing this task to IBM i security professionals like the team at Fortra is a way to quickly eliminate all the guesswork from the process. Fortra's security professionals can move your security levels from 20 to 40 or from 30 to 40.

FIGURE 1: System Security Level (number of systems by QSECURITY value): level 10: 0; level 20: 4; level 30: 30; level 40: 74; level 50: 4.

FIGURE 1A: Meeting the Recommended Minimum Level: Pass 70%, Fail 30%.


Basic System Security: Key Values for Restoring Objects

Several other system values related to object restoration often remain at their shipped levels, reflecting a typical IBM i configuration of "load and go."

The system values in question are designed to work together as a three-pass filter that prevents restoration of malicious or tampered objects. But IBM i's shipped values fail to provide this protection, which may leave the system vulnerable.

The system values below are checked in order, one after the other, to determine whether an object should be restored, or whether it is to be converted during the restore:

Verify Object on Restore (QVFYOBJRST): 71 percent of servers are running below the recommended level of 3. This value controls whether the digital signature on a signed object is validated when the object is restored. At level 3, signed objects are restored only if their signature is valid, while unsigned objects are still restored.

Force Conversion on Restore (QFRCCVNRST): 93 percent of servers are running below the recommended level of 3. This value, shipped at level 1, controls whether some types of objects are converted during a restore. Conversion rebuilds the executable from the program's creation data, so a program whose compiled code has been patched is re-created rather than restored as-is.

Allow Object Restore (QALWOBJRST): Less than three percent of servers have altered this system value from its shipped *ALL setting. This value controls whether programs with certain security attributes, such as system-state and authority adoption, can be restored at all.

PRO TIP:
A proactive approach to system values starts with defining and implementing a security policy that incorporates the most secure settings your environment will tolerate. (Seek professional expertise if you are unsure of the impact of certain settings.)

The free open source IBM i Security Standard from Fortra can help you get started with defining your own policy.
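The following is an added example and not part of the Fortra study: it checks QSECURITY and the three restore system values discussed in the last two sections against the study's recommended minimums, then applies the corrections. It uses the IBM-supplied Db2 for i view QSYS2.SYSTEM_VALUE_INFO and the QSYS2.QCMDEXC procedure; the *ALWPTF choice for QALWOBJRST is one reasonable restrictive setting, not a value the study prescribes.

```sql
-- Added example, not part of the Fortra study: compare QSECURITY, QVFYOBJRST,
-- QFRCCVNRST and QALWOBJRST with the study's recommended minimums using the
-- IBM-supplied view QSYS2.SYSTEM_VALUE_INFO. These values are character-typed,
-- so the numeric ones are cast before comparison; COALESCE also covers a
-- release that reports them in CURRENT_NUMERIC_VALUE instead.
WITH policy (sysval, minimum) AS (
  VALUES ('QSECURITY', 40), ('QVFYOBJRST', 3), ('QFRCCVNRST', 3)
),
numeric_vals AS (
  SELECT s.system_value_name,
         COALESCE(s.current_numeric_value,
                  INTEGER(TRIM(s.current_character_value))) AS current_value
  FROM qsys2.system_value_info s
  WHERE s.system_value_name IN ('QSECURITY', 'QVFYOBJRST', 'QFRCCVNRST')
)
SELECT p.sysval, n.current_value, p.minimum,
       CASE WHEN n.current_value >= p.minimum THEN 'PASS' ELSE 'FAIL' END AS result
FROM policy p
JOIN numeric_vals n ON n.system_value_name = p.sysval
UNION ALL
-- QALWOBJRST is a keyword list; the shipped *ALL means nothing is filtered.
SELECT 'QALWOBJRST', CAST(NULL AS INTEGER), CAST(NULL AS INTEGER),
       CASE WHEN TRIM(s.current_character_value) = '*ALL'
            THEN 'FAIL (shipped *ALL)'
            ELSE 'REVIEW: ' CONCAT TRIM(s.current_character_value) END
FROM qsys2.system_value_info s
WHERE s.system_value_name = 'QALWOBJRST';

-- Remediation: run as a profile holding *ALLOBJ and *SECADM, after testing on
-- a non-production partition. QVFYOBJRST, QFRCCVNRST and QALWOBJRST take
-- effect immediately; QSECURITY is stored now and applied at the next IPL.
CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QVFYOBJRST) VALUE(''3'')');
CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QFRCCVNRST) VALUE(''3'')');
-- *ALWPTF lets PTF application restore system-state and authority-adopting
-- programs while blocking the same kinds of program from any other source.
CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QALWOBJRST) VALUE(''*ALWPTF'')');
CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QSECURITY) VALUE(''40'')');
```

Run the SELECT first from ACS Run SQL Scripts or RUNSQL and keep its output with the change record; the CALL statements are the audited change, and on a level 30 system the QSECURITY change should follow the *PGMFAIL audit period described in the QSECURITY section.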


Users with Powerful Authorities

IT professionals require special authorities to manage servers. These can also permit the ability to view or change financial applications, customer credit card data, and confidential employee files. In careless, misguided, or malicious hands, a user with special authorities can cause serious damage.

IBM i special authorities are administrative privileges and always pose a security risk, so auditors require you to limit the users who have these special authorities and carefully monitor and audit their use. Of the special authorities, *ALLOBJ is the one providing users with the unrestricted ability to view, change, and delete every file and program on the system. This is sometimes referred to as "root" authority. As shown in Figure 2, this authority is granted to users in unacceptably high numbers.

Only three systems have 10 or fewer users with *ALLOBJ authority. This year, only 11% of users held *ALLOBJ, a significant improvement from the previous two years' average of 30%.

The most frequently granted special authorities were Job Control (*JOBCTL) and Spool Control (*SPLCTL), which have been granted to 41 percent and 27 percent of users, respectively.

Job Control provides the capability to change the priority of jobs and printing, or even terminate subsystems in some cases. Spool Control enables users to fully access any spooled file in any output queue, regardless of imposed spool restrictions.

PRO TIP:
Keep the number of users with special authority to fewer than 10, or less than three percent of the user community. Count authorities inherited through group and supplemental group profiles as well as those granted directly, because a user holds every special authority of their groups. We recommend working with an IBM i security expert, who can advise on ways to determine if authorities are necessary and suggest possible alternatives in marginal cases. Here are some best practices for powerful users:

• Document and enforce separation of duties for powerful users.
• Avoid having any all-powerful users, all the time.
• Monitor, log, and report on the use of powerful authorities.
• Be prepared to justify the use of powerful authorities to auditors and managers.

FIGURE 2: Powerful Users (Special Authorities): average number of users per system holding each of *ALLOBJ, *SECADM, *IOSYSCFG, *AUDIT, *SPLCTL, *SERVICE, *JOBCTL and *SAVSYS. The extracted bar values are 442, 289, 276, 122, 61, 57, 36 and 22; from the text, *JOBCTL is 442 and *SPLCTL is 289, and 122 is consistent with the 11% *ALLOBJ figure. The remaining values cannot be attributed to a specific authority from the extracted chart.
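An added example, not code from the Fortra study, that produces the headcount behind Figure 2 for your own system and applies the PRO TIP's threshold. It uses the IBM-supplied view QSYS2.USER_INFO; the third query goes a step beyond the text by finding *ALLOBJ that is inherited from a group profile rather than granted directly.

```sql
-- Added example, not part of the Fortra study: inventory special authorities
-- with the IBM-supplied view QSYS2.USER_INFO. SPECIAL_AUTHORITIES is a
-- blank-separated list such as '*ALLOBJ *SECADM', so LIKE tests each keyword.

-- 1. Holders of each special authority, measured against the study's
--    guideline of fewer than 10 users or under 3 percent of all profiles.
WITH auth (name) AS (
  VALUES ('*ALLOBJ'), ('*SECADM'), ('*IOSYSCFG'), ('*AUDIT'),
         ('*SPLCTL'), ('*SERVICE'), ('*JOBCTL'), ('*SAVSYS')
),
total AS (SELECT COUNT(*) AS profiles FROM qsys2.user_info)
SELECT a.name,
       COUNT(u.authorization_name) AS holders,
       DECIMAL(100.0 * COUNT(u.authorization_name) / t.profiles, 5, 1) AS pct_of_profiles,
       CASE WHEN COUNT(u.authorization_name) < 10
              OR 100.0 * COUNT(u.authorization_name) / t.profiles < 3
            THEN 'within guideline' ELSE 'REVIEW' END AS verdict
FROM auth a
CROSS JOIN total t
LEFT JOIN qsys2.user_info u
       ON u.special_authorities LIKE '%' CONCAT a.name CONCAT '%'
GROUP BY a.name, t.profiles
ORDER BY holders DESC;

-- 2. Every *ALLOBJ holder, with the profile state an auditor will ask about.
SELECT authorization_name, status, user_class_name, limit_capabilities,
       group_profile_name, previous_signon
FROM qsys2.user_info
WHERE special_authorities LIKE '%*ALLOBJ%'
ORDER BY status, authorization_name;

-- 3. Profiles that hold *ALLOBJ only by inheritance from their primary group.
--    They do not appear in query 2 but are just as powerful. Supplemental
--    groups (SUPPLEMENTAL_GROUP_LIST) inherit the same way and should be
--    checked with the same pattern.
SELECT u.authorization_name, u.group_profile_name AS inherited_from
FROM qsys2.user_info u
JOIN qsys2.user_info g ON g.authorization_name = u.group_profile_name
WHERE g.special_authorities LIKE '%*ALLOBJ%'
  AND COALESCE(u.special_authorities, '') NOT LIKE '%*ALLOBJ%'
ORDER BY u.authorization_name;
```

Query 1 is the number to report against the "fewer than 10 or under 3 percent" guideline; queries 2 and 3 together give the list that has to be justified to an auditor, including the profiles a direct-grant report would miss.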


Password & Profile Security: Inactive Profiles

Inactive profiles are user profiles that have not been used in the last 30 days or more. They create a security exposure because these accounts are not actively maintained by their users, which makes them prime targets for hijacking.

Many of these inactive profiles belong to former employees or contractors, people who might carry a grudge or who might find their former employer's data useful in their new role at a competitor.

The threat persists even if ex-employees never attempt to utilize these profiles. Other users within the organization might know, for example, that the former IT director's profile is still on the system. And whether an inactive profile is exploited by a former employee, a malicious insider, or a hacker, unusual use of the profile won't be detected and reported by the profile owner.

Figure 3 shows an average of 424 profiles (39 percent of the total) have not signed on in the past 30 days or more. Of these, 279 on average remain enabled and ready to be used.

PRO TIP:
Develop a process for inactive profiles. Start by defining how long a profile must be inactive before you take action (perhaps 60 days), disable those inactive profiles, and remove all special authorities and group profile assignments. Wait another 30 days to make sure the profile really is inactive before removing it from the system, or until the name of the user is no longer required for reconciling with the audit trail. Exempt IBM-supplied profiles (QSECOFR, QSYS and the other Q* profiles) and service accounts used only by batch or server jobs from automatic disablement, since many of them never sign on interactively.

This process can be performed manually or automated using Powertech Policy Minder or IBM's built-in security tools (the ANZPRFACT command disables profiles inactive for a given number of days, and CHGACTPRFL maintains its exemption list).

FIGURE 3: Inactive Profiles (number of profiles): all inactive profiles, average 424, median 126; enabled inactive profiles, average 279, median 76.
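The three-step process in the PRO TIP, written out as an added example rather than anything from the study or from Powertech. It reads QSYS2.USER_INFO and QSYS2.OBJECT_STATISTICS (both IBM-supplied) and issues CHGUSRPRF through QSYS2.QCMDEXC. The SECAUDIT schema, its two tables, the SERVICE_ACCOUNTS row and the SECARCHIVE owner profile are all hypothetical and constructed for the example; the Q* exclusion assumes your site does not create its own profiles beginning with Q.

```sql
-- Added example, not part of the Fortra study: the inactive-profile process
-- (60 days to disable and strip privileges, 30 more before deletion) driven
-- from QSYS2.USER_INFO. SECAUDIT is a hypothetical schema that records when a
-- profile was disabled and what it held, so it can be restored if the owner
-- turns out to be on long leave rather than gone.
CREATE SCHEMA secaudit;
CREATE TABLE secaudit.inactive_profiles (
  profile       VARCHAR(10)  NOT NULL PRIMARY KEY,
  disabled_on   DATE         NOT NULL,
  prior_spcaut  VARCHAR(200),
  prior_grpprf  VARCHAR(10),
  prior_supgrp  VARCHAR(200)
);
-- Batch and server profiles that never sign on interactively but must stay.
CREATE TABLE secaudit.service_accounts (profile VARCHAR(10) NOT NULL PRIMARY KEY);
INSERT INTO secaudit.service_accounts VALUES ('APPSRV01');   -- constructed sample row

-- Step 1: record candidates. PREVIOUS_SIGNON is NULL for a profile that has
-- never signed on, so the creation date from OBJECT_STATISTICS keeps a
-- brand-new profile out of the list; Q* profiles are treated as IBM's.
INSERT INTO secaudit.inactive_profiles
       (profile, disabled_on, prior_spcaut, prior_grpprf, prior_supgrp)
SELECT u.authorization_name, CURRENT DATE, u.special_authorities,
       u.group_profile_name, u.supplemental_group_list
FROM qsys2.user_info u
JOIN TABLE(qsys2.object_statistics('QSYS', '*USRPRF')) o
  ON o.objname = u.authorization_name
WHERE u.status = '*ENABLED'
  AND u.authorization_name NOT LIKE 'Q%'
  AND o.objcreated < CURRENT TIMESTAMP - 60 DAYS
  AND (u.previous_signon IS NULL
       OR u.previous_signon < CURRENT TIMESTAMP - 60 DAYS)
  AND u.authorization_name NOT IN (SELECT profile FROM secaudit.service_accounts)
  AND u.authorization_name NOT IN (SELECT profile FROM secaudit.inactive_profiles);

-- Step 2: disable today's candidates and remove special authorities and group
-- memberships, one CHGUSRPRF per profile through QSYS2.QCMDEXC.
BEGIN
  FOR each_profile AS c1 CURSOR FOR
      SELECT profile FROM secaudit.inactive_profiles
      WHERE disabled_on = CURRENT DATE
  DO
    CALL qsys2.qcmdexc('CHGUSRPRF USRPRF(' CONCAT profile CONCAT
         ') STATUS(*DISABLED) SPCAUT(*NONE) GRPPRF(*NONE) SUPGRPPRF(*NONE)');
  END FOR;
END;

-- Step 3: after a further 30 days, list the profiles ready for deletion.
-- The DLTUSRPRF is generated, not executed, because the study notes the name
-- may still be needed to reconcile the audit trail; OWNOBJOPT transfers any
-- owned objects to a hypothetical archive profile so the delete does not fail.
SELECT profile, disabled_on,
       'DLTUSRPRF USRPRF(' CONCAT profile CONCAT ') OWNOBJOPT(*CHGOWN SECARCHIVE)'
         AS delete_command
FROM secaudit.inactive_profiles
WHERE disabled_on <= CURRENT DATE - 30 DAYS
ORDER BY disabled_on;
```

Steps 1 and 2 are safe to schedule; step 3 is a review list because deleting a profile also removes it from authorization lists and private authorities, which is hard to undo. PREVIOUS_SIGNON is the sign-on date the study measures; the "date last used" shown by DSPUSRPRF is also updated by batch use and is worth consulting before a service account is judged inactive.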


Password & Profile Security: Default Passwords

On IBM i, profiles that have a default password have a password that's the same as the user name. Hackers, or even your own employees, can guess profile names like jsmith and try default passwords.

Regulatory and legislative standards typically mandate that users must utilize unique credentials known only to the user, ensuring that any actions can be tied to that specific individual. Organizations might struggle to prosecute illegal or unauthorized activity if it became evident that the credentials couldn't unequivocally identify the culprit.

In this study, 16 percent of user profiles have default passwords (Figure 4). 61 percent of the systems studied have more than 30 user profiles with default passwords. 30 percent are even worse off, with more than 100 users with default passwords. One system has a total of 2,256 user profiles with default passwords, and nearly 90 percent of them were in an enabled state.

FIGURE 4: Default Passwords (number of profiles): all default accounts, average 174, median 42; enabled default accounts, average 83, median 21.

PRO TIP:
Establish and enforce strong password policies. The QPWDRULES system value can ban default passwords: *LMTPRFNAME rejects any password that contains the profile name, and *ALLCRTCHG applies the rules to passwords set with CRTUSRPRF and CHGUSRPRF rather than only to user-initiated changes. Consideration must be given to applications or vendor software that create profiles during installation. Existing profiles are not affected until their next password change, so use IBM's ANZDFTPWD command, which lists every profile whose password currently equals its name and can expire or disable them.

Reporting tools like Powertech Compliance Monitor for IBM i make it easy to generate audit reports on a regular basis that compare IBM i user and password information against policy.


Password & Profile Security: Password Length

Shorter passwords may be easier to remember, but they're also easier for others to guess. Although short passwords can be strengthened by using random characters, the odds of correctly guessing a four-character password are far greater than for a longer one.

NIST now recommends using eight-character passwords, up from their previous recommendation of six characters.

Figure 5 shows the setting for the minimum password length (QPWDMINLEN) on the systems reviewed. According to our results, 48 percent meet or surpass the best practice standard of eight characters or more. 48 percent of servers in this study fail to satisfy PCI DSS's requirement of seven-character passwords (PCI DSS v4.0 raises that minimum to 12 characters). Shockingly, 11 percent of systems permit users to select a password that is less than six characters long, and five servers permitted the use of single-character passwords.

PRO TIP:
Create a password policy that requires users to use eight or more characters in their passwords. Consider switching from passwords to passphrases, which are typically 20 to 30 characters long and make brute force attacks impractical. Passphrases longer than 10 characters require the QPWDLVL system value to be 2 or higher; at levels 0 and 1 the maximum password length is 10, and changing QPWDLVL takes effect at the next IPL.

FIGURE 5: Minimum Password Length (number of systems per QPWDMINLEN value, from 1 to 12 characters). The two largest bars are 42 and 43 systems; each of the remaining settings applies to five or fewer systems.


Password & Profile Security: Other Password Settings

IBM i allows system administrators to define password policy at a granular level. Password settings include length, character restrictions, digit requirement, expiration time, and how soon a password can be reused.

These settings help make passwords harder to guess and increase the protection of your system, since simple, easy-to-guess passwords like "123456" and "password" remain disturbingly common. Imagine what could happen if your users with simple passwords have special authorities or access to sensitive data.

The latest data shows that IBM i administrators aren't utilizing all the password controls available to them:

• 51 percent of systems don't require a digit in passwords.

• 99 percent of systems do not impose any restrictions on characters. Simply restricting vowels would add extra security by preventing users from choosing simple, easily guessable words for their passwords.

• 40 percent of systems do not require passwords to differ from the previous password.

Password expiration is one area where we see progress. For the systems in our study, the average password expiration interval is 91 days.

One caveat when tightening these controls: once QPWDRULES holds anything other than *PWDSYSVAL, it takes precedence over the individual composition values (QPWDMINLEN, QPWDMAXLEN, QPWDRQDDGT, QPWDLMTCHR, QPWDLMTAJC, QPWDLMTREP and QPWDPOSDIF), so the equivalent rules must be expressed in QPWDRULES or they silently stop applying. QPWDRQDDIF (password history) and QPWDEXPITV (expiration) remain in effect either way.

PRO TIP:
Require passwords of at least eight characters. IBM i can even support passwords up to 128 characters (at QPWDLVL 2 or higher), which are more accurately called passphrases.

Multi-factor authentication can also protect your systems from unauthorized access. Another option is eliminating passwords entirely by implementing single sign-on (SSO) based on technology that is included in the IBM i operating system (Enterprise Identity Mapping with Kerberos network authentication).
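An added example, not from the study, that covers the last three sections together: it reads the password-related system values, then applies a policy that meets the eight-character guideline, bans default passwords, and forces existing default passwords to be changed. It uses the IBM-supplied view QSYS2.SYSTEM_VALUE_INFO, the QSYS2.QCMDEXC procedure, and the CHGSYSVAL and ANZDFTPWD commands; the specific values chosen are one reasonable policy and are not the study's prescriptions.

```sql
-- Added example, not part of the Fortra study: audit and then set password
-- policy. Uses QSYS2.SYSTEM_VALUE_INFO and QSYS2.QCMDEXC (both IBM-supplied).

-- 1. Current settings, with the study's guideline beside each. QPWDRULES is
--    listed first because, when it is anything other than *PWDSYSVAL, it
--    overrides the composition values that follow it.
SELECT system_value_name,
       COALESCE(current_character_value, VARCHAR(current_numeric_value)) AS current_value,
       CASE system_value_name
         WHEN 'QPWDLVL'    THEN 'study: 2 or 3 for passphrases up to 128 characters'
         WHEN 'QPWDRULES'  THEN 'study: ban default passwords (*LMTPRFNAME)'
         WHEN 'QPWDMINLEN' THEN 'study: 8 or more'
         WHEN 'QPWDRQDDGT' THEN 'study: 1 (a digit is required)'
         WHEN 'QPWDLMTCHR' THEN 'study: restrict characters, e.g. vowels AEIOU'
         WHEN 'QPWDRQDDIF' THEN 'study: non-zero (must differ from previous)'
         WHEN 'QPWDEXPITV' THEN 'study average: 91 days'
         ELSE ''
       END AS guideline
FROM qsys2.system_value_info
WHERE system_value_name IN ('QPWDLVL', 'QPWDRULES', 'QPWDMINLEN', 'QPWDMAXLEN',
                            'QPWDRQDDGT', 'QPWDLMTCHR', 'QPWDRQDDIF', 'QPWDEXPITV')
ORDER BY CASE system_value_name WHEN 'QPWDLVL' THEN 0 WHEN 'QPWDRULES' THEN 1 ELSE 2 END,
         system_value_name;

-- 2. Express the composition policy in QPWDRULES so it lives in one place.
--    *ALLCRTCHG applies the rules to CRTUSRPRF/CHGUSRPRF too, which is what
--    stops new profiles being created with a default password; *LMTPRFNAME
--    rejects passwords containing the profile name. QPWDMINLEN and QPWDRQDDGT
--    are ignored from now on, so their equivalents (*MINLEN8, *DGTMIN1) are
--    carried here; *LMTSAMPOS stops a character staying in the same position
--    as in the previous password.
CALL qsys2.qcmdexc(
  'CHGSYSVAL SYSVAL(QPWDRULES) VALUE(''*ALLCRTCHG *LMTPRFNAME *MINLEN8 *DGTMIN1 *LTRMIN1 *LMTSAMPOS'')');

-- 3. History and expiration are not overridden by QPWDRULES and are set
--    separately: QPWDRQDDIF 5 forbids reuse of the previous 10 passwords,
--    QPWDEXPITV 90 forces a change every 90 days.
CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QPWDRQDDIF) VALUE(''5'')');
CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE(''90'')');

-- 4. Existing profiles keep their old passwords until they change them.
--    ANZDFTPWD reports every profile whose password equals its name;
--    ACTION(*PWDEXP) forces those users to pick a new password at next
--    sign-on (ACTION(*DISABLE) is stricter but can lock out vendor profiles).
CALL qsys2.qcmdexc('ANZDFTPWD ACTION(*PWDEXP)');
```

Keep the output of query 1 from before and after the change as the evidence for the audit file. Whether a password equals the profile name cannot be read through SQL, which is why step 4 relies on the ANZDFTPWD command rather than a query.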


Password & Profile Security: Invalid Sign-On Attempts

Passwords are forgotten, mistyped, or simply mixed up with other passwords. Help desk personnel charged with resetting these passwords often work with the same users over and over. How do you track which users have multiple invalid sign-on attempts? What if your powerful profiles are targeted? Large numbers could indicate an intrusion attempt, while single-digit attempts are probably the sign of a frustrated user.

48 percent of systems have a profile that experienced more than 100 denied attempts. 22 percent have more than 1,000 invalid sign-on attempts against a single profile. One system in our study has more than three million attempts against a single profile.

Figure 6 shows the action taken (QMAXSGNACN) when the maximum number of allowed sign-on attempts (QMAXSIGN) is exceeded. In 89 percent of cases, the profile is disabled, and this is always recommended. When using explicitly named devices (as opposed to virtual device names) the recommendation is expanded to include disablement of the device description. It is not recommended to disable virtual devices, as the system typically creates a new device when the user reconnects. The device setting does not apply to all connections, such as ODBC and REXEC services.

The other 11 percent of servers disable the device but leave the profile enabled. This creates risk if the user re-establishes a connection, or perhaps connects to a service that does not require a workstation device.

Shockingly, about 10% of systems evaluated don't have a maximum number of invalid sign-on attempts defined (QMAXSIGN is *NOMAX), allowing an unlimited number of guesses at users' passwords.

FIGURE 6: Default Action for Invalid Sign-On Attempts: Disable Profile 54%, Disable Both 35%, Disable Device 11%.

PRO TIP:
To protect your system, make sure profiles are disabled by default after the maximum allowed sign-on attempts is exceeded. QSECOFR can still sign on at the system console when it has been disabled this way, and a second profile with *ALLOBJ and *SECADM should exist so that an attacker cannot lock out every administrator simply by guessing wrong. A tool for self-service password resets can help the users who have truly forgotten their passwords. Password Self Help for IBM i is one option that makes it easy for IBM i users to reset a password, and it sends instant alerts to designated personnel when unsuccessful resets occur.
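The detection and the lockout check described above, as an added example that is not part of the study. It uses the IBM-supplied views QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO and the QSYS2.QCMDEXC procedure; the 100 and 1,000 thresholds are the study's own, and the remediation values (five attempts, disable the profile) are one common choice.

```sql
-- Added example, not part of the Fortra study: find profiles under password
-- guessing and check the lockout system values.

-- 1. Profiles with accumulated invalid attempts. The counter resets on a
--    successful sign-on, so a large value on an enabled profile means the
--    guessing is ongoing or the profile was re-enabled without investigation.
SELECT authorization_name, status, sign_on_attempts_not_valid,
       CASE WHEN sign_on_attempts_not_valid > 1000 THEN 'likely intrusion attempt'
            WHEN sign_on_attempts_not_valid > 100  THEN 'investigate'
            ELSE 'probably a frustrated user' END AS assessment,
       special_authorities
FROM qsys2.user_info
WHERE sign_on_attempts_not_valid > 9
ORDER BY sign_on_attempts_not_valid DESC;

-- 2. Lockout policy. QMAXSIGN is the allowed number of attempts (*NOMAX means
--    unlimited guessing); QMAXSGNACN 1 disables the device, 2 the profile,
--    3 both. Only 2 or 3 stops guessing over ODBC, FTP or REXEC, which have
--    no workstation device to disable.
SELECT system_value_name, TRIM(current_character_value) AS current_value,
       CASE system_value_name
         WHEN 'QMAXSIGN'   THEN CASE WHEN TRIM(current_character_value) = '*NOMAX'
                                     THEN 'FAIL: unlimited attempts'
                                     ELSE 'PASS' END
         WHEN 'QMAXSGNACN' THEN CASE WHEN TRIM(current_character_value) IN ('2', '3')
                                     THEN 'PASS: profile is disabled'
                                     ELSE 'FAIL: only the device is disabled' END
       END AS result
FROM qsys2.system_value_info
WHERE system_value_name IN ('QMAXSIGN', 'QMAXSGNACN');

-- 3. Remediation: five attempts, then disable the profile.
CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QMAXSIGN) VALUE(''5'')');
CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QMAXSGNACN) VALUE(''2'')');
```

Query 1 is worth scheduling daily; the profiles with *ALLOBJ or *SECADM in the last column are the ones to look at first, since they are the targets the text warns about.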


*PUBLIC Access to Data

On most servers, users typically have no authority to an object or task unless they're expressly granted permission. With IBM i, every object has a default permission that applies to non-named users, known collectively as *PUBLIC. This default permission is initially set by IBM with enough authority to read, change, even delete data from a file. Unless the user is granted a specific authority (grant or deny access) directly, through a group profile, or through an authorization list, the user can leverage the object's default permission. When *PUBLIC access rights are left unrestricted, there is a risk for unauthorized program changes and database alterations, red flags for auditors.

This study uses the *PUBLIC access rights to libraries as a simple measurement indicating how accessible IBM i data is to the average end user. Figure 7 shows the level of access that *PUBLIC has to libraries on the systems in our study.

*USE: *PUBLIC can get a catalog of all objects in that library, and attempt to use or access any object in the library

*CHANGE: *PUBLIC can place new objects in the library and change some of the library characteristics

*ALL: *PUBLIC can manage, rename, specify security for, or even delete a library (if they have delete authority to the objects in the library)

Library authority is only the outer gate: a user who passes it is then checked against the authority of each object inside, so a library at *USE still exposes every file whose own *PUBLIC authority is *CHANGE or *ALL.

FIGURE 7: *PUBLIC Authority To Data (share of libraries): *CHANGE 36%, *ALL 31%, *USE 22%, *EXCLUDE 8%, *AUTL 3%.

Our findings demonstrate that IBM i shops still have far too many libraries accessible to the average user, libraries that often include critical corporate information. With virtually every system user having access to data far beyond their demonstrated need, administrators need better processes to control access to IBM i data.

PRO TIP:
Where possible, secure data using resource-level security to protect individual application and data objects. When this is not possible or practical, use exit program technology to regulate access to the data.

Ensure that application libraries are secured from general users on the system. Although it requires some planning, consider setting the System Value and Library values for Default Create Authority to the most restrictive setting [*EXCLUDE].


*PUBLIC Access to New Files and Programs

When new files and programs are created on most systems, the average user automatically has change rights to the vast majority of those new objects. Non-named users (*PUBLIC) have the authority to read, add, change, and delete data from the file. These users can copy data from, or upload data to, the file, and even change some of the object characteristics of the file.

This is because *PUBLIC's authority to newly created files and programs typically comes from the library's Default Create Authority (CRTAUT) parameter. Figure 8 shows that 14 percent of libraries have Default Create Authority set to *USE, *CHANGE, or *ALL. However, 83 percent of libraries defer the setting to the QCRTAUT system value (*SYSVAL). Figure 8A extends the library-level assignment of *SYSVAL and reflects that the system value typically remains at the shipped default of *CHANGE. Just two percent of libraries (and six percent of system values) use the deny-by-default *EXCLUDE setting required by common regulatory standards such as PCI DSS.

FIGURE 8: Default Create Authority by Library: *SYSVAL 83%, *CHANGE 13%, *EXCLUDE 2%, *ALL 1%, *USE 1%.

FIGURE 8A: Default Create Authority by System (QCRTAUT): *CHANGE 81%, *ALL 7%, *EXCLUDE 6%, *USE 6%.

Another issue occurs when a user profile is created with permissions granted to the general user population (*PUBLIC). When *PUBLIC permissions exceed the strongly recommended setting of *EXCLUDE, this is known as an "unsecured profile." It is possible for an alternate user to run a job that leverages the privileges of the unsecured profile (for example, by submitting a job with the USER parameter set to that profile, which requires only *USE authority to the profile object). This activity will not be logged by the operating system as a security violation, since it is deemed permissible at all security levels. 70 percent of systems have at least one unsecured profile and 14 percent of systems have 10 or more profiles that are publicly accessible. This may create a loophole around a QSECURITY setting of level 40 or 50.

PRO TIP:
There's a clear need to prioritize cybersecurity and implement security tools that provide users with secure, frictionless access to the data they need. Fortra's Powertech tools can help with that.

Be sure to monitor changes to your database information, so you can meet compliance requirements.
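An added example serving both *PUBLIC sections above; it is not code from the study. It reproduces Figures 7 and 8 for one system, lists unsecured profiles, and then applies the deny-by-default settings, using the IBM-supplied QSYS2.OBJECT_PRIVILEGES and QSYS2.SYSTEM_VALUE_INFO views and the QSYS2.OBJECT_STATISTICS and QSYS2.LIBRARY_INFO table functions. PAYLIB and JSMITH are hypothetical names used in the remediation commands.

```sql
-- Added example, not part of the Fortra study: measure *PUBLIC exposure the
-- way the two *PUBLIC sections describe it, then close the gaps.

-- 1. Figure 7 for your own system: *PUBLIC authority to every library.
--    Libraries are *LIB objects in QSYS; OBJECT_AUTHORITY reads *AUTL when the
--    library is secured by an authorization list.
SELECT object_authority, COUNT(*) AS libraries,
       DECIMAL(100.0 * COUNT(*) /
               (SELECT COUNT(*) FROM qsys2.object_privileges
                WHERE object_type = '*LIB' AND authorization_name = '*PUBLIC'),
               5, 1) AS pct
FROM qsys2.object_privileges
WHERE object_type = '*LIB'
  AND authorization_name = '*PUBLIC'
GROUP BY object_authority
ORDER BY libraries DESC;

-- 2. Figure 8 for your own system: each library's CRTAUT, with QCRTAUT
--    substituted where the library says *SYSVAL, so the result is the
--    authority new objects actually receive. Q* libraries are IBM's and are
--    left out; LIBRARY_INFO is called once per library found by
--    OBJECT_STATISTICS.
WITH sysval AS (
  SELECT TRIM(current_character_value) AS qcrtaut
  FROM qsys2.system_value_info WHERE system_value_name = 'QCRTAUT'
)
SELECT lib.objname AS library,
       li.create_authority AS crtaut,
       CASE WHEN li.create_authority = '*SYSVAL' THEN s.qcrtaut
            ELSE li.create_authority END AS effective_new_object_authority
FROM TABLE(qsys2.object_statistics('QSYS', '*LIB')) lib,
     sysval s,
     TABLE(qsys2.library_info(lib.objname)) li
WHERE lib.objname NOT LIKE 'Q%'
ORDER BY effective_new_object_authority, library;

-- 3. Unsecured profiles: *PUBLIC authority to a *USRPRF object above *EXCLUDE
--    lets anyone submit jobs under that profile.
SELECT system_object_name AS profile, object_authority AS public_authority
FROM qsys2.object_privileges
WHERE object_type = '*USRPRF'
  AND authorization_name = '*PUBLIC'
  AND object_authority <> '*EXCLUDE'
ORDER BY profile;

-- 4. Remediation. Set CRTAUT on QSYS explicitly before QCRTAUT becomes
--    *EXCLUDE; otherwise automatically created device descriptions inherit
--    *EXCLUDE and users cannot sign on at them. Then close the gate on one
--    application library and one unsecured profile.
CALL qsys2.qcmdexc('CHGLIB LIB(QSYS) CRTAUT(*CHANGE)');
CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QCRTAUT) VALUE(''*EXCLUDE'')');
CALL qsys2.qcmdexc('CHGLIB LIB(PAYLIB) CRTAUT(*EXCLUDE)');
CALL qsys2.qcmdexc('GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)');
CALL qsys2.qcmdexc('GRTOBJAUT OBJ(JSMITH) OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*EXCLUDE)');
```

Changing CRTAUT affects only objects created from then on; existing objects keep the *PUBLIC authority they were created with, so query 1 should be repeated at the object level (OBJECT_TYPE = '*FILE') for each application library before it is declared secured.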


Network Access

Services such as FTP, ODBC, JDBC, and DDM can send IBM i data across the network as soon as the machine is powered on. All end users need is a free tool from the internet or even tools pre-loaded onto a PC. For example, Windows comes with FTP client software that easily sends or retrieves data from an IBM i server.

Some TCP services even permit the execution of server commands. The easily accessed FTP service enables commands like Delete Library (DLTLIB) to be run by all users through its RCMD subcommand, even those without command line permission on their profile.

Firewall protection leads some IBM i pros to question whether systems are ever actually accessed in this way. However, the Fortra team witnessed an attack in progress where an intruder had successfully penetrated the perimeter and repeatedly tried to access a client's system via FTP using several different user profiles, including ADMINISTRA and ROOT.

To reduce this exposure, IBM provides interfaces known as exit points that allow administrators to secure their systems. An exit program attached to an exit point can monitor and restrict network access to the system. An exit program should have two main functions: to audit access requests and to provide access control that augments IBM i object-level security.

Fortra reviewed 27 different network exit point interfaces on each system to check whether an exit program was registered. 65 percent of the systems have no exit programs in place to allow them to log and control network access (Figure 9). Even on the systems with exit programs, coverage is often incomplete. Just three percent of systems have all 27 exit points covered. Adoption of exit programs has grown steadily in recent years, but many companies are still unaware of this wide-open network access problem.

FIGURE 9: One Or More Exit Programs in Place: Yes 35%, No 65%.

PRO TIP:
At organizations that lack a commercial-grade exit program solution, this tends to be the most highly prioritized remediation item. Without exit programs, IBM i does not provide any audit trail of user activity originating through common network access tools such as FTP and ODBC (object auditing in the security audit journal can record that an object was read or changed, but not the network request that did it).

Organizations can write their own exit programs or use software to accomplish this. The advantage of commercial solutions like Powertech Exit Point Manager for IBM i is that you get broader coverage that protects all critical exit points.
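An added example, not from the study, that produces a coverage report like the one behind Figure 9 and shows a registration. It uses the IBM-supplied views QSYS2.EXIT_POINT_INFO and QSYS2.EXIT_PROGRAM_INFO and the ADDEXITPGM command through QSYS2.QCMDEXC. The VALUES list is a subset of the network exit points (the study checked 27; extend it to match your own policy), and MYLIB/NETEXIT and MYLIB/DDMEXIT are hypothetical exit programs.

```sql
-- Added example, not part of the Fortra study: exit point coverage report.

-- 1. Which network exit points have no exit program registered. Exit points
--    with several formats (the FTP logon point) appear once per format.
WITH network_exit_points (exit_point) AS (
  VALUES ('QIBM_QTMF_SERVER_REQ'),   -- FTP server request (RCMD, GET, PUT ...)
         ('QIBM_QTMF_SVR_LOGON'),    -- FTP server logon
         ('QIBM_QTMF_CLIENT_REQ'),   -- FTP client request
         ('QIBM_QTMX_SERVER_REQ'),   -- REXEC server request
         ('QIBM_QZDA_INIT'),         -- database server (ODBC/JDBC) initialization
         ('QIBM_QZDA_NDB1'),         -- database server native database requests
         ('QIBM_QZDA_SQL1'),         -- database server SQL requests
         ('QIBM_QZDA_SQL2'),
         ('QIBM_QZDA_ROI1'),         -- database server object information
         ('QIBM_QZRC_RMT'),          -- remote command / distributed program call
         ('QIBM_QZSO_SIGNONSRV'),    -- sign-on server
         ('QIBM_QZHQ_DATA_QUEUE'),   -- data queue server
         ('QIBM_QNPS_ENTRY'),        -- network print server entry
         ('QIBM_QNPS_SPLF'),         -- network print server spooled file
         ('QIBM_QPWFS_FILE_SERV')    -- file server (NetServer/IFS)
)
SELECT n.exit_point,
       e.exit_point_format_name AS format,
       COUNT(p.exit_program) AS programs,
       CASE WHEN COUNT(p.exit_program) = 0 THEN 'UNCOVERED' ELSE 'covered' END AS status
FROM network_exit_points n
LEFT JOIN qsys2.exit_point_info e
       ON e.exit_point_name = n.exit_point
LEFT JOIN qsys2.exit_program_info p
       ON p.exit_point_name = e.exit_point_name
      AND p.exit_point_format_name = e.exit_point_format_name
GROUP BY n.exit_point, e.exit_point_format_name
ORDER BY programs, n.exit_point;

-- 2. What is registered. An unexpected program is as important as a missing
--    one: an exit point also lets an intruder run code on every FTP logon.
SELECT exit_point_name, exit_point_format_name, exit_program_number,
       exit_program_library, exit_program
FROM qsys2.exit_program_info
WHERE exit_point_name LIKE 'QIBM_QT%' OR exit_point_name LIKE 'QIBM_QZ%'
   OR exit_point_name LIKE 'QIBM_QNPS%' OR exit_point_name LIKE 'QIBM_QPWFS%'
ORDER BY exit_point_name, exit_program_number;

-- 3. Registering a program. FORMAT must match the format the exit point is
--    registered with (VLRQ0100 for the FTP server request point; query 1
--    shows the others). The FTP server must be restarted to pick it up.
CALL qsys2.qcmdexc(
  'ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) PGMNBR(1) PGM(MYLIB/NETEXIT)');
CALL qsys2.qcmdexc('ENDTCPSVR SERVER(*FTP)');
CALL qsys2.qcmdexc('STRTCPSVR SERVER(*FTP)');

-- DDM and DRDA requests are not controlled through the registration facility;
-- they go through the DDMACC network attribute: CHGNETA DDMACC(MYLIB/DDMEXIT).
```

Query 2 belongs in change monitoring as well as in the audit: a diff of its output against the last known-good run catches both a removed control and a planted exit program.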


Command Line Access

The traditional way to control access to sensitive data and powerful commands was to limit command line access for end users. And in the past, this method was effective.

In addition to configuring the user profile with limited capabilities (LMTCPB(*YES)), application menus controlled how users accessed data and when they had access to a command line. However, as IBM opens new interfaces that provide access to data and the opportunity to run remote commands, this approach isn't as sound as it used to be.

25 percent of users have had their command line access revoked, leaving them unable to run most commands through traditional menu-based interfaces. 18 percent of users studied have both command line access and an enabled profile, which presents a very clear risk.

Several network interfaces do not acknowledge the command line limitations configured in a user profile and must be controlled in other ways. This means that users can run commands remotely, even when system administrators have purposely taken precautions to restrict them from using a command line. The limit-capabilities attribute is enforced only where a command line is presented; a command string passed to a program such as QCMDEXC by a remote request is not a command line, so the attribute does not apply there.

PRO TIP:
Based on the broad *PUBLIC authority demonstrated in earlier sections, anyone on these systems can access data, commands, and programs without the operating system keeping a record.

Start addressing this problem by reviewing network data access transactions for inappropriate or dangerous activity. Be sure to establish clear guidelines for file download and file sharing permissions. Remove default Db2 access in tools like Microsoft Excel, IBM i Client Access, and Access Client Solutions.


Security Event Auditing

IBM i can log important security-related events into an append-only repository, the Security Audit Journal (QSYS/QAUDJRN). Entries cannot be altered once written, although a sufficiently privileged user can still delete journal receivers, so receivers should be saved and moved off the system regularly. This feature allows organizations to determine the source of critical security events, such as "who deleted this file?" or "who gave this user *ALLOBJ authority?" This information can make the difference between responding promptly to a security event and discovering a breach after significant damage has occurred. The challenge is that the volume of data contained in the Security Audit Journal is large and the contents are cryptic. Most IT staff have trouble monitoring and making sense of the logged activity.

19 percent of the systems reviewed do not have an audit journal repository (Figure 10). 28 percent of systems are operating with the QAUDCTL system value at its shipped value of *NONE. QAUDCTL is the master on/off switch for auditing: at *NONE no system-level or object-level events are logged, regardless of whether the audit journal exists. A system that has QAUDJRN but still has QAUDCTL at *NONE suggests that administrators created the journal but never completed the configuration (QAUDCTL and QAUDLVL must also be set), or turned auditing back off later.

FIGURE 10: IBM i Security Audit Journal in Place. YES 81%, NO 19%.

When organizations have activated the Security Audit Journal, it's unclear how much insight the extensive data is providing them. A few software vendors provide auditing tools that report on and review the system data written to the Security Audit Journal, but only 25 percent of the systems in this study have a recognizable tool installed.

PRO TIP:
Use the Security Audit Journal and automate the analysis of the raw data. Auditing tools reduce the cost of compliance reporting and increase the likelihood that the work actually gets done. Software that integrates with IBM i can forward security events to your Security Information and Event Management (SIEM) solution in real time.
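As an added example (not from the report, and not the commands of Fortra's or any other vendor's product), the CL sequence below takes a system from the state the study describes, a QAUDJRN journal that is missing or a QAUDCTL still at *NONE, to one that can answer both questions in the text. The library QGPL, the receiver name AUDRCV0001 and the file PAYLIB/PAYROLL are assumptions; the commands, exit values and system value settings are IBM's documented ones.

```cl
/* Step 1: see where auditing stands. QAUDCTL at *NONE means nothing  */
/* is logged even when QSYS/QAUDJRN already exists.                   */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)
WRKJRNA JRN(QSYS/QAUDJRN)

/* Step 2: create the receiver and the journal. The receiver goes in  */
/* a library that is saved regularly (QGPL is assumed here), never in */
/* QSYS. AUT(*EXCLUDE) keeps *PUBLIC away from the log itself.        */
/* THRESHOLD is in KB; MNGRCV(*SYSTEM) lets the OS attach a fresh     */
/* receiver when the threshold is reached, and DLTRCV(*NO) keeps the  */
/* detached receivers until you have saved them yourself.             */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) TEXT('Security audit journal receiver')
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Security audit journal')

/* Step 3: choose what to log. *SECURITY produces the CP entries that */
/* answer "who gave this user *ALLOBJ", *DELETE produces the DO       */
/* entries that answer "who deleted this file", *AUTFAIL records      */
/* authority failures (AF). VALUE replaces the whole list.            */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *CREATE *DELETE *SECURITY *SAVRST *SERVICE')

/* Step 4: turn the master switch on. *AUDLVL activates the QAUDLVL   */
/* list, *OBJAUD activates per-object auditing, *NOQTEMP drops the    */
/* noise from objects in QTEMP. Takes effect immediately, no IPL.     */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* Step 5: audit every access to one sensitive file (assumed name).   */
/* *OBJAUD in QAUDCTL is what makes this attribute do anything.       */
CHGOBJAUD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*ALL)

/* Step 6: answer the two questions from the text.                    */
DSPAUDJRNE ENTTYP(CP)    /* user profiles created, changed, restored  */
DSPAUDJRNE ENTTYP(DO)    /* objects deleted                           */
```

DSPAUDJRNE is the built-in viewer and is enough to spot-check a single entry type; for anything continuous, the QSYS2.DISPLAY_JOURNAL table function lets you read QAUDJRN with SQL, which is what most SIEM forwarders for IBM i are built on.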


Protection from Ransomware, Viruses, and Other Malware

The traditional IBM i library and object infrastructure is considered highly virus-resistant, but other file structures within the Integrated File System (IFS), such as the root (/) and QOpenSys file systems, are susceptible to hosting infected files, which can then be propagated throughout the network. Recognizing this reality, IBM created system values (QSCANFS and QSCANFSCTL) and registered exit points (QIBM_QP0L_SCAN_OPEN and QIBM_QP0L_SCAN_CLOSE) to support native virus scanning.

Results from the 2023 IBM i Marketplace Survey indicate that 30% of IBM i professionals regard ransomware as one of their greatest IBM i cybersecurity challenges. Administrators are also starting to recognize that IBM i contains file systems that are not immune to infection and, under certain circumstances, native applications and even IBM i itself can be impacted.

When the servers in this study were reviewed for antivirus controls, 13 percent were scanning on file open, a noticeable increase over prior years (Figure 11). But the other 87 percent remain at risk of having internal objects impacted or of spreading an infection to another server in their network.

FIGURE 11: Scanning on IFS File Open. YES 13%, NO 87%.

PRO TIP:
Register an exit program to exit point QIBM_QP0L_SCAN_OPEN so that IFS stream files are scanned before an open completes, whether the open comes from a local job or from a PC through a file server. An infected file that fails the scan is never read, executed, or served, which stops it from spreading beyond the IBM i environment. Note that the exit point is only a hook: the registered program has to perform the scan, and QSCANFS must be set to *ROOTOPNUD for the hook to fire at all.

Install an antivirus solution that runs natively on IBM i, such as Powertech Antivirus for IBM i, to detect and remove infections and to prevent malware from spreading beyond the current environment.

In addition, an exit program registered to the QIBM_QPWFS_FILE_SERV exit point sees file requests arriving through the IBM i file server and can reject them, which limits what a virus or ransomware running on another machine on the network can do to IFS files it reaches through a share mapped from IBM i.
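The configuration the tip describes, as an added CL example. It is not the report's own procedure and not the commands of any particular antivirus product: the programs AVLIB/SCANOPEN, AVLIB/SCANCLOSE and AVLIB/FSRVEXIT are assumed names for exit programs you or a vendor supply, and /home is an assumed directory; the exit points, formats and system values are IBM's.

```cl
/* Step 1: make the IFS scannable. QSCANFS(*ROOTOPNUD) enables        */
/* scanning of stream files in root (/), QOpenSys and user-defined    */
/* file systems. QSCANFSCTL(*ERRFAIL) fails the open when the scanner */
/* itself fails, i.e. fail closed instead of letting the file through.*/
CHGSYSVAL SYSVAL(QSCANFS) VALUE('*ROOTOPNUD')
CHGSYSVAL SYSVAL(QSCANFSCTL) VALUE('*ERRFAIL')

/* Step 2: register the scanning programs (assumed names). The exit   */
/* program does the actual scanning; registering the point with       */
/* nothing behind it scans nothing. THDSAFE(*YES) records that the    */
/* program is thread safe; the program must actually be, because the  */
/* file system calls it from multithreaded jobs.                      */
ADDEXITPGM EXITPNT(QIBM_QP0L_SCAN_OPEN) FORMAT(SCOP0100) PGMNBR(1) PGM(AVLIB/SCANOPEN) THDSAFE(*YES) TEXT('Scan IFS stream files on open')
ADDEXITPGM EXITPNT(QIBM_QP0L_SCAN_CLOSE) FORMAT(SCCL0100) PGMNBR(1) PGM(AVLIB/SCANCLOSE) THDSAFE(*YES) TEXT('Scan IFS stream files on close')

/* Step 3: objects carry their own *SCAN attribute; make sure the     */
/* directories users write to are marked scannable (assumed: /home).  */
CHGATR OBJ('/home') ATR(*SCAN) VALUE(*YES) SUBTREE(*ALL)

/* Step 4: limit what an infected PC can do through the file server.  */
/* The assumed program AVLIB/FSRVEXIT rejects requests it does not    */
/* allow (for example mass renames or deletes from one PC session).   */
/* The file server reads its registrations at start-up, so restart   */
/* it; this drops current file server sessions, so schedule it.       */
ADDEXITPGM EXITPNT(QIBM_QPWFS_FILE_SERV) FORMAT(PWFS0100) PGMNBR(1) PGM(AVLIB/FSRVEXIT) TEXT('File server request filter')
ENDHOSTSVR SERVER(*FILE)
STRHOSTSVR SERVER(*FILE)

/* Step 5: verify the registrations and the system values.            */
WRKREGINF EXITPNT(QIBM_QP0L_SCAN_OPEN)
WRKREGINF EXITPNT(QIBM_QPWFS_FILE_SERV)
DSPSYSVAL SYSVAL(QSCANFS)
DSPSYSVAL SYSVAL(QSCANFSCTL)
```

A quick functional check after this is to copy a harmless test file that your scanner is configured to flag into /home from a PC and confirm that opening it fails; if it opens cleanly, look first at QSCANFS and at the *SCAN attribute of the directory, not at the exit program.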


Conclusion

IBM i has a reputation as one of the most securable platforms available. One of IBM i's great advantages is that sophisticated tools for securing, monitoring, and logging are built into the OS. But experts agree that IBM i security is only as effective as the policies, procedures, and configurations put in place to manage it.

This study highlighted a number of common security exposures and configuration management practices that must be addressed to protect the data on IBM i systems. No system became vulnerable overnight, nor is it possible to fix every security problem in a single day. What's important is starting somewhere and making continued progress toward a stronger security profile.

FORTRA IS HERE TO HELP WITH IBM i
Check how secure your IBM i is with a Security Scan from Fortra. Security Scan is free, fast, and reveals your system's security gaps. Our Security Advisers can then help you formulate a plan to remedy your security vulnerabilities.

If you're unsure how to proceed, start with the top priorities for IBM i security:

System Security: Check the QSECURITY level and make sure it's 40 or higher

Security Auditing: Create QAUDJRN, set QAUDCTL and QAUDLVL, and find a tool to help interpret the journal

Network Access: Register the most common exit points, such as FTP and the database (ODBC/JDBC) host servers, first

User Privileges: Reduce unnecessary special authorities, starting with *ALLOBJ
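The four priorities above, together with the earlier Network Access tip about default Db2 access from desktop tools, as one added CL example. This is not the report's procedure and not Fortra's software: the exit programs in SECLIB and the user profile BOB are assumed names, the exit points, formats and system values are IBM's, and the comments carry the caveats an administrator trips over first.

```cl
/* 1. System security level. Before moving from 30 to 40, add         */
/* *PGMFAIL to QAUDLVL and run for a while: the AF entries then show  */
/* the programs that would break at level 40. VALUE replaces the      */
/* whole list, so keep the values already in use. QSECURITY itself    */
/* only takes effect at the next IPL.                                 */
DSPSYSVAL SYSVAL(QSECURITY)
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *PGMFAIL *SECURITY *DELETE')
DSPAUDJRNE ENTTYP(AF)
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')

/* 2. Security auditing: the master switch must not be *NONE.         */
DSPSYSVAL SYSVAL(QAUDCTL)

/* 3. Network access: FTP logon and request exits first, then the     */
/* database host server that ODBC, JDBC and desktop tools such as     */
/* Excel and Access Client Solutions come in through. The programs in */
/* SECLIB are assumed names for your own exit programs.               */
ADDEXITPGM EXITPNT(QIBM_QTMF_SVR_LOGON) FORMAT(TCPL0100) PGMNBR(1) PGM(SECLIB/FTPLOGON)
ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) PGMNBR(1) PGM(SECLIB/FTPREQ)
ADDEXITPGM EXITPNT(QIBM_QZDA_INIT) FORMAT(ZDAI0100) PGMNBR(1) PGM(SECLIB/DBINIT)
ADDEXITPGM EXITPNT(QIBM_QZDA_SQL1) FORMAT(ZDAQ0100) PGMNBR(1) PGM(SECLIB/DBSQL)
/* Servers read their registrations at start-up, so restart them.     */
/* Ending the database server drops current ODBC/JDBC sessions.       */
ENDTCPSVR SERVER(*FTP)
STRTCPSVR SERVER(*FTP)
ENDHOSTSVR SERVER(*DATABASE)
STRHOSTSVR SERVER(*DATABASE)

/* 4. User privileges: list who holds *ALLOBJ and who is in the       */
/* *SECOFR user class, then take the authority away from profiles     */
/* that do not need it (BOB is assumed).                              */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)
PRTUSRPRF TYPE(*AUTINFO) SELECT(*USRCLS) USRCLS(*SECOFR)
CHGUSRPRF USRPRF(BOB) SPCAUT(*NONE)
```

Two things to check before relying on this: a profile can also inherit *ALLOBJ from a group profile, so review the group profiles the PRTUSRPRF report lists, not only the individual users; and a deny-all exit program on the database server will also block your own monitoring and batch jobs, so start with a log-only program and tighten it once the audit data shows who actually connects.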

Most experts recommend starting with an assessment of vulnerabilities to understand where your system
security stands today and how it could be improved. Security professionals with IBM i expertise and user-
friendly software solutions are available to make this project faster and easier. Fortra offers a range of
options, from a very thorough Risk Assessment to a quick, no-charge Security Scan.

Once you have all the information, you can begin formulating a plan that addresses your organization’s
security vulnerabilities. And from there, security will become business as usual—not a moment of panic
after a failed audit or a data breach.


About The Authors

Sandi Moore has been working with Fortra customers for 15 years, helping them to effectively address systems monitoring and cybersecurity challenges on IBM i. Organizations throughout the public and private sector rely on Sandi's expertise, whether they're looking to proactively protect their systems or improve security controls after a malware attack.

Amy Williams is a Senior Security Services Consultant who joined Fortra in 2015. She holds CISSP, CISA, and PCI-P certifications. Amy first began working on the IBM i platform in 1994 and her experience includes application testing, system installation, system administration, and architecture.

Our Security Solutions


Fortra is the leading expert in automated security solutions for IBM Power Systems servers, helping users manage today’s compliance regulations and data privacy
threats. Our security solutions and services save your valuable IT resources, giving you ongoing protection and peace of mind.

Because IBM Power servers often host sensitive corporate data, organizations need to practice proactive compliance security. As an IBM Advanced Business Partner
with an expansive worldwide customer base, Fortra understands corporate vulnerability and the risks associated with data privacy and access control.

Fortra security solutions and services are the corporate standard for IBM i security at many major international financial institutions. Fortra has demonstrated
a proven commitment to the security and compliance market and leads the industry in raising awareness of IBM i security issues and solutions, leveraging the
experience of some of the world's foremost IBM i security experts.

About Fortra
Fortra is a cybersecurity company like no other. We’re creating a simpler, stronger future for our
customers. Our trusted experts and portfolio of integrated, scalable solutions bring balance and
control to organizations around the world. We’re the positive changemakers and your relentless ally
to provide peace of mind through every step of your cybersecurity journey. Learn more at fortra.com.

© Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners. fta-pt-gd-0423-r1-79d
