IBM Systems Magazine, Power Systems - July 2017 - 22
SPECIAL REPORT: AIX SECURITY
There's no denying it:
good intentions alone
won't protect your
organization's critical data.
Indeed, according to a recent AIX*
security survey conducted by
IBM Systems Magazine, a majority
of respondents indicated they
were either very (55.6 percent)
or somewhat (34.8 percent)
concerned about the platform's
security (see Figure 1, below).
These numbers may be large for
a number of reasons, according to
Stephen Dominguez, worldwide
AIX security lead for IBM Systems
Lab Services. "It could be due to
the critical nature of their data,
whether it's credit card numbers
or health data. In the case of
a data breach, organizations
storing such sensitive data
can face devastating business
consequences, not to mention
the stress their customers may
experience if their data is sold on
the black market and exploited in
"The large percentage of
concerned participants could also
be due to the lack of confidence in
their existing security defenses."
Most organizations would
have greater confidence in their
security defenses, Dominguez
continues, if they approached
their information security
holistically, leveraging enterprise
risk management and defense in depth.
"Enterprise Risk Management
involves identifying all types of
security threats and vulnerabilities
(and not just those involved with
compliance) in an organization,
prioritizing and fixing them to
reduce risk to an acceptable
level. Defense in depth is where
an organization implements
many layers of security defenses,
so if one layer is compromised,
other layers will protect an
organization's assets from an
attacker," he says.
According to the survey, the top three current
security worries were authorized system user
access or credential abuse, external hackers and
unauthorized users, in that order. Clearly, data
can be attacked from all sides, by internal or
external actors, and protecting it needs to be
taken seriously (see Figure 2, page 23).
"We're mostly concerned about unauthorized
system users or credential abuse, because any
logged-in user can compromise the system if they use
the appropriate tools," notes Enid Vrenozaj, head of
IT systems with Societe Generale Albania, a banking
organization based in Tirana, Albania.
Of concern, however, is the 54 percent of
respondents who reported they don't have
methodologies in place to identify unauthorized users.
The remaining 46 percent indicated they use a variety
of solutions, including access monitoring tools, Active
Directory audits, biometric passwords, cognitive
passwords and one-time dynamic passwords.
SNS Bank, headquartered in Utrecht, Netherlands,
uses the IBM Security Directory Server (SDS),
role-based access control (RBAC) and IP access control
on AIX to address this issue. As an added layer of
defense, it's also using several firewalls.
When asked what procedures they followed when
they uncover unauthorized access, 53.5 percent of
respondents said they had no procedures in place,
while the remaining 46.5 percent indicated they did.
Methods included escalating reports to their security
teams, blocking access and determining its origin
point, and collecting evidence and notifying their
Christian Sonnemans, UNIX* system engineer
with SNS Bank, has concerns similar to Societe
Generale Albania's Vrenozaj. However, he notes
the bank is worried about both
internal and external threats,
in keeping with the survey's
top-cited AIX security concerns.
Figure 1: How concerned are you
about AIX security?
"Most threats come from inside,
such as unauthorized users, but
we're also concerned about outside
hacks, such as Heartbleed or other
SSH and SSL exploits, including
known AIX defects," he says.
And then there's the double
whammy of an external hacker
gaining root access. If a hacker
obtains an admin's credentials, he
or she can use that access to launch
a sophisticated, multipronged
attack that may go undetected for
a long period of time.
"Many hacking groups are
well-funded and patient; it's their
job. They'll just keep probing
and probing until they find a
vulnerability, and that includes
gaining root access and installing
malware that can be used to
launch even more attacks,"
Dominguez says. "But we have a
pretty robust tool in AIX, Trusted
Execution (TE), that will flag
malware, and I hope people are
SNS Bank certainly is.
"We put a lot of effort into
implementing Trusted Execution
and RBAC, including for our
software administrators. We've
also deployed an SDS LDAP
environment, which is also used for
storing the extra databases needed
for TE and RBAC, in read-only
mode," Sonnemans says.
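To make concrete what Dominguez and Sonnemans mean by Trusted Execution flagging tampered or unknown binaries, here is an added illustration in Python; it is not AIX code and not SNS Bank's configuration. It models TE's core mechanism: a trusted signature database of file digests, owner and mode, consulted before a binary is allowed to run, with a policy switch modelled on TE's STOP_UNTRUSTD option. Real TE stores signed entries in /etc/security/tsd/tsd.dat and is administered with trustchk(1); the temporary "binaries", the tampering scenario and all file names below are constructed for the demonstration.

```python
"""
Trusted-Execution-style integrity check (added illustration, not AIX code).
A baseline of digests, owner and mode stands in for TE's trusted signature
database; check() and exec_policy() model the verify-before-execute hook.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

TRUSTED, MODIFIED, UNTRUSTED = "TRUSTED", "MODIFIED", "UNTRUSTED"


@dataclass(frozen=True)
class TsdEntry:
    sha256: str
    owner: int
    mode: int


def fingerprint(path):
    """Digest plus the metadata TE also pins (owner, permission bits)."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return TsdEntry(h.hexdigest(), st.st_uid, stat.S_IMODE(st.st_mode))


def build_tsd(paths):
    """Baseline every listed file while the system is known-good."""
    return {p: fingerprint(p) for p in paths}


def check(path, tsd):
    """Verdict for one file against the baseline."""
    entry = tsd.get(path)
    if entry is None:
        return UNTRUSTED  # never baselined: not in the database at all
    if fingerprint(path) != entry:
        return MODIFIED   # content, owner or mode changed since baseline
    return TRUSTED


def exec_policy(path, tsd, stop_untrusted=True):
    """Model of CHKEXEC with STOP_UNTRUSTD: when stop_untrusted is on,
    anything not TRUSTED is refused; when off, the violation is only
    reported and execution is allowed. Returns (allowed, verdict)."""
    verdict = check(path, tsd)
    if verdict != TRUSTED and stop_untrusted:
        return False, verdict
    return True, verdict


def demo():
    """Constructed scenario in a temp dir: baseline two 'binaries', then
    trojan one and drop a third that was never baselined."""
    d = tempfile.mkdtemp()
    ls, ps, rogue = (os.path.join(d, n) for n in ("ls", "ps", "rogue"))
    for p in (ls, ps):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho " + os.path.basename(p) + "\n")
        os.chmod(p, 0o755)
    tsd = build_tsd([ls, ps])
    with open(ps, "a") as f:       # simulate a trojaned binary
        f.write("echo pwned\n")
    with open(rogue, "w") as f:    # simulate dropped malware
        f.write("#!/bin/sh\n")
    return {
        "ls": exec_policy(ls, tsd),
        "ps": exec_policy(ps, tsd),
        "rogue": exec_policy(rogue, tsd),
        "ps_log_only": exec_policy(ps, tsd, stop_untrusted=False),
    }


if __name__ == "__main__":
    for name, (allowed, verdict) in demo().items():
        print(f"{name:12s} {verdict:10s} {'run' if allowed else 'blocked'}")
```

The point the scenario makes is the one Dominguez raises: a trojaned copy of an existing tool and a freshly dropped binary are both caught, but only if the policy actually stops untrusted execution; in log-only mode the trojan still runs and the alert has to be acted on by someone.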
But thwarting credential abuse
is no small feat. In order for
administrators to do their jobs,
they need almost unfettered
access to the entire system;
without it, their ability to
perform their day-to-day tasks
is hampered. So implementing
"the principle of least privilege
can be challenging," Dominguez says.
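One way to see how least privilege for administrators is made tractable on AIX, as an added illustration and not a real system's configuration: enhanced RBAC lets a role carry dotted, hierarchical authorizations, and each privileged command names the authorizations that admit a caller. The Python below models that check. The roles, users and the command-to-authorization mapping are constructed for the example, though the authorization strings follow AIX's aix.* naming; AIX itself keeps the real tables in /etc/security/roles and /etc/security/privcmds.

```python
"""
Least-privilege check in the style of AIX enhanced RBAC (added illustration,
not AIX code). Users hold roles, roles carry hierarchical authorizations,
and a privileged command lists the authorizations that admit a caller.
"""


def auth_implies(held, required):
    """A held authorization covers the required one when it is equal or is
    a dotted-prefix ancestor: 'aix.fs' covers 'aix.fs.manage.mount' but
    not 'aix.fsx'."""
    return held == required or required.startswith(held + ".")


def effective_auths(user, users, roles):
    """Union of the authorizations granted by all of the user's roles."""
    return {a for r in users.get(user, ()) for a in roles.get(r, ())}


def can_run(user, command, users, roles, privcmds):
    """Like accessauths in privcmds: the entries are alternatives, so any
    one held authorization (or an ancestor of it) admits the caller."""
    held = effective_auths(user, users, roles)
    return any(auth_implies(h, req) for req in privcmds[command] for h in held)


# Constructed configuration: scoped roles beside one catch-all role.
ROLES = {
    "FSAdmin": {"aix.fs.manage"},
    "UserAdmin": {"aix.security.user"},
    "Superadmin": {"aix"},          # root-equivalent; what least privilege avoids
}
USERS = {
    "ops_frank": ["FSAdmin"],
    "helpdesk_ana": ["UserAdmin"],
    "root_like": ["Superadmin"],
}
PRIVCMDS = {
    "/usr/sbin/mount": ["aix.fs.manage.mount"],
    "/usr/bin/chuser": ["aix.security.user.change"],
    "/usr/bin/passwd": ["aix.security.passwd", "aix.security.user.change"],
    "/usr/sbin/shutdown": ["aix.system.boot.shutdown"],
}


def audit_user(user, users=USERS, roles=ROLES, privcmds=PRIVCMDS):
    """Every privileged command the user could run: the quickest way to
    see whether a role is scoped to a job or is root in disguise."""
    return sorted(c for c in privcmds
                  if can_run(user, c, users, roles, privcmds))


if __name__ == "__main__":
    for u in USERS:
        print(u, "->", audit_user(u))
```

Reading the audit output for each user is the check a practitioner wants: the file-system admin can mount but not change accounts, the help-desk role reaches passwd through the aix.security.user hierarchy without needing the bare password authorization, and the catch-all role shows up as able to run everything, which is the condition the article's "too much access" warning is about.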
"It's not a simple task ensuring
administrators don't have too