October 17, 2017 | IBM i

Security Breach Tips: Stopping IBM i Application Security Breaches



A good system monitoring package is essential for any IBM i shop. System monitoring packages like SEA Software’s absMessage provide a number of benefits when a system or programming error occurs on an IBM i system, including alerting on-call responders, automatically answering messages, and escalating issues to the next responder in a call tree.


But as valuable as system monitoring packages are, they are only half of the total monitoring solution most IBM i shops need. To get complete IBM i monitoring, you should consider adding application security monitoring to your monitoring scheme.

What’s application security monitoring?

Application security monitoring packages such as SEA’s AP Journal Application Security & Business Analysis Solution (AP Journal) are a relatively new type of monitoring category that combines application database monitoring and auditing. Just as system monitoring detects and responds to IBM i system and programming issues, application security monitoring detects and responds to security breaches in IBM i application and database activity.


Application security monitoring software analyzes file field-level activity (READ, WRITE, and UPDATE) to detect, report, and archive suspicious activity in sensitive files. Application security software detects and reports on suspicious database access and updates such as:

  • When an unauthorized user views and changes regulated information, such as stored credit card numbers (regulatory violation)
  • Users entering data that exceeds compliance thresholds or business requirements, such as a salesperson who offers customers excessive and unnecessary order discounts (profit margin destruction)
  • Unauthorized or illegal expenditures, such as when an unauthorized user accesses the payroll file and changes their pay rate or when managers order large capital items without approval (fraud detection and unauthorized spending)
  • Database updates that are performed by utility programs such as IBM’s Data File Utility (DFU) or interactive SQL, rather than by allowed and authorized programs (unsecured updates)

Most application security breaches leave traces in your IBM i database. A package like AP Journal polices your database looking for security infractions, according to rules and regulations (filters) that you define.


Filters can be set up to look for specific changes in any IBM i database field (a critical field changed outside of defined limits), such as when a salesperson enters an order with excessive discounts that lower gross profit below its minimum amount. Filters can also be set up to examine information about how critical files and fields were accessed or changed, providing information about who’s reading your critical files, what IP address they were using to access the data, what program they were using, and more. Application security filters are flexible in that they can find data breaches (changes to critical data outside of defined limits) and they can also find access breaches (non-authorized users and devices gaining access to restricted files and data).
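To make the two filter kinds concrete, here is an added example (not SEA’s AP Journal code) of a minimal filter engine run over constructed, simplified journal-entry records: one data-breach rule (gross profit below a minimum) and two access-breach rules (unauthorized user, update made by a program outside the allow list). The record fields, file names, program names, user profiles and limits are all assumptions made for the example.

```python
# Added example, not SEA's AP Journal code: a minimal filter engine run over
# constructed, simplified journal-entry records. Field names are assumptions.
from dataclasses import dataclass, field

@dataclass
class JournalEntry:
    entry_type: str   # UP = update, PT = put (add), DL = delete
    file: str         # physical file name, e.g. ORDHDR
    user: str         # job user profile
    program: str      # program that performed the I/O
    ip: str           # remote address of the job
    before: dict = field(default_factory=dict)  # before-image field values
    after: dict = field(default_factory=dict)   # after-image field values

# Filters keyed by file: who may touch it, which programs may change it, and
# the business limit a critical field must respect (constructed values).
RULES = {
    "ORDHDR": {"allowed_update_programs": {"ORDENT01", "ORDMNT02"}, "min_gppct": 15.0},
    "PAYROLL": {"authorized_users": {"HRADMIN", "PAYCLERK"},
                "allowed_update_programs": {"PAYUPD01"}},
}

def evaluate(e: JournalEntry) -> list[tuple[str, str]]:
    """Apply every filter defined for e.file; return (rule, detail) findings."""
    rule = RULES.get(e.file)
    if rule is None:
        return []
    findings = []
    # Access breach: a user outside the authorized set touched a restricted file.
    users = rule.get("authorized_users")
    if users is not None and e.user not in users:
        findings.append(("UNAUTHORIZED_USER", f"{e.user}@{e.ip} {e.entry_type} {e.file} via {e.program}"))
    # Unsecured update: change by a program off the allow list (where DFU or interactive SQL would surface).
    if e.entry_type in {"UP", "PT", "DL"} and e.program not in rule.get("allowed_update_programs", set()):
        findings.append(("UNSECURED_UPDATE", f"{e.program} changed {e.file} as {e.user}"))
    # Data breach: critical field pushed outside its defined limit.
    gp, floor = e.after.get("GPPCT"), rule.get("min_gppct")
    if gp is not None and floor is not None and gp < floor:
        findings.append(("DATA_LIMIT", f"GPPCT {e.before.get('GPPCT')} -> {gp} below {floor}"))
    return findings

def scan(entries: list[JournalEntry]) -> list[tuple[str, str]]:
    """Run every entry through the filters and collect all findings in order."""
    return [f for e in entries for f in evaluate(e)]

# Constructed sample entries: an excessive discount, a pay-rate change by an
# unauthorized user through a utility program, and a legitimate payroll update.
SAMPLE = [
    JournalEntry("UP", "ORDHDR", "SALES07", "ORDENT01", "10.1.4.22", {"GPPCT": 22.0}, {"GPPCT": 9.5}),
    JournalEntry("UP", "PAYROLL", "JSMITH", "ADHOCUTL", "10.1.9.77", {"PAYRATE": 28.5}, {"PAYRATE": 48.5}),
    JournalEntry("UP", "PAYROLL", "PAYCLERK", "PAYUPD01", "10.1.2.5", {"PAYRATE": 28.5}, {"PAYRATE": 29.0}),
]
```

Running `scan(SAMPLE)` yields three findings: the discount trips the data limit, and the payroll change by JSMITH trips both access-breach rules, while the PAYCLERK update produces none.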

Four ways to detect an application security breach

Once an application security monitoring package finds a security breach (as defined by your filters), it can perform several actions to alert, remedy, record, or report on the breach and on patterns of access to restricted data. Application security software generally responds to a security breach in four different ways.

  1. It can alert a security officer that an application security breach has occurred. Security alerts are usually sent out via text, email, tweets, IBM i message queues, or by a syslog or SNMP entry. These alerts can also contain specific information about the breach.
  2. It can perform specific actions to help remedy or reduce the effects of the breach, including kicking off a CL script processor that can execute commands and call specific programs.
  3. It can record relevant subsets of journal receivers in special containers for long-term storage, retrieval, and reporting, allowing you to retain application security information for longer periods of time than is possible by keeping history in an IBM i journal receiver.
  4. It can generate reports on database events from either journal receivers or the container subsets mentioned in item 3. These reports can be queried, printed, and emailed to management or auditors requesting information.

Flexible and valuable

An application security package such as AP Journal can solve several different security issues in any IBM i shop. Application security monitoring programs are valuable additions to any IBM i shop’s toolbox. They monitor and report on business-specific issues that make a difference to your bottom line. If you want to learn more about application security monitoring, feel free to contact us at SEA for more information or a demonstration.