
The highest points of vulnerability in data centers using IBM i aren’t IBM i related at all. They are simply caused by human error. IBM i is highly securable when protocols are enforced to secure it.


Breaches happen when a lack of standardization, automation, and sensible oversight leaves critical data unprotected. The most common threats also happen to be the most avoidable.


Super users (users who can reach too many systems with a single authentication) and weak password settings, when left unmanaged, can lead to data breaches. Left unmonitored, those simple settings represent a missed security opportunity for firms that do not follow defined password security protocols or simply fail to manage them.


The Potential Threat Posed by Users with Unrestricted System Access

The systemic failures that most commonly result in security breaches are rooted in human behavior and company culture. Whether through negligence or actual malicious intent, users with overreaching authority across too many databases and directories can pose serious security threats. This includes admins.


At the very least, even the most cautious of users can mistakenly download malware. The worst-case scenario is an admin with an axe to grind with your company, or one who is excessively careless and retains system access long after their departure.


When a user with administrative privileges falls for a phishing lure and installs the malware it carries, data such as customer credit card information, employee records, and other secret information can become accessible to criminals.


So, what’s the solution? If you run IBM i, you can use IBM i’s existing special-authority model to restrict which users hold special authorities. Then put in place a process to monitor those users carefully so that the worst-case scenario is less likely to happen.


Best practices for such a process include:


  • Limit the users with special authority to fewer than 10. A good rule of thumb is to keep this number below 3 percent of the user community.

  • Maintain and update proper documentation to enforce the separation of duties for users with powerful authorities.

  • Avoid establishing users that retain powerful authentications across all systems.

  • Keep a regular record and log the use of those powerful authorities.

  • Create a chain of reporting for auditors and managers to retain and protect transparency.

  • Ensure that admins are accountable for their activities, and establish audits and reviews of all admin behavior.

Problems with Passwords and Inactive Profiles

In most IT shops, staff are resistant to time-consuming documentation. But a standardized documentation process is critical to maintaining data integrity.


If you don’t have password security standards in place, all the other security measures you’re taking might not matter.


Accounts that haven’t been used for 30 days or more are especially ripe for hacking. Inactive profiles belonging to former employees or contractors are equally vulnerable. If securing data is your objective, then the last thing any company needs is a former consultant working for a competitor who has full access to your directories.


An ex-employee stops monitoring their account once they walk out the door. They will never know if anyone else is using their inactive profile. Login or other activity will go unreported, and you may not know that an inactive account has been used to hack your files until it’s too late.


Of the systems audited for the HelpSystems report, inactive profiles showed some of the biggest areas for improvement:


Thirty-six percent of the average 438 profiles sampled had not been used in 30 days or more. Of those, 295 still had an active status.


Solution: IBM i has both manual and automated solutions to manage and monitor inactive profiles. They won’t do you much good, however, if you don’t have a standardized and monitored methodology in place to use them. So, define and develop a protocol for inactive profiles and users.


Establish regular audits to flag any profiles that haven’t been used for a certain period of time (30 days, 45 days, etc.). Enact and automate rules to manage those inactive profiles, including removing authorities. You could also establish a wait period of an additional 30 days to confirm the profile is truly inactive before you permanently delete it.
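The two controls described above, the special-authority headcount rule from the earlier list and the flag, disable, wait, delete lifecycle for inactive profiles, as one added example (not the article's or IBM's code). The records mimic the columns of a user-profile export but are constructed sample data; the thresholds are the article's.

```python
"""Review a constructed IBM i user-profile export against the article's rules."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Profile:
    name: str
    status: str                  # *ENABLED or *DISABLED
    special_auth: str            # e.g. "*ALLOBJ *SECADM" or "*NONE"
    last_signon: Optional[date]  # None means the profile has never signed on

# Constructed sample export; every name and date here is made up.
SAMPLE = [
    Profile("QSECOFR",   "*ENABLED",  "*ALLOBJ *SECADM *AUDIT", date(2020, 2, 10)),
    Profile("JSMITH",    "*ENABLED",  "*NONE",                  date(2020, 2, 14)),
    Profile("CONTRACT1", "*ENABLED",  "*ALLOBJ",                date(2019, 12, 1)),
    Profile("OLDADMIN",  "*DISABLED", "*NONE",                  date(2019, 10, 1)),
    Profile("RETIRED1",  "*DISABLED", "*NONE",                  date(2020, 1, 10)),
    Profile("TEMP7",     "*ENABLED",  "*NONE",                  None),
]

def special_authority_findings(profiles, max_count=10, max_share=0.03):
    """Article rule: fewer than 10 powerful users AND under 3 percent of the community.
    Returns (names with special authority, their share, rule satisfied?)."""
    powerful = [p.name for p in profiles if p.special_auth != "*NONE"]
    share = len(powerful) / len(profiles)
    return powerful, share, len(powerful) < max_count and share < max_share

def inactive_profile_action(p, today, flag_days=30, grace_days=30):
    """Lifecycle from the article: a profile idle for flag_days is stripped of
    authorities and disabled; once disabled it is deleted only after a further
    grace_days with no sign-on confirms it is truly inactive. A never-used
    profile is treated as idle forever."""
    idle = None if p.last_signon is None else (today - p.last_signon).days
    if idle is not None and idle < flag_days:
        return "ok"
    if p.status == "*ENABLED":
        # would correspond to CHGUSRPRF ... STATUS(*DISABLED) SPCAUT(*NONE)
        return "disable+remove_authorities"
    if idle is None or idle >= flag_days + grace_days:
        return "delete"
    return "wait"

def review(profiles, today):
    """Map every profile name to the lifecycle action it needs today."""
    return {p.name: inactive_profile_action(p, today) for p in profiles}

if __name__ == "__main__":
    print(special_authority_findings(SAMPLE))
    print(review(SAMPLE, date(2020, 2, 18)))
```

Note that on a small community the 3 percent ceiling bites before the headcount of 10 does: two powerful profiles out of six already fails the rule.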


Bottom line: Make sure the process you develop falls in line with your company’s culture. Follow any steps necessary to keep audit trails intact. With the proper oversight, your team can utilize IBM i’s existing solutions that satisfy your business climate without ignoring the dangers that inactive profiles can cause.


Define, Manage, and Implement Common-Sense Password Security Measures

IBM i ships with a set of default passwords (the username and the password are the same). The report found that default passwords are still widely in place, which makes guessing them trivial for anyone with a history and knowledge of IBM i.


Establish password policies that specifically make it more difficult to compromise network security. At the very least, put measures in place to force all users to update default passwords.


Automatic password expiration periods (90 days is a good rule of thumb) ensure that departing users, such as contractors and temp staff, do not retain unlimited access after they stop working for you. The systems studied had an average password interval of 95 days, and we concur that a password expiration interval is crucial.


Standards for Minimum Password Length

Best practice is 8 characters or more, but only 41 percent of those surveyed meet that standard. Nearly 60 percent of the servers in the study failed to require even 7-character passwords, and 98 percent imposed no restrictions on the characters used.


Note that IBM i introduced the QPWDRULES system value with V6.1. It lets administrators define the password composition rules in a single place. As with the other security features uncovered in the study, the system itself supports best practices, but users are failing to utilize them.


Your sys admins need to establish automated and sensible password expiration policies. The study, by way of example, revealed that of the clients they audited, 54 percent do not require a digit in passwords, resulting in common words or alpha-only (weak) passwords.


Also, put automated notifications and lockouts in place for failed login attempts. Your company is best protected when a profile is disabled or locked once the maximum number of login attempts is exceeded. IBM i also supports multi-factor authentication, that is, asking for one more credential in addition to the username and password.
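The password controls discussed in this section, checked as an added example (not the article's or IBM's code): two constructed snapshots of IBM i password-related system values, one still at shipped-style defaults and one hardened, are scored against the article's thresholds (8+ characters, a required digit, 90-day expiration, a sign-on attempt limit that disables the profile). The system value names and QPWDRULES keywords are real; the snapshot values are constructed.

```python
"""Score IBM i password system values against the article's recommendations."""

# Constructed snapshot: QPWDRULES left at *PWDSYSVAL, so the individual
# QPWD* system values govern passwords, and they are still at weak defaults.
WEAK = {
    "QPWDRULES": ["*PWDSYSVAL"],
    "QPWDMINLEN": 6,          # minimum length 6
    "QPWDRQDDGT": 0,          # 0 = no digit required
    "QPWDEXPITV": "*NOMAX",   # passwords never expire
    "QMAXSIGN": "*NOMAX",     # unlimited failed sign-on attempts
    "QMAXSGNACN": 1,          # 1 = disable device only, 2 = profile, 3 = both
}

# Constructed hardened counterpart using the V6.1+ QPWDRULES repository.
HARDENED = {
    "QPWDRULES": ["*MINLEN8", "*DGTMIN1", "*LMTPRFNAME", "*ALLCRTCHG"],
    "QPWDMINLEN": 8,
    "QPWDRQDDGT": 1,
    "QPWDEXPITV": 90,
    "QMAXSIGN": 3,
    "QMAXSGNACN": 3,
}

def effective_rules(sv):
    """Return (minimum length, digit required?). With QPWDRULES at *PWDSYSVAL the
    older QPWDMINLEN/QPWDRQDDGT values apply; otherwise those values are ignored
    and the *MINLENn / *DGTMINn keywords in QPWDRULES decide."""
    rules = sv["QPWDRULES"]
    if rules == ["*PWDSYSVAL"]:
        return sv["QPWDMINLEN"], sv["QPWDRQDDGT"] == 1
    minlen = max((int(r[len("*MINLEN"):]) for r in rules
                  if r.startswith("*MINLEN")), default=1)
    digit = any(r.startswith("*DGTMIN") and int(r[len("*DGTMIN"):]) >= 1
                for r in rules)
    return minlen, digit

def findings(sv):
    """List the article's rules that a snapshot violates (empty list = compliant)."""
    out = []
    minlen, digit = effective_rules(sv)
    if minlen < 8:
        out.append(f"minimum length {minlen} is below 8")
    if not digit:
        out.append("no digit required")
    exp = sv["QPWDEXPITV"]
    if exp == "*NOMAX" or exp > 90:
        out.append("expiration interval longer than 90 days")
    if sv["QMAXSIGN"] == "*NOMAX":
        out.append("failed sign-on attempts unlimited")
    elif sv["QMAXSGNACN"] not in (2, 3):
        out.append("profile not disabled when max sign-on attempts exceeded")
    return out
```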


Build Guidelines that Suit Your Culture

There is no one-size-fits-all solution for every business environment. IT managers may be reluctant or opposed to putting limitations on super users or admins who hold unrestricted access through a single authentication. But the more automation is in place, and the more audit trails and documentation are cemented into your workflow, the easier it is to safeguard your customer and company data.


Most facility security policies all but guarantee that an ex-employee can’t gain access to your building or a floor using an expired key card. Your databases and client records need just as much protection as your physical facilities.


Often, a retiring IBM i admin walks out the door with their knowledge locked inside their head. This means that team leaders are unaware of all of the daily activities of admins, and when those key employees leave the company, it’s not uncommon that their knowledge base and daily routines leave with them.


Documentation and audits are both time-consuming, and most of your staff are busy with day-to-day duties. However, waiting for an employee to announce a departure is the worst time to start documenting that person’s workflow.


Third-party cloud management not only ensures improved auditing, reporting, and security, it also provides continuity and redundancy. An experienced team with deep knowledge of existing legacy infrastructure and newer data management strategies ensures seamless operations for staff and customers as well as needed redundancy.


Further Reading

For more about security issues with IBM i, see this article: “Top Cloud Computing Security Issues and Challenges, and How IBM i Meets Them.”


Originally published at https://www.connectria on February 18, 2020.


Translated from: https://medium/swlh/two-common-security-risks-and-what-to-do-about-them-in-ibm-i-a40f960a42a9
