What are the CIS Controls?
The Center for Internet Security (CIS) Controls are a set of best practices – ranked by priority – designed to guide organizations towards a stronger cybersecurity posture. The CIS controls have been designed by security experts from around the world to help organizations of all sizes and from all industries execute better cybersecurity.
What are the CIS Benchmarks?
The CIS Benchmarks are a set of configuration recommendations meant to improve your organization’s defenses from an enterprise scale all the way down to the device level. Unlike the CIS Controls, the CIS Benchmarks maintain a set of recommendations that are specific to the IBM i. In fact, CIS maintains variations of its benchmarks for different versions of the IBM i so that you can improve your security posture even if you’re not on the latest version of the platform.
Why is it important to follow the CIS Controls and Benchmarks?
The CIS Controls and Benchmarks are widely regarded as a credible and effective framework, and implementing the CIS Controls can prime your organization for compliance with more rigorous and specific regulations such as the PCI DSS, HIPAA, GDPR, and more.
The IBM i is no longer on an impenetrable island by itself. It has become increasingly integrated with enterprise technology and is much more dependent on remote access capabilities. This means the size of the IBM i’s attack surface and potential for harboring vulnerabilities has increased exponentially – which is precisely why a record-setting 79% of respondents to Fortra’s 2024 IBM i Marketplace Survey listed IBM i cybersecurity as a top concern.
The best way for IBM i organizations to turn concern into action is to make implementing security best practices – such as those set forth by the CIS – a top priority. In this article, we’ll outline how Fortra – a respected voice among the IBM i community and leading provider of IBM i security solutions – helps IBM i organizations in following through on the critical CIS controls and benchmarks.
How can I find the CIS benchmarks for IBM i?
Click “Download Benchmarks” on the CIS Benchmarks home page. You will then be prompted to fill out the accompanying form, after which you will receive an email containing a link to the benchmarks. Select the link and then scroll down to the IBM i Operating System. From there, you can select which version of the IBM i benchmarks you would like to download.
How can Powertech help with implementing the CIS Benchmarks?
To establish ongoing CIS compliance, you must first compare your current configurations to those outlined by the CIS benchmarks. Doing so will provide you with a complete picture of what changes are needed and where you can start. This is a process that can be performed manually but would take far less time and effort with the assistance of a tool such as Powertech Policy Minder. With Powertech Policy Minder for IBM i, you can easily define your security policies and configurations based on the CIS benchmarks and automatically compare your current configurations to your security policy and pinpoint and resolve discrepancies on a continual basis.
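The comparison described above (a policy derived from the benchmark on one side, the system’s current settings on the other, and a list of discrepancies as the output) is easy to see in code. The following is an added example and is not Powertech Policy Minder’s code or the CIS benchmark itself: the system value names (QSECURITY, QPWDMINLEN, QMAXSIGN, QAUDCTL, QINACTITV, QPWDEXPITV) are real IBM i system values, but the target values in the policy and the “current” snapshot are constructed for illustration and are assumptions, not the figures CIS publishes. A value that is missing from the snapshot is reported as a finding rather than silently passed, since an unchecked setting cannot be shown compliant.

```python
"""Compare a snapshot of IBM i system values against a benchmark-style policy.

Added example, not vendor code. Policy targets below are assumed values, not the
actual CIS recommendations; consult the downloaded benchmark for those.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

Rule = Tuple[Callable[[Any], bool], str]  # (check function, human-readable expectation)


@dataclass(frozen=True)
class Finding:
    name: str            # system value name, e.g. QSECURITY
    current: Any         # observed value, or None when the snapshot lacks it
    expected: str        # what the policy requires, for the report


def at_least(n: int) -> Rule:
    # Non-integer values such as "*NONE" fail the check on purpose.
    return (lambda v: isinstance(v, int) and v >= n, f">= {n}")


def at_most(n: int) -> Rule:
    return (lambda v: isinstance(v, int) and v <= n, f"<= {n}")


def includes(*items: str) -> Rule:
    # For list-valued settings (QAUDCTL holds several *-options).
    return (lambda v: isinstance(v, (list, set, tuple)) and set(items) <= set(v),
            "includes " + ", ".join(items))


# Constructed policy: real system value names, ASSUMED target values.
POLICY: Dict[str, Rule] = {
    "QSECURITY": at_least(40),
    "QPWDMINLEN": at_least(12),
    "QMAXSIGN": at_most(3),
    "QAUDCTL": includes("*AUDLVL", "*OBJAUD"),
    "QINACTITV": at_most(30),
    "QPWDEXPITV": at_most(90),
}

# Constructed snapshot of "current" values, as an administrator might collect
# from DSPSYSVAL or the QSYS2.SYSTEM_VALUE_INFO SQL view. QPWDEXPITV is deliberately absent.
CURRENT: Dict[str, Any] = {
    "QSECURITY": 30,
    "QPWDMINLEN": 12,
    "QMAXSIGN": 5,
    "QAUDCTL": ["*AUDLVL"],
    "QINACTITV": "*NONE",
}


def evaluate(policy: Dict[str, Rule], current: Dict[str, Any]) -> List[Finding]:
    """Return one Finding per policy item that is missing or out of compliance."""
    findings: List[Finding] = []
    for name, (check, expected) in policy.items():
        if name not in current:
            findings.append(Finding(name, None, expected))   # not collected: cannot prove compliance
        elif not check(current[name]):
            findings.append(Finding(name, current[name], expected))
    return findings


def compliance_ratio(policy: Dict[str, Rule], current: Dict[str, Any]) -> float:
    """Fraction of policy items that pass, for a summary line in a report."""
    return 1.0 - len(evaluate(policy, current)) / len(policy)


def report(findings: List[Finding]) -> List[str]:
    """Render findings as plain text lines suitable for a ticket or email."""
    lines = []
    for f in findings:
        observed = "NOT COLLECTED" if f.current is None else repr(f.current)
        lines.append(f"{f.name}: current {observed}, policy requires {f.expected}")
    return lines


if __name__ == "__main__":
    for line in report(evaluate(POLICY, CURRENT)):
        print(line)
    print(f"compliant: {compliance_ratio(POLICY, CURRENT):.0%}")
```

Running this against the constructed snapshot lists five discrepancies (QSECURITY too low, QMAXSIGN too high, QAUDCTL missing *OBJAUD, QINACTITV set to *NONE, and QPWDEXPITV never collected) with QPWDMINLEN the only passing item, which is the “where to start” picture the paragraph describes; a scheduled re-run of the same comparison is what turns a one-off audit into continual drift detection.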
Keeping configurations up to date is only half the battle. Proving compliance to internal and external stakeholders via manual report creation takes time away from the personnel who are supposed to be keeping your systems secure. With Powertech Compliance Monitor for IBM i, you can select, run, and view the reports you want to see from an easy-to-use web interface. Powertech Compliance Monitor can also consolidate data from multiple systems into single reports so that you can easily compare system settings at an enterprise-level scale.
With Powertech SIEM Agent for IBM i, you can define what should be reported as a critical security event. Upon being triggered, you will receive a notification in real-time so that you can resolve the misconfiguration as quickly as possible.
How can Powertech help with implementing the CIS Controls?
Control 3: Data Protection
Data is no longer contained strictly within an enterprise’s border, meaning organizations have to be able to identify, classify, securely handle, retain, and dispose of data.
3.3: Configure Data Access Control Lists
Powertech Exit Point Manager for IBM i allows you to easily manage access rules for all 32 IBM i exit points. Exit Point Manager provides complete control over who can access what and by what means.
3.11: Encrypt Sensitive Data at Rest
Powertech Encryption for IBM i allows you to encrypt database fields, backups, and IFS files using strong encryption algorithms, tokenization, and integrated key management.
3.14: Log Sensitive Data Access
Powertech SIEM Agent for IBM i allows you to keep tabs on privileged users by logging profile swap activity. With it, you will know exactly when a profile swap starts and ends, the reason for the swap, or if there is an invalid swap attempt.
Control 4: Secure Configuration of Enterprise Assets and Software
4.4: Implement and Manage a Firewall on Servers
Powertech Exit Point Manager monitors and records traffic to and from your network while granting you control over what your users have access to. Powertech Policy Minder for IBM i allows you to customize your IBM i security policies and configurations and will automatically fix any settings that are out of compliance with your standards.
4.7: Manage Default Accounts on Enterprise Assets and Software
Powertech Policy Minder aids in the administration of all user profiles, including default accounts. Policy Minder makes it easy to maintain and identify users with special authorities, change ownership and authorities after a new deployment, and identify and remove inactive profiles.
Control 5: Account Management
Using valid user credentials is the easiest way to gain unauthorized access to enterprise assets or sensitive data. Weak passwords, inactive profiles, and shared accounts pose just as much of a threat to your organization as a knowledgeable cybercriminal attempting to break through your environment.
5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts
With Powertech Authority Broker for IBM i, administrators can predefine users that are allowed to use elevated levels of authority. Users “swap” into the privileged profile only for the specific window of time that they need it so that general computing activities are conducted separately from those that require elevated authority.
Control 6: Access Control Management
This control is intended to help organizations ensure that their users only have access to the assets necessary for their role. Implementing strong authentication requirements is a crucial component of achieving minimum access across all users.
6.3: Require MFA for Externally-Exposed Applications
6.5: Require MFA for Administrative Access
Powertech Multi-Factor Authentication is a robust MFA solution built for IBM i that requires users to provide two or three forms of authentication before logging in to a green screen session or connecting to IBM i through an exit point, such as FTP or Telnet. Powertech MFA’s complete audit and reporting functionality makes it easy for administrators to report on authentication attempts, user maintenance activity, and user information.
Control 7: Continuous Vulnerability Management
Attackers are always on the search for new vulnerabilities to exploit, which means organizations need to have processes in place that allow them to regularly review their environment for vulnerabilities and quickly remediate any misconfigured items.
7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
Powertech Risk Assessor for IBM i automatically scans security configurations across your enterprise, compares the results to best practices, and provides recommended next steps for resolving issues.
7.7 Remediate Detected Vulnerabilities
Working in tandem with Policy Minder at a regular cadence, Fortra’s cybersecurity remediation services can be used to resolve any misconfigured settings so that the window of opportunity for threat actors is minimized.
Control 8: Audit Log Management
Logging system- and user-level events is critical in detecting malicious activity as quickly as possible. Configuring, monitoring, and maintaining logging systems ensures that no activity goes unrecorded and that any out-of-the-ordinary events are referred to administrators quickly. Not only can log management help detect malicious activity, but it can also help improve your time to resolution and provide clarity on the scale of an attack.
8.2 Collect Audit Logs
Powertech Compliance Monitor for IBM i stores audit journal data for all 74 IBM type-T (security audit) events from QAUDJRN, including object changes, user profile changes, commands used, and much more.
8.9 Centralized Audit Logs
The audit journal data collected by Powertech Compliance Monitor for IBM i is stored compressed (up to 95%) on a central consolidator system. Months of audit records can be stored without using extra disk space.
8.11 Conduct Audit Log Reviews
Powertech SIEM Agent for IBM i filters raw security event data from IBM i and looks for abnormalities within network transactions, actions performed by privileged users, critical operating system messages, and more.
Control 10: Malware Defenses
The days of IBM i being immune to malware are long gone. Malware is constantly evolving to more efficiently exploit the multitude of potential vulnerabilities that could exist within an environment at any given time – and if your malware defenses are not timely, adaptable, and integrated with other critical security processes – your organization could be at a serious disadvantage in protecting your assets from malicious software.
10.1 Deploy and Maintain Anti-Malware Software
Powertech Antivirus for IBM i protects your IBM i servers from viruses, ransomware, worms, and other malware threats with the power of enterprise-level scanning, advanced heuristic analysis, and powerful detection and cleaning. IBM i includes built-in native anti-virus scanning functionality; however, the platform doesn’t contain a scan engine. As the only commercial anti-virus scan engine native to IBM i, Powertech Antivirus eliminates many of the problems that can be introduced by scan engines that don’t run natively on IBM i, such as scan failures and security issues.
10.2 Configure Automatic Anti-Malware Signature Updates
Powertech Antivirus automatically updates new signatures for signature-based detection so that you can scan for and protect against current malware threats.
10.6 Centrally Manage Anti-Malware Software
Using the Powertech Antivirus server, you can centrally manage and configure Powertech Antivirus software across your organization. You can easily find the status of every endpoint in your infrastructure and read details on any warnings or critical issues that have been reported and may require further action.
10.7 Use Behavior-Based Anti-Malware Software
Powertech Antivirus provides behavior-based ransomware detection and blocking. For example, Powertech Antivirus protects you against an increasingly common scenario in which ransomware infects non-IBM i systems, then encrypts files that are accessible through IBM i file shares.
Control 12: Network Infrastructure Management
Default configurations for network devices leave vulnerabilities that make it much easier for attackers to penetrate an organization’s defenses. Network security in particular is something that needs to be constantly monitored, re-evaluated for new vulnerabilities, and structured in a way that grants minimum privileges to users.
12.2 Establish and Maintain a Secure Network Architecture
Powertech Exit Point Manager for IBM i offers administrators tight control over users’ network access privileges – including what they have access to and through what means they’re allowed to access it. Powertech Exit Point Manager also keeps an extensive record of network transactions.
Control 13: Network Monitoring and Defense
Organizations tend to rely too heavily on network security tools to handle the burden of keeping intruders at bay. For a security strategy to be effective and well rounded, organizations need to have exceptional situational awareness in identifying intrusion attempts and future threats. This requires a knowledgeable staff, excellent security operation, and the use of security tools and solutions.
13.1 Centralize Security Event Alerting
Powertech SIEM Agent for IBM i integrates with SIEM solutions to provide real-time notifications from IBM i regarding critical events.
13.2 Deploy a Host-Based Intrusion Detection Solution
Powertech Exit Point Manager blocks intrusion attempts based on customer-defined policies while also logging all exit point transactions. Powertech Antivirus for IBM i also logs and reports on potential intrusion attempts. Powertech SIEM Agent monitors and alerts you to critical IBM i events such as those that could be triggered by the actions of an intruder.
13.5 Manage Access Control for Remote Access
Powertech Exit Point Manager for IBM i offers administrators control over remote access to enterprise resources, so that proper security policy can be enforced while also allowing employees to perform functions while away from facilities.
13.6 Collect Network Traffic Flow Logs
Powertech SIEM Agent and Powertech Exit Point Manager work in tandem to log, monitor, and alert on security events pertaining to the 33 remote access servers, 180-plus functions, and accepted and rejected transactions.
13.7 Deploy a Host-Based Intrusion Prevention Solution
Powertech Antivirus runs natively on the IBM i and employs advanced anti-ransomware technology to block malicious intruders.
13.9 Deploy Port-Level Access Control
Powertech Exit Point Manager can be configured to enforce access control on IBM i sockets, ensuring access is restricted and monitored at the port level.
13.11 Tune Security Event Alerting Thresholds
Powertech SIEM Agent allows administrators to assign the value of “critical” to event types of their choosing. Administrators can also customize the thresholds that would trigger such an event, making alerting processes more adaptable.
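The two ideas this section and the earlier SIEM Agent paragraph describe, marking chosen event types as critical outright and tuning a threshold for the rest so that a single noisy event does not page anyone, can be shown with a small detector over audit journal entries. The following is an added example, not Powertech SIEM Agent’s logic: the entry types PW (password/sign-on failure), AF (authority failure), SV (system value change) and CP (user profile change) are real QAUDJRN entry types, but the sample entries, the choice of which types are “always critical”, and the count-within-window thresholds are constructed for illustration. The design point is that the thresholds are data an administrator edits, not code.

```python
"""Classify QAUDJRN-style audit entries as critical alerts using an editable policy.

Added example, not vendor code. Entry types are real QAUDJRN types; the policy
values and the sample entries are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AuditEntry:
    ts: datetime
    entry_type: str   # QAUDJRN entry type code, e.g. "PW", "AF", "SV", "CP"
    user: str
    detail: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    entry_type: str
    user: str
    reason: str


# Constructed policy. ALWAYS_CRITICAL fires on the first occurrence; THRESHOLDS
# fires only when `count` entries of that type for one user fall inside `window`.
ALWAYS_CRITICAL: Set[str] = {"SV", "CP"}
THRESHOLDS: Dict[str, Tuple[int, timedelta]] = {
    "PW": (3, timedelta(minutes=5)),
    "AF": (5, timedelta(minutes=10)),
}


def detect_critical(entries: Iterable[AuditEntry],
                    always: Set[str] = ALWAYS_CRITICAL,
                    thresholds: Dict[str, Tuple[int, timedelta]] = THRESHOLDS) -> List[Alert]:
    """Return alerts for critical-type entries and for threshold breaches per (type, user)."""
    alerts: List[Alert] = []
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for e in sorted(entries, key=lambda x: x.ts):
        if e.entry_type in always:
            alerts.append(Alert(e.ts, e.entry_type, e.user, "critical event type"))
            continue
        if e.entry_type not in thresholds:
            continue                       # informational: logged but never alerted
        count, window = thresholds[e.entry_type]
        q = recent[(e.entry_type, e.user)]
        q.append(e.ts)
        while q and e.ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= count:
            alerts.append(Alert(e.ts, e.entry_type, e.user,
                                f"{len(q)} events within {window}"))
            q.clear()                      # one burst produces one alert, not one per extra entry
    return alerts


# Constructed sample: three PW failures for FRED in two minutes, a lone PW for
# ALICE, two AF entries for BOB (below threshold), and one system value change.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ENTRIES: List[AuditEntry] = [
    AuditEntry(T0 + timedelta(minutes=0), "PW", "FRED", "invalid password"),
    AuditEntry(T0 + timedelta(minutes=1), "PW", "FRED", "invalid password"),
    AuditEntry(T0 + timedelta(minutes=0, seconds=30), "PW", "ALICE", "invalid password"),
    AuditEntry(T0 + timedelta(minutes=2), "PW", "FRED", "invalid password"),
    AuditEntry(T0 + timedelta(minutes=3), "AF", "BOB", "not authorized to PAYROLL"),
    AuditEntry(T0 + timedelta(minutes=4), "AF", "BOB", "not authorized to PAYROLL"),
    AuditEntry(T0 + timedelta(minutes=6), "SV", "QSECOFR", "QSECURITY changed 40 -> 30"),
    AuditEntry(T0 + timedelta(minutes=30), "PW", "FRED", "invalid password"),  # outside window, alone
]


if __name__ == "__main__":
    for a in detect_critical(SAMPLE_ENTRIES):
        print(a.ts.isoformat(), a.entry_type, a.user, a.reason)
```

On the constructed input this yields exactly two alerts: FRED’s third sign-on failure at 09:02 (threshold reached) and the QSECURITY change at 09:06 (critical type). FRED’s later failure at 09:30 stands alone in its window and does not re-alert, and BOB’s two authority failures stay below the AF threshold; raising or lowering the numbers in THRESHOLDS is the “tuning” the control asks for.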
Control 14: Security Awareness and Skills Training
Believe it or not, expensive antivirus and encryption technology are not your organization’s most critical security assets. Rather, it’s the employees that are performing their jobs and interacting with your IT systems on a daily basis. And just like your IBM i’s system settings, they also need to be routinely updated on security best practices.
14.1 Establish and Maintain a Security Awareness Program
Customers of Fortra’s Managed Security Services not only receive ongoing support from our security experts, but also ongoing training. Our services team strives to help customers understand issues that are present within their systems, how to resolve them, and how to prevent them in the future.
14.5 Train Workforce Members on Causes of Unintentional Data Exposure
Our Managed Security Services offers customers training on data handling best practices, so that they’re equipped with the knowledge necessary to help them avoid unintentionally putting data at risk.
Control 18: Penetration Testing
No organization’s security posture is entirely perfect. In an environment where technology is constantly changing and attack surfaces are growing, organizations need to put their security to the test so that gaps can be identified and filled.
18.3 Remediate Penetration Test Findings
Fortra’s IBM i Penetration Testing Services relies on an experienced team of security experts and commercial-grade software tools in the assessment of your capacity to defend against a broad range of threats. Upon completing the penetration test, you will receive results pinpointing exactly where your systems are vulnerable and how you can go about remediating these vulnerabilities.
18.5 Perform Periodic Internal Penetration Tests
Customers of Fortra’s IBM i Penetration Testing can schedule tests at a cadence of their choosing so that their systems remain prepared to defend against the most current of threats.
Not sure where to begin?
Schedule a free Security Scan for your IBM i and our experts will walk you through where your systems are currently misaligned with the CIS Controls and Benchmarks and provide you with a customized roadmap for improving your security posture.