July 16, 2019 By Faraz Ahmad 3 min read

“How can we protect our IBM AIX systems from malware attacks?”

As a cyber security consultant, I come across this question more than any other when it comes to securing servers running IBM AIX. Most security breaches today involve malware, especially in the banking sector. The infamous FASTCash malware has infected many banks' ATM switch servers, allowing attackers to carry out fraudulent transactions and causing heavy financial losses for the affected businesses. A breach not only costs money but also damages a brand's reputation, so it's extremely important to have the right security mechanisms in place to protect your organization from cyberattacks.

According to the Ponemon Institute's Cost of Cyber Crime Study, malware and web-based attacks are the two most costly attack types. The study puts the average cost of a malware attack on a company at around $2.4 million. It's therefore imperative for organizations to prepare for and mitigate malware attacks. As a general principle, you need end-to-end security covering everything from network to storage, servers, applications, people and processes.

In this blog post, I want to focus on two extremely important security features built into IBM AIX that help protect AIX systems from malware attacks: Role-Based Access Control (RBAC) and Trusted Execution (TE).

Role-Based Access Control (RBAC) for better access management

Malware attacks often result from poorly implemented access control. For convenience, users are frequently granted more privileges than they really need. I've done many onsite security assessments for businesses, and it's shocking how often the superuser account (root) is shared among many system administrators. If the root account is accessible to multiple people and there's no accountability for their actions, the business is in an extremely dangerous position.

To avoid sharing root, IBM AIX clients can use the AIX RBAC feature, which delegates administrative tasks to regular users without giving them the root password. Roles are assigned to users based on their job requirements, and each user's access is limited to what the role definition grants. For example, a file system administrator may only need a few commands to create a new file system, change its size and so on. That person does not need other administrative commands such as shutting down the system or changing users' passwords. With RBAC, clearly defined role-based access is simple to implement, and every privileged action runs under the administrator's own user ID rather than a shared root login, which restores accountability. By limiting root access and tightening access control, you drastically reduce the opportunity for malware to obtain and use privilege.
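The example below is added here to make the RBAC decision concrete; it is a simplified model written for this article, not IBM code, and does not talk to a real AIX system. It models three things enhanced RBAC relies on: authorizations are hierarchical dotted names (holding aix.fs.manage also grants aix.fs.manage.create), each privileged command lists the authorizations that grant it, and a role assigned to a user does nothing until the user activates it for the session. The role name fsadmin, the useradmin role and the exact command-to-authorization entries are assumptions for illustration; on a real system the privileged command table is read with lssecattr -c.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    authorizations: set


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)    # assigned with chuser roles=...
    active: set = field(default_factory=set)   # activated for the session with swrole


def grants(held, required):
    """AIX authorizations are hierarchical: holding aix.fs.manage also grants
    aix.fs.manage.create, aix.fs.manage.change and every other descendant."""
    return held == required or required.startswith(held + ".")


def effective_auths(user, roles):
    """Union of the authorizations of the user's *active* roles only."""
    return set().union(*(roles[r].authorizations for r in user.active))


def can_run(user, command, roles, priv_cmds):
    """True if an active role holds an authorization matching one of the
    command's accessauths. ALLOW_ALL means the command needs no authorization;
    a command absent from the table is not privileged and ordinary DAC applies."""
    required = priv_cmds.get(command)
    if required is None or "ALLOW_ALL" in required:
        return True
    return any(grants(h, r) for h in effective_auths(user, roles) for r in required)


def swrole(user, role_name):
    """Activate an assigned role; refused for a role the user was never given."""
    if role_name not in user.roles:
        return False
    user.active.add(role_name)
    return True


# Constructed tables (assumed for this example). The authorization names follow
# the AIX naming scheme, but the entries are not copied from a real system.
ROLES = {
    "fsadmin": Role("fsadmin", {"aix.fs.manage"}),
    "useradmin": Role("useradmin", {"aix.security.user", "aix.security.passwd"}),
}
PRIV_CMDS = {
    "/usr/sbin/crfs": {"aix.fs.manage.create"},
    "/usr/sbin/chfs": {"aix.fs.manage.change"},
    "/usr/sbin/shutdown": {"aix.system.boot.shutdown"},
    "/usr/bin/chpasswd": {"aix.security.passwd"},
}


def demo():
    """bob is the file system administrator from the text: fsadmin only."""
    bob = User("bob", roles={"fsadmin"})
    before = can_run(bob, "/usr/sbin/crfs", ROLES, PRIV_CMDS)  # assigned, not yet active
    swrole(bob, "fsadmin")
    return {
        "crfs_before_swrole": before,
        "crfs": can_run(bob, "/usr/sbin/crfs", ROLES, PRIV_CMDS),
        "chfs": can_run(bob, "/usr/sbin/chfs", ROLES, PRIV_CMDS),
        "shutdown": can_run(bob, "/usr/sbin/shutdown", ROLES, PRIV_CMDS),
        "chpasswd": can_run(bob, "/usr/bin/chpasswd", ROLES, PRIV_CMDS),
        "swrole_unassigned": swrole(bob, "useradmin"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The equivalent setup on AIX is to define the role with mkrole (for example, mkrole authorizations=aix.fs.manage dfltmsg="File system administrator" fsadmin), load it into the kernel security tables with setkst, assign it with chuser roles=fsadmin bob, and have bob activate it with swrole fsadmin. The point the model makes is that bob's crfs and chfs work through the parent authorization aix.fs.manage, while shutdown and chpasswd stay out of reach, and nothing works until the role is switched on.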

Trusted Execution (TE) for advanced security

The IBM AIX Trusted Execution feature is designed to verify the integrity of installed files and thereby protect systems from malware attacks.

Malware protection, in general, works in two ways:

  • By blacklisting bad files, that is, refusing to execute files known to be malicious. This is how signature-based antivirus software works.
  • By whitelisting good files, that is, allowing only files known to be good to execute. This is how the AIX Trusted Execution feature works.

With AIX TE, you can whitelist every binary, shell script, shared library and kernel extension. With the right policies set, the system refuses to run anything that has been tampered with or is not on the list. For maximum security, you can even lock the policies so that not even root can change them until the system is rebooted, which limits the damage if the root account is compromised.

AIX TE relies on a Trusted Signature Database (TSD) that records every trusted file and is used to verify the integrity of trusted commands. By default, most AIX system files are already in this database, and you can bring any application, database or middleware under TE simply by adding its files to the TSD. TE can check integrity in both offline and online mode. In offline mode, the administrator triggers an integrity check of every file recorded in the TSD. In online mode, the system verifies a file's integrity automatically when it is executed or loaded, and, depending on the policy, TE refuses to execute a command whose file is untrusted or has been modified.
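To show what the offline and online checks actually decide, here is a small model added for this article; it is not IBM's trustchk and uses SHA-256 over ordinary files rather than the signed records of a real TSD. A trusted database maps each path to the attributes verified (hash, mode, size; a real TSD also stores owner, group, type, links and a signature). The offline check walks the whole database the way trustchk -n ALL does, and the online check runs at exec time and applies the TE, CHKEXEC, STOP_ON_CHKFAIL and STOP_UNTRUSTD policies, which are the real policy names. The sample files, their contents and the "strict" and "audit-only" policy sets are constructed for the example.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Two policy sets as trustchk -p could configure them (values assumed for the example).
STRICT_POLICY = {"TE": True, "CHKEXEC": True, "STOP_ON_CHKFAIL": True, "STOP_UNTRUSTD": True}
AUDIT_ONLY_POLICY = {"TE": True, "CHKEXEC": True, "STOP_ON_CHKFAIL": False, "STOP_UNTRUSTD": False}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tsd_entry(path):
    """The attributes this model records for one trusted file."""
    st = os.stat(path)
    return {"hash_value": sha256_of(path), "mode": oct(stat.S_IMODE(st.st_mode)), "size": st.st_size}


def build_tsd(paths):
    """Whitelist: snapshot every listed file while it is known to be good."""
    return {p: tsd_entry(p) for p in paths}


def verify_entry(path, entry):
    """Names of attributes that no longer match the recorded entry ([] if clean)."""
    if not os.path.exists(path):
        return ["missing"]
    current = tsd_entry(path)
    return [k for k in entry if current[k] != entry[k]]


def offline_check(tsd):
    """Like trustchk -n ALL: report every recorded file that fails, fix nothing."""
    failures = {}
    for path, entry in tsd.items():
        bad = verify_entry(path, entry)
        if bad:
            failures[path] = bad
    return failures


def online_check(path, tsd, policy):
    """Decision at exec time. Returns (allowed, reason)."""
    if not (policy["TE"] and policy["CHKEXEC"]):
        return True, "checking disabled"
    if path not in tsd:
        return (not policy["STOP_UNTRUSTD"]), "not in TSD"
    bad = verify_entry(path, tsd[path])
    if bad:
        return (not policy["STOP_ON_CHKFAIL"]), "integrity failure: " + ",".join(bad)
    return True, "trusted"


def demo():
    """Constructed sample: two whitelisted scripts, one tampered with after the TSD
    was built, plus a third script that was never added to the TSD."""
    d = tempfile.mkdtemp()
    try:
        good, tampered, unknown = (os.path.join(d, n) for n in ("good.sh", "tampered.sh", "unknown.sh"))
        for p in (good, tampered, unknown):
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho hello\n")
            os.chmod(p, 0o555)
        tsd = build_tsd([good, tampered])
        # Attacker rewrites the script body and restores the original mode.
        os.chmod(tampered, 0o755)
        with open(tampered, "w") as f:
            f.write("#!/bin/sh\necho hello; echo tampered\n")
        os.chmod(tampered, 0o555)
        return {
            "offline": {os.path.basename(p): bad for p, bad in offline_check(tsd).items()},
            "good": online_check(good, tsd, STRICT_POLICY),
            "tampered_strict": online_check(tampered, tsd, STRICT_POLICY),
            "tampered_audit": online_check(tampered, tsd, AUDIT_ONLY_POLICY),
            "unknown_strict": online_check(unknown, tsd, STRICT_POLICY),
            "unknown_audit": online_check(unknown, tsd, AUDIT_ONLY_POLICY),
        }
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two policy sets show the operational trade-off: with STOP_ON_CHKFAIL and STOP_UNTRUSTD off, TE only reports, so a tampered script and an unlisted script both still run and you rely on reviewing the log; with both on, the tampered file is blocked outright and anything not in the TSD, including a dropped malware binary, is blocked as well, which is why every legitimate application must be added to the TSD before that policy is enabled.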

Such features, correctly configured, can help companies prevent an attack of the FASTCash kind. Both RBAC and TE are built into AIX and require no extra license: you just need to configure them and start using them, and if you need support, IBM is here to help. Beyond RBAC and TE, AIX includes many other security features that provide strong protection against cyberattacks, such as auditing, the automated hardening tool AIX Security Expert (aixpert), the Encrypted File System (EFS), IP Security (IPsec), packet filtering and more.

I strongly encourage my clients to explore and implement these features. A system is only as strong as its weakest link, so it's important to assess your environment periodically and deploy the right security settings. Cyber threats are very real, and staying ahead of them requires solid protection to secure your business.

IBM Systems Lab Services has experts on hand to help clients implement these IBM AIX security features. If you need more information or assistance, please contact us today.
