Let’s start with definitions of each of the authorities:
- *R (Read) authority is what you’d expect. You need *R authority to be able to read the contents of a file. *R also allows you to list the contents of a directory.
- *X (Execute) authority allows you to traverse (go through) one directory to get to the next directory. For example, to reach /home/carol, I need *X authority to both root (‘/’) and /home.
- *W (Write) authority allows you to update an object as well as add an object to a directory.
Mapping IBM i authorities into these authorities, we get:
- *USE = *RX data authorities, object authorities *NONE
- *CHANGE = *RWX data authorities, object authorities *NONE
- *ALL = *RWX data authorities along with object authorities *OBJMGT, *OBJEXIST, *OBJALTER, and *OBJREF
I’m very purposefully pointing out the object authorities here because, while many organizations realize they need to set data authorities, I often see them forgetting—or not realizing—they must also set the object authorities (which goes back to my point that, under the covers, IFS objects are IBM i objects, so all authorities apply to them, not just the data authorities). See Figure 10.1 for an example.
Figure 10.1: Both data authorities and object authorities need to be set for IFS objects.
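The following is an added example, not code from the book or from IBM: a small Python model of the rules above that checks *X on every directory leading to an object and lists objects whose data authority is read-only while object authorities are still granted. The paths, the authority entries, and the function names are constructed for illustration, and treating leftover object authorities as a finding is this example's assumption.

```python
import posixpath

# Mapping given above: special value -> (data authorities, object authorities)
SPECIAL = {
    "*USE": ("RX", frozenset()),
    "*CHANGE": ("RWX", frozenset()),
    "*ALL": ("RWX", frozenset({"*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"})),
}

def expand(entry):
    """Accept a special value or an explicit (data, object authorities) pair."""
    if isinstance(entry, str):
        return SPECIAL[entry]
    data, obj = entry
    return data.lstrip("*"), frozenset(obj)

def parents(path):
    """Directories traversed to reach path: '/', '/home', ..."""
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def check(acl, path, need):
    """Return (allowed, reason); need is 'R', 'W' or 'X' on the final object."""
    for d in parents(path):
        data, _ = expand(acl.get(d, ("", ())))
        if "X" not in data:  # *X is required on every directory in the path
            return False, f"no *X on {d}"
    data, _ = expand(acl.get(path, ("", ())))
    if need not in data:
        return False, f"no *{need} on {path}"
    return True, "ok"

def leftover_object_authorities(acl):
    """Objects with no *W data authority that still carry object authorities."""
    found = {}
    for path, entry in acl.items():
        data, obj = expand(entry)
        if "W" not in data and obj:
            found[path] = sorted(obj)
    return found

# Constructed authorities for one hypothetical user profile
ACL = {
    "/": "*USE",
    "/home": ("*X", ()),
    "/home/carol": "*CHANGE",
    "/home/carol/report.pdf": ("*R", ("*OBJMGT", "*OBJEXIST")),
    "/payroll": ("*R", ()),           # can list the directory, cannot traverse it
    "/payroll/run.csv": "*ALL",
}
```

In this sample, *ALL on /payroll/run.csv does not help the user because /payroll lacks *X, while report.pdf looks read-only by its data authority yet still carries *OBJMGT and *OBJEXIST.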
The reason we need to be concerned about the authority to objects in the IFS is the type of data that’s often stored there (transactions associated with banks or third-party service providers, images containing HIPAA or other personally identifiable information, and website configuration files and images, to name a few types of data), together with the risk of that data being downloaded or made unavailable by malware. Malware no longer just encrypts data. Prior to encrypting the data, malware often downloads (exfiltrates) it. Then the attackers threaten to post it if you don’t pay the ransom.
Malware affects IBM i in two ways. One is the method that’s been around for many, many years. A file or document is infected with malware and then uploaded to the system to be stored in the IFS. This method doesn’t affect IBM i itself, but the next time that object is accessed, the user’s workstation is typically infected. However, this is not the method that most organizations are concerned about today. And to be honest, they shouldn’t be. Most of these infections are caught by a desktop or firewall antivirus solution. The next method poses a much greater risk, both in the chance of occurrence and in the damage that can occur.
Malware, specifically ransomware, has literally destroyed some organizations, and when it didn’t cause the business to go under, it cost many organizations millions of dollars. Organizations have found that some cyber insurance providers cover their malware infection and some don’t. The threat is real, so let’s determine how you can reduce that risk of infection in the first place.