Archive for July 2011
PCI DSS File Integrity Monitoring – What are the best options for file integrity monitoring, and what else should you know? How would you implement file integrity monitoring for Windows servers and Unix servers? How will you provide file integrity monitoring for firewalls, routers, EPoS devices and servers? How does file integrity monitoring software work, and what are the key features to watch out for? Should a file integrity monitor be agent-based or agentless?
This is part two of a two-part series listing the ten most notable FAQs for file integrity monitoring that any PCI merchant should know.
1. For Log Files and Databases
Log files change constantly on a busy server, yet it is essential that they change only in the way expected. File integrity monitoring is used in secure environments to safeguard the audit trail of system access, privilege usage and changes. The rule is simple: allow a log file to grow in size, but alert on any other change. An edit to, or truncation of, a log file may be an attempt to remove or alter audit trail information, and clearing or editing log files is classic attacker activity that must be monitored. Naturally, event logs should also be copied to a central, secure log server, as mandated by PCI DSS Requirement 10.
Similarly, database files containing card data and personal information should be protected with an audit trail of access and changes. Again, database files change constantly, so a whole-file hash comparison (the SHA-1 or similar approach used for static files) is not suitable. When using file integrity monitoring for SQL Server or Oracle databases, the best option is to log access and changes to specific tables and back up those event logs centrally on your secure PCI DSS log server.
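The "grow but never shrink or change" rule above can be checked without re-hashing the whole file on every run. The following is an added example (not code from the original post or from any FIM product): it remembers the size and the SHA-256 of the bytes already seen, then on the next check re-hashes only that prefix, so appended entries are accepted while truncation or an in-place edit raises an alert. The log lines in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile


class AppendOnlyLogMonitor:
    """Integrity check for files that are allowed to grow but never shrink or change.

    For each file we remember (size, SHA-256 of the bytes seen so far). On the
    next check we re-hash exactly that many bytes: a shorter file means it was
    truncated or cleared, a different prefix hash means earlier entries were
    edited in place, and extra bytes at the end are normal log growth.
    """

    def __init__(self):
        self.state = {}  # path -> (size_seen, sha256_of_prefix)

    @staticmethod
    def _hash_prefix(path, length):
        h = hashlib.sha256()
        remaining = length
        with open(path, "rb") as f:
            while remaining > 0:
                chunk = f.read(min(65536, remaining))
                if not chunk:
                    break
                h.update(chunk)
                remaining -= len(chunk)
        return h.hexdigest()

    def check(self, path):
        """Return 'baseline', 'unchanged', 'grown', 'ALERT: truncated' or 'ALERT: modified'."""
        size = os.path.getsize(path)
        if path not in self.state:
            verdict = "baseline"
        else:
            old_size, old_hash = self.state[path]
            if size < old_size:
                verdict = "ALERT: truncated"
            elif self._hash_prefix(path, old_size) != old_hash:
                verdict = "ALERT: modified"
            elif size == old_size:
                verdict = "unchanged"
            else:
                verdict = "grown"
        # Re-baseline after every check so the next run reports only new events;
        # the alert itself should already have been forwarded to the central log server.
        self.state[path] = (size, self._hash_prefix(path, size))
        return verdict


def demo():
    """Constructed scenario (not real log data): normal growth, then two kinds of tampering."""
    mon = AppendOnlyLogMonitor()
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "w") as f:
            f.write("Jul 01 10:00:01 srv sshd[1]: Accepted password for alice\n")
        verdicts.append(mon.check(log))                     # baseline
        with open(log, "a") as f:                           # legitimate append
            f.write("Jul 01 10:05:12 srv sudo: alice : COMMAND=/bin/ls\n")
        verdicts.append(mon.check(log))                     # grown
        with open(log) as f:                                # rewrite history, same length
            text = f.read()
        with open(log, "w") as f:
            f.write(text.replace("alice", "bob  "))
        verdicts.append(mon.check(log))                     # ALERT: modified
        with open(log, "w") as f:                           # clear the log entirely
            f.write("")
        verdicts.append(mon.check(log))                     # ALERT: truncated
    return verdicts
```

Log rotation will also show up as "truncated", so a real deployment pairs this check with knowledge of the rotation schedule (or inode tracking) rather than treating every shrink as hostile.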
2. For System32 Folder
Probably the most critical system files on a Windows server or EPoS till to check for integrity are those in the Windows\System32 folder. All critical operating-system programs, DLLs and drivers reside there, which makes it an ideal place for a Trojan to hide. The threat is that a Trojan is implanted on the EPoS device or card data handling server, evading anti-virus detection (AV is typically only 70-90% effective). A file integrity monitoring agent gathers a complete inventory of all files in System32 and then makes regular comparative checks to detect any change. Trojans are particularly hard to find by other means because they masquerade as regular System32 program files: they look, and appear to behave, much like the genuine program.
Similarly, for Linux and Unix file integrity, all key program directories such as /bin, /sbin, /usr/bin, /usr/sbin and /lib have to be checked for integrity using a Linux or Unix file integrity monitor.
3. For Windows Updates
Windows Updates, and patches for other applications, will more often than not involve updating program files, drivers and DLLs. It is rarely clear beforehand which files a patch will modify, so a single update may generate numerous file changes across many folders and locations. It is therefore vital that, while your file integrity monitor can track detailed changes to any of a wide range of file attributes (hash, size, permissions, ownership, timestamps), it can also give you a good 'at a glance' summary of whether a file has been added, deleted or changed.
4. Card Data and Card Data Folder File Integrity Monitoring
Where card data or other sensitive financial details are stored on an EPoS device or server, the first line of defense is to limit access via file and folder rights and permissions. Even so, any user with Administrator rights will still be able to view the data and potentially copy out card numbers.
So the best form of defense is to implement object access auditing on the file or folder. This generates a full audit trail logging every access to the folder, including the user account that performed it. Processing this audit trail with an intelligent PCI event log analyzer ensures that any unexpected access to the card data generates an alert. For example, define a rule that automatically separates normal operations (say, access by the local system account or a designated service account) from access by a named account with administrator rights.
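The rule just described, run over audit records, as an added example that is not part of the original post or of any log analyzer product. It assumes a simplified CSV export of Windows "object access" events (Event ID 4663, with the subject account, object name and access mask as the relevant fields) and a hypothetical policy in which only `SYSTEM` and a service account `svc_epos` are expected to touch `C:\CardData\`. Every other account gets an alert, with a higher severity if the access mask carries write, append or delete rights. The sample rows are constructed.

```python
import csv
import io

# File-system access-mask bits as defined in the Windows SDK.
READ_DATA, WRITE_DATA, APPEND_DATA, DELETE = 0x1, 0x2, 0x4, 0x10000

# Hypothetical policy for this example: principals whose access is "normal operations".
ALLOWED_ACCOUNTS = {"SYSTEM", "svc_epos"}
CARD_DATA_FOLDER = "C:\\CardData\\"


def is_under(path, folder):
    """Case-insensitive prefix match, since NTFS paths are case-insensitive."""
    return path.lower().startswith(folder.lower())


def evaluate(events_csv):
    """Return one alert per 4663 event on the card data folder by a non-allowed account."""
    alerts = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["event_id"] != "4663":                 # only successful object-access events
            continue
        if not is_under(row["object_name"], CARD_DATA_FOLDER):
            continue
        if row["subject_user"] in ALLOWED_ACCOUNTS:   # normal operations, no alert
            continue
        mask = int(row["access_mask"], 16)
        wrote = bool(mask & (WRITE_DATA | APPEND_DATA | DELETE))
        alerts.append({
            "time": row["time"],
            "user": row["subject_user"],
            "object": row["object_name"],
            "access_mask": mask,
            "severity": "high" if wrote else "medium",
        })
    return alerts


# Constructed sample export (not real audit data). A 4656 row is a handle request,
# not an access, and is ignored; jsmith is a named administrator account.
SAMPLE_EVENTS = r"""time,event_id,subject_user,object_name,access_mask
2011-07-04T02:00:01,4663,SYSTEM,C:\CardData\batch-0703.dat,0x1
2011-07-04T02:00:02,4663,svc_epos,C:\CardData\batch-0704.dat,0x6
2011-07-04T09:17:44,4663,jsmith,C:\CardData\batch-0704.dat,0x1
2011-07-04T09:18:03,4663,jsmith,C:\CardData\batch-0704.dat,0x10000
2011-07-04T09:20:10,4663,jsmith,C:\Users\jsmith\notes.txt,0x2
2011-07-04T09:21:00,4656,jsmith,C:\CardData\batch-0704.dat,0x1
"""

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Auditing only produces these events if a SACL is set on the folder and the "Audit object access" (or the granular "Audit File System") policy is enabled, so the rule is only as good as the audit policy feeding it.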
5. PCI File Monitoring and Planned Changes/Change Acknowledgment
Obviously, changes will need to be made to configuration files and system files from time to time. You have to keep security patches up to date, and the PCI DSS mandates that critical security patches are applied within a month of release.
Operating a proper change management process is a key element of any IT security policy, so it is important that the file integrity monitoring solution is made aware of intended, planned changes. Any file changes detected as part of a structured change should be verified in the QA testing and post-implementation review processes to confirm that the right changes happened to the intended files only.
What about unplanned changes, whether emergency changes or ones that for whatever reason bypass the change management process? These will all be detected and alerts raised by the file integrity monitor, but there then has to be an incident management process to investigate and either approve the changes or remediate them. The PCI DSS is not prescriptive about how these processes should be managed, so some organizations use a full service desk application to document and approve changes, whereas smaller organizations may keep a spreadsheet record of changes. Use what works for your business, not what you think a QSA will expect to see!
See part one of this series for the other important file integrity monitoring FAQs that any merchant needing to be PCI DSS compliant should be aware of.
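The inventory-and-compare loop from the System32 section, the added/deleted/changed summary from the Windows Updates section, and the planned-change reconciliation described here all fit in one small tool. The following is an added example written for this page, not code from the original post or from any FIM product: it baselines a directory tree (size, mode and SHA-256 per file), diffs a later snapshot into the three summary buckets, then splits the detected changes into those covered by an approved change record and those nobody planned. The directory layout, file contents and the "approved ticket" list in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Inventory every regular file under root as relpath -> (size, mode, sha256)."""
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            inv[os.path.relpath(full, root)] = (st.st_size, st.st_mode, h.hexdigest())
    return inv


def compare(baseline, current):
    """At-a-glance summary: which paths were added, deleted or changed since baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "deleted": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def reconcile(summary, planned_paths):
    """Split detected changes into those covered by an approved change record and
    those nobody planned, which go to incident management for investigation."""
    planned = set(planned_paths)
    approved, unplanned = [], []
    for kind in ("added", "deleted", "changed"):
        for path in summary[kind]:
            (approved if path in planned else unplanned).append((kind, path))
    return {"approved": approved, "unplanned": unplanned}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: one planned patch plus two changes nobody approved."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {
            "System32/kernel32.dll": b"K" * 100,
            "System32/svchost.exe": b"S" * 80,
            "System32/drivers/tcpip.sys": b"T" * 50,
        }.items():
            _write(root, rel, data)
        baseline = snapshot(root)

        # Hypothetical approved change record: the patch replaces kernel32.dll and adds ntdll.dll.
        planned = ["System32/kernel32.dll", "System32/ntdll.dll"]
        _write(root, "System32/kernel32.dll", b"K" * 101)
        _write(root, "System32/ntdll.dll", b"N" * 60)
        # Unplanned: a look-alike binary appears and a driver is rewritten with the same size.
        _write(root, "System32/svchosts.exe", b"X" * 80)
        _write(root, "System32/drivers/tcpip.sys", b"t" * 50)

        summary = compare(baseline, snapshot(root))
        return summary, reconcile(summary, planned)
```

Note that the same-size driver rewrite is caught only because the comparison includes a content hash; a monitor that keys on size and timestamp alone would miss it.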
Among the most innovative and cost-effective forms of physical security are motion-activated cameras and outdoor camera surveillance. These devices are extremely useful in protecting and securing our homes, our property and our places of business. In a home setting, if you want to watch your house or part of its grounds, they let you discover what is happening while you sleep or while you are away. There is another useful application: is there an area of your home or workplace that is off-limits to others, including children, relatives, patrons or employees? When anyone approaches a prohibited area you will have video evidence of what they did in a place they were not authorized to be, and, as the name implies, their motion triggers the recording. Keep in mind that these systems belong to you, so if you move, the equipment goes with you. The major cost of this kind of security is the equipment itself; there are no monthly fees.
Today, criminals are becoming ever more bold and brash. For example, when a drug addict is craving a "fix", they will go to almost any length to find the funds to satisfy it. Whether or not we want to pass judgment on the addict, this is the sad state of the world's affairs. Other criminals simply seem addicted to the rush of taking the property of others, and worse yet, a growing segment of society seems all but addicted to violence. Motion-activated cameras and outdoor camera surveillance are a safe way to capture on camera any culprits in the vicinity of your house or business.
Motion-activated cameras or outdoor surveillance installed in or on a home or business also serve to deter potential criminals from taking their intended actions. We live in a troubling world where crime seems to increase perpetually as bonds of trust routinely vanish. Visible, mounted security devices are therefore one of the best ways to protect our families. It is our recommendation that you investigate the most effective measures for the security of your family or of your bar or nightclub. After all, "an ounce of prevention is worth a pound of cure."
The other day an acquaintance mentioned to me that he'd like to start a new business in the computer forensics trade and make it his new life's work. Does that make sense? Well, sure it does. Just because everything is moving into the cloud, or so it is predicted, doesn't mean that people who are trying to hide something would dare to save their stuff there. After all, it can easily be searched by the authorities, or some NSA search algorithm will find it.
Thus, those using computers to help them break the law will probably keep information close to the vest on encrypted CD-ROMs, hard drives, thumb drives and so on, much as Osama bin Laden did. Then there's another side to the computer forensics business, which is recovering lost data for businesses. So I told him I agree that computer forensics and consulting are a great business to be in; smart idea.
In fact, I have a friend who had a computer consulting business and did very well, but ran into trouble when he took on the wrong partner. They had different ideas on how to run the company, so they split it in two: hardware sales and computer repair on one side, consulting and networks on the other. Be careful when you take on partners, was his advice, and I'd say that advice applies to the computer forensics sector too.
And while we're talking about computer forensics, I sure could have used him a few years ago when my hard drive crashed and I lost four eBooks I was working on, which like a dummy I hadn't backed up. That was terrible. That same year my Windows installation got corrupted, and when I rebooted I lost plenty more: a lot of important ideas, concepts and half-completed articles I was thinking on. People need computer forensics and file recovery, and corporations need to trace back how the hackers got in so they can secure their data too.
I'd say there is a lot of work to be done, plus potential contracts with law enforcement as well. It could be quite a lucrative business. Indeed, maybe my acquaintance is quite wise in his desire to start this kind of business; maybe it really is a smart industry to get into, and with the right connections it should be a very good business. Well, that's all for now, something to think on. If you have any more questions or comments about the computer forensics industry, please shoot me an e-mail.
Encryption is an increasingly important set of technologies that enables customers to protect private data in computers, across public or private networks, and in other machine-readable forms.
There is more data at risk of being compromised than ever. This, together with the increasing cost of a data breach, measured in "hard" dollar terms like legal settlements and "soft" costs like loss of customer loyalty, makes the intelligent use of encryption and other data-protection technologies increasingly necessary for organizations of any size.
For the small and medium-sized market, the ideal data encryption approach would be both affordable and easily integrated into a comprehensive data backup and business continuity solution. It would include strong, standards-based encryption and provide a robust key management function.
Imagine a bank with 20,000 customers, most with multiple accounts and credit cards. Every night, the bank makes a complete tape backup of its core information servers. The tapes are then placed in a storage box. Sometime during the day, a van driver from the tape storage firm drops off an older set of tapes (no longer needed) and picks up the box of new tapes.
Such a practice could lead to tapes being mislaid or stolen from loading docks, being accidentally dropped off at the wrong site, or being lost or stolen from the delivery van, among other things. Once the tapes are in the wrong hands, unencrypted data is easily compromised.
Fortunately, encryption can be built into an organization's backup processes, protecting all data on the company's servers and backup devices, and all data taken off site for archiving.
Keys and key management
A key is a piece of information, or parameter, that controls the operation of a cryptographic algorithm. Modern encryption algorithms use either symmetric or asymmetric keys. Asymmetric key encryption uses a pair of keys, called a public key and a private key, and is most suitable for protecting data that has a wide audience, such as web sites with secure access established for many users.
Symmetric key methods use the same key for both encryption and decryption. Symmetric keys are well suited to devices and appliances where the need to share keys is very limited. This is the case with data backup devices, where one specifically does not need to give many parties access to the key.
If you lose your house key, a locksmith can open the lock mechanically and let you regain access. If you lock your keys in your car, there are specialized tools that can open the door. But any encryption method that allowed this kind of "alternative access" in the case of a lost key would be fatally insecure. Today, most encrypted data is essentially indecipherable to thieves and completely lost to the owner in the absence of the decryption key. This puts enormous pressure on the owner not to lose the key. It is important to pick a "strong" key, often many characters long, making it harder to guess but also harder to remember, and writing the key down brings its own obvious security risks.
Implementation methods
Data encryption can be incorporated into your workflow in several different ways, each with its own benefits and drawbacks. When implementing data encryption on a network, there are four basic approaches:
File system encryption on the server. File system encryption is about the easiest to implement. But this type of encryption places a very heavy CPU demand on the server, which makes it impractical for a busy Exchange or SQL server because of the computing power required.
Additionally, server file system encryption does not allow for centralized management; rather, it must be implemented on a per-server basis and managed only with respect to that system. And in a multi-OS environment, file system-based encryption may not be available for every OS in use.
In-line encryption. In-line encryption is normally performed by a dedicated hardware "appliance", which is fairly easy to implement. The appliance typically has two network connections, with plaintext coming in from the network and ciphertext (encrypted data) going out of the device. Encryption appliances can protect all data that is in line to be saved on backup media, and the servers and backup devices can operate at their own speed, almost as if no encryption were being performed.
But this methodology can be a poor choice for some firms. In-line devices require very fast hardware to work, pushing the unit cost up. And in the event of a real disaster, a new unit must be procured before any file or system restoration can happen.
Backup media encryption. Probably the most widely used form of encryption occurs at the backup media: either on the server driving the tape backup device (for example, the media server in a Veritas environment) or on the tape drive itself.
When implemented on the tape server, encryption can dramatically reduce the performance of the backup system, since a large share of the server's CPU resources is diverted to perform the encryption. Using a tape drive that provides its own encryption processing can reduce the overall load on the tape server. These drives are expensive, however, and require that the tape units be of the same model or family to achieve full encryption.
Backup device encryption. The key distinction between backup device encryption and backup media encryption is the location where the encryption is performed. Encryption at the backup device level provides much more resilient overall data security, because the data can be encrypted once (on the device) and remain encrypted no matter where it is located at any future time.
If data is encrypted as it arrives at the device, then the data stored on the backup device for local rapid recovery is also protected from insider attacks. This method avoids the performance degradation of file system encryption and removes the complexity of applying encryption tools across multiple systems.
Planning a successful implementation
There are six keys to implementing an encryption capability within your overall data protection and disaster recovery strategy. These are the "critical success factors". Get these six right and you will have a very high likelihood of success.
1. Maintain universal data recovery. Wherever the encrypted data resides (local backup device, remote data center, offline media or archive media), you must be able to reliably reverse the process and produce unencrypted data.
2. Choose a single approach for all your sensitive data. Pick a method that lets you implement encryption once and protect your sensitive data with a single, integrated capability.
3. Minimize resource impact. Encryption comes at a cost; make sure yours is acceptably small. Ensure the CPU load of the encryption process is sufficiently "lightweight" to avoid a material decline in the rate at which your systems process their normal work. Save network bandwidth by compressing data before transmission and by sending only changed blocks of data. Note that compression must happen before encryption, since properly encrypted data is incompressible. Choose a simple, powerful and intuitive interface.
4. Prevent unauthorized access to data. Data should be encrypted so that a "clear text" copy can be reproduced only after proper authentication has been provided.
5. Have a key management strategy. Choose a solution with strong key management capabilities, making it easy to change keys frequently, recover old files whose original keys might otherwise have been lost, and otherwise strike a balance between safety and accessibility.
6. Test beforehand. You must prove that your solution can both encrypt (and store encrypted data in all locations) and successfully produce clear text from the encrypted sources.
Historically, the price and difficulty of implementing encryption to augment a firm's data security were too daunting, especially for small and medium-sized enterprises. Today, however, solutions exist that bring enterprise-class encryption technology to businesses of any size.
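The key management points above (factor 5, and the "lost key means lost data" warning in the section on keys) and the recovery test in factor 6 are easiest to see in code. What follows is an added example written for this page, not the original post's code or any vendor's product. It keeps a ring of symmetric backup keys indexed by a key id, stamps each encrypted backup with the id of the key that protected it, so rotating to a new key never strands old backups, authenticates every blob so tampering is caught, and includes a recovery check that walks stored blobs and reports which still decrypt. The cipher is HMAC-SHA256 run as a stream cipher with a separate authentication tag, chosen only so the example runs on the standard library; a production system should use an authenticated cipher such as AES-GCM. The backup contents and the rotate/destroy sequence in `demo()` are constructed.

```python
import hashlib
import hmac
import secrets
import struct


class KeyRing:
    """Every backup key ever issued, indexed by key id, plus the id of the current one."""

    def __init__(self):
        self.keys = {}
        self.current = None

    def rotate(self):
        """Issue a new key and make it current; older keys stay so old backups remain readable."""
        key_id = len(self.keys) + 1
        self.keys[key_id] = secrets.token_bytes(32)
        self.current = key_id
        return key_id

    def destroy(self, key_id):
        """Simulate a lost (or deliberately destroyed) key."""
        del self.keys[key_id]


def _subkeys(master):
    # Separate encryption and authentication keys derived from one master key.
    enc = hmac.new(master, b"backup-encrypt", hashlib.sha256).digest()
    mac = hmac.new(master, b"backup-authenticate", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode. Illustrative only; use AES-GCM in production.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(ring, plaintext):
    """Blob layout: version(1) | key_id(4) | nonce(16) | ciphertext | tag(32)."""
    key_id = ring.current
    enc_key, mac_key = _subkeys(ring.keys[key_id])
    nonce = secrets.token_bytes(16)
    header = struct.pack(">BI", 1, key_id) + nonce
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt(ring, blob):
    """Recover plaintext; fails loudly if the key is gone or the blob was altered."""
    version, key_id = struct.unpack(">BI", blob[:5])
    nonce, ciphertext, tag = blob[5:21], blob[21:-32], blob[-32:]
    if version != 1:
        raise ValueError("unknown blob version")
    if key_id not in ring.keys:
        raise LookupError(f"key {key_id} not in ring: backup is unrecoverable")
    enc_key, mac_key = _subkeys(ring.keys[key_id])
    expected = hmac.new(mac_key, blob[:21] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # verify before decrypting
        raise ValueError("authentication failed: blob altered or wrong key")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def verify_recovery(ring, blobs):
    """Success factor 6: check that every stored blob still decrypts; one True/False per blob."""
    results = []
    for blob in blobs:
        try:
            decrypt(ring, blob)
            results.append(True)
        except (LookupError, ValueError):
            results.append(False)
    return results


def demo():
    """Constructed scenario: two nightly backups, a key rotation, tampering, then a lost key."""
    ring = KeyRing()
    ring.rotate()                                            # key 1
    night1 = encrypt(ring, b"constructed backup set, night 1")
    ring.rotate()                                            # key 2; key 1 is retained
    night2 = encrypt(ring, b"constructed backup set, night 2")
    both_ok = verify_recovery(ring, [night1, night2])        # [True, True]
    tampered = night1[:25] + bytes([night1[25] ^ 0x01]) + night1[26:]
    tamper_detected = verify_recovery(ring, [tampered])      # [False]
    ring.destroy(1)                                          # the "lost key" case
    after_loss = verify_recovery(ring, [night1, night2])     # [False, True]
    return both_ok, tamper_detected, after_loss
```

The last step is the point of factor 5: the moment key 1 is gone, every backup stamped with key id 1 is gone with it, however carefully the tapes were stored, so the key ring itself needs the same backup discipline as the data.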