The Importance of Log Management

A watchtower is pointless if there’s no watchman inside.

Gary Glover, CISSP, QSA
By: Gary Glover
In the 18th and 19th centuries, military forts posted sentries on the walls to keep an eye on the surrounding area. If strange activity occurred, they would ring bells, bang gongs, or shout to the fort residents to alert them of impending danger.

log managementWe’ve come quite a way since then.

Businesses have an electronic sentry inside most their systems called log monitoring. Log monitoring systems oversee network activity, inspect system events, and store user actions (e.g., renaming a file, opening an application) that occur inside your operating system. They are your watchtower lookout and have the ability to provide the data that could alert you to a data breach. The raw log files are also known as audit records, audit trails, or event-logs.

Most systems and software generate logs including operating systems, Internet browsers, point of sale systems, workstations, anti-malware, firewalls, and intrusion detection systems (IDS). Some systems with logging capabilities do not automatically enable logging so it’s important to ensure all systems have logs turned on. Some systems generate logs but don’t provide event log management solutions. You need to be aware of your systems capabilities and potentially install 3rd party log monitoring and management software.

It’s likely every corporation in the U.S. is fielding malicious attacks on a daily basis. Whether in the tens or in the thousands, it’s crucial businesses are acutely aware of what’s happening against their system through active security log review.

Log reviews can show you suspicious system activity

The biggest problem with logs is – nobody looks at them!
Businesses must review their logs daily to search for errors, anomalies, or suspicious activity that deviates from the norm.

From a security point of view, the purpose of a log is to act as a red flag when something bad is happening. Reviewing logs regularly could help identify malicious attacks on your system. Given the large of amount of log data generated by systems, it is impractical to review all of these logs manually each day. Log monitoring software takes care of that task by using rules to automate the review of these logs and only point out events that might represent problems or threats.  Often this is done using real-time reporting systems that alert you via email or text when something suspicious is detected.

SEE ALSO: 7 Hearty Tips to Avoid Costly Data Breaches

Not everyone’s network and system designs are exactly the same, and setting up the rules that will filter the usually vast amount of logs generated is very important and often takes some time to get just right. This part of log monitoring is the “art” phase where you modify the settings to get things just right for your environment.

Often, log monitoring software will come with some alerting templates to get you started, based on experience with PCI or HIPAA security requirements. This is just a good starting point for you to begin optimizing the monitoring and alerting functions. It is critical to take the time necessary to get this part right at the beginning in order to save you many headaches later on.

Log monitoringHere are some event types you will want to consider when setting up your log management system:
  • Password changes
  • Unauthorized logins
  • Login failures
  • New login events
  • Malware detection
  • Malware attacks seen by IDS or other evidence
  • Scans on your firewalls open and closed ports
  • Denial of service attacks
  • Errors on network devices
  • File name changes
  • File integrity changes
  • Data exported
  • New processes started or running processes stopped
  • Shared access events
  • Disconnected events
  • New service installation
  • File auditing
  • New user accounts
  • Modified registry values
  • Etc.

Take advantage of log management in 7 steps

To take advantage of log management and quickly nip attacks in the bud, take a look at your security strategy and make sure these steps are taken care of.

Subscribe to blog.securitymetrics.com
  1. Decide how and when to generate logs
  2. Secure your stored logs to make sure they aren’t maliciously altered by cybercriminals or accidentally altered by well-intentioned employees.
  3. Assign an employee you trust to review logs daily.
  4. Set up a team of people ready to review suspicious alerts.
  5. Set up your rules for alert generation (e.g., failed login attempts per minute, additions of new user accounts, modified registry values, etc.). Spend the time to get this right, don’t just rely on a template provided by a vendor.
  6. Store logs for at least 1 year, with 3 months available (this is a PCI DSS requirement).
  7. Frequently check log collection to identify adjustments that would make the process run smoother.
Being on top of logs means a quicker response time to security events and better security program effectiveness. Not only will log analysis and daily monitoring demonstrate your willingness to comply with PCI DSS and HIPAA requirements, it will also help you defend against insider and outsider threats.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.

Data Security Learning Center
Do You Know Where You Store Card Data?

Card data…it’s hiding on your network.

Wenlock Free, SecurityMetrics Stephen W Orfei, PCI Security Standards Council
By: Wenlock Free and Stephen W. Orfei
This article was originally featured as an Electronic Transactions Association guest blog.

How many news stories have you seen in the past 12 months about major brands in the retail, hospitality, and entertainment industries losing their payment card data? Chances are it’s more than you can count on both hands.

It’s also true that almost any company, including yours, could be in that same situation in the next 12 months. According to a PricewaterhouseCoopers study, 42.8 million cyber attacks are expected this year. Even an average hacker can find credit card data in unexpected and unprotected places.

credit card data storageResearch shows that basic security measures can protect you against hacks 99.9 percent of the time. The PCI Data Security Standard (PCI DSS) covers these basics and much more. It has been developed by industry experts and stands the test of time. Unfortunately, according to Fortinet, 1 in 5 small and medium business retailers are not PCI DSS compliant.

One key part of the standard in which many merchants fail is PCI DSS Requirement 3, “render [primary account number data] unreadable anywhere it is stored.”

Unintentional hidden credit card information

Many businesses that store encrypted card data may not be aware of just how often data is left in its unencrypted form. According to 2015 data from SecurityMetrics, 61 percent of businesses store unencrypted payment card data and 7 percent store track data. Both actions are completely against the PCI standard.
For those who don’t think they even have sensitive data on their network, it’s a big surprise to learn how payment card data leaks in a system.
SEE ALSO: Unencrypted Card Data: A Security Plague

Let’s walk through a simple checklist of the common hidden credit card data storage places in your network.
  • Error logs are one of the most common places unencrypted credit card data is unintentionally stored. When an error occurs during card authentication or processing, an error log is often generated—and these logs frequently contain the full credit card data in plain text.
  • Accounting departments typically have processes for balancing books, processing refunds, and charge reversals that store unencrypted credit card data in files on employee workstations, files stored on shared network file servers, or as printed media.
  • Sales departments may have emailed or printed forms containing credit card numbers.
  • Marketing departments may have databases containing transaction data used for market research.
  • Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.
  • Administrative assistants may create a spreadsheet that contains a company or executive’s credit card number for quick access when making payments.
Where is your credit card dataAfter locating stored credit cards, merchants often try deleting this data by emptying their computer’s trash icon. Unfortunately, emptying a trash icon doesn’t permanently delete its contents. To properly delete, you must erase (repeatedly overwrite) the file from your disk drive.

The sad truth is, if a merchant stores unencrypted payment cards at the time of the breach, whether knowingly or unknowingly, she or he may pay hefty fines and lose the confidence of customers.

SEE ALSO: Is Your Credit Card Data Leaking?

When people are vigilant in applying the security controls outlined in the PCI DSS to their business, it makes the life of an attacker more difficult. A secure organization has no hidden credit card information to steal. Attackers are forced to move on to much easier pickings.

Subscribe to blog.securitymetrics.com

Protect yourself against unencrypted credit card data storage

The first step to protecting card data is knowing where it is. A great starting point is mapping out a dataflow diagram showing all locations and flows of cardholder data (as required in PCI DSS Requirement 1), to easily identify which systems require protection.

Today’s technology also offers many user-friendly software tools and solutions, such as SecurityMetrics PANscan®, that can assist you in identifying where cardholder data resides on your systems. After running the software, you can take the steps necessary to become PCI DSS compliant by removing or encrypting the unencrypted payment card data on your network. Remember, if you don’t need it, don’t store it!

As always, when working with vendors to determine which tool is right for you, it’s important to keep in mind not all are created equal. Do your homework beyond reading claims that say they are PCI DSS experts. Of course at the end of the day, not even the best technology can substitute the need for vigilance when it comes to securing your business.

2014 will be remembered as the year that data breaches became a board room topic. What will 2015 hold for your company?

Wenlock Free is vice president of strategic partnerships for SecurityMetrics, combining a background in international sales and marketing with over twenty years experience in the data security and training industries.

Stephen W. Orfei is general manager for the PCI Security Standards Council. A recognized industry expert in global payment platforms, e-commerce, mobile payments, transit and cybersecurity, he has more than 20 years of experience developing and delivering complex global payment solutions.

PCI DSS Learning Center
Making HIPAA Compliance Realistic: Part 2

A prioritized approach of the Security Rule.

Brand Barney, HCISPP, CISSP
By: Brand Barney
To view this post in its original format, watch the How to Prioritize HIPAA Compliance webinar.

If you read part 1 of this series, I discuss the importance of starting a Risk Analysis as part of this 3-step prioritized approach that focuses on the Security Rule:
Now, let’s jump into the fun part: how are we going to deal with all the risks and vulnerabilities that we just found?

HIPAA compliant, HIPAA reality check

How to craft a Risk Management Plan

After you have analyzed your risk, you need to come up with a plan to become HIPAA compliant. You can do this on your own, or receive help from a security auditor (like me!) who is trained to craft the most straightforward and effective plan. A road map!

Need help crafting your Risk Management Plan? Send us a line.

In your Risk Management Plan, you need extensive documentation that shows you take sufficient security measures to reduce risks and vulnerabilities. Be sure to include the following:
  • Action items for every risk
  • Milestones established to demonstrate your progress
  • Completion dates for everything
  • Daily/weekly progress (even up to monthly, depending on the risk)
You need to implement a risk strategy for every risk you identified in your Risk Analysis.

Your risk strategy

There are many different risk strategies that you can implement.
  • Risk acceptance: you don’t necessarily need to address every risk at once. There is actually some acceptance for some risks, especially if it is a lower risk.
  • Share risk: you might consider sharing some of the risk, similar to an insurance company sharing some of your risk.
  • Remove risk: many choose to reduce most of their risk by resolving or removing it. You might even consider completely getting rid of your risks all together. For example, you can get rid of Windows XP machines, which have not been supported for more than a year now. Or Windows Server 2003, since Microsoft is ending support on July 14th 2015. Many organizations are choosing to migrate to a newer server operating system and remove that risk entirely.
You need to document milestones, specifically your goals and achievements. What were your goals and when did you want to complete them? When did you achieve your goals?

Who affects your risk?

While planning for the future, it’s important to note the parties who have and will continue to impact your risk in the future. Identifying and mitigating the risks associated with these groups will increase your security immensely.

Employees

Oftentimes, employees are not necessarily trying to be malicious (though it does occur). In many cases, employees’ actions that pose risk to your security are unintentional, well meaning, or negligent. These employees often do not know they cause a security breach.

Put controls in place so your employees aren’t allowed to hurt your data, systems, and business. For example:
  • Have screensavers, enable automatic lockouts, and require passwords after time-out to protect PHI on computers.
  • Don’t allow employees to share usernames or passwords. Instead, your employees should have HIPAA compliant passwords.
  • Establish systems to distinguish visitors apart from onsite personnel, even if you are part of a small organization.
  • Train your staff about phishing tactics.
  • Train your staff on social engineering.

Business associates

Ponemon Institute’s 2014 study shows only 30% of covered entities felt confident that their business associates were properly handling their PHI, which is a staggering statistic considering how important your business associate can be to your security. As that statistic clearly states, your business associates offer some of the greatest risks to you. They are definitely not all bad, but when you share data, you no longer have a way to control and safeguard that data.

Subscribe to blog.securitymetrics.com

According to the 2013 HIPAA Omnibus Rule, you need to have and update your Business Associate Agreements (BAA). You also should review all your vendors before contracting with them. A BAA does not relieve your liability and responsibility with HIPAA compliance.

IT staff

Your IT guy is probably great and does many things for your organization, but he might not be trained in security. IT professionals all have a different subset of skills, just as an anesthesiologist and a cardiologist have specialties.

As a result, your systems may not be properly implemented, especially your firewall and remote access system. Usually, firewalls are configured to communicate to the other devices in your program, but some are configured to allow access in and out of your system that probably shouldn’t be allowed. Remote access systems are often set up incorrectly. Make sure your remote access is set up with two-factor authentication.

I would suggest you check up with your IT staff is making sure to update your systems and applications regularly, especially the following:

Takeaways

HIPAA compliance doesn’t have to be unmanageable. Break it up into manageable pieces. Start with small changes, such as designating a privacy and security officer, beginning your risk analysis, and outlining your specific plans for data security at your organization.

If you’re still overwhelmed, talk to a company like SecurityMetrics, who can assist you in a guided HIPAA compliance process.

Remember, your security matters.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

HIPAA compliance learning center
How Do Hackers Hack?

Crimes of opportunity lead the average hacker to valuable data.

Steve Snelgrove, CISSP
By: Steve Snelgrove
You might think hackers selectively pick each business they hack. While this may be true in high profile or hacktivism cases, I estimate 90% of hacking is done based on a system’s general lack of security. Hackers don’t think, “Today I’m going to hack Acme Hardware across the street.” They scan for the most vulnerable system and start digging.

To defend against attacks, it is important to understand that hackers have different motivations and capabilities.

The Opportunist Hacker

How do hackers hackA crime of opportunity

These hackers stay up-to-date on security news. Once a vulnerability is made public, it’s fairly easy to conduct a large-scale network scan for systems which exhibit symptoms of the vulnerability. After the hacker gets the list of vulnerable machines, he will do additional research on the vulnerability and attempt to enter the system. Once inside, it is often easy to pivot and reach other, less hardened machines.

A great example of opportunist hackers in action arose when news of the Heartbleed vulnerability was released in April 2014. The vulnerability was publically exposed on many news publications. Very shortly thereafter, hackers scanned the Internet for looking machines using OpenSSL, and then attempted to exploit that vulnerability and enter the system. Piece of cake.

SEE ALSO: PCI 3.1, Stop Using SSL and Early TLS Immediately

But hackers don’t necessarily require huge newsworthy vulnerabilities in order to hack. There are thousands of other publically-known vulnerabilities they could take advantage of. For example, website forms often have validation flaws. An attacker may submit potentially malicious data on a form, which then might be echoed back to the user's browser and rendered to the screen. The screen displays a mix of server content and the attacker's malicious data. This could result in unsuspecting users being redirected to another site where credentials or session information might be captured.

Does the hacker know which business or person he’s hacking? No. And he doesn’t care. He’s attacking a system because it’s vulnerable. Once the vulnerability is identified, the hacker will then attempt to profit from the exposure.

How do I defend against this attack?

The obvious defense against the public vulnerability attack is to scan your systems in an attempt to discover vulnerabilities beforehand. Keep up-to-date on security news. Partner with a company that keeps abreast of publicly disclosed vulnerabilities. Regularly maintain and update your systems.

If a vulnerability similar to Heartbleed is released, do everything in your power to close the vulnerability ASAP. Do your best to maintain updates on all other operating systems, browsers, and servers to avoid the possibility of being a victim of a zero-day attack.

The Layabout Hacker

Examples of computer hackingBrute forcing

Somewhat less effective, but still pervasive, are brute force attacks. In these attacks, attackers control an army of computers infected with malware (known as botnets or zombie computers). The attacker is able to control this network of computers, and these do the attacker’s dirty work for them.

The attacker uses botnets to access systems by guessing usernames and passwords in millions of combinations until the right combination is guessed. It’s not very effective. But, as my dad always said, “even a blind squirrel will find a nut every once and a while.”

Hackers use botnets so each hack attempt is nearly impossible to trace back to the actual hacker.

Subscribe to blog.securitymetrics.com

How do I defend against this attack?

The two best ways to avoid this attack is by monitoring your logs and regularly creating new passwords.

If a botnet tries to access your system through a brute force attack, your logs should record these actions. If your logs record 1,000’s of failed login attempts on your system, you’re probably being attacked.

The reason brute force attacks work so well is because millions of user credentials (usernames and passwords) have been dumped online in publicly available lists. Password lists are effective because the majority of people do not change their passwords, and use the same passwords on multiple sites/systems. To avoid this attack, change your personal and business passwords every 90 days, and never reuse passwords.

SEE ALSO: Vendor-Supplied Defaults Are A Serious Threat
Hackers have different motivations and capabilities. But these are their main methods.

What do hackers do after they get into a system?

Now the hacker starts prospecting. Remember, before this point the hacker still doesn’t know if he’s hacked a business or a personal computer. Now, he looks for evidence that the system is doing commerce, which means credit cards, healthcare information, or other valuable data might be present. To find this data, he starts running keyword searches on the file systems and memory of the system.

For example, if his keyword searches discover that the system he’s hacked is a Micros system, he knows he has gained access to a business that accepts credit cards. (Micros is a point of sale software used by many restaurants and hotels.) He will probably try Micros default passwords to try to get into their server and thus expand the range of the attack.

Install malware

If the hacker is successful in breaching the point of sale system, he can possibly install malware. The whole point of malware is to gain access to valuable and sensitive information, such as credit card numbers, early on in the data processing stream, and attempt to divert this sensitive information so cybercriminals can reproduce cards or sell the stolen data on the black market.

Depending on the malware installed, every single customer credit card transaction made on that computer (and perhaps on the entire network) could be at risk.

Pivot

By now, the hacker in this scenario has probably filtered through enough company data to realize who he’s hacked.

Perhaps the hacker has managed to attack and gain access to a national business with a chain of stores. If he finds remnant data on the system that includes the IP addresses of other chain locations, that chain will be in some serious trouble as these chain locations may have less security measures in place, and access to these associated networks could provide valuable information to the attacker.

Remnant data left on systems does occur in real world examples. In a forensic investigation my colleague David Ellis conducted, a point-of-sale equipment installer left a partial client list on each and every point-of-sale system he had installed during that year. Some 28 businesses were hacked because of the poor security awareness of that careless installer.

Leave no trace

At this point, it’s time for the hacker to get out of the hacked system. Most hackers cover their tracks to avoid detection. They encrypt card data before transferring it out of a system, erase or modify security logs, and run malware from RAM instead of the hard drive, which often goes undetected by most anti-virus software.

SEE ALSO: Hacking Trends of 2014

Hackers don’t care who you are. They just care how rich you can make them.

Read about 5 commonly overlooked security errors for tips to avoid being attacked.

Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years. Since 1980, Snelgrove has worked in the computer and telecommunications industry, and has familiarity with programming, software engineering, and network security. His current responsibilities includes the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.

Data Security Learning Center
Making HIPAA Compliance Realistic: Part 1

A prioritized approach of the Security Rule.

Brand Barney, HCISPP, CISSP
By: Brand Barney
To view this post in its original format, watch the How to Prioritize HIPAA Compliance webinar.

(Read part 2 of this series!) When I discuss HIPAA compliance, most healthcare professionals think about how stressful and expensive HIPAA compliance can be. As a result, many organizations have avoided or put off compliance.

If you’re thinking this way, consider this: there are now more breaches in the healthcare industry than ever.

HIPAA compliance was created to protect your patients’ Protected Health Information (PHI). By following HIPAA compliance, your organization will be on the way to security and avoid severe punishments by the Office of Civil Rights (OCR).

Let’s discuss how you can realistically become HIPAA compliant and develop your IT security.

HIPAA compliant reality check

Maximizing your time

You probably don’t have all the time in the world. But, it’s not always about finding time for HIPAA. It’s about maximizing the little time you have.

The question then becomes where you should focus your efforts. I would suggest the Security Rule. Not following HIPAA’s Security Rule is the reason most organizations lose PHI, especially ePHI.

To avoid heavy fines, you don’t need to tackle the entire HIPAA compliance process at once. The OCR goes easier on organizations that can show documentation of demonstrable progress towards full HIPAA compliance.
I would suggest a 3-step prioritized approach focusing on the HIPAA Security Rule:

Starting your Risk Analysis

Your organization is a living, breathing entity that collects, transmits, and maintains data. But like the human body, it has weaknesses. Your organization’s IT security can become weak over time if it does not receive adequate attention, especially due to attackers constantly trying to break into your system.

Learn more about how to start a risk analysis.

As a result, you need to start your Risk Analysis process by identifying the risks, threats, and vulnerabilities to your patient data, organization, and systems. When you find these weaknesses, you need to establish a plan and work on fixing those specific areas.


Let’s say you go into your doctor today for a general health check. Your doctor would find risks, threats, and vulnerabilities to your health. For example, if you were diabetic and your diet was primarily fast food and candy, your doctor would come up with a plan to fix the problems, such as having you change your diet and exercising.

It’s the same thing with your business, patient information, and systems. As a business, you need to make specific plans and goals to fix problems like:
  • When do you want to complete your Risk Analysis?
  • When do you want to complete your Risk Management Plan?
  • What is an acceptable risk?
  • When do you plan to train employees? What will this training focus on?
Now, I will explain ways you can start mapping out your Risk Analysis.

How to identify your HIPAA risks

Your Risk Analysis is all about discovering and considering your vulnerabilities, threats, and risks.

For your vulnerabilities, you should examine flaws in your components, procedures, design, implementation, and internal controls. For example, a vulnerability might be a flaw in building designs that might lead to PHI being stolen.

For your threats, you should figure out the potential for a person, group, or thing to trigger a vulnerability. For instance, what would happen if you had a disgruntled employee? Would he be able to get back into the system and obtain PHI after he was fired?

Lastly, you need to know your risks, which deal with the probability that a particular threat will take advantage of a specific vulnerability. For example, you need to determine the fines of noncompliance and damage to your brand in the instance of a data breach.

Document your PHI flow

You need to document and know exactly where PHI comes in, goes out, and is maintained. You should sit down with the key members of your department(s) and identify the areas of PHI flow.

In most cases, you will discover new ways and areas that staff stores PHI.

Maybe PHI is transmitted from your billing area to business associates, or your staff sends billing information through Gmail because your mail server was slow.

Maybe the front staff wrote down a patient’s question and took it back to the doctor, who placed it in an unlocked bin.

Other important areas to look for PHI include:
  • Servers
  • Workstations
  • Networked medical devices
  • Laptops
  • Computers
  • Operating systems
  • Applications
  • Software
  • Mobile phones
  • EHR/EMR systems
You may already know where the data is stored, but you need to document where this information is being stored.

Risk Analysis tools

It’s difficult to find every weakness in your organization on your own. To make sure your ePHI is fully protected and to avoid weaknesses in your IT system, implement additional services such as:
  • Internal and external vulnerability scans—a tool that scans for weaknesses inside your internal network. You should be doing these scans on a quarterly basis and any time you make a change in your network.
  • Penetration test—an ethical hacker, who looks at all of your systems weaknesses and vulnerabilities in your services.
  • Nmap scanning—a tool that identifies open ports and services. For example, you might have a database port open and available for the public.
These tools can help you fully see if your patient data is protected, and system is secure.

Stay tuned for part 2, where we’ll discuss how to craft a risk management plan!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.