Breach prevention: How to keep track of data and applications


Michael Cobb, Contributor
10.28.2009

The recent indictment of three people who hacked into Heartland Payment Systems Inc. has once again highlighted the need to keep a firm grip on where enterprise data is and what applications access it.

In the now well-known attack on the payment processing company, attackers used SQL injection to gain access to Heartland's servers. They then installed network sniffers, which captured card data used in financial transactions. The malware evaded detection by several antivirus programs. It's thought that the malicious code captured card data during the brief window in which it was unencrypted during the transaction authorization process. The intrusion began in May 2008, shortly after the company had been certified as compliant with the PCI Data Security Standard (PCI DSS) requirements.

But just because a network is compliant at the time of an audit doesn't mean it will remain so. Hackers know as much, if not more, about the security methods used by enterprises and are constantly trying to find ways to defeat them. System administrators need to be just as diligent, checking and monitoring their own systems and keeping up with attack techniques and countermeasures. To that end, the job of security teams is not to simply complete a checklist or pass an audit; it's protecting network resources and data across the entire data life cycle. In this tip, let's look at a few ways to keep track of data and applications:

1. Map the network: Firstly, use a tool such as Nmap, the freely available scanner, to explore and map devices and applications running on the network. Scan results can then be compared against a known and accepted baseline. Scanning on a regular basis helps build a picture of what and who should and shouldn't be on the network. Anything that looks out of the ordinary can then be investigated further, focusing attention on potential trouble spots.
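The baseline comparison described above, as an added example that is not part of the original tip: it parses Nmap's grepable (-oG) output and reports new hosts, unexpected open ports and expected hosts that have gone missing. The scan output, host names and baseline are constructed sample data.

```python
"""Compare an Nmap grepable (-oG) scan against an accepted baseline (added example,
not from the original tip; hosts, ports and baseline are constructed sample data)."""
from collections import defaultdict

# Constructed sample of `nmap -sS -oG -` output (fields are tab-separated).
SAMPLE_SCAN = """\
# Nmap 5.00 scan initiated Wed Oct 28 09:00:00 2009 as: nmap -sS -oG - 192.168.1.0/24
Host: 192.168.1.10 (web01)\tStatus: Up
Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (997)
Host: 192.168.1.20 (db01)\tStatus: Up
Host: 192.168.1.20 (db01)\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
Host: 192.168.1.99 ()\tStatus: Up
Host: 192.168.1.99 ()\tPorts: 4444/open/tcp//krb524///\tIgnored State: closed (999)
# Nmap done at Wed Oct 28 09:04:12 2009 -- 256 IP addresses (3 hosts up) scanned
"""

# Accepted baseline: host -> open "port/proto" entries it is allowed to expose.
BASELINE = {
    "192.168.1.10": {"22/tcp", "443/tcp"},
    "192.168.1.20": {"22/tcp", "3306/tcp"},
    "192.168.1.30": {"22/tcp"},  # expected on the network but absent from this scan
}

def parse_grepable(text):
    """Return {ip: set of 'port/proto' reported open} from -oG output."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and trailer lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        open_ports.setdefault(ip, set())  # keep hosts that are up but expose nothing
        # Each Ports entry is port/state/proto/owner/service/rpcinfo/version/
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) >= 3 and parts[1] == "open":
                open_ports[ip].add(f"{parts[0]}/{parts[2]}")
    return dict(open_ports)

def diff_against_baseline(scan, baseline):
    """Return the deviations an administrator should investigate."""
    findings = {"new_hosts": set(), "unexpected_ports": {}, "missing_hosts": set()}
    for ip, ports in scan.items():
        if ip not in baseline:
            findings["new_hosts"].add(ip)
        elif ports - baseline[ip]:
            findings["unexpected_ports"][ip] = ports - baseline[ip]
    findings["missing_hosts"] = set(baseline) - set(scan)
    return findings
```

Run `diff_against_baseline(parse_grepable(SAMPLE_SCAN), BASELINE)` to see the three kinds of finding; a filtered port (3306 on db01) is deliberately not counted as open.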

2. Monitor for anomalies: It is important to monitor what traffic is travelling in, across, and out of the network. To steal data remotely, hackers not only have to find it, but they also must be able to retrieve it. Network behavior analysis continuously monitors traffic and analyses it against a benchmark of normal traffic behavior. Again, abnormal behavior is a potential warning that something is amiss. After noticing abnormal charges linked to Heartland's payment systems, for example, it was Visa and MasterCard that alerted the company that it may have a problem. Intrusion detection systems (IDS), intrusion prevention systems (IPS) and firewall logs also need regular analysis for signs of compromise, anomalies and suspicious activity.
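A minimal version of the benchmark-against-normal idea, added here as an example rather than taken from the tip or from any product: each internal host's outbound volume for the day is compared with its own recent history, and hosts that exceed the norm or have no history at all are flagged. The history and flow records are constructed sample data.

```python
"""Flag hosts whose outbound traffic deviates from their own normal behavior.
Added example, not from the original tip; all history and flow records are
constructed sample data."""
import statistics
from collections import defaultdict

# Constructed per-host history: outbound bytes per day for the past week.
HISTORY = {
    "10.0.0.5": [2.1e6, 1.9e6, 2.3e6, 2.0e6, 2.2e6, 1.8e6, 2.1e6],    # POS terminal
    "10.0.0.8": [5.0e7, 4.8e7, 5.2e7, 5.1e7, 4.9e7, 5.0e7, 5.1e7],    # offsite backup source
    "10.0.0.12": [8.0e5, 7.5e5, 9.0e5, 8.2e5, 7.8e5, 8.5e5, 8.1e5],   # workstation
}

# Constructed flow records for today: (source, destination, bytes).
TODAY_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 1.0e6), ("10.0.0.5", "203.0.113.11", 1.1e6),
    ("10.0.0.8", "203.0.113.50", 5.0e7),
    ("10.0.0.8", "10.0.0.200", 2.0e7),      # internal transfer, not counted as outbound
    ("10.0.0.12", "198.51.100.7", 4.0e7),   # roughly 50x this host's normal daily volume
    ("10.0.0.77", "198.51.100.9", 3.0e5),   # host with no history at all
]

def outbound_totals(flows, internal_prefix="10.0.0."):
    """Sum bytes per internal host that left the network (crude prefix test)."""
    totals = defaultdict(float)
    for src, dst, nbytes in flows:
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            totals[src] += nbytes
    return dict(totals)

def detect_anomalies(totals, history, k=3.0):
    """Return {host: reason} for hosts above mean + k*stdev of their own history,
    or with no history to compare against."""
    alerts = {}
    for host, today in totals.items():
        if host not in history:
            alerts[host] = "no baseline: host never seen sending traffic out"
            continue
        mean = statistics.mean(history[host])
        threshold = mean + k * statistics.pstdev(history[host])
        if today > threshold:
            alerts[host] = f"{today:.0f} bytes out, threshold {threshold:.0f}"
    return alerts

if __name__ == "__main__":
    for host, reason in detect_anomalies(outbound_totals(TODAY_FLOWS), HISTORY).items():
        print(host, reason)
```

The backup server moves far more data than the workstation but is not flagged, because the comparison is against each host's own baseline rather than a single network-wide threshold.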

3. Know where data resides: Data loss prevention technology, such as Symantec Corp.'s family of DLP products and McAfee Inc.'s DLP tools, can help ensure that an organization knows where credit card numbers and other critical data are stored and how that sensitive information is used. The technology can also monitor and prevent data from being copied to removable storage devices, a capability that is critical for countering insider attacks.

Data compromise can mar the reputation of a company and is often much more costly than good security. Heartland's stock is still down since the attack was made public, and it is facing various lawsuits and fines. Not being able to keep track of data or the applications that are running on a network makes the enterprise vulnerable to a similar breach, one that can carry on unnoticed for far too long.

As a bare minimum, network administrators should make use of a tool such as Nmap in order to construct an inventory and baseline of what is allowed on the network. Also, with the explosion in communication channels and portable drives that the network has to support, a data loss prevention product is becoming essential to keep control over data usage. If your budget can stretch to a network behavior analysis tool, which will monitor traffic and detect anomalies, so much the better. Network behavior analysis is not an instant fix, and it's a technology that's still maturing. Attacks, however, no matter how sophisticated, are abnormal activity, and this type of detection is one of the best ways of uncovering a system compromise.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
