Tip

Breach prevention: How to keep track of data and applications

The recent indictment of three people who hacked into Heartland Payment Systems Inc. has once again highlighted the need to keep a firm grip on where enterprise data is and what applications

    Requires Free Membership to View

access it.

In the now well-known attack on the payment processing company, attackers used SQL injection to gain access to Heartland's servers. They then installed network sniffers, which captured card data used in financial transactions. The malware was able to avoid detection by different antivirus programs. It's thought that the malicious code captured card data when it was momentarily unencrypted during the transaction authorization process. The intrusion began in May 2008, shortly after the company passed as compliant with the PCI Data Security Standard (PCI DSS) requirements.

Heartland CIO critical of First Data

First Data Corp. uses RSA software for tokenization, providing a possible threat vector for attackers, says Heartland CIO Steven Elefant.
But just because a network is compliant at the time of an audit doesn't mean it will remain so. Hackers know as much, if not more, about the security methods used by enterprises and are constantly trying to find ways to defeat them. System administrators need to be just as diligent, checking and monitoring their own systems and keeping up with attack techniques and countermeasures. To that end, the job of security teams is not to simply complete a checklist or pass an audit; it's protecting network resources and data across the entire data life cycle. In this tip, let's look at a few ways to keep track of data and applications:

1. Map the network: Firstly, use a tool such as Nmap, the freely available scanner, to explore and map devices and applications running on the network. Scan results can then be compared against a known and accepted baseline. Scanning on a regular basis helps build a picture of what and who should and shouldn't be on the network. Anything that looks out of the ordinary can then be investigated further, focusing attention on potential trouble spots.

2. Monitor for anomalies: It is important to monitor what traffic is travelling in, across, and out of the network. To steal data remotely, hackers not only have to find it, but they also must be able to retrieve it. Network behavior analysis continuously monitors traffic and analyses it against a benchmark of normal traffic behavior. Again, abnormal behavior is a potential warning that something is amiss. After noticing abnormal charges linked to Heartland's payment systems, for example, it was Visa and MasterCard that alerted the company that it may have a problem. Intrusion detection systems (IDS), intrusion prevention systems (IPS) and firewall logs also need regular analysis for signs of compromise, anomalies and suspicious activity.

3. Know where data resides: Data loss prevention technology, such as Symantec Corp.'s family of DLP products and McAfee Inc.'s DLP tools, can help ensure that an organization knows where credit card numbers and other critical data are stored and how that sensitive information is used. The technology can also monitor and prevent data from being copied to removable storage devices, which is a critical function in insider attacks.

Data compromise can mar the reputation of a company and is often much more costly than good security. Heartland's stock is still down since the attack was made public, and it is facing various lawsuits and fines. Not being able to keep track of data or the applications that are running on a network makes the enterprise vulnerable to a similar breach, one that can carry on unnoticed for far too long.

As a bare minimum, network administrators should make use of a tool such as Nmap in order to construct an inventory and baseline of what is allowed on the network. Also, with the explosion in communication channels and portable drives that the network has to support, a data loss prevention product is becoming essential to keep control over data usage. If your budget can stretch to a network behavior analysis tool, which will monitor traffic and detect anomalies, so much the better. Network behavior analysis is not an instant fix, and it's a technology that's still maturing. Attacks, however, no matter how sophisticated, are abnormal activity, and this type of detection is one of the best ways of uncovering a system compromise.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

This was first published in October 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.