Thursday, 27 May 2010

Compliance With the GCSx Code of Connection (GCSx CoCo) - What an IT Professional Needs to Know

The UK Government's initiative to prescribe a security standard to any organization accessing the Government Connect Secure Extranet is a move designed to keep government organisations one step ahead of the inexorable increase in security threats. There have been too many high profile data thefts and losses by Government organizations, highlighting both the risk to, and the importance of, ICT Security and the governance of citizens' data.

The result is the Government Connect Secure Extranet (GCSx). HM Government has mandated the way in which public authorities and government departments can securely transfer data between each other.
So, for example, how does a local authority needing Housing Benefits data access the Department for Works and Pensions (DWP) database? Via the GCSx of course!

Similarly, Job Centre Plus communications with local authorities will only accept communications via the GCSx, and likewise, communications with the Police and the NHS will only be provided through this connection.

The concept is a "community of trust" and the GCSx is one of a number of secure Government extranets, including GSx, GSi and GCJx. See our Glossary of Terms at the end for details of these other networks.
So how does a district council access the GCSx? Via a secure connection, the security of which is governed by the Code of Connection, or 'CoCo'.

The GCSx CoCo
In England and Wales it is referred to as the GCSX Code of Connection (CoCo). In Scotland it is referred to as the GSX Code of Connection (CoCo).
Through GCSx, local authorities can connect to the Government Secure Extranet (GSX) and Intranet(GSI), the National Health Service (NHS), Criminal Justice Extranet (CJX), and the Police National Network (PNN).
The Code of Connection takes into consideration how best to protect the "community of trust" taking into account all potential threats, including:
Attack from the GCSx itself
Attack from the Internet
Mobile data theft and loss
Attack from the internal user
Code of Connection (CoCo) for the Government Secure Intranet (GSI) and GCSx, Memorandum Number 22. According to CESG Infosec Memorandum Number 22, protective monitoring has traditionally been the most underrated and least effectively used security measure.

The scope of the GCSx Code of Connection can be summarised as follows
Physical Security and Access Control, restrict and control access to the GCSx, including use of Firewalls, Intrusion Protection technology and with particular focus on Mobile/Remote Worker security.
Policies and Procedures, in particular Change Management Processes, approvals and documentation.
Configuration 'hardening', to ensure that known threats and vulnerabilities are eliminated from all systems, with a zealous patch management process combined with anti-virus technology, regularly tested and verified as secure.

Strong Monitoring for security incidents and events, with all event logs being retained for 6 months
In fact, the scope of the standard is quite similar in respect of its approach and its measures to the PCI DSS (The Payment Card Industry Data Security Standard), which is another security standard all local authorities will now be familiar with. The PCI DSS is concerned with the secure governance of Payment Card data, and any 'card merchant' ie an organisation handling payment card transactions, such as a District council collecting Council Tax, must comply with the details of the security standard.

Therefore it makes sense to consider measures for CoCo compliance in the context as PCI DSS, since the same technology that helps deliver CoCo compliance should be relevant for PCI DSS.

Is there a way to automate and simplify compliance?
Configuration Change Tracking - once your firewalls, servers, switches, routers etc are all in a compliant state you need to ensure they remain so. The only way to do this is to routinely verify the configuration settings have not changed because unplanned, undocumented changes will always be made while somebody has the admin rights to do so! We will alert when any unplanned changes are detected to the firewall, and any other network device within your 'Compliant Infrastructure'

Planned Change Audit Trail - when changes do need to be made to a device then you need to ensure that changes are approved and documented - ideally, you need an automated solution that make this straightforward, reconciling all changes made with the RFC or Change Approval record
Device 'Hardening' to be enforced and audited - The best solutions available today provide automated templates for a hardened configuration for servers and desktops and network devices to show where work is needed to get compliant, thereafter tracking all planned and unplanned changes that affect the hardened status of your infrastructure. Specifically, the state of the art in compliance auditing technology covers registry keys and values, file integrity, service and process are whitelisting/blacklisting, user accounts, and installed software.
Incident Response - All event logs from all devices must be analyzed and correlated and escalated appropriately. Event log messages must be stored in a secure, integrity-assured repository for the required retention period for any governance policy.
Audit Logs - it is a mandatory requirement that Event Log messages are gathered from all devices. The best solutions available provide correlation of events with security event signature identification and powerful 'mining' and analysis capabilities. This provides a complete 'compliance safety net' to ensure, for example to name just a few, virus updates complete successfully, host intrusion protection is enabled at all times, firewall rules are not changed, user accounts, rights and permissions are not changed without permission.

Friday, 21 May 2010

The easy way to get windows event log messages sent to a syslog server - for free

If you are trying to engineer your own solution to meet requirements of a security standard like PCI DSS or GCSx Co Co (GCSx Code of Connection - required for any organisation needing access to the UK Government Secure Extranet) - then you may be scratching your head wondering how best to get event log messages from Windows and/or Unix/Linux servers? Here's how to do it for free - read on.

Well, the Unix and Linux servers may appear relatively straightforward, since you can edit the native syslogd file and specify the address of your syslog server - job done....sort of.

For instance, for PCI DSS compliance, you will need to go further than simply gathering syslog messages and provide a means of tracking file integrity, not to mention the need for gathering custom logs from your key applications and databases - more on this subject in a future blog...

Windows servers present a different challenge, being more oriented to SNMP Traps for performance monitoring than syslog forwarding for security events. NNT have been developing solutions to make the every aspect of 'compliance' simpler and less expensive than it has been in the past. If you haven't already seen our Log Tracker solution you should! This is proving useful for both organisations new to compliance and those that have been around the block with either products that are expensive to maintain in terms of license and maintenance fees, or that are too basic and under powered to cope with their environment. Log Tracker delivers the best of both options - powerful and comprehensive enough to easily cope with large scale windows and unix estates, but priced sensibly for the budget of most organisations that need it.

How does Log Tracker handle Windows Events? Simple - we have a powerful agent that deploys directly to the Windows server. If you don't have much time, just run the installer and tell it the address of the syslog server and you're done. If you want to be more selective about which logs you monitor - including custom application logs, for instance - the there are a range of filtering options.

So how do you get it for free? Just follow this link to and help yourself - let me know how you get on with it?

Tuesday, 11 May 2010

Simplify and Automate PCI DSS Compliance Webinar

Abstract - Has there ever been a more confusion-generating initiative than the PCI DSS? Even now, a good five years on from its initial introduction, a clear and definitive understanding of what your organization needs to do may still be a challenge. The importance and understanding of why File Integrity Monitoring (FIM) is a vital component for securing payment card and card holder details has come sharply into focus following the well-publicized Heartland Payment Systems and TJX security breaches.
USA - Thursday 27 May 12.15pm EST
UK - Thursday 27 May 12.15pm BST
More details on the PCI Compliance Webinar »

Monday, 10 May 2010

The HITECH Act - The Teeth and Claws of HIPAA

'The HITECH Act - The Teeth and Claws of HIPAA', a new webinar courtesy of NNT and Broadband Testing that investigates the details behind the HITECH act and the implications for anyone tasked with ensuring your organization is certified compliant .
USA - Wednesday 26 May 12:15pm EST.
More details on the HIPAA Webinar »

Complicated, Expensive and Time-Consuming - But the PCI DSS Isn't Going Away

Around $12Billion is wasted on unused gym memberships each year, confirming that good intentions can get you as far as signing up, but not necessarily to work out. So every year around the world, good intentions to exercise more regularly and to get fit once and for all still remain unfulfilled.

And even in May 2011, 6 years after the PCI DSS was introduced, the number of PCI Merchants who are only partially compliant with the PCI DSS vastly outweighs the small numbers who are.
Reasons given by PCI DSS merchants for not progressing their PCI compliance program range from -

- Duck it! "The future is too unclear to make any investment..."
- Paralysis! "We don't want to make mistakes like xyz..."
- Ignore it! "We don't need to bother - we've been OK so far and we view the risks as low..."
- Go Slow! "We have kept some updated procedural stuff back and if we drip-feed this to the Bank over the next two quarters then we are covered for the next few months..."

Aside from the threat of fines for non-compliance and increased transaction fees, the biggest motivator for getting compliant is the knowledge that cybercrime is now considered worthy as mainstream headline news. Get breached, lose your customers' card data and/or personal information and you will be publicly named and shamed before the lawsuits start arriving. Talk to the guys at TJ Maxx or Sony's PlayStation Network and they will be able to tell you that dealing with the fallout from a breach is way more expensive, embarrassing and tough than any PCI DSS program could ever be.

How much does it cost to procrastinate, delay and ignore the requirements of the PCI DSS?
Wouldn't it be a better use of resources to embrace the PCI DSS, understand its intentions and methods, then apply these to your organization? You need a security policy, so why not take the 'off the shelf' option on offer in the knowledge that this is a well-thought out, widely implemented and tested standard that works?

But be careful who you ask for advice
There is always a steady stream of 'vendor-speak' advocating '3/4/5/6 Easy Steps to PCI Compliance' and right now the promise of Point to Point Encryption and Tokenization are the latest 'Silver Bullets' being hailed as the Merchant's saviour.
However, Eduardo Perez, the Chairman of the PCI Security Council, was quick to counter any assertions about Magic or Silver Bullets for the PCI DSS, saying that there simply is no such thing in an article published in Secure Computing Magazine in April 2011.
Until then there is no alternative but to roll up your sleeves and get on with implementing the measures necessary to get your organization secure.

A reminder of the headline technological security measures needed -
- Firewall and Intrusion Protection needed (PCI Requirement 1) both at the network perimeter and internally
- Change Management (PCI Requirements 1,2,6,8,10 and 11) underpins all PCIDSS requirements, in as much as once your PCI Estate is secure, you need to ensure you keep it that way, so reducing changes and for those that are made, make sure they are planned, documented and approved. Ideally use automated continuous configuration monitoring to reconcile changes that are made with details of the intended change. Changes to files, registry keys, installed software, user accounts, security policy and audit policy settings, services and service states all need to be monitored.
- Device Hardening (PCI Requirements 2,6,8,10 and 11) a configuration and set-up process for all servers, EPoS devices, PCs and network devices, whereby the 'built-in' weaknesses and vulnerabilities present are removed or minimized. Use an ASV vulnerability scan to identify the existence of vulnerabilities and once the server or EPoS device is hardened, use a continuous configuration assessment agent to validate that vulnerabilities are not re-introduced
- Anti-Virus with automatic updating (Requirement 5)
- Centralized Event Log Management (PCI Requirement 10) gives both a pro-active security monitoring capability and a full, 'forensic' audit trail to use in the event of a breach. Use a Windows Syslog agent to forward events from servers and tills to the central server, and use the native syslog capabilities of firewalls, routers and switches to audit logon and log off activity. Event logging for the PCI DSS is best implemented using an automated log parsing system that can intelligently identify true security incidents
- File Integrity Monitoring (PCI Requirement 11.5) essentially, this requires the PCI Merchant to keep tabs on any changes made to the configuration of firewalls, switches and routers in the network, and use the file integrity monitor to ensure that windows operating system files and program files on EPoS devices and servers don't change. FIM for the PCI DSS is also used to track any access to Card Data files.

Friday, 7 May 2010

GCSx Code of Connection – Compliance in 2010 Made Easy

Now that the deadlines (and even the extensions to the deadlines) have passed, the majority of UK councils will be operating networks that are certified ‘Co Co Compliant’. However, recent studies have shown that many council IT teams are finding that measures put in place to meet CoCo Compliance are either inadequate, under specified or not much better than a gesture towards the security standard. In other words many are just ‘making do’! If this sounds familiar – don’t worry – you are certainly not alone.
UK - Tuesday 25 May 12:15pm BST and 4:15pm BST
Read more about the GCSx Co Co Webinar »

Tuesday, 4 May 2010

The Top Ten of File-Integrity Monitoring

The PCI DSS (Payment Card Industry Data Security Standard) specifies the following
"Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)"
File or host integrity monitoring software can serve a significant and distinct role in your security policy. Host integrity monitoring software serves as another hurdle for an attacker to defeat and can provide the first indication of a break-in or compromised host. When properly configured and deployed, this type of software is a powerful addition to the layers that defend your infrastructure in depth.

File integrity monitoring is vitally important from a security standpoint for the following reasons
1. File-integrity monitoring must always be combined with other practices such as event log analysis, anti virus, firewalling and intrusion detection/protection systems, remote logging, and keeping your hosts up to date with security patches.
2. Host-based monitoring tools such as anti-virus and host intrusion protection systems (HIPS) providing firewall and intrusion protection give granularity that makes attacks visible on the host on which they are installed. However, no one system or application by itself can be trusted with the task of providing assurance of host integrity. For instance, Zero Day Attacks ie newly introduced security vulnerabilities which are either systemic (eg part of the host OS or application) or from malware, mean your AV and HIPS systems cannot always provide protection
3. Whitelisting of processes is an approach which restricts the Host to only run a pre-approved list of processes. Similar to AV and HIPS systems, this is an effective measure to protect your host systems but is not infallible. Whitelists need to be maintained for all versions of all applications which provides a management overhead. In-house developed applications provide a separate challenge.
4. Host systems running secure application environments as required for a PCI DSS estate need to be 'locked down'. File-Integrity Monitoring means that any new files being introduced to, or removed from, the host are detected and alerted. This provides protection from any malware being introduced (eg a Trojan) or any other modification to the host set-up which could introduce a vulnerability.
5. File-Integrity monitoring provides protection not just from malware being introduced to the system, and not just from a hacker attack, where an application has been modified and a vulnerability unwittingly introduced, but also from an internal threat where a trusted employee with administrator rights can bypass your AV and HIPS systems to either introduce a backdoor to your system, or packet sniffing software, or sql injection or cross-site scripting attack. Don't think this could ever happen to you? Read about Heartland Systems about Albert Gonzalez here
6. File-integrity monitoring can be used for desktops and servers although in a PCI DSS scenario, the technology is typically aimed at servers handling cardholder data. As a minimum, the System32 folder should be governed as well as key application program folders.
7. It is important to verify all adds, changes and deletions of files as any change may be significant in compromising the security of a host. Changes to monitor for should be any attributes changes and the size of the file.
8. The hash for files should also be verified as a unique indentifier. A Secure Hash Algorithm, such as SHA1, is analogous to a DNA Fingerprint of the file. This is important as an application can be changed programmatically while maintaining the filesize. SHA1 produces a unique, 160 bit hash based on the contents of the file.
9. What is the file-integrity baseline? Any file-integrity monitoring system works by comparing file attributes, filesizes and SHA1 hash signatures from one time to another. The assumption therefore is that the initial baseline is for a vulnerability-free, completely uncompromised host and application.
10. Zero Tolerance to unplanned changes is required, so any file-integrity change must be investigated and authorised as a matter of urgency. However, files will need to changed on a regular basis - windows updates appear to arrive at a rate of ten per week, every week, and anti-virus signatures can easily require daily updates. Therefore tightly managed Release Management and Change Management processes need to be in place which is why these processes are also a key dimension of the PCI DSS, section 6.4

"Follow change control procedures for all changes to system components. The procedures must include the following: Documentation of impact, Management sign-off by appropriate parties, Testing of operational functionality, Back-out procedures"
The ITIL Change Management process is an ideal framework to adopt.