Friday, 23 July 2010

The Top Ten of Server Change and Configuration Management

The concept of a Server Change and Configuration Management Policy is simple - define what 'good' IT service looks like, then maintain your Server estate in this state.
It is vitally important to keep in check all relevant servers configuration settings, performance metrics and application response times that together govern the quality and consistency of delivered IT service levels to the business.

However, while it is obvious that governing the performance and health of your servers is important, the need to ensure your servers are compliant with security and external corporate governance legislations is now equally necessary.

Corporate Governance policies such as Sarbanes Oxley (SOX), GLBA, NERC, PCI DSS, HIPAA, MiFID, SAS 70, and Basel II have all been introduced to ensure minimum levels of security and integrity are maintained for company financial information and any stored personal details of customers.
Your Servicedesk or Helpdesk system has a role to play, typically playing an integral role in any ITIL Change and Configuration Management Process, providing reconciliation data for any planned changes to any configuration item, including servers.

The Top Ten of Server Configuration Management
1. Server Performance Management - Measure and control all parameters affecting IT Service Delivery, including configuration settings, server health and user experience
2. Server Compliance Audits - Take steps to automate the audit of your server estate in order to provide auditors with accurate details of all security and access controls for compliance with all Corporate Governance legislations, such as PCI DSS, SOX, GLBA, NERC, HIPAA, MiFID, SAS 70, Basel II
3. Virtualization - when virtualising servers in order to facilitate datacentre moves, service continuity provision and to reduce running costs, remember that you are also introducing another layer of configuration management at the VM Host level that must equally be audited to ensure it is compliant with corporate governance policies
4. Compare 'one server to many' and pinpoint all differences between a 'policy compliant' (i.e. 'working') server and those that aren't -all key changes and deviations will be instantly identified and reported
5. Software Inventory Management - A Configuration Management solution should cover Server inventory management, server asset management, server performance management and server configuration management
6. Server Security Management - Best practise is to limit the User Accounts to the minimum and restrict access to Administrator accounts with Admin privileges but you also need to regularly check that Server User Accounts have not been modified, added or changed
7. Server File system Management - a key aspect of PCI DSS and other corporate governance policies is that core filesystem attributes have their integrity maintained, for instance, the Win32 folder should not be changed or modified and it is vital to regularly check this
8. Registry Settings - as the core repository of Server Configuration Settings, any Registry changes must be logged and analysed
9. Running Processes and Services/Service States - build a whitelist and blacklist of authorised/unauthorized process and services, together with any mandatory 'must run' or illegal 'never run' processes and services
10. Server Application Configuration Management - Together with the Windows Server Operating System, key server applications such as SQL Server, IIS, Exchange, Active Directory and Oracle all have numerous and complex configuration settings which also need to be audited for compliance with your configuration management policy

All the above change and configuration management tasks can be automated using change and configuration management software solutions, the best of which will cover servers together with change and configuration management of your desktop PCs and all network devices such as firewalls, switches and routers.

Wednesday, 14 July 2010

Tripwire alternative? Tripwire no longer the only solution for automated PCI compliance...

Hot on the heels of Secure Computing Magazine awarding Change Tracker their 5 star product accolade, the applause just keeps rolling in! This one was for a large ecommerce retailer requiring PCI DSS Compliance:

In terms for a quote or recommendation for your website please use the following:

“Having looked for a Tripwire alternative product I stumbled across NNT via Google. I was pleasantly surprised by their quotation compared to Tripwire. NNT delivered a solution exactly the way they promised and their professional approach has made this project really easy to implement. I will recommend NNT to any company that needs a quick, reliable and professional service to go with their excellent products”

For more information regarding NNT Automated Compliance Management solutions click here for whitepapers and to request a trial or overview.

NNT Compliance Management Suite comprises:

  • NNT Change Tracker for Device hardening Audits for PCI DSS, file-integrity monitoring to secure all key OS and Program Files, configuration change tracking for all devices, planned change operation provides full audit trail of changes
  • NNT Log Tracker – centralized log server for all audit log and events from windows and unix hosts, all common and bespoke application logs, all native syslog devices such as firewalls and IPS systems

Check it out and see what all the fuss is about!

Tuesday, 13 July 2010

The Top Ten of Audit and Event Log Monitoring

Event Log, Audit Log and Syslog messages have always been a good source of troubleshooting and diagnostic information, but the need to back up audit trail files to a centralized log server is now a mandatory component of many governance standards. Contemporary, SIEM solutions need to be
• flexible enough to cater for all devices, operating systems, platforms, databases and application
• sufficiently scalable to cope with thousands of devices generating millions of events
• intelligent, correlating events and identifying true security incidents only so resources can focus on genuine threats and attacks.

This is an introductory 'Top Ten of Audit Trail and Event Log Monitoring.
1. Security Standards and Corporate Governance Compliance Policies such as PCI DSS and GCSx CoCo require logging mechanisms and the ability to track user activities as they are critical in preventing, detecting, or minimizing the impact of a data compromise. Other policies such as FISMA, Sarbanes Oxley, NERC CIP, ISO 27000 and HIPAA all benefit from a means of centralizing audit log events to identify security incidents.
2. The state of the art in Audit Log Correlation technology provides automated configuration assessment, proactively testing and assessing a server environment against preconfigured, out-of-the-box policies, helping to enable a minimal deployment window. The best solutions leverage industry standards, specifically benchmarks from the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and the Defense Information Systems Agency (DISA). These benchmarks include thousands of configuration assessments enabling automatic sustainable policy compliance testing for FISMA.
3. Security standards such as PCI DSS and GCSx CoCo mandate the need to track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs. A central event log analyzer is the best option to use.
4. It is vital that your system for centralizing audit log trails is robust and comprehensive. PCI DSS requires your audit trail history is retained for at least one year with at least 3 months history available for immediate access. The best audit-log tracking software solutions provide real-time indexing of logs with instant keyword search and correlation facilities.
5. While Unix and Linux hosts can forward audit trail and system events using syslog, Windows servers do not have an in-built mechanism for forwarding Windows Events and it is necessary to use an agent to convert Windows Event Logs to syslog. The Windows Events can then be collected centrally using your audit log server. Similarly, applications using Oracle or SQL Server or bespoke or non-standard applications do not use syslog to forward events and it is necessary to use an agent to forward events from these applications. Finally, if you are using an IBM z/OS mainframe or AS/400 system you will need further agent technology to centralize event and audit log messages.
6. Audit trail history must be securely stored in order to prevent retrospective editing or any tampering. The PCI DSS requires that audit trails are promptly backed up to a centralized log server or media that is difficult to alter. The best centralized log server solutions employ file-integrity monitoring for the log backup files so that any modifications can be detected and alerted.
7. Firewalls (Checkpoint, McAfee Sidewinder, Juniper, Netscreen, Cisco ASA, Nokia, Intrusion Protection System (IPS), Intrusion Detection Systems (IDS), routers and RADIUS accounting and authorization services, vulnerability scanning solutions such as Retine eEye, Nessus and other Pen Testing solutions, wireless routers, switches all natively generate syslog messages to report a range of events from the low-level informational logs through to critical events.
8. Syslog messages are defined in RFC 3164 and is officially known as the BSD Syslog Protocol. Syslog messages are sent using UDP on port 514 by default although different ports can be used. Syslog messages use a range of Facility Codes and Severity Codes. The Facility Codes range from 0 to 23 and determine the message type. The Severity Codes range from 0 to 7 as follows:
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages
9. The Security Information and Event Management or SIEM market as defined by Gartner covers the advanced generation of solutions that not only harvest audit logs and provide centralized log server functions but parse event log messages and analyze event logs as they are stored. This allows event logs to be correlated to identify hacker activity and attack patterns and notify IT security teams. The best SIEM systems employ a range of artificial intelligence capabilities to recognize threat signatures by cross-referencing events from IPS, IDS and RADIUS systems, Anti-Virus, Host Integrity Monitoring systems, File Integrity Monitoring software, Firewalls, Active Directory and watching for classic hacker activity such as deletion of log files and "brute force" hacks where repeated/sequential logon failures or bad password events will be generated.
10. The goal for any SIEM solution is to provide comprehensive log harvesting, automatically filter out all 'information only' or 'normal operation' events while placing a spotlight on a manageable list of genuine, serious attack patterns or security incidents. Even a medium sized enterprise can have thousands or hundreds of thousands of events generated by devices in their infrastructure so a properly implemented SIEM system is invaluable.