Top Solutions and Tools to Prevent Devastating Malware White Paper

Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring (FIM) tools that provide immediate alerts.

Published in: Technology
Reduce Your Breach Risk: File Integrity Monitoring for PCI Compliance and Data Security

A key capability of any information security program is the ability to rapidly detect and help correct data breaches. Yet every day, sensitive corporate data is accessed without detection. Whether the breach is a result of a targeted malware attack perpetrated by cybercriminals or an inadvertent error caused by a privileged user, the impact is significant. When the breach remains undetected for a long period of time, the impact can increase significantly. This paper discusses the importance of file integrity monitoring (FIM), which facilitates the detection of malware as well as insider threats in identifying data breaches. It also discusses file integrity monitoring as a critical component of Payment Card Industry Data Security Standard (PCI DSS) compliance, and shows how NetIQ addresses both security and compliance challenges through the NetIQ® Change Guardian™ family of products.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright © 2010 NetIQ Corporation. All rights reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

WHITE PAPER: Reduce Your Breach Risk: File Integrity Monitoring for PCI Compliance and Data Security
Table of Contents

Introduction  1
File Integrity Monitoring: A Critical Piece in the Security Puzzle  1
    Malware Means Multimillion-Dollar Losses  2
    Inside a Malware Attack  2
    Stopping Malware in Its Tracks  3
A Case for Corporate Compliance: PCI DSS  3
Managing FIM for Security and Compliance: NetIQ Change Guardian  4
    Working Together: NetIQ Change Guardian and NetIQ Security and Compliance Solutions  5
Conclusion  6
About NetIQ  7
Introduction

If there were ever an era in which the saying “you can’t be too careful” rings true, it’s this one. Despite growing awareness and implementation of protective security measures, data breaches continue to dominate the headlines. The numbers are huge: 285 million records were compromised in 2008.[1] Even more alarming is the fact that these breaches happened right under the noses of information security teams, as evidenced by cases such as Heartland Payment Systems, where a breach of approximately 100 million credit card accounts went undetected for 18 months.[2]

File Integrity Monitoring: A Critical Piece in the Security Puzzle

FIM has become a critical piece of the security picture, especially as data breaches using custom malware have increased. According to the 2009 Data Breach Investigations Report by Verizon Business,[3] the most successful data breaches have been those in which attackers exploited common mistakes committed by the targeted organization, hacked into the network, and installed malware on a system to collect data. The use of custom malware in these attacks, which was used in the Heartland breach as well as other major credit card breaches, more than doubled in 2008.

Because custom malware successfully bypasses standard anti-malware controls, it frequently goes undetected. According to Forrester Research,[4] the best way to reduce the risk of breach from this type of attack is to deploy file integrity monitoring tools that provide immediate alerts if unauthorized software, such as custom malware, is being installed or if critical files are changed.

The deployment of FIM software not only serves as a safeguard against security breaches, but is also a requirement of the Payment Card Industry Data Security Standard (PCI DSS). Specifically, the standard calls for the deployment of FIM software in order to alert personnel to unauthorized modification of critical system files, configuration files, or content files. It is not surprising that this mandate is starting to be enforced: according to Verizon Business, over 80 percent of data breach victims surveyed in its 2009 Data Breach Investigations Report were not compliant with PCI DSS.

By detecting unmanaged access and changes to system files, FIM reduces the risk of:
• Data breaches – from insiders, privileged users, and attacks using malware
• System instability – caused by unplanned or unauthorized changes to system configuration
• Poor performance – often caused by changes outside of managed change control processes
• Compliance failure – resulting from an inability to demonstrate due care and a lack of capability to monitor access to sensitive data

FIM is an important component of any effective integrated information security program.

[1] Verizon Business RISK Team, “2009 Data Breach Investigations Report,” Verizon Business, April 2009, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf.
[2] John Kindervag, “PCI X-Ray: File Integrity Monitoring,” Forrester Research, Inc., October 26, 2009, http://www.forrester.com/rb/research.
[3] Verizon Business RISK Team, “2009 Data Breach Investigations Report.”
[4] John Kindervag, “PCI X-Ray: File Integrity Monitoring.”
Malware Means Multimillion-Dollar Losses

Several of the most financially significant security breaches of the past decade have been the result of targeted, custom malware attacks perpetrated by hackers. The breach of Heartland Payment Systems stands as the most infamous example of such an attack. A breach of immense magnitude, security experts estimate that 100 million credit cards issued by 650 financial services companies may have been compromised. With a $300 million loss in market capitalization and over $30 million in direct losses, the financial impact has been earth-shattering.[5] But those statistics alone are not what have the information security world rocked. It’s the fact that the breach went undetected for 18 months. Even then, it was not discovered by Heartland’s internal security team, but by third parties.

So the question is: How did this happen? How can a hacker gain access to millions of records and still go undetected? The answer, in this case, is malware.

In the case of Heartland, according to the Department of Justice indictment of hacker Albert Gonzalez: “It was further part of the conspiracy that once GONZALEZ, HACKER 1, and HACKER 2 hacked into the Corporate Victims’ networks, they would install “sniffer” programs that would capture credit and debit card numbers, corresponding Card Data, and other information on a real-time basis as the information moved through the Corporate Victims’ credit and debit card processing networks, and then periodically transmit that information to the coconspirators.”[6]

Inside a Malware Attack

Data-stealing malware can take a variety of forms and use multiple attack vectors. However, a typical online fraud attack will exhibit several shared steps and characteristics. In its 2009 Data Breach Investigations Report, Verizon Business found that in just under half of their cases in 2009, there was at least some indication of pre-attack reconnaissance, most often in the form of system footprinting, scanning, and enumeration. Once the perimeter of the victim organization was breached, almost 50 percent of hackers were able to compromise the system in a matter of minutes or hours.

For example, in the case of a credit card processor, a hacker exploits a vulnerable server on the organization’s cardholder data network (CHDN) and installs a data sniffer, which may remain dormant in the system for weeks or months before the actual attack takes place. It is not detected by an anti-malware solution because it has been custom designed with a unique signature that is not recognized by the security software, which operates using the signatures of known viruses, worms, and Trojans.

Once the hacker is ready to move, the sniffer is fired up. The store sends credit card information for processing to the credit card switch, which then transfers credit card information to the processor. At this point, the malware sniffs traffic destined for the encryption appliance and the hacker is then able to retrieve packet captures from the malware and retrieve the credit card information.

According to the Verizon report, in about 75 percent of cases, it took organizations weeks and even months to discover the breaches. If the breach is detected at all, it is usually through back-end monitoring by credit card companies through a technique known as Common Point of Purchase (CPP), which is typically used to triangulate fraud.

[5] John Kindervag, “PCI X-Ray: File Integrity Monitoring.”
[6] United States of America v. Albert Gonzalez, a/k/a “segvec,” a/k/a “soupnazi,” a/k/a “j4guar17,” Hacker 1, and Hacker 2, Grand Jury Indictment, pg. 8 (United States District Court, District of New Jersey, 2009), http://www.justice.gov/usao/nj/press/press/files/pdffiles/GonzIndictment.pdf (accessed March 29, 2010).
Figure 1: Timeline of a Typical Data Breach

Stopping Malware in Its Tracks

The speed with which systems and files are compromised once the perimeter is breached underscores the importance of a solid FIM solution. FIM allows enterprises to track deviations from their approved software builds and file system structures. In the case of system files on business-critical systems or sensitive data files, real-time alerts for changes can be set, enabling the immediate recognition of a problem that can then be analyzed and responded to.

By using FIM, the modification of files caused by the custom malware installation would immediately trigger an alert. This change could then be investigated and the malicious software removed immediately, rather than remaining in the system while the hacker prepares for his attack. If the malware were deployed immediately, the real-time alert to file changes would enable a security team to significantly cut the response time and contain any damages incurred.

A Case for Corporate Compliance: PCI DSS

In addition to helping reduce the risk of data breach, compliance is another reason for file integrity monitoring. The Payment Card Industry Data Security Standard is a contractual requirement for businesses that handle cardholder information for Visa, MasterCard, Discover, American Express, and Diner’s Club.[7]

[7] PCI Security Standards Council, LLC, “About the PCI Data Security Standard (PCI DSS),” https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml (accessed March 29, 2010).

The PCI DSS specifies FIM primarily in Requirement 11.5:
“Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”

The intent of PCI Requirement 11.5 is to give companies a solid defense against the exploitation of critical resources, especially servers, within the CHDN. For companies to ensure the protection of critical systems, they must know about and be able to document changes to files and file systems, including:
• Who made the change
• What exactly was changed: files, registry, or configuration settings
• When it was changed
• What the value was before the change
• What the value was after the change
• Whether this change was authorized as part of the change management process

PCI Requirement 10 also encompasses FIM, mandating inclusion of FIM alerts into policy. PCI DSS Requirement 10 mandates file integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts. It also requires that companies review logs for all system components at least daily in order to demonstrate knowledge of what is occurring within the system and to discover any anomalous activity.

Managing FIM for Security and Compliance: NetIQ Change Guardian

The threat landscape that security professionals face today is complex. Whether the concern is a crippling malware attack or unauthorized access to sensitive data by an insider, the risk to critical data and infrastructure can be significantly reduced through the real-time detection of access and changes to sensitive files and systems that is provided by a FIM solution.

In addition to taking vital steps to protect their sensitive data, corporations that implement FIM also ensure that they meet the requirements of compliance mandates which specifically call out file integrity monitoring solutions – thus avoiding costly fines and other negative effects of non-compliance.

The NetIQ® Change Guardian™ family of products encompasses a real-time file integrity monitoring approach that:
• Provides real-time detection of changes to critical systems and files.
• Enables alerting even if the content was simply viewed and not changed.
• Integrates that alerting into leading SIEM solutions such as NetIQ® Security Manager™.
• Ensures the alerting process provides rich information, such as when the change was made, who made the change, what was changed, and what the state was before the change.
• Helps achieve compliance by demonstrating the capability to monitor access to sensitive data.
• Detects changes on your most important platforms: Microsoft Windows, Active Directory (including Group Policy objects), UNIX and Linux.

The NetIQ Change Guardian family of products provides real-time detection of unmanaged changes to critical files, system configurations, and Active Directory (including Group Policy objects), to ensure your security teams can proactively protect sensitive corporate information and customer data both from malicious attacks and accidental damage. These solutions provide the information necessary to rapidly make intelligent decisions, limit the risk of corporate data loss, and maximize the return on your existing security investments.

Working Together: NetIQ Change Guardian and NetIQ Security and Compliance Solutions

Unmanaged change to the configuration of critical systems and infrastructure represents a significant and growing risk to the security of organizational data, customer information, and system stability. NetIQ Change Guardian enhances your ability to detect any unmanaged changes and respond efficiently to vastly reduce the risk of malicious activity and to support comprehensive data protection.

Beyond simple file integrity monitoring lies the much broader problem of system integrity monitoring. While it is essential to identify unmanaged changes to files, such monitoring must be part of a broader security and compliance management program.

NetIQ provides an integrated solution that enables security teams to build a more complete security and compliance infrastructure that is scalable and reduces workload. NetIQ Change Guardian works in conjunction with NetIQ® Aegis® for security workflow automation and with NetIQ® Secure Configuration Manager™ for configuration compliance and user entitlement reporting, to form a powerful, integrated, automated solution for security and compliance management. NetIQ Change Guardian also integrates tightly with security information and event management (SIEM) solutions such as the award-winning NetIQ Security Manager in order to present correlated, rich, and relevant information to security and compliance teams. Together, these products help companies not only protect their data, but also comply with important regulatory mandates such as those in PCI DSS.

As a result of this tight integration, security teams can identify immediately when a system containing critical data is altered in order to stop a custom malware attack. They can then correlate these events with changes to Active Directory or Group Policy that might indicate if a privileged user is the source of an insider attack.
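The critical-file comparison that Requirement 11.5 calls for, the before/after change record listed above, and the Requirement 10 rule that existing log data must not change without an alert, as an added Python example (not NetIQ or Change Guardian code): it hashes a tree into a baseline, reports each deviation with its before and after state, and treats designated logs as append-only so that normal growth is silent but a rewrite or truncation alerts. The directory tree, file names and the append-only list are constructed for the demo.

```python
"""Added example, not NetIQ code: a minimal file integrity monitor. It baselines a tree,
reports before/after records for each deviation (PCI DSS Req. 11.5) and treats named logs
as append-only so that only rewritten log data alerts (Req. 10). Sample tree is constructed."""
import hashlib
import tempfile
from pathlib import Path

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def snapshot(path: Path) -> dict:
    """Content hash plus size and mtime: the 'what' and 'when' of a change record."""
    st = path.stat()
    return {"sha256": _sha256(path.read_bytes()), "size": st.st_size, "mtime": st.st_mtime}

def build_baseline(root: Path, append_only: set = frozenset()) -> dict:
    """Hash every regular file under root: the approved 'known good' state."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {**snapshot(p), "append_only": rel in append_only}
    return baseline

def compare(root: Path, baseline: dict) -> list:
    """One record per deviation (added/removed/modified/log_tampered) with before/after."""
    findings, seen = [], set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        old = baseline.get(rel)
        if old is None:
            findings.append({"file": rel, "change": "added", "after": snapshot(p)})
            continue
        new = snapshot(p)
        if new["sha256"] == old["sha256"]:
            continue
        # A log may grow, but the bytes already baselined must be untouched; a changed
        # prefix or a shorter file means existing records were rewritten or truncated.
        if (old["append_only"] and new["size"] >= old["size"]
                and _sha256(p.read_bytes()[:old["size"]]) == old["sha256"]):
            continue  # legitimate append: no alert
        kind = "log_tampered" if old["append_only"] else "modified"
        findings.append({"file": rel, "change": kind, "before": old, "after": new})
    for rel in baseline.keys() - seen:
        findings.append({"file": rel, "change": "removed", "before": baseline[rel]})
    return findings

def demo() -> dict:
    """Constructed scenario: baseline, then five kinds of change; returns {file: change}."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir(); (root / "var/log").mkdir(parents=True)
    (root / "etc/app.conf").write_text("encrypt=on\n")
    (root / "etc/hosts.allow").write_text("10.0.0.0/8\n")
    (root / "var/log/audit.log").write_text("login ok\n")
    (root / "var/log/syslog").write_text("boot\n")
    baseline = build_baseline(root, {"var/log/audit.log", "var/log/syslog"})
    (root / "etc/app.conf").write_text("encrypt=off\n")           # unauthorized config edit
    (root / "etc/unexpected.so").write_bytes(b"\x7fELF")           # unknown file dropped in
    with (root / "var/log/audit.log").open("a") as fh: fh.write("logout ok\n")  # normal growth
    (root / "var/log/syslog").write_text("clean\n")                # existing log data rewritten
    (root / "etc/hosts.allow").unlink()                            # file removed
    return {f["file"]: f["change"] for f in compare(root, baseline)}
```

A real deployment keeps the baseline off the monitored host, takes the "who" from OS audit events rather than the file system, and forwards the findings to a SIEM for the correlation the paper describes.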
Conclusion

Because of its ability to rapidly detect unauthorized access to critical systems, FIM is critical in the prevention of data breaches that occur through custom malware attacks. FIM is also an important component of PCI compliance, a fact that is sometimes overlooked. In order to effectively maintain both security and compliance, FIM software should also be integrated with SIEM solutions, in order to provide correlation with other security events and ensure that critical data and systems stay secure.

The NetIQ Change Guardian family of products provides you with real-time detection and alerting for changes to files and system configurations for critical hosts. In addition to reducing the risk of data breaches and insider attacks, it provides the “who, what, when and how” for changes to other components within your infrastructure, such as Active Directory and Group Policy objects.

Leveraged in conjunction with traditional SIEM solutions, this family of products provides a powerful and effective way to reduce time spent gathering information, accelerate decision making, and reduce the risk of breaches.

For more information on how to address your requirements for file integrity monitoring, and how to extend your monitoring to include full system integrity monitoring, visit www.netiq.com or call your local NetIQ representative or partner.
About NetIQ

NetIQ is an enterprise software company with relentless focus on customer success. Customers and partners choose NetIQ to cost-effectively tackle information protection challenges and IT operations complexities. Our portfolio of scalable, automated management solutions for Security & Compliance, Identity & Access, and Performance & Availability and our practical, focused approach to solving IT challenges help customers realize greater strategic value, demonstrable business improvement and cost savings over alternative approaches.

For more information, visit NetIQ.com.
