The following information is a part of our free cybersecurity and compliance Academy course.
Security Tools Overview
There’s no one silver bullet when it comes to preventing data breaches, but working to protect data and fix your network vulnerabilities is an important job—so, having the right tools can mean the difference between a data breach and “business as usual.”
You’ve probably heard of firewalls and anti-virus software, but those are just the beginning. In this section, we will cover basic cybersecurity tools and how they can help you.
Log management systems and in-person audits can play a key role in showing you the big picture of your network security.
Security tools vary widely in terms of cost and time, but each plays a role in keeping your data safe. Some tools are used to find and fix vulnerabilities, some can watch for suspicious activity, and some help you respond to security events when they happen.
Read on to learn about which tools you need and when to use them.
Network firewalls are vital for your security. A firewall’s purpose is to filter potentially harmful Internet traffic to protect valuable sensitive data. Simply installing a firewall on your organization’s network perimeter doesn’t make you secure.
A hardware firewall (or perimeter firewall) is typically installed at the perimeter of an organization’s network to protect internal systems from the Internet. Hardware firewalls are also often used inside an environment to create isolated network segments: higher-security internal segments that limit access to sensitive data from networks that don’t need that access.
Basically, a hardware firewall protects environments from the outside world and can create higher security zones inside your network. For example, if an attacker tries to access your systems from the outside, your hardware firewall would act as the first line of defense and should block them.
You also need a firewall between systems that store sensitive data and other systems on your network. Typically this is a second hardware firewall installed inside your corporate network to create a secure zone to further protect sensitive data.
HARDWARE FIREWALL BENEFITS
- They’re the most robust security option
- They protect an entire network
- And they can segment internal parts of a network
HARDWARE FIREWALL COSTS
- Firewall rules need to be carefully documented
- They can be difficult to configure properly
- And they need to be maintained and reviewed regularly
Many personal computers come with pre-installed software firewalls. This feature should be enabled and configured for any laptop computers that commonly connect to sensitive data networks. For example, if a receptionist accidentally clicks on a phishing email scam, their computer’s software firewall should stop the malware from propagating through the corporate network.
SOFTWARE FIREWALL ADVANTAGES
- They help protect mobile workers when outside the corporate network
- They’re often inexpensive
- And they’re typically maintained by corporate IT and can’t be changed by the user
SOFTWARE FIREWALL DRAWBACKS
- They don’t protect an entire network
- They generally have fewer security options
- And they should not be used in place of hardware firewalls for network segmentation
WEB APPLICATION FIREWALLS
Web application firewalls (WAF) should be implemented in front of public-facing web applications to monitor, detect, and prevent web-based attacks. Even though these solutions can’t perform the many functions of an all-purpose network firewall, they specialize in one specific area: monitoring and blocking web-based traffic.
A web application firewall can protect web applications that are visible or accessible from the Internet. Your web application firewall must be up to date, generate audit logs, and either block cyberattacks or generate a cybersecurity alert if it detects attack patterns.
WEB APPLICATION FIREWALL BENEFITS
- They can block attacks immediately to protect web applications
- They provide protection for third-party modules used in web applications
- And they can be deployed as reverse proxies
WEB APPLICATION FIREWALL DRAWBACKS
- They may require a lot of effort to set up and train
- They can break critical business functions if not configured carefully
- And they may require some network re-configuration
FIVE BASIC FIREWALL CONFIGURATION BEST PRACTICES
- Create a firewall configuration standard: Before implementing firewall settings and rules on the hardware, carefully document settings and procedures, such as hardware security settings, the port/service rules needed for business, the justification for each rule, and both inbound and outbound traffic.
- Trust but verify: After implementing firewall rules/settings, test the firewall appropriately, externally and internally, to confirm settings are correct (pen test, scans, etc.).
- Limit outbound traffic: Often we worry too much about blocking inbound ports/services and forget that outbound traffic from inside the network should be limited to just what is needed; this limits hackers’ paths for exfiltrating data.
- Personal firewalls: Configure personal firewalls on mobile computing platforms to limit attack surfaces and minimize propagation of malware when on unsecured networks.
- Management: Only manage the firewall itself from within your network; disable external management services unless they’re part of a secure managed firewall infrastructure.
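Three of the five practices above (documented justification for every rule, limited outbound traffic, and management only from inside the network) can be checked mechanically against a rule export. The script below is an added example, not SecurityMetrics code or any vendor’s tooling: it audits a small, constructed rule set written in a vendor-neutral dict schema assumed for this demonstration, and the internal address ranges and management ports are assumptions as well.

```python
"""Audit firewall rules against documented-rule, limited-egress and
internal-only-management practices.  Added example; the rule schema,
INTERNAL ranges and MGMT_PORTS are assumptions, not a real appliance format."""
from ipaddress import ip_network

# Assumed: RFC 1918 space counts as "inside the network".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
# Assumed: services used to administer the firewall itself.
MGMT_PORTS = {22, 443, 8443}


def _is_internal(cidr):
    """True if the source CIDR lies entirely inside an internal range."""
    if cidr == "any":
        return False
    net = ip_network(cidr)
    return any(net.subnet_of(rng) for rng in INTERNAL)


def audit_rules(rules):
    """Return a list of (rule id, finding code, message) tuples."""
    findings = []
    for r in rules:
        rid = r["id"]
        # Practice 1: every rule carries a business justification.
        if not r.get("justification"):
            findings.append((rid, "undocumented",
                             "no business justification recorded"))
        # Practice 3: no blanket allow for outbound traffic.
        if (r["direction"] == "out" and r["action"] == "allow"
                and r["dst"] == "any" and r["port"] == "any"):
            findings.append((rid, "open-outbound",
                             "allows all egress; limit to what is needed"))
        # Practice 5: firewall management reachable only from inside.
        if (r["direction"] == "in" and r["action"] == "allow"
                and r["dst"] == "firewall"
                and (r["port"] == "any" or r["port"] in MGMT_PORTS)
                and not _is_internal(r["src"])):
            findings.append((rid, "external-mgmt",
                             f"management port {r['port']} open from {r['src']}"))
    return findings


# Constructed sample rule set for the demonstration.
SAMPLE_RULES = [
    {"id": 1, "direction": "in", "action": "allow", "src": "any",
     "dst": "10.0.1.10", "port": 443, "justification": "public web server"},
    {"id": 2, "direction": "in", "action": "allow", "src": "any",
     "dst": "firewall", "port": 443, "justification": ""},
    {"id": 3, "direction": "out", "action": "allow", "src": "10.0.0.0/8",
     "dst": "any", "port": "any", "justification": "legacy allow-all"},
    {"id": 4, "direction": "in", "action": "allow", "src": "192.168.5.0/24",
     "dst": "firewall", "port": 22, "justification": "admin VLAN"},
    {"id": 5, "direction": "out", "action": "allow", "src": "10.0.2.0/24",
     "dst": "any", "port": 53, "justification": "DNS resolvers"},
]

if __name__ == "__main__":
    for rid, code, msg in audit_rules(SAMPLE_RULES):
        print(f"rule {rid}: [{code}] {msg}")
```

Rule 2 is flagged twice (no justification, and firewall management open to the Internet) and rule 3 once (unrestricted egress); rules 1, 4 and 5 pass. Running the audit after every rule change is one way to make the "trust but verify" step routine.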
- White Paper: How to Implement and Maintain PCI Compliant Firewalls
- White Paper: How to Implement and Maintain HIPAA Compliant Firewalls
- Article: Firewalls 101: 5 Things You Should Know
- Article: Getting Compliant with PCI Requirement 1: The Basics in Managing Your Firewall
- Article: HIPAA: Why You Need Both a Hardware and Software Firewall
- SecurityMetrics Solution: Managed Firewall
REGULARLY UPDATE YOUR ANTI-VIRUS
Anti-virus software offers an additional layer of security to any system within a network.
Anti-virus software needs to be installed on all systems commonly affected by malware (i.e., malicious software that consists of files copied to a target computer), regardless of location. Linux servers are often considered systems that aren’t commonly affected by malware. However, if a Linux server is Internet facing, it’s highly recommended that anti-virus be installed on it. Malicious coders target Linux systems with malware as well as Windows; though the risk is lower, it is still too great not to run anti-virus on web-facing Linux systems.
Make sure anti-virus or anti-malware programs are updated on a regular basis to detect known malware. Maintaining an up-to-date anti-malware program will prevent known malware from infecting systems.
It’s up to you to ensure regular scanning is conducted. You should regularly confirm that your anti-virus software is getting these updates and that active scans are taking place and being logged. These anti-virus signatures are carefully maintained by the vendors and are based on outside sources such as the United States Computer Emergency Readiness Team (US-CERT), SANS Institute, and vendor and anti-virus threat feeds.
File Integrity Monitoring (FIM) software is a great companion for your malware prevention controls. New malware appears so frequently that you can’t rely on anti-virus software alone to protect your systems. It often takes many months for the signature of newly detected malware to make it into the signature files that allow anti-virus software to detect it.
Configure FIM software to watch critical file directories for changes. FIM software is typically configured to monitor areas of a computer’s file system where critical files are located. The FIM tool will generate an alert that can be monitored when a file is changed.
Even if your AV software cannot recognize the malware file signatures, FIM software will detect that files have been written to your computer and alert you to check and make sure you know what those files are. If the change was expected (like a system update), you are OK. If not, chances are new malware that could not be detected has been added, and it can now be dealt with.
FIM can also be set up to check if web application code or files are modified by an attacker.
Here are examples of some places where FIM should be set up to monitor:
- OS critical directories
- Critical installed application directories
- Web server and/or web application directories
- User areas (if an employee-facing computer)
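To make the FIM idea concrete, here is an added example (not a SecurityMetrics product and not any particular FIM tool) of the core loop such software runs: hash every file under a monitored directory into a baseline, then on the next run report files that were added, removed or modified. The SHA-256 choice, the JSON baseline format and the constructed web-directory scenario in `demo()` are assumptions for the demonstration.

```python
"""Minimal file integrity monitor: baseline a directory tree, then diff it.
Added example; hash algorithm, baseline format and sample paths are assumed."""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative posix path: sha256 hex} for every regular file."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[p.relative_to(root).as_posix()] = h.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots; every entry is an alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap, path):
    """Persist the baseline; store it somewhere the monitored host cannot alter."""
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a web directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "www"
        (root / "app").mkdir(parents=True)
        (root / "index.html").write_text("<h1>hello</h1>")
        (root / "app" / "config.php").write_text("<?php $db = 'prod';")
        baseline_file = Path(d) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated unexpected changes: a new file, an edit, and a deletion.
        (root / "app" / "unexpected.php").write_text("<?php // not in baseline")
        (root / "app" / "config.php").write_text("<?php $db = 'changed';")
        (root / "index.html").unlink()

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

Each reported path is something a person (or a ticketing rule) must account for: a patch window explains a burst of `modified` entries in an OS directory, whereas an `added` file in a web application directory with no matching deployment is exactly the case the text describes. Note that the baseline itself has to live where an intruder on the monitored host cannot rewrite it, otherwise the comparison proves nothing.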
Vigilant vulnerability management is the most effective way for you to proactively reduce the window of compromise, greatly narrowing the opportunity for hackers to successfully attack your systems and steal valuable data. Active monitoring of the AV and FIM system output and actions allows you to detect any attempt to install malware quickly and mitigate that risk.
- Article: What Anti-virus Should I Use?
Logging and Log Monitoring
LOGS AND ALERTING
You should collect and regularly analyze system event, application, and access logs. These logs are recorded tidbits of information about the actions taken on computer systems like servers, firewalls, office computers, networking hardware, and printers. This log information can help you detect current attacks or problems, as well as help you figure out what happened after a compromise has occurred and what data may have been accessed.
Most systems and software generate logs including computer operating systems, installed applications, Internet browsers, networking gear, anti-malware, firewalls, and IDS.
However, there are some systems with logging capabilities that may not automatically enable logging, so it’s important to ensure all systems have the logging functions turned on. Many systems generate logs but don’t provide built-in event log collection and management solutions. Be aware of your system capabilities and install third-party log monitoring and management software as needed.
Logs are only useful if they are regularly reviewed.
What is the use of a log generated by critical hardware or software if the logs are not actively reviewed and acted upon?
Businesses should develop processes to review their logs daily to search for errors, anomalies, or suspicious activities that deviate from the norm.
From a security perspective, the purpose of a log alert is to act as a red flag when something bad is happening. Reviewing logs regularly helps identify malicious attacks on your system.
Given the large amount of log data generated by systems, it’s impractical to manually review all logs each day. Log monitoring software takes care of this task by using rules to automate log review and only alert on events that might reveal problems.
Log monitoring systems such as Security Information and Event Management (SIEM) tools oversee network activity, inspect system events, alert on suspicious activity, and store user actions that occur inside your systems. They’re your watchtower lookouts, providing warning data that could alert you about a data breach.
Log monitoring software often comes with default alerting templates that let you monitor and alert on events immediately. Over time, you optimize these reports, removing or adding information to maximize their effectiveness.
Remember, not everyone’s network and system designs are the same, and it’s critical to take time to correctly configure your alerting rules at the beginning.
LOG MANAGEMENT BEST PRACTICES
To take advantage of log management, look at your security strategy and make sure these steps are taken care of:
- Decide how and when to generate logs.
- Secure your stored logs so they aren’t maliciously altered by cybercriminals or accidentally altered by employees. Set up a centralized log repository to copy all system logs to. This provides a protected copy separate from those stored on local systems. Be sure to alert if log files are deleted or if they ever decrease in size.
- Assign an employee you trust to review log alert summaries daily.
- Set up a team to review suspicious alerts.
- Spend time to create rules for alert generation; don’t just rely on a template.
- Store logs for at least one year, with three months readily available.
- Frequently check log collection to identify necessary adjustments.
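The two pieces of automation the passages above ask for, rule-based review of log lines and an alert when a log file is deleted or shrinks, look like this in practice. This is an added example, not the output of any SIEM product: the syslog-style lines, the failed-login threshold and the file-size bookkeeping are all constructed for the demonstration, and the source addresses come from the documentation ranges reserved for examples.

```python
"""Rule-based daily log review.  Added example; the log lines, threshold
and size records are constructed, not taken from a real system."""
import re
from collections import Counter

# Matches OpenSSH-style authentication failures in a syslog line.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample: one quiet host and one address hammering sshd.
SAMPLE_LOG = [
    "Jan 15 08:01:02 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Jan 15 08:01:04 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Jan 15 08:01:06 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2",
    "Jan 15 08:01:08 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2",
    "Jan 15 08:01:10 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51026 ssh2",
    "Jan 15 08:01:12 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51027 ssh2",
    "Jan 15 08:15:40 web1 sshd[990]: Failed password for jsmith from 198.51.100.4 port 40011 ssh2",
    "Jan 15 08:15:45 web1 sshd[990]: Accepted password for jsmith from 198.51.100.4 port 40011 ssh2",
    "Jan 15 09:00:00 web1 CRON[1200]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]


def failed_login_alerts(lines, threshold=5):
    """Return {source ip: failure count} for sources at or over the threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def log_size_alerts(previous_sizes, current_sizes):
    """Alert when a log file seen last time is gone or smaller than before.
    previous_sizes / current_sizes map file name -> size in bytes."""
    alerts = []
    for name, old in previous_sizes.items():
        new = current_sizes.get(name)
        if new is None:
            alerts.append((name, "deleted"))
        elif new < old:
            alerts.append((name, f"shrank from {old} to {new} bytes"))
    return alerts


def daily_summary(lines, previous_sizes, current_sizes, threshold=5):
    """What the assigned reviewer would see each morning."""
    return {
        "brute_force_sources": failed_login_alerts(lines, threshold),
        "log_tampering": log_size_alerts(previous_sizes, current_sizes),
    }


if __name__ == "__main__":
    # Constructed size records from "yesterday" and "today".
    yesterday = {"auth.log": 48_210, "syslog": 1_200_330, "app.log": 9_900}
    today = {"auth.log": 50_118, "syslog": 880_000}
    print(daily_summary(SAMPLE_LOG, yesterday, today))
```

With the sample data the summary names `203.0.113.7` (six failures) while the user who mistyped a password once is left alone, and it flags `syslog` for shrinking and `app.log` for disappearing. A shrinking file is not always tampering (rotation is the usual benign cause, which is why the sample includes a logrotate line to correlate against), but it is precisely the kind of event the text says should never pass without a look.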
Regular log monitoring means a quicker response time to security events and better security program effectiveness. Not only will log analysis and daily monitoring demonstrate your willingness to comply with many compliance mandate requirements, it also helps you defend against insider and outsider threats.
- Article: PCI Requirement 10: Logging and Log Monitoring
- Article: What Are HIPAA Compliant System Logs?
- Article: The Importance of Log Management
Data Breach Prevention Tools
INTRUSION DETECTION AND PREVENTION SYSTEMS
One of the reasons data breaches are so prevalent is a lack of proactive, comprehensive security dedicated to monitoring system irregularities, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS).
Using these systems can help identify a suspected attack and help you locate security holes in your network that attackers used. Without the knowledge derived from IDS logs, it can be very difficult to find system vulnerabilities and determine if cardholder data was accessed or stolen.
By setting up alerts on an IDS, you can be warned as soon as suspicious activity is identified and be able to significantly minimize compromise risk within your organization. You may even stop a breach in its tracks.
An IDS could help you detect a security breach as it’s happening in real time.
From a legal standpoint, an organization could also use information stored by their IDS in a breach court case to show that they did as much as possible to contain the breach.
Also, forensic investigators (like the SecurityMetrics PFI team) can use information gleaned from client IDS tools, as well as all system audit logs, to investigate breaches.
Keep in mind that an IDS isn’t preventative. Similar to a private investigator, an intrusion detection system doesn’t interfere with what it observes. It simply follows the action, takes pictures, records conversations, and alerts its client.
For more preventative measures you might consider an intrusion prevention system (IPS), which also monitors networks for malicious activities, logs this information, and reports it, but can additionally prevent and block many of the intrusions it detects. Intrusion prevention systems can drop malicious packets, block traffic from the malicious source address, and reset connections.
DATA LOSS PREVENTION SOFTWARE
In addition to these, you should have data loss prevention (DLP) software in place. DLP software watches outgoing data streams for sensitive or critical data formats that should not be sent through a firewall, and it blocks this data from leaving your system.
Make sure to properly implement it, so that your DLP knows where data is allowed to go, since if it’s too restrictive, it might block critical transmissions to third party organizations.
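The DLP behaviour described above, inspecting an outbound stream for a sensitive data format and blocking it unless the destination is one the data is allowed to go to, can be demonstrated for the most common case, payment card numbers. The following is an added example, not any DLP vendor’s engine: the pattern, the Luhn check used to cut down false positives, the allowlist of approved destinations and the sample messages are all assumptions constructed for the demonstration (the card numbers are the standard publicly documented test numbers, not real accounts).

```python
"""Toy DLP check for card numbers in outbound data.  Added example;
the allowlist, sample messages and policy shape are assumptions."""
import re

# Candidate: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed allowlist: the only host a PAN may legitimately be sent to.
ALLOWED_DESTINATIONS = {"gateway.example.com"}


def luhn_valid(digits):
    """Luhn mod-10 check; filters out most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the normalised PANs found in text (digits only)."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def inspect_outbound(destination, payload):
    """Policy decision for one outbound message: ('allow'|'block', reasons)."""
    hits = find_card_numbers(payload)
    if hits and destination not in ALLOWED_DESTINATIONS:
        reasons = [f"PAN ending {h[-4:]} bound for unapproved host {destination}"
                   for h in hits]
        return "block", reasons
    return "allow", []


# Constructed sample traffic: the same order message to two destinations,
# plus a message whose digits fail the Luhn check (an order number, not a card).
SAMPLE_MESSAGES = [
    ("crm.partner.example", "Order 42 for card 4111 1111 1111 1111 exp 12/26"),
    ("gateway.example.com", "Order 42 for card 4111 1111 1111 1111 exp 12/26"),
    ("crm.partner.example", "Order ref 1234567890123 shipped"),
]

if __name__ == "__main__":
    for dest, body in SAMPLE_MESSAGES:
        decision, why = inspect_outbound(dest, body)
        print(f"{dest}: {decision} {why}")
```

The first message is blocked, the identical message to the approved payment gateway is allowed, and the 13-digit order reference passes because it fails the Luhn check. That last case is the point of the text’s warning about over-restrictive DLP: a rule that only looked for "13 or more digits" would block legitimate shipping notices, and tuning the allowlist and the format checks is most of the implementation work.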
FIND YOUR NETWORK VULNERABILITIES
Not only should you use security tools to monitor your systems in real time, you need to know your network environment and find weaknesses through tools like external and internal vulnerability scans.
Vulnerability scans assess computers, systems, and networks for exposed security weaknesses, also known as vulnerabilities. These scans are typically automated and give an introduction into what could possibly be exploited.
Vulnerability scans are a passive approach to vulnerability management because they don’t go beyond reporting vulnerabilities that are detected. It’s up to your organization’s risk or IT staff to patch discovered weaknesses on a prioritized basis or confirm that a discovered vulnerability is a false positive, then re-run the scan until it passes.
Vulnerability scanning is considered by almost every security expert to be one of the best ways to find potential vulnerabilities.
VULNERABILITY SCANNING BEST PRACTICES
Because cybercriminals discover new ways to hack organizations daily, organizations are encouraged to regularly scan their systems. External vulnerability scans should be ongoing or at least completed quarterly to help locate vulnerabilities. You should also ensure an external vulnerability scan occurs when your external facing systems or software is changed or updated in any way.
Scan your internal systems to help prevent an attacker from moving around inside your network, in the event they get past your external defenses. Regular vulnerability scans conducted from the perspective of someone already on your network will reveal weaknesses within internally exposed computers or applications. Most current data compromises also involve the criminals moving around behind your main firewall exploiting weaknesses in your internal systems allowing them to find sensitive data. These internal vulnerability scans are a critical layer of preventative defense allowing you to close security holes before they are exploited.
After scan completion, a report will typically generate an extensive list of vulnerabilities found and give references for further research on the vulnerability. Some even offer directions on how to fix the problem.
Remember, vulnerability scanning isn’t just about locating and reporting vulnerabilities. It’s also about establishing a repeatable and reliable process for fixing problems, based on risk and effort required.
Failing scan results that aren’t remediated render security precautions worthless. So make sure that you make the changes needed to fix the findings on your system.
VULNERABILITY SCANNING PROS
- They provide a quick, high-level look at possible vulnerabilities
- They’re very affordable compared to other testing like penetration testing
- And they can be run automatically
VULNERABILITY SCANNING CONS
- They often contain false positives
- Businesses must manually check each vulnerability before testing again
- And they don’t confirm if a vulnerability is possible to exploit
TOP 5 VULNERABILITIES OF SECURITYMETRICS CUSTOMERS’ FAILED VULNERABILITY SCANS
- TLS Version 1.0 Protocol Detection: Exists if the remote service accepts connections using TLS 1.0 encryption
- SSL Medium Strength Cipher Suites Supported: Occurs when a remote host supports the use of SSL ciphers that offer medium strength encryption
- SSL 64-bit Block Size Cipher Suites Supported (Sweet32): Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites
- SSL Certificate with Wrong Hostname: Happens when an SSL certificate for the tested service is for a different host
- SSL Self-Signed Certificate: Occurs when organizations use an identity certificate that they create, sign, and certify themselves rather than one issued by a trusted certificate authority (CA)
- White Paper: Vulnerability Scanning 101
- Article: Vulnerability Scanners 101: What, Why, and How to Comply
- Article: Picking Your Vulnerability Scanner: The Questions You Should Ask
- Article: Pentesting vs Vulnerability Scanning: What’s the Difference?
- SecurityMetrics Solution: Perimeter Scan
- SecurityMetrics Solution: SecurityMetrics Vision
PENETRATION TESTING BASICS
In addition to performing vulnerability scans, it’s strongly recommended that you perform penetration testing to identify vulnerabilities and possible exploits. Penetration testing is not an automated process but one that is conducted actively by real people.
Penetration testers analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors) just like a hacker would. In simple terms, penetration testers ethically attempt to break into your company’s network to find security holes.
Specifically, penetration testers will first run automated scans and then manually test these vulnerabilities. They also can test your employees, website, or other Internet-facing networks and applications to see if there’s a way into your systems using common hacking tools or social engineering tactics. If found, the testers report these vulnerabilities to you with recommendations on how to better secure your systems and sensitive data.
Penetration testing is particularly helpful for organizations developing their own applications, since it’s important to have code and system functions tested by an objective third party and because it helps find vulnerabilities missed by developers.
Depending on your security needs, you may need to do both an internal and external penetration test. Similar to an internal vulnerability scan, an internal penetration test examines your systems within your organizational network, offering the perspective of someone inside your network after they have broken through the external protective layers. An external penetration test looks at your network from an outside perspective, providing the view of a hacker attacking from the Internet.
A penetration test is an extensive, live examination designed to exploit weaknesses in your system.
Typically, professional penetration test reports contain a long, detailed description of attacks used, testing methodologies, and suggestions for remediation. Make sure to take adequate time to address the report’s advice and fix the located vulnerabilities on a prioritized basis.
Perform external and internal penetration tests at least yearly and after major network changes or exposed application changes.
PENETRATION TESTING PROS
- Live, manual tests mean more accurate and thorough results.
- And it rules out false positives.
PENETRATION TESTING CONS
- It can take some time to complete. Often, anywhere from 1 day to 3 weeks.
- And the cost, which will likely be around $5,000 to $20,000+.
VULNERABILITY SCANNING VS. PENETRATION TESTING
Some mistakenly believe vulnerability scanning or anti-virus scans are the same as a professional penetration test.
Here are the two biggest differences:
- A vulnerability scan is automated, while a penetration test includes a live person actually digging into the complexities of your network.
- A vulnerability scan only identifies vulnerabilities, while a penetration tester digs deeper to identify the root cause of the vulnerability that allows access to secure systems or stored sensitive data.
Vulnerability scans and penetration tests work together to encourage optimal network security. Vulnerability scans offer great weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough way to examine it.
- Webinar: PCI DSS 3.2 Penetration Testing Updates
- Webinar: Network Penetration Testing 101
- Webinar: Web Application Penetration Testing 101
- Article: How Much Does a Pentest Cost?
- Article: Different Types of Penetration Tests for Your Business Needs
- Article: Types of Penetration Testing: The What, The Why, and The How
- Article: Pentesting vs Vulnerability Scanning: What’s the Difference?
- SecurityMetrics Solution: Penetration Testing
Conducting internal security audits within your organization can help you confirm your security posture and find resolvable problems before criminals do. If you are required to validate your compliance with an industry security mandate, like HIPAA, GDPR, or PCI DSS, an internal audit cycle before external assessors stop by helps you avoid non-compliance findings. It’s best to do these audits at least annually or after significant changes to find new issues that may appear.
Remember, some organizations may be required to prove to a regulatory authority that they’re compliant with specific data security guidelines. This may be because your business has a critical flow of sensitive data or the volume of data you process represents a high risk if lost. If so, you may have to provide a passing compliance report where data security controls are validated in person by a third party.
Many of these compliance programs are extensive and have guidelines or requirements that are hard to interpret and implement. Unless you’re an expert in data security and compliance mandates, you may want to consult with an expert. They can provide guidance as you prepare for your onsite assessment of security and privacy controls.
When selecting either a consultant or an audit company to partner with, be sure to confirm their compliance experience and that they’ll perform a thorough, comprehensive assessment. These third party resources will often be able to offer your organization a fresh external point of view and better help you know how cybercriminals are looking at your organization.
- White Paper: How to Prepare for a PCI DSS Audit
- Webinar: Using Your QSA as a Resource Year Round
- Article: How to Prepare for a PCI DSS Audit
- Article: Make Your Auditor Happy: Follow This PCI Audit Checklist
- Article: Top 10 Network Security Audit Fails
- Article: The Pros and Cons of Onsite HIPAA Audits
- SecurityMetrics Solution: PCI DSS Audit
- SecurityMetrics Solution: PA-DSS Audit
- SecurityMetrics Solution: P2PE Audit
- SecurityMetrics Solution: HIPAA Audit
- SecurityMetrics Solution: GDPR Audit
- SecurityMetrics Solution: Consulting
Security Tool Quiz
You should review stored system logs… (Choose only ONE best answer.)
What can a hardware firewall do? (Choose ALL answers that apply.)
- Protect your environments from the outside world
- Create higher security zones inside your network
- Prevent your computer from catching fire
To follow best security practices, how often should an organization conduct vulnerability scans? (Choose ALL answers that apply.)
- Every other year
Vulnerability scans should be ongoing or at least completed quarterly to help locate vulnerabilities.
TRUE OR FALSE: Conducting internal security audits within your organization can help you confirm your security posture and find resolvable problems before criminals do. (Choose ALL answers that apply.)
Answer Code: Q1: 3, Q2: 1 and 2, Q3: 3, Q4: 1