Read to learn about which security tools you need and when to use them.
The following information is a part of our free cybersecurity and compliance Academy course.
There’s no one silver bullet when it comes to preventing data breaches, but working to protect data and fix your network vulnerabilities is an important job, and having the right tools can mean the difference between a data breach and “business as usual.”
You’ve probably heard of firewalls and anti-virus software, but those are just the beginning. In this section, we will cover basic cybersecurity tools and how they can help you.
Tools like:
can play a key role in showing you the big picture of your network security.
Security tools vary widely in terms of cost and time, but each plays a role in keeping your data safe. Some tools are used to find and fix vulnerabilities, some can watch for suspicious activity, and some help you respond to security events when they happen.
Read on to learn about which tools you need and when to use them.
Network firewalls are vital for your security. A firewall’s purpose is to filter potentially harmful Internet traffic to protect valuable sensitive data. Simply installing a firewall on your organization’s network perimeter, however, doesn’t make you secure.
A hardware firewall (or perimeter firewall) is typically installed at the perimeter of an organization’s network to protect internal systems from the Internet. Hardware firewalls are also often used inside an environment to create isolated network segments. Higher security internal network segments would be created to limit access to sensitive data from networks that don’t need that access.
Basically, a hardware firewall protects environments from the outside world and can create higher security zones inside your network. For example, if an attacker tries to access your systems from the outside, your hardware firewall would act as the first line of defense and should block them.
You also need a firewall between systems that store sensitive data and other systems on your network. Typically this is a second hardware firewall installed inside your corporate network to create a secure zone to further protect sensitive data.
Many personal computers come with pre-installed software firewalls. This feature should be enabled and configured for any laptop computers that commonly connect to sensitive data networks. For example, if a receptionist accidentally clicks on a phishing email scam, their computer’s software firewall should stop the malware from propagating through the corporate network.
Web application firewalls (WAF) should be implemented in front of public-facing web applications to monitor, detect, and prevent web-based attacks. Even though these solutions can’t perform the many functions of an all-purpose network firewall, they specialize in one specific area: monitoring and blocking web-based traffic.
A web application firewall can protect web applications that are visible or accessible from the Internet. Your web application firewall must be up to date, generate audit logs, and either block cyberattacks or generate a cybersecurity alert if it detects attack patterns.
Anti-virus software offers an additional layer of security to any system within a network.
Anti-virus software needs to be installed on all systems commonly affected by malware (i.e., malicious software consisting of files that are copied onto a target computer), regardless of their location. Linux servers are often considered systems that aren’t commonly affected by malware. However, if a Linux server is Internet facing, it’s highly recommended that anti-virus be installed on it. Malware authors target Linux systems as well as Windows; the risk is lower, but it is still too great to leave web-facing Linux systems without anti-virus.
Make sure anti-virus or anti-malware programs are updated on a regular basis to detect known malware. Maintaining an up-to-date anti-malware program will prevent known malware from infecting systems.
It’s up to you to ensure regular scanning is conducted. You should regularly confirm that your anti-virus software is receiving signature updates and that active scans are taking place and being logged. Anti-virus signatures are carefully maintained by the vendors and are based on outside sources such as the United States Computer Emergency Readiness Team (US-CERT), the SANS Institute, and vendor and anti-virus threat feeds.
File Integrity Monitoring (FIM) software is a great companion for your malware prevention controls. New malware comes out so frequently that you can’t rely on anti-virus software alone to protect your systems. It often takes many months for the signature of newly detected malware to make it into the signature files that allow anti-virus software to detect it.
Configure FIM software to watch critical file directories for changes. FIM software is typically configured to monitor areas of a computer’s file system where critical files are located. The FIM tool will generate an alert that can be monitored when a file is changed.
Even if your AV software cannot recognize the malware file’s signature, FIM software will detect that files have been written to your computer and will alert you to check that you know what those files are. If the change was expected (like a system update), then you are OK. If not, chances are new malware has been added that anti-virus could not detect, and it can now be dealt with.
FIM can also be set up to check if web application code or files are modified by an attacker.
Here are examples of some places where FIM should be set up to monitor:
Vigilant vulnerability management is the most effective way for you to proactively reduce the window of compromise, greatly narrowing the opportunity for hackers to successfully attack your systems and steal valuable data. Active monitoring of the AV and FIM system output and actions allows you to detect any attempt to install malware quickly and mitigate that risk.
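As an added illustration of the FIM approach described above (not the article’s code or any vendor’s product), here is a minimal file integrity monitor in Python: it baselines SHA-256 hashes of a watched directory, then reports files that were added, removed or modified on a later scan. The web-root file names and contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record a hash for every file under the watched directory."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: a watched web root where one file is altered
    and an unexpected file appears after the baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; ?>\n")

        # Take the baseline and persist it, as a FIM tool would. A real
        # deployment keeps this copy off the monitored host so an intruder
        # cannot rewrite the baseline along with the files.
        stored = json.dumps(build_baseline(root))

        # Later changes: index.php is edited and an unexpected file appears.
        (root / "index.php").write_text("<?php echo 'changed'; ?>\n")
        (root / "unexpected.php").write_text("<?php ?>\n")

        # Scheduled check: rescan and diff against the stored baseline.
        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Any entry in the “added” or “modified” lists that does not correspond to a known deployment or system update is the alert the text describes.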
You should collect and regularly analyze system event, application, and access logs. These logs are recorded tidbits of information about the actions taken on computer systems like servers, firewalls, office computers, networking hardware, and printers. This log information can help you detect current attacks or problems, as well as help you figure out what happened after a compromise has occurred and what data may have been accessed.
Most systems and software generate logs including computer operating systems, installed applications, Internet browsers, networking gear, anti-malware, firewalls, and IDS.
However, there are some systems with logging capabilities that may not automatically enable logging, so it’s important to ensure all systems have the logging functions turned on. Many systems generate logs but don’t provide built-in event log collection and management solutions. Be aware of your system capabilities and install third-party log monitoring and management software as needed.
Logs are only useful if they are regularly reviewed.
What is the use of a log generated by critical hardware or software if the logs are not actively reviewed and acted upon?
Businesses should develop processes to review their logs daily to search for errors, anomalies, or suspicious activities that deviate from the norm.
From a security perspective, the purpose of a log alert is to act as a red flag when something bad is happening. Reviewing logs regularly helps identify malicious attacks on your system.
Given the large amount of log data generated by systems, it’s impractical to manually review all logs each day. Log monitoring software takes care of this task by using rules to automate log review and only alert on events that might reveal problems.
Log monitoring systems such as Security Information and Event Management (SIEM) tools oversee network activity, inspect system events, alert on suspicious activity, and store user actions that occur inside your systems. They’re your watchtower lookouts, providing warning data that could alert you to a data breach.
Many times, log monitoring software comes with default alerting templates that allow you to monitor and alert on events immediately. Over time, tune these rules and reports, removing noise and adding information, to maximize the effectiveness of the reports generated.
Remember, not everyone’s network and system designs are the same, and it’s critical to take time to correctly configure your alerting rules at the beginning.
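As an added example of the rule-based log review described above (not code from the article or from any SIEM product), this Python script parses a few constructed SSH authentication log lines and applies two template-style rules: a burst of failed logins from one source, and a later successful login from that same source. The log format, the RFC 5737 documentation addresses, and the threshold and window values are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
2024-05-01T02:14:07 web1 sshd[811]: Failed password for root from 203.0.113.5 port 51022
2024-05-01T02:14:09 web1 sshd[811]: Failed password for root from 203.0.113.5 port 51023
2024-05-01T02:14:12 web1 sshd[811]: Failed password for admin from 203.0.113.5 port 51024
2024-05-01T02:14:15 web1 sshd[811]: Failed password for root from 203.0.113.5 port 51025
2024-05-01T02:14:18 web1 sshd[811]: Failed password for root from 203.0.113.5 port 51026
2024-05-01T02:15:01 web1 sshd[812]: Accepted password for root from 203.0.113.5 port 51030
2024-05-01T09:00:02 web1 sshd[900]: Failed password for alice from 198.51.100.7 port 40001
2024-05-01T09:00:10 web1 sshd[900]: Accepted password for alice from 198.51.100.7 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(text: str) -> list:
    """Turn matching log lines into event dicts; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def review(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Two rules that mimic a default alerting template: a burst of failed
    logins from one source, then a successful login from that source.
    threshold and window are the knobs you tune for your environment."""
    alerts = []
    recent_failures = defaultdict(list)  # source -> failure timestamps inside the window
    flagged = set()
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            hist = [t for t in recent_failures[src] if e["ts"] - t <= window]
            hist.append(e["ts"])
            recent_failures[src] = hist
            if len(hist) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, f"{len(hist)} failed logins within {window}"))
        elif src in flagged:
            alerts.append(("suspicious_success", src, f"login as {e['user']} after failure burst"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in review(parse(SAMPLE_LOG)):
        print(f"ALERT {kind} from {src}: {detail}")
```

The single failed attempt by alice never reaches the threshold and produces no alert, which is the point of rule-based review: only events that might reveal a problem surface.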
To take advantage of log management, look at your security strategy and make sure these steps are taken care of:
Regular log monitoring means a quicker response time to security events and better security program effectiveness. Not only will log analysis and daily monitoring demonstrate your willingness to comply with many compliance mandate requirements, it also helps you defend against insider and outsider threats.
Organizations should review their logs daily to search for errors, anomalies, or suspicious activity that deviates from the norm.
One of the reasons data breaches are so prevalent is a lack of proactive, comprehensive security dedicated to monitoring system irregularities, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS).
Using these systems can help identify a suspected attack and help you locate security holes in your network that attackers used. Without the knowledge derived from IDS logs, it can be very difficult to find system vulnerabilities and determine if cardholder data was accessed or stolen.
By setting up alerts on an IDS, you can be warned as soon as suspicious activity is identified and be able to significantly minimize compromise risk within your organization. You may even stop a breach in its tracks.
An IDS could help you detect a security breach as it’s happening in real time.
From a legal standpoint, an organization could also use information stored by their IDS in a breach court case to show that they did as much as possible to contain the breach.
Also, forensic investigators (like the SecurityMetrics PFI team) can use information gleaned from client IDS tools, as well as all system audit logs, to investigate breaches.
Keep in mind that an IDS isn’t preventative. Similar to a private investigator, an intrusion detection system doesn’t interfere with what it observes. It simply follows the action, takes pictures, records conversations, and alerts its client.
For more preventative measures you might consider an intrusion prevention system (IPS), which, like an IDS, monitors networks for malicious activity, logs it, and reports it, but can also prevent and block many of the intrusions it detects. Intrusion prevention systems can drop malicious packets, block traffic from the malicious source address, and reset connections.
In addition to these, you should have data loss prevention (DLP) software in place. DLP software watches outgoing data streams for sensitive or critical data formats that should not be sent through a firewall, and it blocks this data from leaving your system.
Make sure to properly implement it, so that your DLP knows where data is allowed to go, since if it’s too restrictive, it might block critical transmissions to third party organizations.
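As an added example of the DLP check described above (not the article’s code or any DLP product), this Python snippet inspects an outbound payload for one sensitive data format, card numbers (a Luhn check keeps ordinary long numbers from tripping it), and blocks the transmission unless the destination is on an approved list. The approved destination host, the payload text and the well-known 4111 1111 1111 1111 test number are constructed for the demo.

```python
import re

# Constructed policy: hypothetical hosts approved to receive card numbers,
# e.g. your payment processor. Everything else is blocked when a PAN is found.
APPROVED_PAN_DESTINATIONS = {"gateway.example-processor.test"}

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reduce false positives on ordinary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the candidate card numbers in text that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def inspect_outbound(destination: str, payload: str) -> tuple:
    """Decide whether an outbound message may leave: returns (verdict, reason)."""
    pans = find_pans(payload)
    if not pans:
        return ("allow", "no sensitive data formats found")
    if destination in APPROVED_PAN_DESTINATIONS:
        return ("allow", f"{len(pans)} card number(s) to approved destination")
    return ("block", f"{len(pans)} card number(s) to unapproved destination {destination}")


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a well-known test number, not a real card.
    print(inspect_outbound("partner.example.test", "Card 4111 1111 1111 1111 exp 12/26"))
    print(inspect_outbound("gateway.example-processor.test", "pan=4111111111111111"))
    print(inspect_outbound("partner.example.test", "order 1234567890123456 shipped"))
```

The approved-destination set is what keeps the rule from being “too restrictive”: the same card number is blocked to an arbitrary partner but allowed to the processor that legitimately needs it.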
Not only should you use security tools to monitor your systems in real time, you need to know your network environment and find weaknesses through tools like external and internal vulnerability scans.
Vulnerability scans assess computers, systems, and networks for exposed security weaknesses, also known as vulnerabilities. These scans are typically automated and give an introduction into what could possibly be exploited.
Vulnerability scans are a passive approach to vulnerability management because they don’t go beyond reporting vulnerabilities that are detected. It’s up to your organization’s risk or IT staff to patch discovered weaknesses on a prioritized basis or confirm that a discovered vulnerability is a false positive, then re-run the scan until it passes.
Vulnerability scanning is considered by almost every security expert to be one of the best ways to find potential vulnerabilities.
Because cybercriminals discover new ways to hack organizations daily, organizations are encouraged to regularly scan their systems. External vulnerability scans should be ongoing or at least completed quarterly to help locate vulnerabilities. You should also ensure an external vulnerability scan occurs when your external facing systems or software is changed or updated in any way.
Scan your internal systems to help prevent an attacker from moving around inside your network in the event they get past your external defenses. Regular vulnerability scans conducted from the perspective of someone already on your network will reveal weaknesses within internally exposed computers or applications. Most current data compromises also involve criminals moving around behind your main firewall, exploiting weaknesses in your internal systems to find sensitive data. These internal vulnerability scans are a critical layer of preventative defense, allowing you to close security holes before they are exploited.
After scan completion, a report will typically generate an extensive list of vulnerabilities found and give references for further research on the vulnerability. Some even offer directions on how to fix the problem.
Remember, vulnerability scanning isn’t just about locating and reporting vulnerabilities. It’s also about establishing a repeatable and reliable process for fixing problems, based on risk and effort required.
Failing scan results that aren’t remediated render security precautions worthless. So make sure that you make the required changes to your systems.
In addition to performing vulnerability scans, it’s strongly recommended that you perform penetration testing to identify vulnerabilities and possible exploits. Penetration testing is not an automated process but one that is conducted actively by real people.
Penetration testers analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors) just like a hacker would. In simple terms, penetration testers ethically attempt to break into your company’s network to find security holes.
Specifically, penetration testers will first run automated scans and then manually test these vulnerabilities. They also can test your employees, website, or other Internet-facing networks and applications to see if there’s a way into your systems using common hacking tools or social engineering tactics. If found, the testers report these vulnerabilities to you with recommendations on how to better secure your systems and sensitive data.
Penetration testing is particularly helpful for organizations developing their own applications, since it’s important to have code and system functions tested by an objective third party and because it helps find vulnerabilities missed by developers.
Depending on your security needs, you may need to do both an internal and external penetration test. Similar to an internal VA scan, an internal penetration test examines your systems within your organizational network, offering the perspective of someone inside your network after they have broken through the external protective layers. An external penetration test looks at your network from an outside perspective, providing the view of a hacker attacking from the Internet.
A penetration test is an extensive, live examination designed to exploit weaknesses in your system.
Typically, professional penetration test reports contain a long, detailed description of attacks used, testing methodologies, and suggestions for remediation. Make sure to take adequate time to address the report’s advice and fix the located vulnerabilities on a prioritized basis.
Perform external and internal penetration tests at least yearly and after major network changes or exposed application changes.
Some mistakenly believe vulnerability scanning or anti-virus scans are the same as a professional penetration test.
Here are the two biggest differences:
Vulnerability scans and penetration tests work together to encourage optimal network security. Vulnerability scans offer great weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough way to examine it.
Conducting internal security audits within your organization can help you confirm your security posture and find resolvable problems before criminals do. If you are required to validate your compliance with an industry security mandate (like HIPAA, GDPR, or PCI DSS), an internal audit cycle before external assessors stop by helps you avoid non-compliance findings. It’s best to do these audits at least annually or after significant changes to find new issues that may appear.
Remember, some organizations may be required to prove to a regulatory authority that they’re compliant with specific data security guidelines. This may be because your business has a critical flow of sensitive data or the volume of data you process represents a high risk if lost. If so, you may have to provide a passing compliance report where data security controls are validated in person by a third party.
Many of these compliance programs are extensive and have guidelines or requirements that are hard to interpret and implement. Unless you’re an expert in data security and compliance mandates, you may want to consult with an expert. They can provide guidance as you prepare for your onsite assessment of security and privacy controls.
When selecting either a consultant or an audit company to partner with, be sure to confirm their compliance experience and that they’ll perform a thorough, comprehensive assessment. These third-party resources will often be able to offer your organization a fresh external point of view and better help you understand how cybercriminals are looking at your organization.
Question 1:
You should review stored system logs… (Choose only ONE best answer.)
Question 2:
What can a hardware firewall do? (Choose ALL answers that apply.)
Question 3:
To follow best security practices, how often should an organization conduct vulnerability scans? (Choose ALL answers that apply.)
Question 4:
TRUE OR FALSE: Conducting internal security audits within your organization can help you confirm your security posture and find resolvable problems before criminals do. (Choose ALL answers that apply.)