Posts Tagged ‘activity monitoring’
Real time credit card number leak detection and prevention in SSH
It has been a while since I wrote a blog on anything, but never the less there are couple of new and interesting topics that are worth blogging about. At least I hope.
In this blog post I would like to introduce my favorite new feature of the latest Shell Control Box release.
No matter how much time has passed, credit-card fraud or data leakage are still a hot topic. Detecting or better preventing any leak of such information is something PCI DSS requires. Protecting credit-card data is the key requirements of PCI. However realizing that in real life is not always that simple. One could easily find many solutions to monitor web, e-mail, IM, FTP traffic and although these might cover a large portion of user activities some painful covert-channels still remain.
Many organization decides to create a special DMZ or a separated network for their “PCI effected” infrastructure, this way limiting the scope of PCI compliance. The key issue with such infrastructures is how the perimeter could be protected. How could they make sure that no credit-card data leaves the PCI network? Most organization utilizes network separation with firewalls, strong authentication, DLP sensors, encryption, tokenization as a protection mechanism and for the most cases they do their job well.
Though, even in case of a properly sealed network administrative access for troubleshooting and maintenance work need to be available! Of course one can argue that it is only for a very limited number of people so it is less of a headache, but we should not forget that administrators or developers could be a potential risk in such situation. (Just recall the 2008 Lichtenstein bank account leak.) Privileged users have the access right, the knowledge to access and possibly steal or leak data. An SSH access to the database server by-passes most typical protections, like any built-in security in the applications, firewalls, or even network DLP sensors.
There are solutions like the Shell Control Box to control and record the activity of such privileged users while accessing the PCI servers. It is possible to control who and when can access the servers and in case of SSH it is possible to deny SCP or SFTP file-transfers or port-forwards which are usually not required for most maintenance work and would only act as a covert channel. Of course it is also possible to record and latter analyze what the users were doing, but such a control is only “post mortem”. (Never the less it is better to know at least about a leak than having it go unnoticed.)
Let’s see what could be done to mitigate the situation!
In the latest release of Shell Control Box 3 F4 we added the functionality of monitoring the SSH terminal traffic in real-time. The monitoring could be used – amongst other useful things – to detect credit card numbers as they appear on the screen of the user. Why is this important? With a careful configuration it is possible to lock down all access to servers, databases to just SSH terminal access. This way we only need to focus on this to spot possible attacks. (Remember, users are not able to copy files, or utilize any tunnel!) The real-time monitoring functionality could be used to close this last gap in the data protection mechanism.
This latest development of SCB makes it possible to look at the SSH terminal traffic and using a built-in terminal emulator track all data that appears on the user’s screen. (The terminal emulator is mandatory as looking at just the raw traffic, the terminal escape sequences would render the data-flow impossible to analyze.) As the actual terminal screen content is available through out the connection it is possible to look for any data that would be interesting from a monitoring perspective, like credit card numbers. Luckily credit card numbers have a well defined syntax, so distinguish between a random sequence of numbers and a valid credit card number is doable. SCB has a built-in detection engine that matches valid credit card numbers and counts all occurrences of unique numbers in a given session.
Checking the terminal screen is also very useful as this is exactly what the user is looking at. Even if the user jumps to other servers or logs into the SQL database the screen is always the same. It is possible to run detection no matter what application or what server is accessed as the terminal screen is checked always.
Different actions could be triggered when the number of matches reach a configured limit, like sending email and SNMP notifications or logging the event to a SIEM system for further correlation or reporting. (Of course the built-in reporting of SCB could also utilize that information as well!)
This detection is very useful, but would it be possible to prevent data leakage?
Of course detection is more than nothing, but prevention is the real deal. (It is always better to stop a robbery than just having a nice CCTV recording of the events!) Thanks to the architecture of SCB prevention is just as easy as monitoring. As the Shell Control Box is always in-line of the actual traffic the screen updates sent from the server is first checked and analyzed before forwarding the data to the client application for displaying it. This makes it possible to actively act (and not just passively react) in case a data leakage is detected. Besides notifications like triggers it is possible to terminate the connection before the actual data is forwarded to the client, therefore no sensitive data reaches the user and no leak occurs.
Obviously Shell Control Box provides a fine-grained configuration interface to tailor the policy on how to handle detected sensitive data and what actions should be taken. One can define different policies based on user groups, computer groups, time policies etc.
Credit card matching is just one example, but technically any other sensitive data could be detected and prevented from leaking. Right now only SSH terminal traffic could be monitored, but we are working on extending coverage to other protocols and other traffic types. Stay tuned!
Overall, I believe that this real-time monitoring and prevention functionality is a major step forward both for the Shell Control Box, but also how user activity could be tracked and controlled. Instead of just gathering gigabytes of recording and tons of logs, users activity could be tracked as it is happening. In many cases it is simply not enough to record activity and run latter forensics analysis, but information and notification is required instantly. Prevention on the other hand takes privileged account monitoring to a new level, similar how IDS systems evolved into IPS and into next generation firewalls latter.
Learning SCB: the fun way
Learning a new and complex software, like SCB, is difficult, even if it has a fantastic documentation. I started learning SCB this way, reading the docs from page one. Then I learned, that we have just finished preparing a brand new e-learning based training material, which also includes webex consultations and an exam at the end (commercial, available for customers and partners, register here). And instead of using rdesktop from my laptop, I got a chance to use a real thin client to access servers through SCB: a small PC which fits in a hand.
Of course, course using the e-learning training does not mean, that one does not need to read documentation. But it means, that not all documentation needs to be read. Each chapter gives a good overview of an important aspect of SCB and at the end there are pointers to further reading in the administrators guide. One can find there additional details if necessary.
There are also some screen casts of SCB, so one can see how to use the software even without starting it. And as setting up a good test environment is often difficult, these examples are more life like than a simple test environment with one or two connections.
While learning SCB I met with a friend who is specialized in miniaturized computers. When he found, what I’m doing, he pulled out something looking like a power supply out from his pocket, just a little smaller. Looking at it more closely, it turned out, that it’s a complete computer, which can be used for many things, but used primarily as a thin client.
SCB was running as a virtual machine on my laptop, and I could also simply use rdesktop or ssh from it to create connections through SCB. But using a separate machine as client has some advantages other than being fun. I could do four eyes authentication while watching what happens on the client side. Or follow in real time what is happening on the screen of the thin client using the Audit Player.
It’s still difficult for me to believe the size of the machine. Even my ARM systems are larger in size, but it’s an x86. The machine is using a Vortex86 system on chip, which is somewhere between i486 and i586. This of course means, that not all Linux distributions run on it, but I have seen XP on it and used Debian to build a thin client.
The machine is powered using a standard USB cable, has Ethernet, video, audio, three USB pots and an SD card slot. It boots from USB or an SD card, which is emulated as an IDE HDD. There are no moving parts inside, so it’s completely silent. It has VESA mounting holes, so it can easily be attached to the back of modern LCD monitors. This way it is not visible at all, or takes any precious desk space.
If you are interested in, how your thin client infrastructure could be secured and audited, please read our SCB thin client white paper.
BalaBit IT Security – Lieberman Software Partnership Controls and Records Access to Privileged Accounts
Joint Solution Controls Privileged User Activity with Movie-Like Playback and Free-Text Searches of Audit Trail Content
New York/Los Angeles – November 29, 2011 – BalaBit IT Security, one of the global leaders in privileged activity monitoring, trusted logging and proxy-based gateway technologies, and Lieberman Software Corporation, developers of the first fully automated privileged identity management solution, today announced a strategic alliance that integrates BalaBit’s Shell Control Box (SCB) with Lieberman Software’s Enterprise Random Password Manager™ (ERPM). The integration provides fine-grained control of user activity during privileged access.
“Controlling who can access powerful privileged accounts and tracking the actions taken by users with privileged access are both crucial elements of a secure and compliant enterprise,” said Philip Lieberman, president and CEO of Lieberman Software. “The partnership between Lieberman Software and BalaBit allows our mutual customers to answer the question of ‘who did what and when’ in the IT infrastructure with details that can be provided to regulatory compliance auditors.”
“BalaBit created a new product category when it announced the very first activity monitoring solution in 2006, and today we are one of the technology leaders in this niche market,” said Zoltán Györkő, Business Development Director at BalaBit IT Security. “Our latest Shell Control Box 3 F2, together with Lieberman Software’s industry-leading Enterprise Random Password Management, provides best-of-breed technologies in both product categories, without compromising on either. With this joint solution companies can meet regulatory compliance requirements more easily than with any other monitoring and control solution.”
SCB is an activity monitoring appliance that controls access to remote servers, virtual desktops and networking devices, and records the activities of the users accessing those systems. It can produce indexed movie-like records and audit trails of actions performed with privileged access for fast and cost-effective IT forensics.
ERPM automatically locates every privileged account in the enterprise, frequently changes each account’s password to a unique and complex value, and deploys the password changes wherever they are used in the data center. It provides the accountability of showing precisely who on the IT staff had access to sensitive data, at what time and for what stated purpose.
The ERPM-SCB integration protects the confidentiality of privileged account passwords by preventing their sharing and reuse. When integrated, these products provide centralized, automatic management of privileged account passwords, fine-grained access control of privileged accounts, and independent monitoring of each privileged access with customizable reporting capabilities.
ERPM and SCB work together without changing server and client resources and without limiting the way that IT staff normally performs daily tasks. Users are authenticated by SCB and credentials for accessing systems are retrieved transparently through ERPM.
Key benefits of the Lieberman Software – BalaBit IT Security integration:
• Simplified password management and improved access control on remote servers
• Sharing of privileged user passwords for server administration is eliminated
• More secure access without changing how users perform their everyday work
• Users can utilize special capabilities (like file-transfer, remote printing, etc.) of remote access protocols such as RDP, SSH and others if authorized
• Central automatic management of passwords, fine-grained access control and independent audit-proof access monitoring with customizable reports
Supporting Resources
• Figure: Secure authentication with BalaBit’s SCB and Lieberman’s ERPM
• More information about Shell Control Box and Enterprise Random Password Management integration
• What is BalaBit’s Shell Control Box good for? – video
• About BalaBit’s Shell Control Box 3 F2 Administrator Guide
• About Lieberman’s Enterprise Password Management
About Lieberman Software Corporation
Lieberman Software provides privileged identity management and security management solutions to more than 1000 customers worldwide, including 40 percent of the Fortune 50. By automatically discovering and managing privileged accounts everywhere on the network, Lieberman Software helps secure access to sensitive systems and data, thereby reducing internal and external security vulnerabilities, improving IT productivity and helping ensure regulatory compliance. The company developed the first solution for the privileged identity management space, and its products continue to lead this market in features and functionality. Lieberman Software is headquartered in Los Angeles, CA with an office in Austin, TX and channel partners throughout the world. For more information, visit www.liebsoft.com.
About BalaBit
BalaBit IT Security is an innovative information security company, one of the global leaders in developing privileged activity monitoring, trusted logging and proxy-based gateway technologies to help customers be protected against insider and outsider threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions to a uniquely wide range of both open source and proprietary platforms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments.
BalaBit is also known as “the syslog-ng company”, based on the company’s flagship product, the open source log server application, which is used by more than 650 000 companies worldwide and became the globally acknowledged de-facto industry standard.
BalaBit, the second fastest-growing IT Security company in the Central European region concerning Deloitte Technology Fast 50 list (2010), has local offices in France, Germany, Italy, Russia, and in the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe.
For more information, visit www.balabit.com.
###
Product and company names herein may be trademarks of their registered owners.
For more information, please contact:
Andrea Ipolyi
PR manager
BalaBit IT Security
phone: +36 20 390 4139
e-mail: andrea.ipolyi@balabit.com
blog: http://andrea.blogs.balabit.com
Kevin Franks
Marketing Communications Manager
Lieberman Software Corporation
512-583-9762
www.liebsoft.com
www.identityweek.com
www.twitter.com/liebsoft
kfranks@liebsoft.com
Walter Caon
BalaBit USA
410 Park Avenue 15th Floor Suite 1500
New York, 10022
phone: +1 917 546 6715
e-mail: walterc@us.balabit.com
RECENT POST
Last week I was at Linuxwochen in ... [Read More]
In February, we visited the RSA Conference ... [Read More]
As you know I like syslog-ng but also my hobby ... [Read More]
Twitter
LinkedIn
