Snare’s Commitment to Security

In light of recent malicious activities by foreign actors, we want to assure our Snare customers, partners, and prospects that we are committed to providing the most secure platform we can, based on the primary pillars of cybersecurity:

C. Confidentiality.

I. Integrity.

A. Availability.

Our customers must authenticate to get their software and license downloads – we do not issue software. The software is downloaded over encrypted channels after the customer has authenticated to the customer portal.

We harden the software stack for the Snare Agents and Snare Central software so they do what they need to and nothing else.

We do not use third-party software such as .Net or Java in the agent software, to minimize its exposure to potential vulnerabilities.

The agents contain our own micro web server that does only what it needs to, as they don’t need a full-stack web server.

We use separation of duties – the Security admin, not the SysAdmin, controls the agent and Snare Central policy, to ensure that policies are set and logs are collected.

We watch the watcher – Snare Agents audit and log local user changes and activity on customers’ systems and on the Snare software itself.

We have independent third-party verification: Veracode Verified status for our Snare Windows Agent and Snare Agent Manager.

We mask sensitive data via the Snare Reflector and our Snare Database Activity Monitoring (DAM) solutions, to ensure that the logging system is not storing sensitive data where there are regional PII-related compliance needs.

We provide over-the-wire encryption using TLS for web access and for sending logs, with mutual authentication options when both ends need to be validated, to ensure that log data is kept private on the network.

We provide destination failover using options such as DNS updates to change the destination that logs are sent to.

We are committed to providing you the most secure platform possible. Share with us your ideas.

Big Retail = A Honey Pot of Data

The retail industry is a high-value target for cyber attacks, simply due to the transactional nature of the business. The large number of financial transactions means that there is a honey pot of data and countless opportunities for cyber criminals to steal sensitive customer information.

Online transactions, Point of Sale (POS) systems, and retail environments with transient workforces and high staff turnover simply mean increased risk. Far too often, POS systems run on old systems with no malware protection and sometimes unpatched operating systems. Big retailers with operations that include a large number of stores, hundreds of POS systems, fragmented procurement, and multiple distribution centers are attractive environments for a cyber criminal, or criminals, planning an attack.

Adding to the risk of an attack or breach, many retailers also outsource their IT or cyber security capabilities to third parties – which means retail organizations need to (seriously) consider supply chain security as well.

Review our other blog on this topic here.

Preventing eCommerce Cyber Attacks – It’s all about the Benjamins

The threats of cyber attacks for retail companies are very clear and unfortunately abundant: from the introduction of malware to steal financial data, to unauthorized insiders gaining access to private systems and databases, to the creation of fraudulent transactions and routing of money to other destinations. It’s all about the Benjamins, baby.

A high-profile example of the risks in retail comes from Forever 21 in 2017. A large number of the company’s POS systems were infected with malware for nearly seven months, enabling cyber criminals to steal credit card data that had been stored in the logs of completed transactions. Forever 21 reported that the malware obtained shoppers’ card numbers, expiration dates, and internal verification codes – and in some cases also cardholders’ names.

Another well known name that has fallen foul of cyber attack(s) is Macy’s. An investigation into the 2019 breach of Macys.com found that the attack was linked to a website that stole customer payment data on the “Checkout” and “My Wallet” pages. Macy’s was also attacked in 2018. That breach allowed criminals access to sensitive credit and debit card information, names, and birthdays of “a small number” of Macys.com and Bloomingdales.com customers.

Right now, as business across the globe becomes increasingly more digital and as eCommerce continues to expand – particularly as COVID-19 has kept consumers at home and driven them to shop almost exclusively online – the reality is that digital retailers simply cannot operate without prioritizing cyber security.

Protecting Credit Card Transactions

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for any company that handles credit card payments.

Among the requirements for achieving PCI compliance are the ability to monitor access to systems and any activity on the network, ensuring that encryption and perimeter security are active, restricting access to data and systems, and requiring the use of strong passwords. Monitoring and reporting are key requirements for PCI DSS.

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of the people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications.

Examples of system components include, but are not limited to the following:

  • Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.
  • Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
  • Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
  • Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
  • Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
  • Any other component or device located within or connected to the CDE.

Reference: Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1, May 2018.

Log Management & Cyber Security

Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.

Effective log collection & management will allow you to:

  • Implement audit trails to link all access to system components to each individual user.
  • Implement automated audit trails for all system components for reconstructing these events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of and changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions, deletions to accounts with root or administrative privileges; initialization, stopping or pausing of the audit logs; creation and deletion of system-level objects.
  • Record audit trail entries for all system components for each event, including at a minimum: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component or resource.
  • Use time synchronization technology, synchronize all critical system clocks and times, and implement controls for acquiring, distributing, and storing time.
  • Secure audit trails so they cannot be altered.
  • Review logs and security events for all system components to identify anomalies or suspicious activity. Perform critical log reviews at least daily.
  • Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis.

One of the key requirements is not just collecting log data on these activities but also having the ability to review it daily, as required by the standard. Snare makes this easy by providing out-of-the-box capability to generate the reports needed to be compliant with PCI DSS.

Further to this capability, Snare can also provide Database Activity Monitoring (DAM) to detect when application-level controls are bypassed and direct database access is used instead, and both File Integrity Monitoring (FIM) and Registry Integrity Monitoring (RIM) to ensure that changes to key files and suspicious registry activity (including the installation of malicious applications) are detected.
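As an added illustration of the audit-trail requirements listed above (this is example code, not Snare’s or the PCI Council’s), each record is checked for the minimum fields an entry must carry, and the records are hash-chained so that a later alteration of the stored trail is detectable. The field names and sample records are constructed for the example.

```python
"""Added example: validate audit records against the PCI DSS minimum
fields and chain them with SHA-256 so tampering can be detected."""
import hashlib
import json

# Minimum content of an audit trail entry (PCI DSS 10.3). The field
# names are my own choice, not a standard schema.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")

# Constructed sample records: two complete, one missing the 'origin' field.
SAMPLE_RECORDS = [
    {"user": "svc_pos", "event_type": "cardholder_data_read",
     "timestamp": "2020-08-23T09:14:02Z", "outcome": "success",
     "origin": "10.0.5.17", "target": "db.transactions"},
    {"user": "jdoe", "event_type": "privilege_elevation",
     "timestamp": "2020-08-23T09:15:40Z", "outcome": "failure",
     "origin": "10.0.5.99", "target": "sudo"},
    {"user": "admin", "event_type": "audit_log_stop",
     "timestamp": "2020-08-23T09:16:01Z", "outcome": "success",
     "target": "auditd"},
]


def missing_fields(record):
    """Return the required fields that are absent or empty in one record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def chain_records(records, seed="genesis"):
    """Build a tamper-evident trail: each stored entry carries the hash of
    its own content prefixed by the previous entry's hash."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for rec in records:
        body = json.dumps(rec, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chained.append({"record": dict(rec), "prev": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained, seed="genesis"):
    """Return the index of the first broken link, or -1 if the trail is intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, entry in enumerate(chained):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return -1


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        gaps = missing_fields(rec)
        print(rec["event_type"], "OK" if not gaps else f"missing {gaps}")
    trail = chain_records(SAMPLE_RECORDS)
    print("trail intact:", verify_chain(trail) == -1)
    # Simulate an after-the-fact edit that hides the failed elevation attempt.
    trail[1]["record"]["outcome"] = "success"
    print("first broken link:", verify_chain(trail))
```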

Make sure you also check out our best practices white paper for PCI DSS here.

Need to get your log management solution in place?

Reach out to our team. We work with over 4,000 customers across the world to help manage logs and prevent the types of costly and damaging cyber security breaches referenced in this article.

The Cost of Payroll Fraud (in the billions)

As payroll has increasingly become a dedicated function in the finance and accounting arena, and as regulation in the payroll segment increasingly means that payroll processing has become an IT function, additional risks have been introduced into this high-dollar area.

Risks in payroll include out-of-date payroll systems, non-compliance, and fraud – particularly from insiders with access to back-end databases.

One of the key risks is the lack of visibility into who has access to the databases and what changes they have made. This is usually a very specialised area, and IT in general, and IT security in particular, may not have a good way to see what has happened inside the database.

The Australian Payroll Association, in an August 23, 2020 article, says the Federal Bureau of Investigation (FBI) reported that between 1 January and 30 June 2019 payroll diversion increased by 815 per cent, and that in the past three years fraud has exceeded US$26 billion in losses. The majority of payroll fraud falls into one of three perpetrator categories – employer, employee or third party.

Detecting Payroll Fraud

PwC’s 2020 Global Economic Crime and Fraud Survey revealed 37% of fraud was internal, including 34% by middle managers, 31% by operations staff, and 26% by senior management.

Fraud might also be executed through the creation of “ghost” employees, fake timesheets, or maintaining ex-employee records to funnel salary payments into fraudulent accounts. Perpetrators may also create false suppliers, or arrange reimbursements to authorised contractors for services at inflated rates.

Australia’s most famous payroll fraud case is probably the Clive Peeters case, where the company’s payroll manager reportedly stole over AUD$19M from her employer over a two-year period.

The solution?

A Database Activity Monitoring (DAM) solution like the Snare MSSQL Agent can track sensitive data access, mask sensitive data from anyone inspecting log data (so they can’t see the actual data in the database), and provide separation of duties between DBAs, sysadmins and forensic investigators.

Our own Snare CISO, Steve Challans, says:

“There are many areas of a database that users can interact with. Good applications tend to have their own role-based access controls in place to control what a user does and prevent them from doing anything malicious to the database and its contents.

However, there is another class of users that have direct ODBC access and/or DBA/Sysadmin privileges that can override technical controls and make changes to the databases and their data. Activities such as ‘create table, drop table, and adding columns’ are structural and schema-related, while ‘insert, update, delete, and select’ are data-related. Having someone perform unauthorised data changes affects the integrity of the data, so the business can make bad or wrong decisions with the misleading data now being used. Copying data and data exfiltration is another problem, leaking sensitive personal or financial information or company secrets. There have been many instances of a bad employee making database changes to alter the payroll or HR system for nefarious needs. In other cases, there has been a breach of some sort and the hackers have gained access to the DBA accounts to access or exfiltrate data from the customer’s database systems – causing great damage to the business.”

Database Activity Monitoring

Gartner defines Database Activity Monitoring (DAM) as a suite of tools that can be used to support the ability to identify and report on fraudulent, illegal or other undesirable behaviour, with minimal impact on user operations and productivity.

Monitoring databases is critical when manipulation of data in those databases can result in financial loss. DAM can contain data from network-based monitoring, as well as native audit information to provide a comprehensive picture of database activity. This data can be used to report on database activity, support breach investigations, and alert on anomalies.

DAM helps businesses address regulatory compliance mandates like the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), U.S. government regulations such as NIST 800-53, and EU regulations.

Monitor Activity with Snare’s Microsoft SQL Agent

Snare’s specialised Microsoft SQL agent allows the customer to be very granular in monitoring SQL activity within a single database or an entire instance that covers multiple databases.

Individual users, or classes of users such as the DBAs that hold the SYSADMIN role, can be monitored. Specific settings can be used to collect information on specific databases, tables with sensitive data, or specific commands run in the database. This reduces the noise of general monitoring of all user activity in the SQL environment.

The Snare agent works on all current versions of SQL Server on Windows platforms, and is cluster-aware to cover the more complex, highly available deployments.

Some other tools generate enormous amounts of log data, which can overwhelm some systems. The Snare agent can be tuned to collect the specific user activity of interest and filter out the rest of the noise.

If you would like to learn more about Snare’s Database Activity Monitoring solutions or about our suite of log collection and management solutions, including Snare Central and Snare Agents, reach out to us. Our team has helped over 4,000 companies around the world protect their logs and prevent cases of payroll fraud.

Creating a Secure Cyber Security Supply Chain

We all know the importance of maintaining a solid cyber security capability and maintaining a secure cyber posture. We all know the stats about malware, ransomware, cyber IP Theft, data breach fines, and compliance mandates. I don’t think there’s anyone left that does not understand that they need to be cyber secure.

One of the big questions that remains is simply this: “Who do I trust?” And this extends into the supply chain for your service providers and vendors of both software and hardware.

“All organisations should consider cyber supply chain risk management”. – The Australian Cyber Security Centre (ACSC)

The National Cyber Security Centre in the UK (NCSC) documents the type of attacks that could occur through a third party software provider, including compromise of industrial control systems on critical infrastructure.

In the US, the Federal Government has introduced the Cybersecurity Maturity Model Certification (CMMC) to mandate a minimum security posture for all suppliers to government, and to assess and enhance the cybersecurity posture of the Defense Industrial Base. The CMMC is intended to serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place, to ensure basic cyber hygiene as well as to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

Outside of government, there are still very few companies that set business standards for their suppliers or truly understand the security implications of the vendors that they might choose – especially if they are choosing based on price. Choosing an open source product written by unknown contractors in Eastern Europe or Asia may not be the best answer.

It’s a topic to take seriously and to consider in great detail when choosing who to trust to assist your organisation maintain a secure environment.

So how do I choose?

Obviously, a reasonable start is some form of certification. This could mean an ISO27001 certification, certification of compliance with the CMMC (when that becomes more available) as well as certification of the actual product.

The team at Prophecy are deep into an ISO27001 project that will see us certified to this international standard, as well as preparing for CMMC certification to enable us to continue to supply the Defense sector in the United States. We have also had our software verified by a third-party company that specialises in vulnerability assessment. We have used Veracode and have had both the Snare Enterprise Agent and our Agent Manager attain “Verified” level. (Read here for more information on Prophecy’s Verified status.)

Linked to this is risk from open source software – particularly in relation to tracking the use of open source components as new versions become available and older components might have vulnerabilities that remain unpatched. You only need to look to the Equifax breach to see how this can be a significant challenge to manage and one that can have massive consequences. Other issues include projects that might have value now but decrease in value as active involvement decreases, and/or a lack of visibility into who is contributing to open source projects and where they might be coming from.

Why is sovereign capability important?

In a global market with players from almost every country, it is critically important to look at capability from home as well as from those countries that have a level of integration and acceptance when it comes to cyber maturity, cooperation around defense and intelligence, and protections for IP and trademarks. Obviously, local companies usually have created the IP that you will be deploying in your environment, have local support in your time zone and in your language, and understand the local regulatory and legal environment in which you operate. They will be there if you need them, and in your legal jurisdiction if something really goes wrong.

In addition to this, sovereign capability will drive the growth of jobs and the economy (which is very important after the disruptions to the global economy due to COVID) and potentially also drive exports. Snare software, for instance, is developed in Australia with Australian resources, and we generate nearly 80% of our revenue outside Australia.

To expand this slightly further, you could also look to those geographies that have formal alliances, such as the Five Eyes countries.

The Five Eyes

The Five Eyes is an intelligence sharing alliance comprising Australia, Canada, New Zealand, the UK and the US. This is a formal agreement on intelligence sharing at an intergovernmental level, and is a factor that could be considered in choosing a vendor if they are based in one of these geographies and are used by government or defense agencies in those countries.

This also shows the importance of secure supply chains as any supplier to these agencies could potentially introduce vulnerabilities that could possibly allow access into other agencies in other geographies.

If you are a trusted supplier to any of these agencies then that’s a good recommendation for the commercial world too.

Snare was developed by defense personnel for defense purposes and we have many military and defense agencies and defense suppliers using our software around the globe as Snare has been trusted for Centralised Log Management for decades.

So what do you do if you aren’t sure where your providers are headquartered or need to take steps to ensure your supply chain is trustworthy?

There’s a lot to take in here, but in essence it’s all about trust.

Start by asking the following about your suppliers:

  • Do they speak my language, reside in my time zone, have developers I know, and work under a legal framework I can work with and use?
  • Are they trusted by government in my country, or in countries that have a level of engagement and cooperation with my own?
  • If they are an international company, do they have a team in my country that is bound by our laws?
  • Is the IP protected by law, and do I have protections in the license to use the software?
  • Can I be comfortable that I am not introducing risk by choosing a vendor when I am trying to reduce risk?

If you have questions about your supply chain or want to speak with our expert team about implementing Snare’s suite of services as a part of your trusted supply chain, reach out. We are trusted by over 4,000 companies across the globe for log management and can help you create a stronger cyber security infrastructure during a time when it is more important than ever to trust your vendors and your partners.