Monitoring And Tracking Access To Data At Your Business
Monitoring and tracking all access to cardholder data and network resources is critical for any business that handles card payments.
In fact, it is a PCI DSS requirement (Requirement 10), and it matters because it gives your business full visibility of who accessed which data and network resources, and when. That visibility makes suspicious behaviour easier to pick up on and trace back to its source.
This is one of many steps involved in protecting data. First, you need to master the basics, such as using VPN software for remote access and building strong security habits amongst employees. After that, network segmentation and logging and monitoring tools are vital.
What does PCI expect when it comes to monitoring & tracking access to cardholder data & network resources?
Audit trails must be implemented so that all access to system components is linked to an individual user. In practice this means no shared or generic accounts, since an action logged against a shared login cannot be attributed to a person. Step one is essential because it ensures that audit logs are in place, which then gives you the ability to trace suspicious activity and determine who was acting maliciously.
For step two, automated audit trails need to be implemented for all system components so that the following events can be reconstructed –
a) All individual user access to cardholder data – By keeping a record of this, you can identify whether any accounts have been misused or compromised.
b) All actions taken by anyone with administrative or root privileges – If these accounts are compromised, the damage can be monumental. Effective auditing ensures you can pick up on misuse before it is too late.
c) Access to all audit trails – One of the ways attackers hide their actions is by reading and altering audit logs, which is why every read of the logs must itself be logged.
d) Invalid logical access attempts – Repeated failed login attempts can mean that a malicious individual is trying to guess credentials or otherwise gain access to your system.
e) Use of, and changes to, identification and authentication mechanisms – This includes creation of new accounts and elevation of privileges. If you cannot identify which accounts were used, you will not know who was logged in when an incident occurred.
f) Initialising, stopping or pausing of the audit logs – Attackers who wish to avoid detection will often pause or turn off audit logging before they act, so you need a record of whenever this occurs.
g) Creation and deletion of system-level objects – This is required because malware commonly creates or replaces system-level objects (such as system binaries, kernel modules or scheduled tasks).
To achieve step three, you need to record at least the following details in every audit trail entry, for all system components –
a) User identification
b) Event type
c) Time and date
d) Success or failure indication
e) Event origin
f) Name or identity of affected data, resource, or system components.
This step is required for compliance because, with these six details recorded for every event, it becomes much easier to identify a potential compromise and reconstruct exactly what happened.
Step four is to synchronise all critical system clocks and times using time-synchronisation technology (NTP is the usual choice). You also need to implement the following controls for acquiring, distributing and storing time:
a) Critical systems must have the correct and consistent time.
b) Time data must be protected. In practice, only designated time servers receive time from external sources, and other systems take their time from those internal servers, so that changes to time settings are restricted and logged.
c) Time settings must be received from industry-accepted sources.
PCI DSS requires this step because it is extremely difficult, and often impossible, to correlate log files from different systems if their clocks are not synchronised, and without correlation you cannot establish an exact sequence of events.
Step five involves securing audit trails so they cannot be altered. To achieve this, you need to follow these steps –
a) Only those with a job-related need should be allowed to view audit trails.
b) Audit trail files must be protected from unauthorised modification.
c) Audit trail files must be promptly backed up to a centralised log server or to media that is difficult to alter.
d) Logs for external-facing technologies (such as wireless, firewalls, DNS and mail servers) must be written onto a secure, centralised internal log server.
e) To make sure that existing log data cannot be altered without generating alerts, you need to use file-integrity monitoring or change-detection software on the logs (new data being appended to a log should not trigger an alert; changes to existing data should).
This step has been designed to combat the problem of cybercriminals editing audit logs to cover their tracks. Let's take a look at how you should fulfil some of these points in further detail –
- Only those with a job-related need should be allowed to view audit trails – Strong access controls limit who can read the logs, which reduces the chance of them being compromised or used to plan an attack. Grant access only to authorised users, and log that access.
- Audit trail files must be backed up to a centralised log server – This ensures that a copy of the logs survives even if the originating system is compromised. You can meet this requirement by shipping logs promptly to a separate, hardened server that the originating system cannot modify.
- Logs for external-facing technologies must be written onto a secure, centralised internal log server – Systems exposed to the internet are the most likely to be compromised, so writing their logs to an internal server reduces the risk of those logs being altered or lost. Again, only authorised users should be able to access them.
- Use file-integrity monitoring or change-detection software – These tools watch critical files, including the logs themselves, and alert you when a change occurs. Chaining each audit entry to the previous one with a keyed checksum makes any alteration or deletion detectable; it does not by itself prevent tampering, so the chain's signing key and the verified copy of the log must live on a separate server that a compromised host cannot reach.
Step six is designed to help you identify suspicious activity and anomalies, and to do this you must review security events and logs for all system components. To achieve this, you must:
a) On a daily basis, review all security events; the logs of all system components that store, process or transmit cardholder data, or that could affect the security of such data; the logs of all critical system components; and the logs of all servers and system components that perform security functions (for example firewalls, intrusion-detection systems, authentication servers and e-commerce redirection servers).
b) Review the logs of all other system components periodically, based on your organisation's policies and risk assessment.
c) Follow up on any exceptions and anomalies identified during the review process.
To understand this requirement, let's look at each of the three steps separately –
a) Daily review commitments – This is an exceptionally important part of PCI compliance because breaches often go undetected for a considerable period of time. With daily reviews (which may be automated through log-harvesting, parsing and alerting tools), you can pick up on unauthorised access quickly enough to react.
b) Periodic review of all other system components – This step is required so that you can pick up on attackers using less-sensitive systems as a stepping stone into your sensitive systems.
c) Follow up on exceptions and anomalies – If nobody acts on what the review finds, malicious activity could be occurring within your network while you remain none the wiser.
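As an added example (not code from the original article), here is what an automated piece of the daily review from step six can look like in Python: a small rule engine run over constructed, syslog-style log lines modelled on Linux sshd, sudo and auditd output. It flags three of the event types step two requires you to capture: repeated invalid access attempts from one source (d), a privileged user reading the audit logs (b and c), and the audit daemon being stopped (f). The thresholds, host names, addresses and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs for the example; a real deployment sets these from its risk assessment.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
AUDIT_LOG_PATHS = ("/var/log/audit", "/var/log/auth.log", "/var/log/secure")

# "<ISO timestamp> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed sample lines (not captured from a real system), one day's worth.
SAMPLE_LOGS = """\
2024-03-01T02:14:05Z pos-app-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
2024-03-01T02:14:07Z pos-app-01 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 41023 ssh2
2024-03-01T02:14:09Z pos-app-01 sshd[2205]: Failed password for root from 203.0.113.9 port 41024 ssh2
2024-03-01T02:14:12Z pos-app-01 sshd[2207]: Failed password for root from 203.0.113.9 port 41025 ssh2
2024-03-01T02:14:15Z pos-app-01 sshd[2209]: Failed password for invalid user oracle from 203.0.113.9 port 41026 ssh2
2024-03-01T02:20:30Z pos-app-01 sshd[2250]: Accepted publickey for alice from 10.0.1.5 port 50211 ssh2
2024-03-01T02:31:00Z pos-app-01 sshd[2260]: Failed password for alice from 10.0.1.5 port 50300 ssh2
2024-03-01T03:02:11Z pos-db-01 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /var/log/audit/audit.log
2024-03-01T03:05:40Z pos-db-01 auditd[611]: The audit daemon is exiting.
2024-03-01T03:05:41Z pos-db-01 kernel: audit: type=1305 audit_pid=0 old=611 auid=1001 ses=4 res=1
"""


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped here; in production, count them
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def review(lines):
    """Return a list of findings, each a dict with rule, host, time and detail."""
    findings = []
    failures = defaultdict(list)  # (host, source ip) -> timestamps of failed logins

    def flag(rule, ev, detail):
        findings.append({"rule": rule, "host": ev["host"], "time": ev["ts"].isoformat(), "detail": detail})

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        prog, msg = ev["prog"], ev["msg"]

        if prog == "sshd" and (m := FAILED_RE.search(msg)):
            # (d) invalid logical access attempts: sliding window per source address
            key = (ev["host"], m["src"])
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            failures[key].append(ev["ts"])
            if len(failures[key]) == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                flag("repeated_invalid_access", ev,
                     f"{FAILED_LOGIN_THRESHOLD} failed logins from {m['src']} within {FAILED_LOGIN_WINDOW}")

        elif prog == "sudo" and (m := SUDO_RE.match(msg)):
            # (b) root actions combined with (c) access to the audit trails
            if m["target"] == "root" and any(p in m["cmd"] for p in AUDIT_LOG_PATHS):
                flag("privileged_audit_log_access", ev, f"{m['user']} ran as root: {m['cmd']}")

        elif prog == "auditd" and "exiting" in msg:
            # (f) audit logging stopped
            flag("audit_log_stopped", ev, msg)

        elif prog == "kernel" and "audit_pid=0" in msg:
            # (f) kernel reports no audit daemon attached
            flag("audit_log_stopped", ev, msg)

    return findings


def review_sample():
    return review(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f['time']} {f['host']} {f['rule']}: {f['detail']}")
```

The single failed login by `alice` from an internal address is deliberately left below the threshold: a review that fires on every failure trains people to ignore it, which defeats point (c). Each finding the script does produce is something a person must follow up, and closing it out should itself be recorded.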
Step seven: audit trail history must be retained for a minimum of one year, with at least the most recent three months immediately available for analysis (online, archived, or restorable from backup without lengthy delay).
As touched upon, a breach can go undetected for months, and this retention period allows for that fact and gives you enough history to investigate effectively.
The final step is to ensure that all security policies and operational procedures for monitoring access to cardholder data and network resources are documented, in use, and known to all affected parties.
If you are to stay compliant with Requirement 10 of PCI DSS, all personnel involved must be on board, so they need to be aware of the security policies and operational procedures that implement this requirement.