SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Similar documents
Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

Hyper-V Installation Guide for Snare Server

System Security Guide for Snare Server v7.0

User Guide to the Snare Agent Management Console in Snare Server v7.0

Using Snare Agents for File Integrity Monitoring (FIM)

Snare Agent Management Console User Guide to the Snare Agent Management Console in Snare Server v6

Snare for Firefox Snare Agent for the Firefox Browser

Installation Guide to the Snare Server Installation Guide to the Snare Server

Side-by-side Migration Guide for Snare Server v7

Windows ADM Templates and Group Policy

PCI DSS Reporting WHITEPAPER

USM IT Security Council Guide for Security Event Logging. Version 1.1

Network Security Policy

Over-the-top Upgrade Guide for Snare Server v7

Alert Logic Log Manager

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Guideline on Auditing and Log Management

UBC Incident Response Plan

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

05.0 Application Development

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

Secret Server Qualys Integration Guide

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Standard: Event Monitoring

ITIL A guide to event management

Streamlining Web and Security

Managing UNIX Generic and Service Accounts with Active Directory

Contents Firewall Monitor Overview Getting Started Setting Up Firewall Monitor Attack Alerts Viewing Firewall Monitor Attack Alerts

Network & Information Security Policy

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

Global Partner Management Notice

Compliance Guide: PCI DSS

Log Management Best Practices: The Benefits of Automated Log Management

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

SysPatrol - Server Security Monitor

Fifty Critical Alerts for Monitoring Windows Servers Best practices

Workflow Templates Library

Snare Server v6 VMware Logging Guide Using the Snare Server to collect VMware ESXi Logs

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

SUPPLIER SECURITY STANDARD

Mitigating Risks and Monitoring Activity for Database Security

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

The Snare Agents Commercial or Open Source? - White Paper -

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

TIBCO LogLogic. HIPAA Compliance Suite Quick Start Guide. Software Release: December Two-Second Advantage

How To Secure An Rsa Authentication Agent

The potential legal consequences of a personal data breach

Frequently Asked Questions. Secure Log Manager. Last Update: 6/25/ Barfield Road Atlanta, GA Tel: Fax:

Potential Targets - Field Devices

AN OVERVIEW OF VULNERABILITY SCANNERS

Application Firewall Overview. Published: February 2007 For the latest information, please see

An Oracle White Paper June Security and the Oracle Database Cloud Service

CA Performance Center

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

ITIL A guide to Event Management

CA Nimsoft Monitor. Probe Guide for E2E Application Response Monitoring. e2e_appmon v2.2 series

Designing a CA Single Sign-On Architecture for Enhanced Security

The Business Case for Security Information Management

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

OWASP Logging Project - Roadmap

GFI White Paper PCI-DSS compliance and GFI Software products

How to Secure a Groove Manager Web Site

SNARE Server Release Notes - Release 4.0

Automation Suite for. 201 CMR Compliance

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

GUIDE TO MANAGING DATA BREACHES

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

White Paper BMC Remedy Action Request System Security

How To Fix A Snare Server On A Linux Server On An Ubuntu (Amd64) (Amd86) (For Ubuntu) (Orchestra) (Uniden) (Powerpoint) (Networking

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Achieving PCI-Compliance through Cyberoam

FISMA / NIST REVISION 3 COMPLIANCE

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

A Systems Approach to HVAC Contractor Security

Web Application Penetration Testing

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

Name. Description. Rationale

INCIDENT RESPONSE CHECKLIST

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

CA Technologies Solutions for Criminal Justice Information Security Compliance

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. August 2014 Phone: Publication: , Rev. C

Protect Your Connected Business Systems by Identifying and Analyzing Threats

Symantec Event Collector 4.3 for Microsoft Windows Quick Reference

Snare System Version Release Notes

SiteLock. Internet Security: Big Threats for Small Business. Presented by: Neill Feather, President

CompTIA Security+ (Exam SY0-410)

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Web App Security Audit Services

Transcription:

California State Senate Bill 1386 / Assembly Bill 1298 InterSect Alliance International Pty Ltd Page 1 of 8

Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct, or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance International Pty Ltd. This does not include those documents and software developed under the terms of the open source General Public Licence, which covers the Snare agents and some other software. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance International Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice. InterSect Alliance International Pty Ltd Page 2 of 8

About this document California State Senate Bill 1386 requires that an organisation provides notification to any resident of California, when their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Assembly Bill 1298 further extends the definition of private information defined in the original bill. This document discusses the role of audit log data in meeting SB 1386 and AB 1298 requirements. Table of Contents: Legislation Overview Audit Collection & Reporting Network Devices General Workstations and Servers Browsers / Proxies Web Servers Servers used to host or process private information Audit Reporting Administrative Actions and Account Management Login Activity File or Resource Access Network Devices Browser and Proxy Server Logs Custom Applications Health Checker InterSect Alliance International Pty Ltd Page 3 of 8

Legislation Overview California Senate Bill 1386 (SB 1386), was signed into law in September 2002. The bill requires all institutions and organizations that collect personal information to notify affected parties of any security breach that affects the security, confidentiality or integrity of the collected data. Personal information is defined by Section 2(e) of the bill, and includes any persons first name or first initial and last name in combination with any of the following: Social security numbers Drivers license or California Identification card numbers Bank account or credit card numbers in combination with access code or associated authentication information. California Assembly Bill 1298 (AB 1298) also extended the definition of personal information to include medical and health insurance information. When either component is encrypted, the data does not meet the definition of personal information under SB 1386/AB 1298 - unless the breach involves disclosure of the associated encryption keys, or a breach of the underlying encryption algorithm. Neither SB 1386 nor AB 1298 identify specific proactive security controls that can be used to either protect the personal information, or identify potential breaches; however it would be reasonable to expect that audit and eventlog data would form a cornerstone of your asset protection, and breach detection strategy. Audit Collection & Reporting The following recommendations highlight some generic strategies relating to event collection on systems that process private information covered by SB 1386/AB 1298. It is strongly recommend that any recommendations below be considered in the light of an agency's risk assessment and security policy. Network Devices All management and security events, and failed connections. The management events should include events such as general reconfiguration, reboots and password changes. Usually, events produced by these devices are sent out via SYSLOG but may also come from a Radius authentication server. Although not directly related to the protection of private information, successful attacks against network infrastructure can lead to organisational information leakage or enable further attacks against other infrastructure. General Workstations and Servers All management and security events, logins and logouts both failed and successful, accounts created and deleted, should be logged from workstations and servers that do not directly host private information. The Snare Agents used for collection of such events should be configured to collect only those events to support this requirement in order to reduce the flood of information that would otherwise be sent back to a central collection server for analysis and processing. InterSect Alliance International Pty Ltd Page 4 of 8

Process monitoring or file access auditing on these servers and workstations is considered less critical, and the general audit strategy is to attempt to collect event log data that may indicate that these systems are used as a jumping-off-point to access other systems that host private information. In situations where general workstations are used as a transitory storage location for private information (for example, spreadsheets), file auditing on the directories containing sensitive information that is used for transitory storage may be required. Browsers / Proxies If the primary interface to your private information store is via a web browser, browser and proxy log data may provide information on attacks against your user base. Monitoring proxy log data for web sites that are accessed concurrently with your internal content, searching for known external problem sites that have poor reputation, or scanning logs for cross site scripting signatures, may provide useful information towards attempts to breach your private information. Snare Epilog agents for the ISA and Squid proxy servers, potentially coupled with plugin agents for Chrome, Firefox and Internet Explorer, can facilitate access and monitoring of such information. Web Servers If the primary interface to your private information store is via a web browser, log data from the web server that hosts the user interface, may provide valuable information on attacks or attempts to scan the server for vulnerabilities. Monitoring the log data for URL access attempts outside a known authorised subset, can highlight attacks against the server itself. Scanning the logs for unexpected data content within GET requests, may alert administrators to fuzzing attacks against the web-based application itself and areas that are being targeted for SQL Injection, Command Injection, buffer overflows or Cross Site Scripting attacks. Servers used to host or process private information All management and security events, logins and logouts both failed and successful, accounts created and deleted. File event monitoring should be considered on those directories that store private or sensitive information. Care should be taken in employing file auditing, since it generally results in a large number of system events being generated. File auditing should therefore be configured to monitor only those directories or files that store private information. In situations where private information is stored within a database, or managed exclusively by a custom application, database and/or application logs may be used to either supplement or supplant file related audit data, assuming: Appropriate file level access controls are in place. Membership of groups that provide unrestricted access to the underlying data used by the database or application are monitored, and The organisational risk assessment deems the risk acceptable. Applications, in general, write audit log data to either An operating system log facility (eg: Windows Application log) An append-only, rotating, text-format log. A local or remote syslog server. InterSect Alliance International Pty Ltd Page 5 of 8

Snare agents are available to monitor each of these destinations. Audit Reporting The following recommendations highlight some specific objectives on the Snare Server that may assist in meeting SB 1386/AB 1298 requirements. It is strongly recommend that any recommendations below be considered in the light of an agency's risk assessment and security policy. The settings are the initial recommended settings, and should be fine-tuned once the Snare Server has been in operation for some time. Administrative Actions and Account Management In most organisations, group permissions and/or logical system access, are used to control access to sensitive data. These are also known as role based access controls or RBAC. The Snare Server can be used to scan for modifications to groups that control access to personal information, or additions and alterations to system accounts on servers that host personal information. It is recommended that reports related to the groups in question, be delegated to and reviewed by, the organisational users who are responsible for controlling the data. Monitor account-related activity for Windows, Unix, and Mainframe systems. The objectives should be checked at least once per week to ensure that only authorized staff have been creating, deleting or otherwise changing accounts. Monitor objectives related to group modifications for those groups that are used to control access to private data. Monitor group snapshot objectives for unauthorised additions to sensitive groups that are used to control access to private data. Login Activity Unusual login activity can be a potential sign that an internal user is attempting to escalate their privileges, or an external attacker is trying to gain access to information that they are not authorised to view. It is recommended that failed login activity, and successful login activity outside of normal work hours, be monitored for abnormalities on systems that control access to, or host personal information. Scan for failed logins to your systems, InterSect Alliance International Pty Ltd Page 6 of 8

network devices, and web-based application servers: Over a threshold value For example, 10 failed logins within a 1 hour period. To Locked Accounts (in the case of Windows accounts). Scan for successful or failed logins after normal working hours. Scan for logins to high privilege accounts (eg: Domain administrator, root or other power users), or attempts to increase privilege for administrative activity (eg: Run as Administrator, sudo, /bin/su) File or Resource Access For systems that store personal information, file auditing may be an important addition to the organisational monitoring plan. Enabling file auditing on most operating systems, can result in very large volumes of data, and can adversely affect CPU resources to a degree, so care should be taken to restrict the paths to monitor to only those of critical value. Network Devices A range of network and firewall events can be monitored via the objectives in this category. It is recommended that failed connections be monitored for patterns that may indicate attempts to compromise internally protected resources. Where supported by the source firewall, router or switch, management events should be checked for anomalies also. Browser and Proxy Server Logs Modern web browsers are complex tools that hold significant quantities of identifying information, or are used as a gateway to resources that are valued by attackers such as bank account details, information that can be sold to marketing firms, and information that can be used for identity theft. As such, the browser is a significant potential attack vector for your personal information data store; particularly if the attackers know the configuration of the internal web-based application that hosts your personal data, or if you are using an off-the-shelf system that InterSect Alliance International Pty Ltd Page 7 of 8

has known attack vectors or consistent URL paths to the data store. To provide a level of audit information relating to browser based attack vectors, logs can be retrieved either directly from the browser in question, or from a proxy server or firewall, in order to attempt to detect cross site scripting attacks, or related browser probes. Custom Applications The Snare Server is capable of receiving log data from a wide variety of sources, including arbitrary applications that generate text-based log files. If the organisation uses a custom application to store and process personal information, the log data generated by this application can be forwarded to the Snare Server for analysis and reporting. The Snare Server will capture log data from custom sources, and include the information within a category known as Generic Log. Snare s powerful substring matching functionality provides the ability to pull embedded data out into useful fields, and use those fields as a basis for data searches, and graphing. Health Checker The Snare Server health checker provides you with information relating to the health of your Snare Server collection, analysis and reporting environment. It is recommended that this facility be monitored daily. InterSect Alliance International Pty Ltd Page 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information