Packet capture files, files that record network traffic, are invaluable resources for network administrators, help desk staff, and IT security experts. Filled with application data and protocols, timestamps, and error codes, these files give IT engineers a detailed view of what took place on a network during a specific period of time. Enterprise IT teams rely on capture files for network troubleshooting, application performance monitoring, and security threat remediation.
Enterprises use capture files every day, but they rarely organize them. In most organizations, capture files are scattered across the network. They’re found on the laptops of network administrators and field technicians who generate capture files for troubleshooting. They’re found on network devices such as switches and routers that generate capture files automatically for logging. They’re found on the desktop systems of help desk personnel, who generate capture files to diagnose problems for end users. And they’re found in network forensics appliances, which record network traffic over hours or days to monitor and troubleshoot mission-critical services.
IT organizations manage to get by with this haphazard approach to capture files, letting engineers store them wherever they wish. But this laissez-faire attitude is risky. Capture files can include confidential data that’s en route to users or servers. Some of that data—such as customer records, financial statements, and patient-specific medical information—is subject to strict security regulations in industries such as financial services and healthcare. This data is likely also subject to data privacy laws in states such as California, Massachusetts, and Nevada. Disclosure of this data through any means—even through accidentally misplacing a capture file—can lead to regulatory fines, embarrassing data-breach disclosures, and lost business.
Improving the management of capture files not only closes the door on potentially costly data breaches—it also creates an opportunity to make IT operations faster and more efficient. A capture-file management solution that protects captures while making them easier to share securely with authorized users would be a win-win for IT organizations. The result would be not only tighter security but also improved IT efficiency.
A good first step in evaluating the potential benefits of capture-file management is to recognize all the types of confidential data that capture files commonly contain. This is the confidential data that’s at risk in any data breach of capture files.
A great deal of confidential data crosses enterprise networks every day. This data includes:
Any of this data can end up in capture files. A spreadsheet emailed by the CFO? Yes. A VoIP phone call between the company president and the company’s legal counsel? Yes. Confidential design plans for a daring new product? Yes, again.
Even though this content is split across TCP segments, and those segments may be captured out of order, IT engineers and knowledgeable users can reassemble intercepted files and restore them to their original state. Many network forensics tools automatically reconstruct hundreds of file types, including PDFs, Excel spreadsheets, Word documents, and Web graphics. Even without those advanced tools, a technically astute user can reconstruct a file with free utilities: tcpdump to pull the packets out of the capture, then a stream-following tool or a short script to join the payloads back together.
Encrypting network traffic helps, but it does not address every risk that arises when a capture file falls into the wrong hands. First, applications might not encrypt all the network data that an administrator assumes is encrypted; even a Web page delivered over HTTPS, for example, might load a script or other resource over plain HTTP (mixed content), so that request, with its cookies and parameters, appears in the clear. Second, data that is never encrypted in capture files, such as IP addresses, port numbers, TLS handshake metadata like the server name indication, and low-level protocol details such as TTL values and TCP options that fingerprint an operating system, still gives attackers valuable information about the network infrastructure. Attackers can use it to plan an attack using known exploits against specific versions of applications and operating systems.
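The two points above, that a file can be carved back out of a capture and that metadata leaks even from encrypted flows, can be shown with a few dozen lines of Python. The following is an added example, not code from CloudShark or from Wireshark: it parses the classic libpcap format (Ethernet/IPv4/TCP only), reassembles each TCP direction by sequence number so that out-of-order segments do not matter, then carves cleartext HTTP bodies and an inventory of endpoints, Host headers and Server banners. The capture, the host names, the IP addresses and the CSV "payroll" records are all constructed inline so the script runs offline.

```python
"""Carve a file and an infrastructure inventory out of a pcap.

Added example, not CloudShark's or Wireshark's code.  Parses the classic
libpcap format (Ethernet/IPv4/TCP only), reassembles each TCP direction by
sequence number, then pulls cleartext HTTP bodies and headers back out.
The capture below is constructed in memory so the script runs offline.
"""
import socket
import struct
from collections import defaultdict


def parse_pcap(data):
    """Yield (src, sport, dst, dport, seq, payload) for every IPv4/TCP packet."""
    magic, = struct.unpack("<I", data[:4])
    bo = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # byte order of the file
    linktype = struct.unpack(bo + "HHiIII", data[4:24])[5]
    assert linktype == 1, "this example handles Ethernet captures only"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(bo + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                 # not IPv4
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                   # not TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        doff = (tcp[12] >> 4) * 4
        yield (socket.inet_ntoa(ip[12:16]), sport,
               socket.inet_ntoa(ip[16:20]), dport, seq, tcp[doff:])


def reassemble(packets):
    """Join each direction's segments in sequence order, tolerating reordering,
    retransmissions and holes rather than trusting capture order."""
    segs = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in packets:
        if payload:
            segs[(src, sport, dst, dport)][seq] = payload
    streams = {}
    for flow, chunks in segs.items():
        buf, nxt = b"", None
        for seq in sorted(chunks):
            seg = chunks[seq]
            if nxt is not None and seq < nxt:        # overlap: keep only the new bytes
                seg = seg[nxt - seq:]
            elif nxt is not None and seq > nxt:      # hole: flag it instead of silently joining
                buf += b"[%d bytes missing]" % (seq - nxt)
            buf += seg
            nxt = max(nxt or 0, seq + len(chunks[seq]))
        streams[flow] = buf
    return streams


def carve_http(streams):
    """Return ({flow: response body}, sorted metadata facts) from reassembled streams."""
    files, facts = {}, set()
    for (src, sport, dst, dport), data in streams.items():
        facts.add(("endpoint", dst, dport))          # recorded even when the payload is TLS
        head, _, body = data.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        if head.startswith(b"HTTP/1."):              # a response: carve the body
            hdrs = dict(l.split(b": ", 1) for l in lines[1:] if b": " in l)
            if b"Server" in hdrs:
                facts.add(("server", src, hdrs[b"Server"].decode()))
            files[(src, sport, dst, dport)] = body[:int(hdrs.get(b"Content-Length", len(body)))]
        elif lines[0].split(b" ")[-1].startswith(b"HTTP/1."):   # a request line
            for l in lines[1:]:
                if l.lower().startswith(b"host:"):
                    facts.add(("host", dst, l.split(b":", 1)[1].strip().decode()))
    return files, sorted(facts)


def build_packet(src, sport, dst, dport, seq, payload):
    """One Ethernet/IPv4/TCP frame wrapped in a pcap record (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


CSV = b"employee,ssn,salary\r\nA. Example,123-45-6789,91000\r\n"   # constructed, not real records


def sample_capture():
    """Constructed pcap: a cleartext CSV download whose response is captured out of
    order, plus one TLS packet whose metadata still shows up in the inventory."""
    req = b"GET /reports/payroll.csv HTTP/1.1\r\nHost: intranet.example.internal\r\n\r\n"
    resp = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/csv\r\n"
            b"Content-Length: %d\r\n\r\n" % len(CSV)) + CSV
    records = [
        build_packet("10.0.0.5", 51234, "10.0.0.20", 80, 1000, req),
        build_packet("10.0.0.20", 80, "10.0.0.5", 51234, 2060, resp[60:]),   # second half first
        build_packet("10.0.0.20", 80, "10.0.0.5", 51234, 2000, resp[:60]),
        build_packet("10.0.0.5", 51235, "10.0.0.20", 443, 3000, b"\x16\x03\x01\x00\x10" + b"\x00" * 16),
    ]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)


def carve(pcap_bytes):
    return carve_http(reassemble(parse_pcap(pcap_bytes)))


if __name__ == "__main__":
    files, facts = carve(sample_capture())
    for flow, body in files.items():
        print("file from %s:%d -> %s:%d (%d bytes):\n%s" % (flow + (len(body), body.decode())))
    for fact in facts:
        print(fact)
```

Running it prints the reconstructed CSV in full even though its two halves were captured in reverse order, and the inventory lists the intranet host name, the Apache version banner and the fact that the same server also speaks on port 443, which is exactly the reconnaissance material the paragraph above describes. A real carver would also handle IPv6, VLAN tags, chunked encoding and pcapng, none of which this example attempts.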
Two sobering conclusions, then: first, if confidential data ends up in a capture file, it’s accessible to whoever has access to the capture file, and second, the capture files almost always reveal network details that are useful to hackers planning attacks.
Any capture file that contains confidential data is subject to the same industry regulations and laws that apply to other confidential data in the enterprise. These regulations and laws include:
The Gramm-Leach-Bliley Act (GLBA) requires financial services companies to keep customer data confidential. The GLBA Safeguards Rule requires financial institutions to develop, monitor, and continually test their systems for protecting the non-public personal information of past and present customers.
HIPAA requires healthcare organizations (HCOs) and their business associates to protect patient-specific healthcare data. HIPAA applies to all HCOs (including hospitals, local clinics, insurance companies, etc.) and their business associates (all organizations, even accounting firms and Web design firms, doing business with an HCO). Any individual in an HCO or a business associate of an HCO who knowingly discloses protected health information is subject to fines of up to $50,000 and up to one year in jail.
The parts of HIPAA relevant to packet capture security include sections on workstation use and security, device and media controls (including rules for backup and storage), access controls for electronic resources, and a section on transmission security, which requires encryption of those records while in transit. This puts packet capture files in a unique position: since they contain all of the transmitted data, they can be considered both electronic records in themselves and a record of the transmission of those records.
The Payment Card Industry Security Standards Council is a consortium of the major payment card brands, such as Visa, Mastercard, and American Express. To protect cardholder data, the council maintains the Payment Card Industry Data Security Standard (PCI DSS), which covers security technologies, network administration, and best practices. PCI DSS measures include restricting access to cardholder data and encrypting cardholder data that travels across open, public networks. All merchants that accept payment cards are required to comply with PCI DSS.
An interesting development involving PCI DSS is the state of Nevada’s adoption of this security standard in its data privacy law, which covers all business entities storing customer records of Nevada residents. Rather than develop its own security guidelines, the state government simply adopted PCI DSS, even though this standard is controlled by a private consortium, not a government agency.
SOX says that public companies must put internal security measures in place to control and manage financial reporting. It doesn’t mandate specific security technologies per se, but many organizations implement access controls, encryption, and other technology to ensure that financially material information (everything from earnings reports to sales projections) doesn’t fall into the wrong hands and abet fraud. Though it officially applies only to public organizations, many private companies choose to adhere to SOX guidelines in preparation for someday going public.
Nearly all states have now passed data breach notification laws, requiring businesses to notify the public if confidential customer records have been accidentally disclosed. Failure to notify the public promptly can lead to civil or criminal penalties. In addition to data breach notification laws, several states have passed data security laws that require businesses to use encryption and other technologies to protect customer records. Washington and Massachusetts, for example, both mandate the use of encryption for protecting customer data. As news stories about data breaches continue, we can expect more state legislatures to respond to public pressure and enact legislation that requires organizations to rigorously protect customer records at rest and in transit.
In many industries, regulators are growing increasingly strict about compliance with security regulations. Between 2003 and 2008, the federal government evaluated over 8,000 cases of HIPAA violations and settled them all without imposing any significant fines. But in 2009, regulators discovered that employees of CVS Caremark had abandoned paper copies of patients’ prescription information in public trash containers. The Federal Trade Commission fined CVS Caremark $2.25 million (CVS Caremark denied any wrongdoing but settled the case). This penalty marked a turning point in HIPAA enforcement. Since then both the FTC and the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) have been much more vigilant about ferreting out and penalizing HIPAA violations; for example, in February 2011, the OCR fined Cignet Health $4.3 million, of which $3 million was a penalty for failing to cooperate with the OCR’s investigation in a timely manner. The OCR has a built-in incentive for being vigilant: the Health Information Technology for Economic and Clinical Health (HITECH) Act, included in the American Recovery and Reinvestment Act (ARRA) of 2009, puts the OCR in charge of enforcing HIPAA security mandates and arranges for financial penalties to be paid directly into the OCR’s operating budget.
It’s clear that capture files often contain confidential data, and that this data is often subject to regulatory control.
How can IT organizations improve the security of capture files without impeding the work of help desk staff, network administrators, and other IT professionals who need ready access to capture files in order to do their jobs?
Security need not conflict with efficiency. By following the best practices outlined below, enterprise IT organizations can improve capture-file security while helping IT engineers work more quickly and efficiently.
For groups building web applications, or with other reasons to analyze encrypted traffic, managing the private keys used for debugging and troubleshooting is another serious security risk. Tools like Wireshark let you load a server’s RSA private key to decrypt captured sessions, but a copy of that key then sits on every user’s system that does the analysis. A stolen RSA key is a serious breach in its own right: an attacker who holds it can decrypt every captured session that used RSA key exchange and, until the key is rotated, impersonate the server. Note also that the private key only helps with RSA key exchange; sessions negotiated with (EC)DHE cipher suites, the default in modern TLS, can only be decrypted from per-session secrets, such as a key log written by the client or server.
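The safer alternative to copying the private key around is to hand analysts only the session secrets for the sessions in a given capture. The following is an added example, not Wireshark’s or CloudShark’s code: it extracts the ClientHello random of each TLS connection from the reassembled client-to-server byte stream and keeps only the lines of an NSS-format key log (the format Wireshark reads) that belong to those randoms. The TLS streams and the key log are constructed inline; it assumes TCP reassembly has already been done and does not parse pcap files itself.

```python
"""Scope TLS decryption material to one capture instead of sharing the RSA key.

Added example, not Wireshark's or CloudShark's code.  Wireshark can decrypt
from an NSS-format key log whose lines are keyed by the ClientHello random.
Pulling the randoms out of the capture and exporting only the matching key-log
lines lets analysts decrypt exactly those sessions and nothing else.  Inputs
are constructed: one reassembled client-to-server TLS byte stream per
connection and a small key log.  Assumes TCP reassembly has already been done.
"""


def client_randoms(stream):
    """Return the hex ClientHello random of every TLS handshake in a client stream."""
    found, off = [], 0
    while off + 5 <= len(stream):
        rtype, rlen = stream[off], int.from_bytes(stream[off + 3:off + 5], "big")
        body = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        # handshake record (0x16) carrying a ClientHello (0x01): the random sits at
        # offset 6 of the handshake body, after type(1) length(3) client_version(2)
        if rtype == 0x16 and body[:1] == b"\x01" and len(body) >= 38:
            found.append(body[6:38].hex())
    return found


def scope_keylog(keylog_text, randoms):
    """Keep only key-log lines (label, client_random, secret) for the given randoms.
    Covers both CLIENT_RANDOM (TLS 1.2) and the per-secret TLS 1.3 labels, since
    every line of the NSS format carries the client random in its second field."""
    wanted = {r.lower() for r in randoms}
    kept = [line for line in keylog_text.splitlines()
            if len(line.split()) == 3 and line.split()[1].lower() in wanted]
    return "".join(line + "\n" for line in kept)


def make_client_hello(random32):
    """Minimal constructed ClientHello (one TLS 1.3 suite, no extensions) for the demo."""
    body = b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


RAND_A, RAND_B, RAND_OTHER = bytes([0xAA]) * 32, bytes([0xBB]) * 32, bytes([0xCC]) * 32

# Two connections in the capture; each stream is a ClientHello followed by an
# application-data record that the parser must skip.
STREAMS = [
    make_client_hello(RAND_A) + b"\x17\x03\x03\x00\x03abc",
    make_client_hello(RAND_B) + b"\x17\x03\x03\x00\x03def",
]

# Constructed key log from the client host.  RAND_OTHER belongs to a session
# that is not in this capture, so its secret must not be shared.
KEYLOG = (
    "CLIENT_RANDOM %s %s\n" % (RAND_A.hex(), "11" * 48)
    + "CLIENT_HANDSHAKE_TRAFFIC_SECRET %s %s\n" % (RAND_B.hex(), "22" * 32)
    + "CLIENT_TRAFFIC_SECRET_0 %s %s\n" % (RAND_B.hex(), "33" * 32)
    + "CLIENT_RANDOM %s %s\n" % (RAND_OTHER.hex(), "44" * 48)
)


def scoped_keylog_for_capture(streams=STREAMS, keylog=KEYLOG):
    """The key-log excerpt that is safe to attach to this capture."""
    return scope_keylog(keylog, [r for s in streams for r in client_randoms(s)])


if __name__ == "__main__":
    print(scoped_keylog_for_capture(), end="")
```

The resulting excerpt decrypts only the sessions in that capture (load it in Wireshark under the TLS protocol preference for the (Pre)-Master-Secret log file, or with `tshark -o tls.keylog_file:scoped.log -r capture.pcap`), and it stays useful for (EC)DHE sessions, which the RSA private key cannot decrypt at all. The private key never leaves the server, and a leaked key-log excerpt exposes nothing beyond the traffic that was already in the shared capture.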
To avoid data breaches through leaked or misplaced capture files, IT organizations should follow these best practices:
To improve IT efficiency in the areas of troubleshooting and network analysis, IT organizations should follow these best practices:
CloudShark is the industry’s first secure platform for storing and sharing capture files. CloudShark Enterprise provides a central, password-protected repository for all capture files in the enterprise, including capture files created during ad-hoc troubleshooting activities, as well as capture files automatically generated by network devices and applications.
Once in the CloudShark repository, files can be assigned to specific users and groups. By limiting access to capture files, CloudShark minimizes the risk of unauthorized users reading or distributing capture files as part of a data breach.
Security isn’t the only benefit of CloudShark. It also improves IT efficiency by making it easier for authorized users to access, annotate, and share capture files. CloudShark enables users to view, search, and annotate capture files through a Web browser. Browser access makes capture files accessible on mobile devices, such as smartphones and tablets. Using this browser-based access, remote subject-matter experts can collaborate with on-site staff without requiring access to computers configured with special applications. CloudShark also enables users to tag capture files and share them through URLs, making it easy to integrate access-controlled capture files into bug-tracking and trouble-ticket workflows.
Further, CloudShark provides the ability to search across multiple captures using standard Wireshark filters – returning those captures that have the data you’re looking for.
Using CloudShark, enterprises can minimize the risk of capture files contributing to a data breach or regulatory violation.
CloudShark offers enterprise IT teams these benefits:
CloudShark Enterprise includes the following features:
If recent changes to HIPAA rules are any indication, regulatory scrutiny of data security practices is only going to increase. Data breaches will be punished with costlier fines. Public disclosures of data breaches will be required for breaches of all sizes. Enterprises with lax IT security will face stiff penalties, bad publicity, and lost business.
Given this mounting regulatory pressure, it behooves IT managers to recognize that packet capture files often contain confidential data that’s subject to industry regulations and data-security laws. Enterprises should follow the best practices described in this paper to protect capture file data, while making capture files themselves easier to manage and to use.
CloudShark gives enterprise IT organizations a secure, flexible capture-file management platform for collecting, storing, and sharing capture files. CloudShark reduces the risk of capture-file data breaches, while making it easier for IT engineers to collaborate on important tasks such as network troubleshooting, application performance management, and security threat remediation.