How Malware Could Wreck Sarbanes-Oxley ComplianceRigorous Logging, Asset Management and Segmentation Are Key
Databases never lie, right? That is, unless they're infected with malware.
See Also: Autonomous Response: Threat Report
FireEye recently released its M-Trend reports, which looks at data breaches investigated by its Mandiant forensics arm. The report finds that breach investigations are increasingly prompting audits intended to ensure publicly traded companies are still compliant with Sarbanes-Oxley.
The law, passed in the U.S. in 2002, sought to bring more corporate transparency for investors and stronger penalties for misreporting financial data. It fundamentally changed risk management and assessment, holding top executives accountable for presenting accurate financial statements.
When the law was enacted, the state of information security was arguably a great deal less hostile than it is today. But SOX-related systems are increasingly impacted by intrusions, which could pose compliance and legal difficulties for companies.
"Sometimes we see tampering with systems that relate to financial compliance and financial record keeping," says Bryce Boland, FireEye's CTO for Asia Pacific. "I think this is an area that most organizations haven't been thinking about. When they think about threats, they usually think about things like loss of intellectual property or customer information."
Keeping A Trail
Changing a few numbers in a database could be easy to accomplish but a lot tougher to figure out retrospectively without forensic evidence, Boland says.
"Sometimes we see tampering with systems that relate to financial compliance and financial record keeping."
—Bryce Boland, FireEye CTO, Asia Pacific
Often there are processes built around SOX-related financial systems, such as having "four eyes" - or approval from two C-level executives - on changes. But if those controls are bypassed, there may be no record of the changes that have been made, Boland says.
"It's really important to have access to those logs, to have access to that forensic information because it's not going to be possible to reconstruct what changes took place," Boland says. "That's going to make it much difficult for the business leaders to be able to say to the market 'Here's what's happened, here's what the impact was'."
What can aid an investigation is rigorous logging, not just of a particular application but also the network communication between components. Logs can be tampered with as well, so the defense of the server collecting those reports is also critical. Mandiant recommends storing the logs in a SIEM and regularly backing it up.
Another recommendation is to establish a segregated SOX network. Access to the SOX network should be minimized, with jump hosts used to restrict access to the financial information it stores.
"Implemented correctly, strict asset and account management and network segmentation, including the use of jump servers, could significantly improve security and reduce audit complexity," Mandiant writes in its report.
Sealing off avenues of attack first require knowledge of what's on the network. The usual advice should be followed: Create an inventory of assets that process financial information or control it. That includes all applications, operating systems, host names, IP addresses and physical locations.
Also critical is knowledge of what accounts have access and the permission levels of those accounts, whether they're for databases, domains, applications or other systems.
Having lists of assets and accounts should make it faster to isolate what, if anything went wrong, during an audit of a SOX system.
Technology Changes But Law Doesn't
Since Sarbanes-Oxley came into effect 16 years ago, the world of software has radically changed. Organizations have embraced cloud services, mobile and hybrid offerings, Boland says.
It's important "that you can demonstrate the effectiveness of the controls over time and in case of any kind of incident," he says.