Packet Capture Files: Valuable but Vulnerable
Packet capture files - files that record network traffic—are invaluable resources for network administrators, help desk staff, and IT security experts. Filled with application data and protocols, timestamps, and error codes, these files provide IT engineers with a detailed view of what took place on a network during a specific period of time. Enterprise IT teams rely on capture files for network troubleshooting, application performance monitoring, and security threat remediation.
Enterprises use capture files every day, but they rarely organize them. In most organizations, capture files are scattered across the network. They’re found on the laptops of network administrators and field technicians who generate capture files for troubleshooting. They’re found on network devices such as switches and routers that generate capture files automatically for logging. They’re found on the desktop systems of help desk personnel, who generate capture files to diagnose problems for end users. And they’re found in network forensics appliances, which monitor network traffic over hours or days for monitoring and trouble-shooting mission-critical services.
IT organizations manage to get by with this haphazard approach to capture files, letting engineers store them wherever they wish. But this laissez-faire attitude is risky. Capture files can include confidential data that’s en route to users or servers. Some of that data—such as customer records, financial statements, and patient-specific medical information—is subject to strict security regulations in industries such as financial services and healthcare. This data is likely also subject to data privacy laws in states such as California, Massachusetts, and Nevada. Disclosure of this data through any means—even through accidentally misplacing a capture file—can lead to regulatory fines, embarrassing data-breach disclosures, and lost business.
Improving the management of capture files not only closes the door on potentially costly data breaches—it also creates an opportunity to make IT operations faster and more efficient. A capture-file management solution that protects captures while making them easier to share securely with authorized users would be a win-win for IT organizations. The result would be not only tighter security but also improved IT efficiency.
A good first step in evaluating the potential benefits of capture-file management is to recognize all the types of confidential data that capture files commonly contain. This is the confidential data that’s at risk in any data breach of capture files.
Security and Compliance Risks with Capture Files
Confidential Data in Capture Files
A great deal of confidential data crosses enterprise networks every day. This data includes:
- customer records
- financial transaction data, including credit card numbers
- financial documents and spreadsheets
- sales forecasts
- organization charts
- HR documents, including offer letters, employee reviews, and salary information
- login credentials
- product plans
- patent and trademark documents
- research materials
- bug reports
- email messages
- IM conversations
- VoIP conversations
Any of this data can end up in capture files. A spreadsheet emailed by the CFO? Yes. A VoIP phone call between the company president and the company’s legal counsel? Yes. Confidential design plans for a daring new product? Yes, again.
Even if some of this content is jumbled as part of TCP transmissions, IT engineers and knowledgeable users can reassemble intercepted files and restore them to their original states. Many network forensics tools automatically reconstruct hundreds of types of files, including PDFs, Excel spreadsheets, Word documents, and Web graphic files. Even without these advanced forensics tools, though, technically astute users can reconstruct files using simple utilities such as tcpdump.
Two sobering conclusions, then: first, if confidential data ends up in a capture file, it’s accessible to whoever has access to the capture file, and second, the capture files almost always reveal network details that are useful to hackers planning attacks.
Industry Regulations and State Laws Protecting Confidential Data
Any capture file that contains confidential data is subject to the same industry regulations and laws that apply to other confidential data in the enterprise. These regulations and laws include:
GLBA requires financial services companies to keep customer data confidential. The GLBA Safeguards Rule requires financial institutions to develop, monitor, and continually test their systems for protecting the personal non-public information of past and present customers.
HIPAA requires healthcare organizations (HCOs) and their business partners to protect patient-specific healthcare data. HIPAA applies to all HCOs (including hospitals, local clinics, insurance companies, etc.) and their business partners (all organizations, even account firms and Web design firms, doing business with an HCO). Any individual in an HCO or the business partner of an HCO who discloses patient health information is subject to fines up to $50,000 and jail time of up to 1 year.
The relevant parts of HIPAA to packet capture security include sections on workstation use and security, device and media controls (including rules for backup and storage), access controls to electronic resources, and a section that addresses transmission security, which requires encryption of those record during transmission. This puts packet capture in a unique place - since they contain all of the transmitted data, they could be considered to be both the electronic records themselves, and representative of the transmission of those records.
The Payment Card Industry is an industry consortium of major payment card vendors, such as VISA, Master Charge, and American Express. To protect customer data, the PCI developed its own Data Security Standard, which covers security technologies, network administration, and best practices. PCI DSS security measures include restricting access to customer data and encrypting customer data traveling across public networks. All merchants who use PCI cards for business transactions are required to comply with PCI DSS.
An interesting development involving PCI DSS is the state of Nevada’s adoption of this security standard in its data privacy law, which covers all business entities storing customer records of Nevada residents. Rather than develop its own security guidelines, the state government simply adopted PCI DSS, even though this standard is controlled by a private consortium, not a government agency.
SOX says that public companies must put internal security measures in place to control and manage financial reporting. It doesn’t mandate specific security technologies per se, but many organizations implement access controls, encryption, and other technology to ensure that financially material information (everything from earnings reports to sales projections) doesn’t fall into the wrong hands and abet fraud. Though it officially applies only to public organizations, many private companies choose to adhere to SOX guidelines in preparation for someday going public.
- State privacy and data breach notification laws
Nearly all states have now passed data breach notification laws, requiring businesses to notify the public if confidential customer records have been accidentally disclosed. Failure to notify the public promptly can lead to civil or criminal penalties. In addition to data breach notification laws, several states have passed data security laws that require businesses to use encryption and other technologies to protect customer records. Washington and Massachusetts, for example, both mandate the use of encryption for protecting customer data. As news stories about data breaches continue, we can expect more state legislatures to respond to public pressure and enact legislation that requires organizations to rigorously protect customer records at rest and in transit.
- Increasingly Strict Enforcement
In many industries, regulators are growing increasingly strict about compliance with security regulations. Between 2003 and 2008, the federal government evaluated over 8,000 cases of HIPAA violations and settled them all without imposing any significant fines. But in 2009, regulators discovered that employees of CVS Caremark had abandoned paper copies of patients’ prescription information in public trash containers. The Federal Trade Commission fined CVS Caremark $2.25 million (CVS Caremark denied any wrongdoing but settled the case). This penalty marked a turning point in HIPAA enforcement. Since then both the FTC and the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) have been much more vigilant about ferreting out and penalizing HIPAA violations; for example, in February 2011, the OCR fined Cignet Health $4.3 million, of which $3 million for a penalty for failing to cooperate with the OCR’s investigation in a timely manner. The OCR has a built-in incentive for being vigilant: the Health Insurance Technology for Economic and Clinical Health (HITECH) ACT included in the American Recovery and Reinvestment Act (ARRA) of 2009 puts the OCR in charge of enforcing HIPAA security mandates and arranges for financial penalties to be paid directly into the OCR’s operating budget.
Security Regulations and Capture Files
It’s clear that capture files often contain confidential data, and that this data is often subject to regulatory control.
How can IT organizations improve the security of capture files without impeding the work of help desk staff, network administrators, and other IT professionals who need ready access to capture files in order to do their jobs?
Security need not conflict with efficiency. By following the best practices outlined below, enterprise IT organizations can improve capture-file security while helping IT engineers work more quickly and efficiently.
Analyzing Encrypted Data
For groups building web applications or with other use cases for analyzing encrypted data, managing RSA keys for debugging and troubleshooting is another great security risk. While tools like Wireshark allow you to use keys to decrypt data, a copy of that key is now available on every user’s system that does the analysis. Obviously, stolen RSA keys are a huge security breach – allowing a malicious attacker to read encrypted data.
Best Practices for Securing Capture Files
To avoid data breaches through leaked or misplaced capture files, IT organizations should follow these best practices:
Deploy a secure, central repository for capture files.
Ensure that access to capture files is limited to authorized personnel, such as network administrators and help desk staff.
Encourage IT users of capture files to delete local copies of files once they are done working on them.
Within the repository, assign user and group permissions to limit access to files to just the appropriate users. In multi-tenant service environments, ensure that subscribers do not gain access to one another’s files.
Monitor access to the capture-file repository.
Minimize the use of email and FTP for exchanging capture files. Clean up old files that have been left sitting on FTP servers.
Provide a method to securely store RSA keys in a single location so they can be reused for analyzing encrypted data.
If network devices such as switches or other pieces of IT infrastructure automatically generate local copies of capture files, ensure that those devices are secure. Don’t allow unauthorized users to gain access to files or to packet-capture services.
Best Practices for Managing Capture Files
To improve IT efficiency in the areas of troubleshooting and network analysis, IT organizations should follow these best practices:
Make the secure repository accessible to all authorized users of capture files. This includes not only network administrators, but also help desk staff, field technicians, QA testers, and other appropriate users. By making the capture-file repository available to all capture-file users, you minimize the odds that users will create work-around systems for storing and sharing capture files.
When possible, integrate the capture-file repository with test-reporting and bug-tracking services, so that authorized stakeholders have ready access to files relevant to their work. For example, if the repository assigns a unique URL to each capture-file, help desk staff can include URLs in trouble tickets to give other authorized users ready access to relevant capture files.
To facilitate collaboration and accelerate troubleshooting, deploy services that make capture files available to authorized users on mobile devices. Web access to files eliminates the need for email and FTP, while giving remote users, such as administrators working at home, prompt access to critical data about the network.
Using tagging and descriptions to make searching the capture-file repository fast and efficient.
Securing and Managing Capture Files with CloudShark
CloudShark is the industry’s first secure platform for storing and sharing capture files. CloudShark Enterprise provides a central, password-protected repository for all capture files in the enterprise, including capture files created during ad-hoc troubleshooting activities, as well as capture files automatically generated by network devices and applications.
Once in the CloudShark repository, files can be assigned to specific users and groups. By limiting access to capture files, CloudShark minimizes the risk of unauthorized users reading or distributing capture files as part of a data breach.
Security isn’t the only benefit of CloudShark. It also improves IT efficiency by making it easier for authorized users to access, annotate, and share capture files. CloudShark enables users to view, search, and annotate capture files though a Web browser. Browser access makes capture files accessible on mobile devices, such as smartphones and tablets. Using this browser-based access, remote subject-matter experts can collaborate with on-premise staff without requiring access to computers configured with special applications. CloudShark also enables users to tag capture files and share them through URLs, making it easy to integrate capture-file security into bug-tracking and trouble-ticket systems.
Further, CloudShark provides the ability to search across multiple captures using standard Wireshark filters – returning those captures that have the data you’re looking for.
Using CloudShark, enterprises can minimize the risk of capture files contributing to a data breach or regulatory violation.
Summary of Benefits
CloudShark offers enterprise IT teams these benefits:
- Protects confidential data in capture files from unauthorized access, reducing the risk of capture files leading to a data breach that violates data-privacy laws or industry regulations such as GLBA, HIPAA, PCI DSS, and SOX
- Accelerates troubleshooting and reduces MTTR by enabling engineers, field technicians, and developers across an organization to share files and collaborate securely
- Enables network engineers, field technicians, and other IT experts to view and analyze capture files from mobile devices such as iPads and smartphones; makes it easier for engineers working at home or in remote locations to respond to a crisis
- Helps NOC engineers and QA teams build and catalog a searchable library of capture files for base-lining and trend analysis
Supports both private cloud and public cloud deployments, enabling organizations to choose the cloud architecture that works best for them.
CloudShark Enterprise includes the following features:
- Enforces user- and group-based access controls for capture files
- Accepts capture files uploaded through FTP, HTTP, or HTTPS
- Automatically uploads capture files from specified folders
- Robust API to integrate with existing tools
- Lets users view files in a Wireshark-like Web browser interface
- Supports viewing on all browser-based devices, including tablets and smartphones
- Lets users tag files to make them easier to find; tags can identify protocols, trouble tickets, bug numbers, or any other relevant data
- Search across multiple captures using standard Wireshark filters
- Manage and store RSA keys to allow analysis of encrypted data without sharing the keys with individuals
- Lets users annotate entire files or individual packets with helpful comments or questions
- Lets users share files through HTML links rather than emailing or FTP’ing large files
- Integrates with trouble-ticket systems, linking capture files to trouble tickets
- Makes capture files available for downloading to industry standard analysis tools such as Wireshark, AirMagnet, and OmniPeek
If recent changes to HIPAA rules are any indication, regulatory scrutiny of data security practices is only going to increase. Data breaches will be punished with costlier fines. Public disclosures of data breaches will be required for breaches of all sizes. Enterprises with lax IT security will face stiff penalties, bad publicity, and lost business.
Given this mounting regulatory pressure, it behooves IT managers to recognize that packet capture files often contain confidential data that’s subject to industry regulations and data-security laws. Enterprises should follow the best practices described in this paper to protect capture file data, while making capture files themselves easier to manage and to use.
CloudShark gives enterprise IT organizations a secure, flexible capture-file management platform for collecting, storing, and sharing capture files. CloudShark reduces the risk of capture-file data breaches, while making it easier for IT engineers to collaborate on important tasks such as network troubleshooting, application performance management, and security threat remediation.