downloads advanced host intrusion prevention with csa part 2 potx


Chapter 1: The Problems: Malicious Code, Hackers, and Legal Requirements

comply without assuming any additional immediate workload. This provides companies with a sufficient timeframe needed to effectively test patches and other updates before implementing them in production environments.

• Section 10: IDS Devices and Software—Implement host-based IDS on critical systems. The CSA provides Day Zero intrusion protection as a core function of the product.
• Section 10: Inspection of Critical Files and Directories—Review directories and files for unexpected and unauthorized changes no less than twice per 24-hour period. The CSA product provides real-time access control security and reporting for specified directories and files on protected systems.

Sarbanes-Oxley

Sarbanes-Oxley, which is often referred to as SOX, was introduced by the U.S. Congress because of the corporate financial scandals that occurred over the past several years. This legislation requires that corporate executives place strict controls over financial reporting and auditing mechanisms. If found not to be in compliance with the legislation, the corporate executives could face fines and prison terms. There are additional sections to the SOX legislation that specifically refer to the types of audits that could impact the financial records and stability of a company. Because of this, the CSA is a beneficial piece of the corporate security controls. The CSA provides monitoring, reporting, and control capabilities to many financial systems and to the many workstations that have direct user interaction.

SB-1386

Senate Bill 1386 of the California Senate (SB-1386) was designed to protect California residents’ personal information from being left unprotected by companies and organizations that have collected and stored it over the years. This legislation is enforceable on any organization that has employees or customers who reside in California.
Protecting private personal information is not an easy task and requires that security controls be in place to protect the data. The CSA provides the end-point protection for the systems that protect and access this data and for the auditing capabilities required to control and report on access attempts.

NOTE Although SB-1386 requires only notification of California residents when a breach of privacy has occurred, it is highly unlikely that a company would inform only those individuals whose security was breached, because other non-California residents would protest. As a result, many companies follow SB-1386 regardless of the customer location.

VISA PCI

Visa PCI, Protected Cardholder Information, is a standard driven by the Visa credit card organization. This standard provides a strict set of rules that must be followed by any company that accepts Visa credit card transactions and transmits or stores the information electronically. Visa PCI was specifically put into place by Visa to protect the millions of cardholders that trust that the companies that accept Visa every day will protect their personal identity and private information, such as name, address, social security number, and credit score. If a credit card vendor is found in violation of the policies, it will be fined, subject to restrictions, and possibly permanently suspended from the ability to accept the Visa card as payment. The CSA can provide many protective mechanisms required to limit or nullify exposure of personal information by providing secure systems and applications.

Summary

There are many reasons to secure systems; some are related to human threats, others are related to automated code-based threats, and others are related to legislative requirements. Although protecting transactions and resting data is a daunting task, it can be successfully implemented with the use of several products installed throughout the infrastructure. A critical component of that solution is end-point protection, such as CSA, that provides the actual controls over the resting data and any exploits that might attempt to gain unauthorized access to that data. The CSA is an effective solution that provides the necessary end-point controls required for countering today’s threats, concerns, and requirements.

[...]

... 64-bit 12/02 edition or later (corresponds to kernel Generic_108528-18 or higher), with SUNWlibCx libraries, and UltraSPARC single, dual, and quad processor systems
• Microsoft Windows NT 4.0 (Service Pack 6a only—earlier service pack versions no longer have support)
• Microsoft Windows 2000 (Server, Advanced Server) with Service Pack 0, 1, 2, 3, or 4
• RedHat Enterprise Linux (RHEL) 3.0 Advanced...

... release notes for the version of CSA that you have to ensure compatibility with any internationalized versions of Microsoft Windows. With CSA 4.5 and later, certain internationalized versions of Windows are supported and internationalization (translation) of the base CSA user interface messages, events, and the help system. As of the CSA 4.5 release notes, this included running CSA on internationalized versions...

... deploying CSA into a server environment, you need to gather several pieces of data for use in the later phases of your project and pilot planning. Start with the operating systems in your environment and what operating systems CSA currently supports. Reading the CSA 4.5.1 documentation, you see that CSA currently supports the following server operating systems for the end agents:
• Sun Solaris 8 (2.8) 64-bit...
... view of the Operating System—Base Protection—Windows policy configuration.

Figure 2-2 Policy Configuration View

Policies as a grouping mechanism within CSA contain various rule modules that are related to accomplish a certain task or group of security tasks. For example, the desktop policy that is contained within the base CSA MC installation includes several rule modules that in turn contain several rules...

• You are interested in the Cisco Network Admission Control (NAC) and having CSA work with the other pieces of software to help your environment adhere to your security and access policies
• Preventing attacks by using an intrusion prevention product, such as CSA, is more important than just detecting attacks by using an intrusion detection product
• You need additional visibility into your environment’s...

... you with all these attacks both in detection and prevention (depending on the configuration of the policies) and allow you to have a measure of control over the activities that might cause damage to your environment.

Desktop/Laptop Operating System Support

The CSA 4.5.1 documentation outlines current support for CSA use by Cisco on the following desktop operating systems:
• Microsoft Windows 2000...

... processes

Policy Implementation

Rule Modules and Policy Hierarchy

Rule modules are collections of various types of rules grouped together to perform a collective task. By grouping rules this way, you can easily deploy the security protection or policy controls they enforce as a single component tied to another layer of grouping called a policy. Figure 2-2 displays a CSA MC view of the Operating System—Base...

... else can CSA offer you? The following list outlines just a few of the less obvious areas in which CSA can assist you:
• Application tracking. CSA 4.5 and later provides application tracking. Some of this is useful in gauging compliance with software standards such as the following:
— Is anyone not running Office 2003 Service Pack 1?
— Is anyone still running a vulnerable version of Firefox?
Figure 3-1 shows...

... the CSA issues be? The CSA issues would be typical of any other software package and could be categorized as follows: regular bandwidth usage (in the case of CSA, sending events to the server and receiving notifications from the server) and other bandwidth usage (full policy updates, deployment of the initial agent software package, and software updates to the agent itself). There are ways to work within...

Chapter 2: Cisco Security Agent: The Solution

• NT Event Log—Allows specific Windows event log events to be reported to the CSA MC
• Registry Access Control—Allows or denies access of the registry by application
• Sniffer and Protocol Detection—Detects and prevents ...

... policy. Figure 2-2 displays a CSA MC view of the Operating System—Base Protection—Windows policy configuration.

Figure 2-2 Policy Configuration View

Policies as a grouping mechanism within CSA contain...

... maintenance and event reporting.

Figure 2-1 CSA MC Graphical User Interface (GUI)

CSA Hosts and Groups

Configuration and Event Database

The CSA MC ships with the capability to install a Microsoft...

CSA can play several roles within your network, such as personal firewall, host intrusion prevention, application control, security policy enforcement, and so on. The implementation of the CSA

Date posted: 14/08/2014, 18:21

Table of contents

  • Part II CSA Project Planning and Implementation
