GPG-13 – Requirements

Provide a means of providing accurate time in logs and synchronization between system components with a view to facilitating collation of events between those components. This can be achieved by any or all of the following means:

• Providing a master clock system component which is synchronized to an atomic clock;
• Updating device clocks from the master clock using the Network Time Protocol (NTP);
• Record time in logs in a consistent format (Universal Co-ordinated Time (UTC) is recommended);
• As a fallback, checking and updating device clocks on a regular basis (for example, weekly).
• Projects should define the error margin for time accuracy according to business requirements.
• The following issues also need to be considered:
• Some devices may not support clock synchronization and need to be manually maintained;
• Although recording time in UTC, the human interface should also support local time;
• Clocks drift on mobile devices (for example, Portable Electronic Devices (PEDs)) may require correction upon attachment.

1. Each and every event record should include a simple time-stamp.
2. Alert messages may reference related events and should also be time-stamped.
3. Log file extracts should include an accurate time-stamp that is digitally signed.
4. Transactions with a high integrity requirement should have a hash of the transaction time stamped, digitally signed and a copy of the transaction record retained.

• GPG-13: Time Sync Error

• GPG-13: Time Sync Errors
• GPG-13: High Integrity Transaction Report

The objective of this control is to provide reports, monitoring, recording and analysis of business traffic crossing a boundary with a view to ensuring traffic exchanges are authorized, conform to security policy, transport of malicious content is prevented and alerted, and that other forms of attack by manipulation of business traffic are detected or prevented.

The main requirement is to provide an accountable record of imports and exports executed by internal users and to track cross-boundary information exchange operations and the utilization of any externally visible interfaces. This includes checking of all cross-boundary movement of information, content checking and quarantining services.

Application based checks can be applied to business traffic to accept legitimate transactions and reject alert malformed exchanges.

1. Malware detection at the boundary.
2. Every change in status of the boundary anti-malware signatures.
3. Blocked web browsing activities.
4. Blocked file import attempts across the boundary.
5. Blocked file export attempts across the boundary.
6. Enhancement to Events 4. and 5. records to include file content.
7. Enhancement to Events 4. and 5. records, where processed by a guard processor.
8. Allowed web browsing activities across the boundary.
9. File import across the boundary that are allowed.
10. Allowed file export across the boundary.
11. Enhancement to Events 9. and 10. records to include file content.
12. Enhancement to Events 9. and 10. records, where processed by a guard processor.
13. Files entered into a transfer cache.
14. Access of files entered into a transfer cache.

• GPG-13: Malware Detected at Boundary
• GPG-13: Blocked Web Browsing Activity
• GPG-13: Blocked File Import/Export Attempt
• GPG-13: Boundary Anti-Malware Policy Change

• GPG-13: Successful/Failed Malware Detected at Boundary
• GPG-13: Completed File Import/Export
• GPG-13: Access to File Transfer Cache Folder
• GPG-13: Boundary Anti-Malware Policy Change
• GPG-13: Blocked Web Browsing
• GPG-13: Blocked File Import/Export Attempt
• GPG-13: Allowed Web Browsing Activity

The objective of this control is to provide reports, monitoring, recording and analysis of network activity at the boundary with a view to detecting suspect activity that would be indicative of the actions of an attacker attempting to breach the system boundary or other deviation from normal business behavior.

The main requirement is to receive information from firewalls and other network devices for traffic and traffic trend analysis. This will enable detection of common attacks such as port scanning, malformed packets and illicit protocol behaviors.

An intrusion detection service is a recommended defense at the boundary with any untrusted network (for example, the Internet). It may also be a mandated requirement in codes of connection for membership of community of interest networks (such as GSI). Whenever it is implemented then it is recommended it includes a Recordable Report profile of at least B.

1. Packets being dropped by boundary firewalls.
2. All boundary monitoring system console messages at Critical status and above.
3. User authentication failures on boundary devices and systems.
4. The detection of all suspected attacks at the boundary.
5. All boundary monitoring system console messages at Error status.
6. User sessions on boundary devices and consoles of boundary management systems.
7. All changes to boundary firewall and other relevant device rule-bases.
8. All actions invoked by users in response to an external attack notification.
9. Every change in status of the external attack recognition software (Security Information and Event Management systems (SIEM), Network Behavior Analysis (NBA), IDS or IPS) signature base.
10. All boundary monitoring system console messages at Warning status and below.
11. All commands issued to boundary devices and consoles of boundary monitoring systems.
12. Packets being passed by boundary firewalls.
13. Enhancement to Event 1. records to include full packet capture.
14. All automated responses at the boundary (by an IPS).
15. Enhancement to Event 10. records to include full packet capture.

• GPG-13: IPS Command and Response
• GPG-13: Boundary Monitor Device Critical
• GPG-13: Auth Failure on Boundary Device
• GPG-13: Attack Detected at Boundary
• GPG-13: Bndry Mon Dvce Config/Policy Chg
• GPG-13: Attck Recog Software Policy Change

• GPG-13: Packet Dropped at Security Boundary
• GPG-13: Boundary Monitoring Warning Status
• GPG-13: Boundary Monitoring Device Commands
• GPG-13: Packet Passed at Security Boundary
• GPG-13: Full Packet Capture Dropped at Boundary
• GPG-13: IPS Command and Response
• GPG-13: Full Packet Capture Passed at Boundary
• GPG-13: Boundary Monitoring Device Critical Status
• GPG-13: Auth Failure on Boundary Device
• GPG-13: Attack Detected at Boundary
• GPG-13: Boundary Monitoring Error Status
• GPG-13: User Session on Boundary Device
• GPG-13: Boundary Monitoring Device Change
• GPG-13: Attack Recognition Software Policy Change

PMC4 - Recording of workstation, server or device status

The objective of this control is to detect changes to device status and configuration. Changes may occur through accidental or deliberate acts by a user or by subversion of a device by malware (for example, installation of trojan software or so called "rootkits"). It will also record indications that are typical of the behavior of such events (including unexpected and repeated system restarts or addition of unidentified system processes).

It also attempts to detect other unauthorized actions in tightly controlled environments (for example, attachment of USB storage devices). This includes extension to extensive monitoring of any business critical file areas.

1. All critical host messages at Critical status and above (servers and selected workstations).
2. Malware detection incident on any host (workstation or server).
3. All critical host messages at Error status and above (servers and selected workstations).
4. Every change in status of any hosts anti-malware software signature base.
5. Every failing file system access attempt should be logged and reportable.
6. Changes to file or path access rights within system folders.
7. Change in status of all networked hosts.
8. Change in status of attachment of devices attached to controlled hosts.
9. Change in status of storage volumes of monitored hosts.
10. Change in software configuration status.
11. Changes detected to files within system folders.
12. All critical host messages at Warning status or below (servers and selected workstations).
13. Any changes to system configuration (or registry) settings any host.
14. Change in status of system processes on monitored hosts.
15. Enhancement to Event 10. records to include package software inventory.
16. Enhancement to Event 11. records to include the contents of changes to files.
17. Enhancement to Event 13. records to include the content of changes to configuration settings.

• GPG-13: Critical Host at Critical Status
• GPG-13: File Monitoring Event - File Changes
• GPG-13: Malware Detected on Host

• GPG-13: Critical Host at Critical Status
• GPG-13: Change in Software Config Status (Linux)
• GPG-13: Change in Software Config Status (Windows)
• GPG-13: File Monitoring Event - File Changes
• GPG-13: Critical Host at Warning Status
• GPG-13: Changes to System Config on Monitored Host
• GPG-13: Status Change of Process on Monitored Host
• GPG-13: Successful/Failed Malware Detected on Host
• GPG-13: Critical Host at Error Status
• GPG-13: Endpoint Anti-Malware Signature Update
• GPG-13: Networked Host Status Change
• GPG-13: Status Change Device Connected to Host
• GPG-13: Failed File System Access (Linux)
• GPG-13: Failed File System Access (Windows)
• GPG-13: Storage Volume Status Change (Linux)
• GPG-13: Storage Volume Status Change (Windows)
• GPG-13: System File Permission Change (Linux)
• GPG-13: System File Permission Change (Windows)

PMC5 - Recording relating to suspicious internal network activity

The objective of this control is to monitor critical internal boundaries and resources within internal networks to detect suspicious activity that may indicate attacks either by internal users or by external attackers who have penetrated to the internal network.

Likely targets for heightened internal monitoring include:

• Core electronic messaging infrastructure (for example, email servers and directory servers)
• Sensitive databases (for example, HR databases, finance, procurement/contracts, etc.)
• Information exchanges with third parties
• Project servers and file stores with strict "need to know" requirements

1. Packets being dropped by internal firewalls.
2. All internal monitoring system console messages at Critical status and above.
3. User authentication failures on internal network devices and monitoring consoles.
4. All internal monitoring system console messages at Error status.
5. User sessions on internal network devices and monitoring consoles.
6. All changes to internal firewall and other relevant device rule-bases.
7. The detection of all suspected internal attacks.
8. All internal monitoring system console messages at Warning status or below.
9. All commands issued to internal network devices and central consoles of internal monitoring systems should be logged and reportable.
10. Packets being passed by internal firewalls should be logged and reportable.
11. Enhancement to Events 1. records to include full packet capture.
12. All actions invoked by users in response to an internal attack notification.
13. Every change in status of the internal attack recognition software (SIEM, NBA, IDS or IPS) signature base.
14. All automated responses at internal network control points (by an IPS).
15. Enhancement to Events 10. records to include full packet capture.

• GPG-13: Auto Response from Intrnl Bndry Dvc
• GPG-13: Intrnl Monitor Dvc Critical
• GPG-13: Auth Failure on Intrnl Boundary Dvc
• GPG-13: Intrnl Bndry Monitor Dvc Chg
• GPG-13: Suspected Internal Attack

• GPG-13: Packet Dropped at Internal Boundary
• GPG-13: Packet Passed at Internal Boundary
• GPG-13: User Session on Internal Boundary Device
• GPG-13: Internal Boundary Monitoring Device Change
• GPG-13: Suspected Internal Attack
• GPG-13: Intrnl Attack Recog Software Sig Update
• GPG-13: Auto Response from Internal Bndry Firewall
• GPG-13: Internal Monitoring Device Critical Status
• GPG-13: Auth Failure on Intrnl Boundary Dvc
• GPG-13: Internal Boundary Monitoring Error Status
• GPG-13: Internal Monitoring System at Warning
• GPG-13: Internal Network Device Changes
• GPG-13: Internal Boundary Network Deny Activity

PMC6 - Recording relating to network connections

The objective of this control is to monitor temporary connections to the network either made by remote access, virtual private networking, wireless or any other transient means of network connection. This includes:

• Environments which are permissive and that support Wireless LANs (WLANs), mobile users and remote working which includes more restrictive environments in which the attachment of modems and wireless access points are prohibited.

1. User authentication failures for remote access.
2. All unsuccessful Virtual Private Network (VPN) node registrations.
3. Changes of status of dynamic IP address assignments.
4. User sessions via remote access.
5. Changes in status of VPN node registration.
6. All rejected attempts to connect equipment to protected network attachment points.
7. All network connection console messages at Critical status and above.
8. User authentication failures on network connection consoles.
9. All network connection console messages at Error status.
10. All cases of attachment attempts of wireless devices to legitimate wireless access points.
11. User sessions on network connection consoles.
12. The detection of all suspected wireless attacks.
13. All network connection console messages at Warning status or below.
14. All commands issued to network connection consoles
15. All actions invoked by users in response to an internal attack notification.
16. Every change in status of the internal attack recognition software (WIDS) signature base.
17. Detection of all rogue wireless interfaces and wireless access points should be logged, reportable and alerted.

• GPG-13: Remote Access Auth Failure
• GPG-13: Suspected Wireless Attack
• GPG-13: Suspicious Rogue Host Activity
• GPG-13: VPN Node Registration Failure
• GPG-13: Rejected Connection to Network
• GPG-13: Network Connection Console Critical
• GPG-13: Network Auth Failure

• GPG-13: Remote Access Auth Failure
• GPG-13: Discovered Wireless Access Activity
• GPG-13: User Session on Network Connection Console
• GPG-13: Suspected Wireless Attack
• GPG-13: Network Connection Console Warning Status
• GPG-13: Internal Boundary Monitoring Device Change
• GPG-13: WIDS Config Change
• GPG-13: Suspicious Rogue Host Activity
• GPG-13: VPN Node Registration Failure (un-auth)
• GPG-13: VPN Node Registration Failure (authorized)
• GPG-13: DHCP IP Address Assignment Change
• GPG-13: User Remote Access Session
• GPG-13: Status of VPN Node Registration (un-auth)
• GPG-13: Status of VPN Node Registration (auth)
• GPG-13: Rejected Connection to Network
• GPG-13: Network Connection Console Critical Status
• GPG-13: Network Auth Failure
• GPG-13: Network Connection Console at Error Status

To monitor user activity and access to ensure they can be made accountable for their actions and to detect unauthorized activity and access that is either suspicious or is in violation of security policy requirements. This is intended to support accountability requirements such that users can be held to account for actions they perform on ICT systems.

1. User network sessions.
2. User network account status change.
3. Changes to network user privileges and user group status and membership.
4. Use of any application or database administrative facility.
5. User network account status changes to locked-out state should be alerted.
6. Change in privilege level status of a user on a server or critical workstation.
7. Invocation of any accountable user transaction (including interactions with applications and database servers).
8. Local user sessions on critical workstations.
9. Local user account status change on critical workstations should be logged and reportable.
10. Changes to critical workstation user accounts and group membership or status.
11. Running of all network commands and executables.
12. Enhancement to Event 7. records to include transaction contents.
13. Running of all critical workstation commands and executables.

• GPG-13: Network Account Locked Out Status

• GPG-13: User Network Sessions Summary
• GPG-13: Critical WS User Acct Priv/Group Change
• GPG-13: Network Commands and Executables
• GPG-13: Critical WS Commands and Executables
• GPG-13: User Network Account Status Change Summary
• GPG-13: Network Account Privilege/Group Change
• GPG-13: User Privilege Level Change (su and sudo)
• GPG13: User Privilege Level Change (Windows)
• GPG-13: Accountable User Transactions Summary
• GPG-13: Local User Session on Critical Host
• GPG-13: Local Critical Host User Act Status Change
• GPG-13: APP or DB Administrative Activity

To provide a means by which previous know working states of information assets can be identified and recovered from in the event that either their integrity or availability is compromised.

Providing an audit trail of backup and recovery operations is an essential part of the backup process and will enable identification of the most reliable source of the prior ‘know good states’ of the information assets to be recovered in the event of data corruption, deletion or loss.

The need for more sophisticated backup and recovery facilities are generally driven by higher levels of risk to Integrity and Availability properties.

There is a complimentary requirement for online storage failure events to be alerted, this is met by PMC4 Recordable Event 1 (the detection of any server storage failure should be classed as an alertable Critical event).

1. Backup, test and recovery operations.
2. Backup, test and recovery operation failures should be alerted.
3. Enhancement of Event 1. records to include operation file catalogue details.
4. Enhancement of Event 3. records to include site reference and version information.

• GPG-13: Backup Ops Critical Error Failure

• GPG-13: Backup Operations Status

PMC9 - Alerting critical events

To allow critical classes of events to be notified in as close to real-time as is achievable.

The aware level requirement is for console based alerts that can be watched for by duty Security Managers.

It would be expected that extensive projects (with a continuous monitoring requirement) would require a Security Operations Centre with summary wall displays (with the most complex scenarios implementing redundant monitoring centers).

It should be noted that alerts themselves are recordable events.

Smaller projects can have a solution to fit their size and would typically only require a profile A solution with simple monitoring facilities (a Security Manager workstation). Smaller projects may also consider combination of functions (for example, security and network management) provided this does not conflict with segregation requirements.

Secondary alerting channels may also be supported for projects that cannot provide continuous console manning (for example, SNMP, email, SMS, etc.) via either in hours or out of hours services.

1. Alert messages routed to Security Manager console(s).
2. Simple alert notifications sent via secondary channels (email, SMS, pager, etc.).
3. Configuration changes of alerts and secondary alerts.
4. Graphical display of alert streams on consoles or wall displays.
5. Enhancement of Event 1. reports to include multicasting of alerts to several sites.

• GPG-13: LogRhythm Alert Config Change

PMC10 - Reporting on the status of the audit system

To support means by which the integrity status of the collected accounting data can be verified.

The Aware segment requisites comprise the need to inspect log status on end devices and alerting of logging errors or other security relevant conditions.

Upper segments expand the requirements to include the need for centralized log collection and querying systems (ultimately served as a resilient solution).

Smaller (especially single location) projects can have a solution to fit their size and would typically only require a profile level A solution without log collection facilities (perhaps assisted by COTS log analysis tools).

1. Log resets, error conditions, failures and threshold exceptions.
2. Query of status of active log storage on all devices on which logs are kept either locally or centrally.
3. Optionally provide a time record of Event 2. information, displaying trends.
4. Enhancement to Event 2. records to include log rotation information.
5. Movement of segments and messages along the log collection chain. Message time-stamps should not be superseded.
6. Query at central collector(s) to provide a report of log sources.
7. Optionally provide a time record of Event 5. in graphical form, displaying trends over time.
8. Integrity checks failures at any point in the log handing chain.
9. Log access query requests including requests for production of log extracts.
10. The central collector(s) should be able to query the online and selectively retrieved archive accounting data.

• GPG-13: Logging Exception

• GPG-13: Logging Exception
• GPG-13: Log Volume Report
• GPG-13: Log File Rotated
• GPG-13: Log Volume by Log Source

PMC11 - Production of sanitized and statistical management reports

To provide management feedback on the performance of the protective monitoring system in regard of audit, detection and investigation of information security incidents.

Exact report content requirements needs to be agreed with management and it needs to be ensured that the contents are readily digestible by the target community. The objectives of such reporting are to:

• Promulgate awareness of the current information security situation to management and staff;
• Demonstrate the ongoing contribution and return on investment of Protective Monitoring services deployed on a project;
• Support business cases for improvement;
• Provide evidence for IA capability maturity assessment.

All reports need to be designed with this in mind.

Examples of appropriate content for management reports includes:

• Trends of attacks over current period plus history;
• Performance of detection and defense mechanisms (including percentage ratio of: real alerts / (real + false alerts));
• Rolling "top 10" attacks experienced;
• Geographic representation of where the attacks are coming from;
• Statistics on internal violations;
• Sanitized summaries of significant ongoing events or investigations;
• Summary of current audit and compliance check results.

These will be combined with information from other sources (for example, SIEM system) to provide a complete information security status report. Due to the broad range of outputs possible no Accounting Recommendations table is provided for this risk treatment.

Requirements for management reports will largely dictated by the technology adopted for any given project.

The more advanced log management and SIEMs can be expected to provide report templates as well as a series of preformatted reports. It is possible that some tools will support multiple purposes and can provide support for:

• information security incident management;
• computer forensic investigations;

In these cases they should be able to provide complete information security status reports.

• GPG-13: Audit Failure Executive Summary
• GPG-13: Audit Success Executive Summary
• GPG-13: Operations Events Executive Summary
• GPG-13: Privileged Failure Summary
• GPG-13: Security Events Executive Summary
• GPG-13: Successful/Failed Malware Detected at Boundary
• GPG-13: Successful/Failed Malware Detected on Host
• GPG 13: Terminated Account Summary
• GPG-13: Top Attacker Summary
• GPG-13: Top Suspicious Login Summary
• GPG-13: Top Targeted Application Summary
• GPG-13: Top Targeted Host Summary
• GPG 13: New Account Summary
• GPG-13: Logging Exception
• GPG-13: File Integrity Monitor Summary
• GPG-13: User Access Granted/Revoked Summary

To ensure that all monitoring and interception of communications is conducted lawfully and that accounting data collected by the system is treated as a sensitive information asset in its own right.

The most significant aspect of ensuring Protective Monitoring is lawful is ensuring that it is justified. A major part of the evidence for that justification is that the risk management process ensures there is neither too much nor too little.

There are certain aspects of user consent that need to be recorded as part of the system implementation. As for the other treatments the degree of rigor and trust in these increased along the scale of increasing segments. It is important to seek legal advice on compliance with the law and wording of all related screen messages and documents. Online electronic sign up may also be supplemented, or alternatively replaced, by manual records of user agreements and monitoring policies.

1. User sign up operations.
2. It should be possible to configure alerts for user sign up refusals.
3. Enhancement to Event 1. reports to include a user digital signature. Log records should also be recorded for each re-affirmation.
4. Enhancement to Event 3. reports to include a hardware token or smartcard reference.
5. Log records should also be recorded for authorization transaction involving that user.

• GPG-13: Account Modified Rule