network tap

Whether doing security research or troubleshooting networks, network sniffers and packet analysis can be invaluable tools. If you're a network engineer like me, you've probably been holding onto your favorite 4 or 8-port 10/100 hub for 25 years now. The reason is that hubs (not switches) make great network taps. By design, all Ethernet transmissions on a hub are sent to all ports. To monitor another device, you can place it on a hub along with your laptop/sniffer and then connect that hub to the rest of your network (if needed). All packets sent to or from this device will also be sent to your sniffer on the hub. Even 25 years later, the hub I bought during college still makes a great network tap. It was only recently that I needed something a little more powerful.

Hubs date back to the early years of Ethernet when twisted-pair cabling started being used for networking (like Cat-3/Cat-5). These networks initially ran at only 10 Mb/s and early hubs were also limited to that throughput. As technology advanced, Ethernet speeds increased to 100 Mb/s and new Ethernet switches were created. Unlike hubs, switches only forward packets to the port needed for the packet to reach its intended destination. This was done because hubs can suffer from "collisions" that occur when more than one device tries to transmit at the same time. Switches eliminate packet collisions and allow networks to remain efficient as the number of networked devices grows. Modern switches also support 10/100 Mbit/s and gigabit (1,000 Mbit/s) throughputs. While this is great for network performance, most inexpensive switches can't be used as a network tap.

So, what can you do when you need to monitor a high-speed gigabit link and can't afford an expensive network tap? How about the $39.99 10/100/1000 8-port Netgear GS308E switch with "Enhanced Features". As you probably guessed, one of those enhanced features, called Port Mirroring, allows this switch to be used as a network tap. And unlike a hub, port mirroring allows you to monitor another port without it also monitoring you.

How To:

Follow the instructions below to configure a high-speed (up to gigabit) network tap using the Netgear GS308E switch.

Physical connections:

Port 1 – Device (or Network Segment) Being Monitored

Port 2 – Sniffer (My Laptop)

Port 8 – Uplink to Network (optional)

  1. Log into your Netgear GS308E by going to its management IP address with a web browser. The default URL is http://192.168.0.249 if there is no DHCP server available to assign an address. (See the owner's manual if you are having trouble accessing the switch management.)
  2. Click: System (top row) >> Monitoring (2nd row) >> Monitoring (left button)
  3. Port Mirroring Configuration:
    1. Click the Source Port of the port you want to monitor. In our example, this is Port 1. Multiple ports can be selected if you want to monitor several ports at the same time.
    2. In the Mirroring dropdown, select Enable.
    3. In the Destination Port dropdown, select the port that you will connect your sniffer to. In our example, this is Port 2.
    4. Validate that your settings are correct and click Apply.


That's all there is to it! Make sure your devices are connected to the proper ports and start your network analysis.
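One practical check before trusting the tap: a switch floods broadcast and multicast frames to every port whether or not mirroring is enabled, so seeing some traffic on the sniffer port proves nothing. The mirror is only working if unicast frames between two other hosts (the monitored device and the rest of the network) show up. The script below is an added example, not part of the original post; it parses raw Ethernet II frames and classifies them, using constructed sample frames and made-up MAC addresses for the monitored device, the sniffer and the uplink.

```python
"""Classify frames captured on the sniffer port to confirm port mirroring works.

Constructed example: the MAC addresses and frames below are made up; on a real
capture, feed the raw frame bytes from your pcap reader into mirror_report().
"""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(dst), fmt(src), ethertype


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet II frame (used only to construct sample input)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def mirror_report(frames, sniffer_mac: str) -> dict:
    """Count frames by category; 'mirrored' frames prove the mirror is active."""
    counts = {"own": 0, "flooded": 0, "mirrored": 0}
    for frame in frames:
        dst, src, _ = parse_ethernet(frame)
        if sniffer_mac in (dst, src):
            counts["own"] += 1            # normal traffic to/from the sniffer itself
        elif int(dst[:2], 16) & 1:        # group bit set: broadcast or multicast
            counts["flooded"] += 1        # a switch floods these without any mirror
        else:
            counts["mirrored"] += 1       # unicast between two other hosts
    counts["mirror_working"] = counts["mirrored"] > 0
    return counts


# Constructed sample: Port 1 = monitored device, Port 2 = sniffer, Port 8 = uplink.
MONITORED, SNIFFER, UPLINK = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:08"
SAMPLE_FRAMES = [
    build_frame(UPLINK, MONITORED),                 # monitored -> network (mirrored)
    build_frame(MONITORED, UPLINK),                 # network -> monitored (mirrored)
    build_frame(UPLINK, SNIFFER),                   # sniffer's own traffic
    build_frame(BROADCAST, MONITORED, 0x0806),      # ARP broadcast, flooded anyway
    build_frame("01:00:5e:00:00:fb", MONITORED),    # multicast, flooded anyway
]

if __name__ == "__main__":
    print(mirror_report(SAMPLE_FRAMES, SNIFFER))
```

If only the "own" and "flooded" counters are non-zero on a real capture, the destination port is receiving ordinary switch floods rather than mirrored traffic, and the Source Port / Destination Port settings should be rechecked.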

GLBA Safeguard Rule compliant

Why the GLBA Safeguard Rule change might apply to your business

Back in 1999, the Gramm-Leach-Bliley Act was passed in the United States. Its main purpose was to allow banks to offer services that previously were forbidden by laws passed even farther back in 1933. In doing so, the scope of these new rules surrounding these services not only applied to banks, but also to any organization that offered them.

A primary component of this Act, Section 501, requires the protection of non-public personal information. It states, "...each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."

Privacy, Security, Confidentiality. Could you identify a hot topic in information security today that doesn't involve one or all three of those areas? Couple that intense interest with the changes in technology that have occurred over the past 20 years and you can understand why amendments to the GLBA were needed.

The main rule we will discuss here is the Standards for Safeguarding Customer Information, commonly called the Safeguards Rule. Originally published in 2001, this rule was just amended (January 10, 2022) and some of the most important provisions became effective on December 9, 2022. The overarching goal of this rule is the requirement to have "the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information."

Does this apply to me?

You can't duck the issue based on size. Nearly all of the rules apply regardless of size; the only exceptions are some new elements that do not apply to entities maintaining fewer than 5,000 consumer records. The most important qualifiers are:

  1. You are considered to be a "financial institution" under the GLBA's definitions, or
  2. You receive information about customers of financial institutions.

If either of these are true, then the GLBA rules apply to you.

What is a financial institution according to the GLBA? The exact definition is, "any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k)." In case you don't have the Bank Holding Company Act handy, here is a list of examples of financial institutions that the GLBA applies to, as noted in 16 CFR 314.2(h)(2)(iv):

These are just some examples, and this list is not all-inclusive. Note that simply letting someone run a tab or accepting payments in the form of a credit card that was not issued by the seller does not make an entity a financial institution.

Ok, it applies to me. Now what?

At the heart of the Safeguards Rule are a number of key elements involving the development, maintenance, and enforcement of a written information security plan (ISP). The key aspects and notable amendments:

  1. A single qualified individual must be designated to oversee, implement, and enforce the ISP. This is a change from the original language, which allowed for one or more employees to coordinate the program. If your organization doesn't have a qualified individual on staff, a third-party company can be utilized for this function. This does, however, require the designation of a senior member of the organization to direct and oversee the third-party representative(s), and all compliance obligations remain with the hiring organization.
  2. A risk assessment process must be in place. This process must identify and assess risks to customer information in each relevant company area and evaluate the effectiveness of current controls implemented to mitigate those risks. This is not a new requirement; however, for companies maintaining information on 5,000 or more customers, the following elements must be part of the risk assessment documentation:
    1. The criteria used to evaluate and categorize risks and threats to information systems
    2. The criteria used to assess the confidentiality, integrity, and availability of information and systems used to process customer information and the adequacy of the existing controls
    3. A description of how identified risks will be mitigated or accepted, and how the ISP will address those risks
  3. Design and implement a safeguards program, and regularly monitor and test it. This is not a new requirement; however, the amendments added eight specific types of safeguards that must be part of this program:
    1. Physical and technical access controls, including a review of authorized users
    2. Identification and evaluation of the data, personnel, devices, and systems used that interact with customer data
    3. Encryption of all customer information, both in transit and at rest
    4. Secure development practices and security testing for applications used for transmitting, accessing, or storing customer information
    5. Implementation of multi-factor authentication for any information system that contains customer information accessed by any individual. This requirement can also be met if the qualified individual noted in item 1 has approved an equivalent or stronger control.
    6. Procedures for the secure disposal of customer information no later than two years after the last date the information is used, unless retention is otherwise required or necessary for legitimate business purposes
    7. Implementation of change management policies
    8. Implementation of policies, procedures, and controls to monitor and log authorized user activity and detect unauthorized use
  4. Routine testing and monitoring of controls enforcing the safeguards program must be conducted to evaluate their effectiveness. Two specific control tests are now required for companies maintaining information on 5,000 or more customers:
    1. Conduct vulnerability scanning at least every six months
    2. Undergo penetration testing at least annually
  5. Specific policy requirements for training of information systems personnel and general security awareness training. The amendments add specificity to the existing training requirements and require formal documentation of the policies. These elements include:
    1. Security updates and training procedures to address new risks specific to systems that are running in the enterprise's environment
    2. Verification that key personnel are maintaining their knowledge of threats and available defenses against those threats
    3. General security awareness training requirements and procedures for all employees and engaged third parties utilizing the enterprise's information systems
  6. The requirement to oversee service providers that assist in the preparation, maintenance, and use of the environment handling consumer data was part of the original rule. This requires the selection of service providers capable of maintaining appropriate safeguards, and that contract language mandates these safeguards. The amendments add an additional requirement that the service providers must be periodically assessed on the risks associated with their use, and the adequacy of the safeguards they have implemented.
  7. A new requirement for entities handling more than 5,000 consumer records is the existence of a written incident response plan. There are seven requirements for this plan in the new amendments:
    1. Stated goals of the response plan
    2. A description of internal procedures for responding to a security event
    3. The definition of roles, responsibilities, and levels of decision-making authority for individuals involved in the incident response process
    4. Plans for handling internal and external communications, and details on the use of information sharing resources
    5. Procedures for the remediation of identified weaknesses in information systems and associated controls
    6. Requirements for documenting and reporting of security events, procedures for classifying incidents, and the activation of the incident response plan
    7. A defined process for post-incident performance, evaluation, and revision of the incident response plan following an event.
  8. Another new requirement for entities handling more than 5,000 consumer records is a written report, presented to the enterprise's governing body or a senior/executive-level individual, on at least an annual basis. This report is to be created by the qualified individual responsible for oversight of the ISP, as noted in item number one. There are two elements required to be in the report:
    1. The overall status of the ISP, including its compliance with the updated Safeguards Rule
    2. Recommendations for changes or improvements, and any other material matters related to the ISP

How long do I have to comply?

Covered financial institutions should be in compliance with the non-amended components of the Safeguards Rule already, since the formal effective date of the rule was January 10, 2022. The FTC has allowed for an effective date of December 9, 2022, for the amended provisions due to the length of time required to implement them.

Are there penalties for non-compliance?

Besides the potential costs associated with breaches, successful malware attacks, ransomware, and the like, there are penalties that can be assessed by the FTC for non-compliance. These penalties can apply to the enterprise and/or individuals responsible for compliance as follows:

So, if this does apply to you and your organization, hopefully you are already compliant and none of this was a surprise to you. If this doesn't apply to you, I commend you for reading on. And if it applies and you are completely surprised by the requirements and amendments, the clock is ticking! Contact SynerComm for compliance support.

SynerComm and ChannelBytes hosted an engaging virtual discussion with Check Point, touching on topics ranging from "Innovative ways Check Point is tackling cloud security issues" to "How does machine learning and AI play into automation?" and "Advice for security teams adopting new security dynamics".

In this video we're discussing cloud security in the modern world with SynerComm, a leading security consultant. Our experts dive into developing cloud capabilities and the cybersecurity implications associated with it. Watch and learn from Kirk Hanratty, SynerComm's CTO and Co-founder, and TJ Gonen, Head of Cloud Security at Check Point.

SynerComm and ChannelBytes hosted an engaging virtual discussion with Expel, touching on topics ranging from "Advancements from SIM technology" to "Email phishing and the cybersecurity lifecycle" and "Implications and threats within IoT".

In this video we're discussing the rise and fall of cybersecurity breaches with SynerComm, a leading security consultant. Watch and learn from Kirk Hanratty, SynerComm's CTO and Co-founder, and Matt Peters, Chief Product Officer at Expel.
