Keeping Top-Priority Legal Data Safe from Unauthorised Access

The Lithuanian State Enterprise Centre of Registers manages highly sensitive and valuable legal information on real estate ownership, boundaries, company ownership and address data. With the help of Qualys solutions, the organisation has improved its ability to comply with strict EU data protection standards, and can rapidly and thoroughly test web applications for potential security issues.

Registrų centras (the State Enterprise Centre of Registers) administers three large national registers related to land and real estate in Lithuania. These registers – now managed as electronic databases – hold highly sensitive and valuable information on real estate ownership, land ownership boundaries, company ownership, and addresses.

Since Lithuania's accession to the European Union in 2004, the legal requirement to keep this private information safe from unauthorised access has become all the more important. The Centre of Registers faces the ongoing challenge of balancing privacy and security with growing expectations for easy access to data via the internet.

Increasingly, the public's preferred way of submitting and accessing data in the registers is through web applications. For the Centre of Registers, this implies a complex and constantly expanding set of technology assets that it must monitor and protect against potential vulnerabilities – translating into a major administrative burden for a relatively small team of technicians.

Checking Out the Lie of the Land

The first step in ensuring data security is to understand the IT systems and their perimeters. On taking up his role at the Centre of Registers, Linas Laucius, Chief Security Officer, undertook a complete review of the organisation's complex and sprawling infrastructure. As he recalls, "This is one of the largest and most complex set of systems in Lithuania. I was faced with 2,000 desktops and several hundred servers, both virtual and physical, organised into multiple overlapping network domains – and all with very limited documentation."

The Centre of Registers had deployed Qualys Vulnerability Management (VM) and Qualys Web Application Scanning (WAS) several years earlier to improve its security posture, but was using the solutions in a relatively limited and unplanned way. Seeing the need for a more rigorous approach that would make full use of the solutions, Laucius started by using the discovery function of Qualys VM to map out the network topology. This enabled him to correct and enrich the existing view, and to identify and remove a number of unauthorised sub-networks and computers.

"The outcome was a much better understanding of the entire network infrastructure, and a clear view of the scale of the task we were facing," says Laucius. "There were more than 1,000 different critical vulnerabilities to address, many of which were present on all of our assets. This allowed us to define the scope and make plans to remediate the vulnerabilities, and we quickly reduced the number by at least 50 percent, especially for Windows systems. We are constrained in the manpower that we can dedicate to patching, and we currently lack the ability to apply centralised patching to our Linux machines. Qualys VM enables us to understand where the most critical issues are and how to mitigate them, and it allows us to track our progress."

As part of improving the effectiveness of the Qualys solutions, the Centre of Registers signed up for free training sessions, gaining valuable skills and experience.

Identifying and Remediating Vulnerabilities

The Centre of Registers scans approximately 300 systems for vulnerabilities on a weekly basis. The majority are web servers in the demilitarised zone (DMZ) of the network, including physical Windows servers, and virtual Windows and Linux servers running in VMware environments. The scheduled weekly scans also include a number of critical Oracle database servers that run behind the corporate firewall.

The organisation also continues to scan for unapproved network devices and for open network ports – both to identify potential vulnerabilities and to confirm (by seeing that the appropriate comms port is open) that antivirus packages are installed.

"In my experience, you can check with Microsoft and find that no patches are needed," comments Laucius. "When you then scan with Qualys VM, you find that you are missing three or four priority patches – it's much more accurate, and that's the real value. You also get both the recommended remediation action and the link, so you can immediately click to download the patch."

Improving the Quality of Application Security

The Centre of Registers maintains approximately 100 applications, using a combination of its internal team of 50 software developers and external contractors. Given their direct exposure to the internet, web apps are clearly a much more risky proposition from the security perspective than internal systems, and it is particularly important for the Centre of Registers to audit the security of outsourced code.

The organisation is using Qualys WAS to scan 15 web apps, and expects this number to at least double in the coming year as new apps come online or existing ones are converted for web use. These are mostly self-service apps for checking the ownership of land and property, and an app for registering new businesses.

When development is complete, each app is deployed to a test environment that is identical to the final production environment. The new app is analysed for vulnerability to attacks such as SQL injection and cross-site scripting. If no Category Four or Category Five vulnerabilities are found, the app is released to production.

"If we had to manually test web apps, the testing time would increase from 12 hours to perhaps one week," says Laucius. "When we review apps written a few years ago, we tend to find 20 to 30 serious vulnerabilities, whereas for new apps we rarely even find three. Much of that improvement is down to the transparency and better security awareness we now have. We can now produce secure apps much faster than before, and we have seen a significant improvement in the quality of our code."

Maintaining Robust Security without Effort

The three databases that the Centre of Registers manages are among the most important national information assets, and it is vital for the organisation to ensure secure 24/7 access to the data they contain. It must also comply with strict EU data privacy laws, ensuring zero unauthorised access to personal data.

"Security is a moving target; you can never be 100 percent secure at all times, but our experience shows that you can make it extremely difficult for anyone to penetrate your systems," comments Laucius. "Internal managers and external contractors absolutely trust the information we provide on vulnerabilities because there are almost never any false positives. And the automation of the Qualys solutions means that we can maintain a strong security posture without huge amounts of work. Without tools like these, I simply can't imagine how an organisation would tackle the security problem."