topic Re: Integrity checks in Tech Talk

Integrity checks

Deyan — Wed, 21 Feb 2018 11:01:37 GMT

Hello community,

Please give me your opinion about this security control called integrity checks. I am specifically interested in the context of NIST 800 53 controls catalog:

SI-7(1) Software, Firmware, And Information Integrity | Integrity Checks that lists requirement that the information system should "performs an integrity check of software/firmware/information] at startup or regularly.

I am really puzzled are we talking about a standalone separate tool that does integrity checks or ... for example the WIndows chkdisk or the built in features in most OS count for this?

I guess my question is - can you give me an example of such integrity checking tool that would make me compliant with this control (built in or 3rd party), also - if you have any opinions about this I would appreciate.

Re: Integrity checks

Early_Adopter — Wed, 21 Feb 2018 11:20:27 GMT

So there are a few Host Intrusion Prevention/Detection Sys HIPS/HIDS out there

Three examples that would probably work:

Tripwire is the original take a hash of all the files on the system and then compare for modification, Symantec has the Control Compliance Suite and Data Center Security that do similar things, and McAfee has a Host Intrusion Prevention product for Desktops and Servers.

If you want to check data integrity files just have something encrypt and sign it with x.509 or OpenPGP(look after your keys).

Now the one that's interesting to me verification of Firmware, quite difficult to achieve and while I know of many possible attacks I guess the approach I would have is to have one system watch the other, but how would you tell if both systems graphics cards were lying to you?

These guys look to be top dog http://trapezoid.com at the moment - but if I remember the approach you might take with vehicles is to monitor communications between components over CAN bus or AFDX. not being able to install much on to components. Not sure how this maps to PCs/Servers/VMs/Container but it looks fun:

https://www.schneier.com/blog/archives/2015/04/hacking_airplan.html

Re: Integrity checks

Deyan — Wed, 21 Feb 2018 11:37:26 GMT

Thanks for your input Adopter.

Re: Integrity checks

denbesten — Wed, 21 Feb 2018 14:53:30 GMT

Early_Adopter makes some good points about what we as administrators can do.

I would also say it includes selecting systems that use "Trusted Computing Platform", which validates a digital signature on the boot loader before the firmware will transfer control to it.

It would also include things that manufacturers are doing for us behind the scenes, such as installer signing, which causes both Windows and RedHat to refuse to install software that does not have a valid digital signature (E.g. signed by a CA in your certificate store). Java is now doing the same thing at run-time for applets.

Re: Integrity checks

CISOScott — Wed, 21 Feb 2018 17:42:49 GMT

@Deyan wrote:
Hello community,

Please give me your opinion about this security control called integrity checks. I am specifically interested in the context of NIST 800 53 controls catalog:
SI-7(1) Software, Firmware, And Information Integrity | Integrity Checks that lists requirement that the information system should "performs an integrity check of software/firmware/information] at startup or regularly.

I am really puzzled are we talking about a standalone separate tool that does integrity checks or ... for example the WIndows chkdisk or the built in features in most OS count for this?
I guess my question is - can you give me an example of such integrity checking tool that would make me compliant with this control (built in or 3rd party), also - if you have any opinions about this I would appreciate.

Also don't forget to look at the corresponding entry in 800-53A, the manual used for testing compliance with the control in 800-53. Here is what it says:

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records generated/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators].

Test: [SELECT FROM: Software, firmware, and information integrity verification tools].

So you can use any of the above methods to check/meet compliance. It may not be a software method, it may be a person manually checking firmware dates manually and documenting that they haven't changed.

A good way to prove compliance is to look at the manual your auditor is going to use to verify compliance, which is 800-53A.

Re: Integrity checks

Deyan — Thu, 22 Feb 2018 06:25:13 GMT

Thanks CISO Scott

Re: Integrity checks

Edd — Mon, 26 Feb 2018 16:11:40 GMT

Looking at what an auditor will check for is an excellent way to approach this. Having said that, sometimes an experienced auditor will approach this with an open mind for any kind of 'health-check', technical or organizational measure (aka TOM) that an organization uses to verify the configuration/patch-level/settings/etc. for systems. I recommend doing a quarterly walk-through of each system (if possible) looking at user IDs, access policies, software (including firmware and OS) versions and patches, application settings, network configuration and anything else that might be pertinent in your environment. Not a 'fun' task, but essential for the basic hygiene of systems. Good luck!

Re: Integrity checks

Deyan — Mon, 26 Feb 2018 19:50:21 GMT

Thanks Edd and everyone.