Cyber security encompasses both system integrity and file security.
System integrity covers the state of the infrastructure: applications, endpoints and networks. Application binaries, application configuration data, and system, network and security logs are all stored in files, which makes file integrity the core of a secure cyber profile.
Cyber integrity builds on these two concepts by weaving people, processes and technology together into a holistic framework that protects the modern enterprise against changes, whether authorised or unauthorised, that could weaken security and destabilise operations.
In the SANS Institute article Back to Basics: Building a Foundation for Cyber Integrity by Barbara Filkins (available as a PDF download), the Center for Internet Security's Critical Security Controls (better known as the CIS Controls) are used to create a prioritised set of actions for establishing cyber integrity within an organisation.
Establishing Cyber Integrity
The first step in establishing cyber integrity is to develop the asset inventory in terms of hardware (CIS Control #1) and software (CIS Control #2). This will allow you to establish a secure configuration baseline.
1. Establish the configuration baseline for your infrastructure.
Once you know your assets, the next step is to understand how they are configured.
Use CIS Controls #5 and #11 to develop your initial configuration baseline, which enables management of current, approved configurations, cataloguing of approved exceptions, and alerting when unauthorised changes occur.
2. Determine the critical files and processes you need to monitor against your established baseline.
Use the CIS Controls #7–#16 to help you refine your monitoring requirements, especially in terms of the file types and the metrics associated with each type of file and process.
Key processes include any that will interface with these files (create, read, update or delete) as well as processes that involve logging and alerting, especially around the use of administrative privileges and the capture and maintenance of audit logs (CIS Control #6).
3. Document your static and dynamic configuration monitoring procedures.
Refer to CIS Control #3 (specifically #3.1 and #3.2) for how to configure your automated scanning tools to detect potential vulnerabilities. Monitoring takes two forms, static and dynamic:
Static monitoring - ranges from simple tracking of a file's time/date stamp against other network parameters to more rigorous methods, such as periodically comparing the current cryptographic checksum of a monitored file (e.g., using the MD5 or SHA-2 hashing algorithms) against a previously calculated and validated checksum.
Dynamic monitoring - provides real-time change notification, typically implemented within, or as an extension to, the operating system kernel, which flags when a file is accessed or modified.
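As an added example (not code from the article or the SANS paper), the static-monitoring approach in Python: build an approved baseline of SHA-256 checksums (from the SHA-2 family mentioned above) plus size and mtime for every file under a directory, then diff a later scan against it. The directory layout and file names used in the check are constructed for illustration; the point it makes is that a content change whose timestamp has been restored is only caught by the checksum comparison, not by mtime tracking.

```python
import hashlib
from pathlib import Path

# Constructed example of a static file-integrity check. The baseline records
# a SHA-256 checksum, size and mtime per regular file; a later scan is diffed
# against it. Checksums, not timestamps, are what detect a file whose content
# changed while its mtime was preserved.


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in fixed-size chunks so large binaries don't fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and record checksum, size and mtime for each regular file.
    Keys are paths relative to root so the baseline can be stored off-host."""
    root_path = Path(root)
    baseline = {}
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[str(path.relative_to(root_path))] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime": int(st.st_mtime),
        }
    return baseline


def compare_baseline(approved: dict, current: dict) -> dict:
    """Diff an approved baseline against a current scan.
    'modified' lists files whose checksum differs (content changed);
    'timestamp_only' lists files whose mtime moved but whose content did
    not, which a checksum-based monitor can down-rank rather than alert on."""
    added = sorted(set(current) - set(approved))
    removed = sorted(set(approved) - set(current))
    modified, timestamp_only = [], []
    for rel in sorted(set(approved) & set(current)):
        if approved[rel]["sha256"] != current[rel]["sha256"]:
            modified.append(rel)
        elif approved[rel]["mtime"] != current[rel]["mtime"]:
            timestamp_only.append(rel)
    return {"added": added, "removed": removed,
            "modified": modified, "timestamp_only": timestamp_only}
```

Store the approved baseline somewhere the monitored host cannot rewrite it, or an attacker who can alter a file can also alter its expected checksum.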
4. Implement continuous vulnerability monitoring.
Evaluate the scope of what you intend to include in your continuous monitoring program in order to develop an actionable approach and select the proper tools.
Follow the guidance provided by CIS Control #3 to ensure notification when suspicious activities take place on critical files or when authorised changes result in misconfigurations or situations exposing the organisation to increased risk and compromise.
In most organisations, the IT team is responsible for configuration management, while the security team is responsible for vulnerability assessment. See how these two teams can work together to ensure that cyber integrity is fully realised.
5. Establish formal change management processes to evaluate requests and track outcomes.
The objective of change management is to make changes in a planned, managed, systematic fashion, with the ability to recover if the change proves problematic.
Assess whether change management problems exist that impede achieving cyber integrity. Does the organisation use a risk-rating process to prioritise (and approve) the remediation of discovered vulnerabilities (Control #3.7)?
Are there unapproved, non-process changes being implemented?
Does the change management process result in a known, updated and approved configuration baseline?
Is an inordinate amount of time during problem resolution spent in determining the exact location and nature of the problem?
Does the organisation suffer from snowflake syndrome (an IT environment where no two endpoints are the same)?
6. Establish training for your staff.
Finally, CIS Control #18 provides guidance on how to focus the necessary training and awareness around cyber integrity:
Perform a gap analysis to understand the skills and behaviours needed for workforce members to adhere to cyber integrity, then use this information to build your baseline education and training road map.
Deliver training to address the identified skills gap and positively affect workforce members’ security behaviour around cyber integrity.
Create an awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviours and skills to help ensure the cyber integrity of the organisation.
In summary
Establishing and maintaining cyber integrity can be a daunting task. Using a pragmatic approach like the CIS Controls makes it easier, because the concept of cyber integrity is actually woven throughout the entire set of controls.
Additionally, make plans to continually measure and improve cyber integrity’s value to the business through reduced risk and improved cyber hygiene, such as using the defined measures and metrics for CIS Controls V7. When done right, cyber integrity will improve security and reduce unplanned work for IT operations.
Tools for file integrity monitoring: WebALARM
Ransomware protection: ARWare
Extracted from Beyond the Basics: Building a Foundation for Cyber Integrity