2011-02-01

Compliance Managers Support Forensics

(This article was originally published on the Findings From the Field blog.)

One aspect of forensics practice which is regularly mentioned but is rarely described in any detail is configuration management. All of the references in last week's post Security Basics: Control System Forensics recommend documenting security configuration and other aspects of important hosts so that when there is an incident, you can compare the state of a potentially compromised host to the approved configuration for that host. However, none of the references describes how to record or manage such "approved configuration" information.

Configuration Baselines

To facilitate forensic investigations, you should have a record of the configuration, and especially the security-relevant aspects of the configuration, of every device on your critical networks. This way, if you ever need to analyze the current state of a device, you have a clear idea of how the device should be configured. The record of approved device configurations is often called a "baseline" configuration for the device.

One reason baseline procedures are rarely described in detail may be that they are hard to describe. A great deal of information on modern computers is relevant to security. A configuration baseline should contain all of the following and more:
  • network settings: network addresses, routes, DNS servers, and domain servers,
  • account settings: users with accounts on the machine, privileges for each of those users, password settings, and applications which auto-start when the user logs in,
  • installed software: the packages installed on the computer, their versions and patch levels, and any application-specific security settings,
  • the operating system itself: what features are installed, what version and which patches are installed, and
  • operating system security settings, such as firewall rules, open ports, running services, and applications which auto-start when the machine boots.
Gathering this information manually, archiving it and keeping it current for a large number of machines is a lot of work.

It gets worse though. In any control system, there are many devices which are not conventional computers. For each such device, there is information which should be captured and archived:
  • network device configurations should be archived and analyzed for important information, such as version and patch levels, user names, passwords, access rights, open ports, encryption methods, authentication methods, and other security settings,
  • Programmable Logic Controller firmware and programming both should be archived and analyzed for version numbers, patch levels and high-level characteristics of user-supplied programs and function blocks,
  • Remote Terminal Units, smart sensors and other devices should at minimum record firmware versions and patch levels, as well as other characteristics where applicable, such as user names and permissions.
Forensics investigators use configuration baselines when examining a device to determine whether it has been changed in unauthorized ways. Identifying what has changed is the first step in determining if those changes were legitimate and authorized, or if they were the result of errors and omissions, or if they were introduced maliciously. The problem with baselines is that they contain a lot of information, which changes slowly over time. As a result, they are costly to manually create and maintain.

Compliance Management

Enter a new class of tool known as compliance managers. Compliance managers are designed precisely to relieve the burden of gathering and managing information about the configuration of important computers and other devices. Examples of this new kind of tool are
both released in 2010.

Compliance Manager tools not only automate the collection of baseline configuration information, they let you summarize and analyze this information as well. After automatically collecting the data, compliance management tools tend to focus on reports, especially audit-relevant reports. Often the tool vendors will provide security baseline templates for different kinds of devices which you can customize. Then you can compare current configurations to the baselines and produce reports of deviations from these approved configurations. Advanced features include the ability to carry out such comparisons regularly and automatically and raise alerts whenever unauthorized changes are detected.
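The comparison described above, as an added example (not from the original article or from any vendor's tool): Python code that diffs a current snapshot against an approved baseline and fingerprints the baseline so an archived copy can be checked for tampering. The snapshot layout, category names and sample values are constructed assumptions.

```python
import hashlib
import json

# Constructed sample data: an approved baseline and a later snapshot of the same host.
BASELINE = {
    "accounts": {"operator": "user", "admin": "administrator"},
    "packages": {"historian": "4.2.1", "hmi-runtime": "7.0.3"},
    "listening_ports": [102, 443, 502],
    "autostart": ["historian-svc", "hmi-runtime"],
}
CURRENT = {
    "accounts": {"operator": "administrator", "admin": "administrator",
                 "svc_tmp": "administrator"},
    "packages": {"historian": "4.2.1", "hmi-runtime": "7.0.3"},
    "listening_ports": [102, 443, 502, 4444],
    "autostart": ["historian-svc", "hmi-runtime", "updater.exe"],
}

def fingerprint(snapshot):
    """SHA-256 over canonical JSON, independent of key order in the snapshot."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def deviations(baseline, current):
    """Return (category, item, change, approved, observed) tuples in sorted order."""
    found = []
    for category in sorted(set(baseline) | set(current)):
        approved = baseline.get(category, {})
        observed = current.get(category, {})
        # Lists (ports, autostart entries) become items that carry no value.
        if not isinstance(approved, dict):
            approved = {item: None for item in approved}
        if not isinstance(observed, dict):
            observed = {item: None for item in observed}
        for item in sorted(set(approved) | set(observed), key=str):
            if item not in approved:
                found.append((category, item, "added", None, observed[item]))
            elif item not in observed:
                found.append((category, item, "removed", approved[item], None))
            elif approved[item] != observed[item]:
                found.append((category, item, "changed", approved[item], observed[item]))
    return found

if __name__ == "__main__":
    print("baseline sha256:", fingerprint(BASELINE))
    for category, item, change, approved, observed in deviations(BASELINE, CURRENT):
        print(f"{category:16} {str(item):14} {change:8} "
              f"approved={approved} observed={observed}")
```

Each reported deviation still has to be matched against change records to decide whether it was authorized, an error, or malicious.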

As always though, when selecting tools to deploy on your industrial networks, you need to think about the impact of the tool on the industrial applications, and you need to ask about the breadth of coverage. Enterprise-focused tools tend to have good support for Windows operating systems and common client and server applications, such as desktops, web browsers and relational databases. Some enterprise tools will also support firewalls, routers and possibly other network devices. Industrial-focused tools will have this kind of support, but should also be aware of industrial applications and devices, such as control systems, historians, and PLCs. Further, industrial managers should be aware of control system issues, including sometimes limited network bandwidth and limited host computing resources available for background tasks like compliance management data gathering and analysis.

Looking Forward

The good news for forensic analysts and industrial network administrators alike is that many organizations are considering investing in compliance management technologies as cost-saving measures for regulatory compliance programs. This is good news, especially at sites regulated by CFATS and NERC-CIP standards, because it means that the power of these tools will be available to these organizations. Compliance managers can save organizations time and money by automating compliance data acquisition, management and reporting, but they add value to forensics investigations as well. The baseline data, the reports and especially the ability to alert on configuration changes and compare configurations over time, can be very valuable when investigating security incidents, and even when investigating more routine control system performance and reliability problems.
