(This article was originally published on the Findings From the Field blog.)

One aspect of forensics practice which is regularly mentioned but is rarely described in any detail is configuration management. All of the references in last week's post, Security Basics: Control System Forensics, recommend documenting the security configuration and other aspects of important hosts so that when there is an incident, you can compare the state of a potentially compromised host to the approved configuration for that host. However, none of the references describes how to record or manage such "approved configuration" information.

Configuration Baselines

To facilitate forensic investigations, you should have a record of the configuration, and especially the security-relevant aspects of the configuration, of every device on your critical networks. This way, if you ever need to analyze the current state of a device, you have a clear idea of how the device should be configured. The record of approved device configurations is often called a "baseline" configuration for the device. One reason baseline procedures are rarely described in detail may be that they are hard to describe. A great deal of information on modern computers is relevant to security. A configuration baseline should contain all of the following and more:
It gets worse though. In any control system, there are many devices which are not conventional computers. For each such device, there is information which should be captured and archived:
Compliance Management

Enter a new class of tool known as compliance managers. Compliance managers are designed precisely to relieve the burden of gathering and managing information about the configuration of important computers and other devices. Examples of this new kind of tool were both released in 2010. Compliance manager tools not only automate the collection of baseline configuration information, they let you summarize and analyze this information as well. After automatically collecting the data, compliance management tools tend to focus on reports, especially audit-relevant reports. Often the tool vendors will provide security baseline templates for different kinds of devices which you can customize. Then you can compare current configurations to the baselines and produce reports of deviations from these approved configurations. Advanced features include the ability to carry out such comparisons regularly and automatically and raise alerts whenever unauthorized changes are detected.

As always though, when selecting tools to deploy on your industrial networks, you need to think about the impact of the tool on the industrial applications, and you need to ask about the breadth of coverage. Enterprise-focused tools tend to have good support for Windows operating systems and common client and server applications, such as desktops, web browsers and relational databases. Some enterprise tools will also support firewalls, routers and possibly other network devices. Industrial-focused tools will have this kind of support, but should also be aware of industrial applications and devices, such as control systems, historians, and PLCs. Further, industrial compliance managers should be aware of control system issues, including sometimes limited network bandwidth and limited host computing resources available for background tasks like compliance management data gathering and analysis.
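To make the baseline-comparison and alerting workflow described above concrete, here is an added example (written for this page, not code from the original article or from any compliance manager product). It stores an approved baseline as a fingerprinted JSON record, compares a later snapshot of the same host against it category by category, and turns the deviations into a report with alert flags for the categories a site has decided are alert-worthy. The snapshot layout, the alert policy, the host name "hmi-01", and all file hashes, services, ports and accounts are constructed for the example; a real collector would fill the same structure from the host.

```python
"""Compare a host's current configuration snapshot against its approved
baseline and produce a deviation report, the core of what a compliance
manager does. Added example for this post; not code from the article or
from any product. Snapshot layout and all sample data are constructed."""
import hashlib
import json
from dataclasses import dataclass

# Categories where any deviation should raise an alert rather than only
# appear in a periodic report (constructed policy for this example).
ALERT_CATEGORIES = {"services", "listening_ports", "accounts"}


@dataclass(frozen=True)
class Deviation:
    category: str   # "files", "services", "listening_ports", ...
    key: str        # item that differs: a path, service name, port, user
    expected: object
    observed: object
    kind: str       # "missing", "unexpected" or "changed"


def compare_snapshot(baseline: dict, current: dict) -> list:
    """Walk every category of both snapshots. Each category maps an item
    name to its approved/observed value; a category absent on one side is
    treated as empty there."""
    found = []
    for category in sorted(set(baseline) | set(current)):
        approved = baseline.get(category, {})
        observed = current.get(category, {})
        for key in sorted(set(approved) | set(observed)):
            if key not in observed:
                found.append(Deviation(category, key, approved[key], None, "missing"))
            elif key not in approved:
                found.append(Deviation(category, key, None, observed[key], "unexpected"))
            elif approved[key] != observed[key]:
                found.append(Deviation(category, key, approved[key], observed[key], "changed"))
    return found


def alerts(deviations: list) -> list:
    """Subset of deviations that warrant an immediate alert."""
    return [d for d in deviations if d.category in ALERT_CATEGORIES]


def baseline_fingerprint(baseline: dict) -> str:
    """SHA-256 over the canonical JSON form, so an archived baseline can be
    checked for tampering before it is trusted as forensic reference data."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def archive_baseline(hostname: str, baseline: dict) -> str:
    """Serialize a baseline together with its fingerprint for long-term storage."""
    record = {"host": hostname, "fingerprint": baseline_fingerprint(baseline),
              "baseline": baseline}
    return json.dumps(record, sort_keys=True, indent=2)


def load_baseline(text: str) -> dict:
    """Reload an archived baseline, refusing it if the fingerprint no longer
    matches the content."""
    record = json.loads(text)
    if baseline_fingerprint(record["baseline"]) != record["fingerprint"]:
        raise ValueError("archived baseline fails integrity check")
    return record["baseline"]


def render_report(hostname: str, deviations: list) -> str:
    lines = [f"Deviation report for {hostname}: {len(deviations)} finding(s)"]
    for d in deviations:
        flag = "ALERT" if d.category in ALERT_CATEGORIES else "info "
        lines.append(f"  [{flag}] {d.category}/{d.key}: {d.kind} "
                     f"(expected={d.expected!r}, observed={d.observed!r})")
    return "\n".join(lines)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: an approved HMI baseline and a later snapshot of the
# same host. File hashes are computed from placeholder contents so the
# example runs offline.
APPROVED_BASELINE = {
    "files": {"C:/HMI/hmi.exe": _sha256(b"hmi build 4.2"),
              "C:/HMI/config.xml": _sha256(b"<config/>")},
    "services": {"HMIRuntime": "auto", "Telnet": "disabled"},
    "listening_ports": {"502/tcp": "HMIRuntime"},
    "accounts": {"operator": "enabled", "Administrator": "enabled"},
}
CURRENT_SNAPSHOT = {
    "files": {"C:/HMI/hmi.exe": _sha256(b"hmi build 4.2 (modified)"),
              "C:/HMI/config.xml": _sha256(b"<config/>")},
    "services": {"HMIRuntime": "auto", "Telnet": "auto"},
    "listening_ports": {"502/tcp": "HMIRuntime", "23/tcp": "Telnet"},
    "accounts": {"operator": "enabled", "Administrator": "enabled",
                 "vendor_support": "enabled"},
}

if __name__ == "__main__":
    archived = archive_baseline("hmi-01", APPROVED_BASELINE)
    baseline = load_baseline(archived)
    print(render_report("hmi-01", compare_snapshot(baseline, CURRENT_SNAPSHOT)))
```

Run as a script, the sample produces four findings: a changed hash on hmi.exe (reported as information), and three alerts: the Telnet service switched from disabled to auto, a new listener on 23/tcp, and an unexpected vendor_support account. Fingerprinting the archived baseline matters for the forensic use the post describes: an investigator comparing a compromised host to its baseline needs to know the reference record itself has not been altered since it was approved.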
Looking Forward

The good news for forensic analysts and industrial network administrators alike is that many organizations are considering investing in compliance management technologies as cost-saving measures for regulatory compliance programs. This is good news, especially at sites regulated by CFATS and NERC-CIP standards, because it means that the power of these tools will be available to these organizations. Compliance managers can save organizations time and money by automating compliance data acquisition, management and reporting, but they add value to forensics investigations as well. The baseline data, the reports and especially the ability to alert on configuration changes and compare configurations over time can be very valuable when investigating security incidents, and even when investigating more routine control system performance and reliability problems.
2011-02-01
Compliance Managers Support Forensics