Appendix A List of Acronyms¶
COI |
community of interest |
DI |
data integrity |
DSP |
Directory Services Protector |
ESM |
Enterprise Security Manager |
IT |
Information Technology |
ISO/IEC |
International Organization for Standardization/International Electrotechnical Commission |
NCCoE |
National Cybersecurity Center of Excellence |
NIST |
National Institute of Standards and Technology |
NIST IR |
NIST Interagency Report |
RMF |
Risk Management Framework |
SP |
Special Publication |
TLC |
Tripwire Log Center |
TLS |
Transport Layer Security |
USB |
Universal Serial Bus |
VM |
Virtual Machine |
vsftpd |
Very Secure File Transfer Protocol Daemon |
WORM |
Write Once Read Many |
WSA |
Web Security Appliance |
Appendix B Glossary¶
Access Control |
The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances) SOURCE: Federal Information Processing Standard (FIPS) 201; CNSSI-4009 |
Architecture |
A highly structured specification of an acceptable approach within a framework for solving a specific problem. An architecture contains descriptions of all the components of a selected, acceptable solution while allowing certain details of specific components to be variable to satisfy related constraints (e.g., costs, local environment, user acceptability). SOURCE: FIPS 201-2 |
Audit |
Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures SOURCE: CNSSI 4009-2015 |
Backdoor |
An undocumented way of gaining access to a computer system. A backdoor is a potential security risk. SOURCE: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-82 Rev. 2 |
Backup |
A copy of files and programs made to facilitate recovery if necessary SOURCE: NIST SP 800-34 Rev. 1 |
Compromise |
Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred SOURCE: NIST SP 800-32 |
Continuous Monitoring |
Maintaining ongoing awareness to support organizational risk decisions SOURCE: NIST SP 800-137 |
Cybersecurity |
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation SOURCE: CNSSI 4009-2015 (NSPD-54/HSPD-23) |
Data |
A subset of information in an electronic format that allows it to be retrieved or transmitted SOURCE: CNSSI-4009 |
Data Integrity |
The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner SOURCE: CNSSI-4009 |
Information Security |
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability SOURCE: FIPS 199 (44 U.S.C., Sec. 3542) |
Information Security Risk |
The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems SOURCE: CNSSI 4009-2015 (NIST SP 800-30 Rev. 1) |
Information System |
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information SOURCE: FIPS 200 (44 U.S.C., Sec. 3502) |
Insider |
An entity inside the security perimeter that is authorized to access system resources but uses them in a way not approved by those who granted the authorization SOURCE: NIST SP 800-82 Rev. 2 (RFC 4949) |
Kerberos |
An authentication system developed at the Massachusetts Institute of Technology (MIT). Kerberos is designed to enable two parties to exchange private information across a public network. SOURCE: NIST SP 800-47 |
Log |
A record of the events occurring within an organization’s systems and networks SOURCE: NIST SP 800-92 |
Malware |
A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system SOURCE: NIST SP 800-111 |
Privacy |
Assurance that the confidentiality of, and access to, certain information about an entity is protected SOURCE: NIST SP 800-130 |
Risk |
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring SOURCE: FIPS 200 |
Risk Assessment |
The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis SOURCE: NIST SP 800-63-2 |
Risk Management Framework |
The Risk Management Framework (RMF), presented in NIST SP 800-37, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. SOURCE: NIST SP 800-82 Rev. 2 (NIST SP 800-37) |
Security Control |
A protection measure for a system SOURCE: NIST SP 800-123 |
Virtual Machine |
Software that allows a single host to run one or more guest operating systems SOURCE: NIST SP 800-115 |
Vulnerability |
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source SOURCE: FIPS 200 (Adapted adapted from CNSSI 4009) |
Appendix C References¶
- B1
Sedgewick, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, National Institute of Standards and Technology, Gaithersburg, Maryland, Apr. 2018, 55 pp. Available: https://www.nist.gov/cyberframework/framework.
- B2
L. Kauffman, N. Lesser and B. Abe, Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy, NISTIR 8050, National Institute of Standards and Technology, Gaithersburg, Maryland, April 2015, 155pp. Availabe: https://nccoe.nist.gov/sites/default/files/library/nistir-8050-draft.pdf.
- B3
G. Stoneburner, et al., Guide for Conducting Risk Assessments, NIST Special Publication (SP), 800-30 Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, September 2012, 95 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-30r1.
- B4
R. Ross, et al., Guide for Applying the Risk Management Framework to Federal Information Systems, NIST Special Publication (SP) 800-37, National Institute of Standards and Technology, Gaithersburg, Maryland, February 2010, 101pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-37r1.
- B5
R. Ross et al., Managing Information Security Risk, NIST Special Publication (SP) 800-39, National Institute of Standards and Technology, Gaithersburg, Maryland, March 2011, 87pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-39.
- B6
M. Souppaya et al., Guide to Enterprise Patch Management Technologies, NIST Special Publication (SP) 800-40 Revision 3, National Institute of Standards and Technology, Gaithersburg, Maryland, July 2013, 25pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-40r3.
- B7
R. Ross et al., Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication (SP) 800-53 Revision 4, National Institute of Standards and Technology, Gaithersburg, Maryland, April 2013, 461pp. Available: https://doi.org/10.6028/NIST.SP.800-53r4.
- B8
U.S. Department of Commerce. Security Requirements for Cryptographic Modules, Federal Information Processing Standards (FIPS) Publication 140-3, Mar. 2019, 65pp. Available: https://csrc.nist.gov/publications/detail/fips/140/3/final.
- B9
K. Kent et al., Guide to Integrating Forensic Techniques into Incident Response, NIST Special Publication (SP) 800-86, National Institute of Standards and Technology, Gaithersburg, Maryland, August 2006, 121pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-86.
- B10
K. Kent and M. Souppaya, Guide to Computer Security Log Management, NIST Special Publication (SP) 800-92, National Institute of Standards and Technology, Gaithersburg, Maryland, September 2006, 72pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-92.
- B11
P. Bowen et al., Information Security Handbook: A Guide for Managers, NIST Special Publication (SP) 800-100, National Institute of Standards and Technology, Gaithersburg, Maryland, October 2006, 178pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-100.
- B12
M. Swanson et al., Contingency Planning Guide for Federal Information Systems, NIST Special Publication (SP) 800-34 Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, May 2010, 148pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-34r1.
- B13
Office of Management and Budget (OMB), Management of Federal Information Resources, OMB Circular No. A-130, November 2000. Available: https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf.
- B14
P. Cichonski et al., Computer Security Incident Handling Guide, NIST Special Publication (SP) 800-61 Revision 2, National Institute of Standards and Technology, Gaithersburg, Maryland, August 2012, 79pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-61r2.
- B15
M. Souppaya and K. Scarfone, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, NIST Special Publication (SP) 800-83 Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, July 2013, 46pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-83r1.
- B16
C. Johnson et al., Guide to Cyber Threat Information Sharing, NIST Special Publication (SP) 800-150, National Institute of Standards and Technology, Gaithersburg, Maryland, October 2016, 42pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-150.
- B17
M. Bartock et al., Guide for Cybersecurity Event Recovery, NIST Special Publication (SP) 800-184, National Institute of Standards and Technology, Gaithersburg, Maryland, December 2016, 52pp. http://dx.doi.org/10.6028/NIST.SP.800-184.
- B18
J. Banoczi et al., Access Rights Management, NIST Special Publication (SP) 1800-9, National Institute of Standards and Technology, Gaithersburg, Maryland, October 2017. Available: https://www.nccoe.nist.gov/projects/use-cases/access-rights-management.
- B19
B. Fisher et al., Attribute Based Access Control, NIST Special Publication (SP) 1800-3, National Institute of Standards and Technology, Gaithersburg, Maryland, September 2017. Available: https://www.nccoe.nist.gov/projects/building-blocks/attribute-based-access-control.
Appendix D Functional Evaluation¶
A functional evaluation of the data integrity (DI) example implementation, as constructed in our laboratory, was conducted to verify that it meets its objective of identifying assets and vulnerabilities within the enterprise. Furthermore, the project aims to protect these assets prior to an attack. The evaluation verified that the example implementation could perform the following functions:
discover assets on the network
discover and mitigate vulnerabilities in assets on the network
protect data from modification prior to an attack
provide a baseline for daily activity and asset integrity
Section D.1 describes the format and components of the functional test cases. Each functional test case is designed to assess the capability of the example implementation to perform the functions listed above and detailed in Section D.1.
D.1 Data Integrity Functional Test Plan¶
One aspect of our security evaluation involved assessing how well the reference design addresses the security characteristics it was intended to support. The Cybersecurity Framework Subcategories were used to provide structure to the security assessment by consulting the specific sections of each standard that are cited in reference to that Subcategory. The cited sections provide validation points that the example solution is expected to exhibit. Using the Cybersecurity Framework Subcategories as a basis for organizing our analysis allowed us to systematically consider how well the reference design supports the intended security characteristics.
This plan includes the test cases necessary to conduct the functional evaluation of the DI example implementation, which is currently deployed in a lab at the National Cybersecurity Center of Excellence. The implementation tested is described in Section 4.
Each test case consists of multiple fields that collectively identify the goal of the test, the specifics required to implement the test, and how to assess the results of the test. Table 6‑1 describes each field in the test case.
Table 6‑1 Test Case Fields
Test Case Field |
Description |
|---|---|
Parent Requirement |
Identifies the top-level requirement or the series of top-level requirements leading to the testable requirement |
Testable requirement |
Drives the definition of the remainder of the test case fields. Specifies the capability to be evaluated. |
Description |
Describes the objective of the test case |
Associated Cybersecurity Framework Subcategories |
Lists the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 4 controls addressed by the test case |
Preconditions |
The starting state of the test case. Preconditions indicate various starting state items, such as a specific capability configuration required or specific protocol and content. |
Procedure |
The step-by-step actions required to implement the test case. A procedure may consist of a single sequence of steps or multiple sequences of steps (with delineation) to indicate variations in the test procedure. |
Expected results |
The expected results for each variation in the test procedure |
Actual results |
The observed results |
Overall result |
The overall result of the test as pass/fail. In some test cases, determination of the overall result may be more involved, such as determining pass/fail based on a percentage of errors identified. |
D.2 Data Integrity Use Case Requirements¶
Table 6‑2 identifies the DI functional requirements addressed in the test plan and associated test cases.
Table 6‑2 Capability Requirements
Capability Requirement (CR) ID |
Parent Requirement |
Sub requirement 1 |
Test Case |
|---|---|---|---|
CR 1 |
The DI example implementation shall identify and protect assets against malware that encrypts files and displays notice demanding payment. |
||
CR 1.a |
Vulnerability in Active Directory server is identified. |
Data Integrity IP-1 |
|
CR 1.b |
User is blocked from visiting malicious site. |
Data Integrity IP-1 |
|
CR 1.c |
Downloads from site are blocked. |
Data Integrity IP-1 |
|
CR 1.d |
Vulnerability is patched. |
Data Integrity IP-1 |
|
CR 1.e |
Ransomware cannot send information to home server. |
Data Integrity IP-1 |
|
CR 1.f |
Backups are taken. |
Data Integrity IP-1 |
|
CR 1.g |
File integrity information is baselined. |
Data Integrity IP-1 |
|
CR 2 |
The DI example implementation shall identify and protect assets against malware inserted via Universal Serial Bus (USB) that modifies and deletes user data. |
Data Integrity IP-2 |
|
CR 2.a |
Backups are taken. |
Data Integrity IP-2 |
|
CR 2.b |
File integrity information is baselined. |
Data Integrity IP-2 |
|
CR 3 |
The DI example shall identify and protect virtual machines against deletion. |
Data Integrity IP-3 |
|
CR 3.a |
Backups of virtual machines are taken. |
Data Integrity IP-3 |
|
CR 4 |
The DI example implementation shall identify and protect assets against malware received via phishing email. |
Data Integrity IP-4 |
|
CR 4.a |
Downloads from the spreadsheet are blocked. |
Data Integrity IP-4 |
|
CR 4.b |
Backups of configurations are taken. |
Data Integrity IP-4 |
|
CR 4.c |
Configuration integrity information is baselined. |
Data Integrity IP-4 |
|
CR 5 |
The DI example implementation shall identify and protect the database against changes made through a web server vulnerability in custom code. |
Data Integrity IP-5 |
|
CR 5.a |
Vulnerability is identified. |
Data Integrity IP-5 |
|
CR 5.b |
Vulnerability is resolved. |
Data Integrity IP-5 |
|
CR 5.c |
Backups of database are taken. |
Data Integrity IP-5 |
|
CR 5.d |
Database integrity information is baselined. |
Data Integrity IP-5 |
|
CR 6 |
The DI example implementation shall identify and protect assets against targeted modification by malicious insiders with elevated privileges. |
Data Integrity IP-6 |
|
CR 6.a |
Backups are taken. |
Data Integrity IP-6 |
|
CR 6.b |
File integrity information is baselined. |
Data Integrity IP-6 |
|
CR 6.c |
Backups are encrypted. |
Data Integrity IP-6 |
|
CR 6.d |
Backups are stored securely. |
Data Integrity IP-6 |
|
CR 7 |
The DI example implementation shall identify and protect assets against an intrusion via compromised update server. |
Data Integrity IP-7 |
|
CR 7.a |
Downloads from site are temporarily blocked. |
Data Integrity IP-7 |
|
CR 7.b |
Backups are taken. |
Data Integrity IP-7 |
|
CR 7.c |
Program integrity information is baselined. |
Data Integrity IP-7 |
|
CR 7.d |
File integrity information is baselined. |
Data Integrity IP-7 |
|
CR 8 |
The DI example implementation shall identify new and unmaintained assets on the network. |
Data Integrity IP-8 |
|
CR 8.a |
Machines that are new to the network are identified. |
Data Integrity IP-8 |
|
CR 8.b |
Machines that are not up-to-date are identified. |
Data Integrity IP-8 |
D.3 Test Case: Data Integrity IP-1¶
Table 6‑3 Test Case ID: Data Integrity IP-1
Parent requirement |
(CR 1) The DI example implementation shall identify and protect assets against malware that encrypts files and displays notice demanding payment. |
Testable requirement |
(CR 1.a) Vulnerability identification, (CR 1.b, 1.c, 1.e) Denylisting, (CR 1.d) Maintenance, (CR 1.f) Backups, (CR 1.g) Integrity Baselining |
Description |
Show that the DI solution can identify and resolve vulnerabilities and protect against ransomware. |
Associated Cybersecurity Framework Subcategories |
ID.AM-1, ID.AM-2, ID.RA-1, ID.RA-2, ID.RA-6, DE.CM-8, PR.IP-12, RS.MI-3, PR.IP-4, PR.DS-1, PR.DS-6, PR.PT-1, PR.MA-2 |
Preconditions |
User navigates to a malicious website and clicks on an ad for a virus cleaner. The virus cleaner is actually ransomware, which propagates across the domain and encrypts user files. |
Procedure |
The denylisting capability is used to prevent access to and downloads from known malicious sites. The inventory capability is used to identify organizational assets and devices. The network protection capability is used to prevent the propagation of ransomware across the enterprise. The vulnerability management capability is used to identify vulnerabilities that allow malware to propagate. The integrity monitoring and logging collect integrity information and baseline the file system. The backups capability is used to take backups of the file system. |
Expected Results (pass) |
The vulnerability that allows the ransomware to propagate is identified (CR 1.a). The user cannot access the site when it is blocked (CR 1.b). The user cannot download the ransomware from the site when it is blocked (CR 1.c). The build can identify (and possibly execute) a fix for the vulnerability. When the fix is made, the ransomware is unable to propagate (CR 1.d). The ransomware is unable to communicate with its home server when the site is blocked (CR 1.e). The build can take backups of file systems (CR 1.f). The build can take and log integrity baselines of file systems (CR 1.g). |
Actual Results |
Cisco WSA (denylisting) stops the user from accessing the site when it is blocked. Cisco ISE (inventory) is used to identify devices on the network. Symantec DLP (inventory) is used to identify organizational data assets on monitored machines. CryptoniteNXT (network protection) prevents propagation of ransomware through an allowlist of approved communications in the enterprise. Tripwire IP360 (vulnerability management) detects vulnerabilities in Active Directory that allow ransomware to propagate. Tripwire Enterprise (integrity monitoring) and ArcSight ESM (logging) baseline critical data assets across the enterprise. Duplicati and FileZilla (backups) create backups of organizational data as a contingency, should ransomware be able to affect any systems. |
Overall Result |
Pass. All requirements for this use case are met. |
D.4 Test Case: Data Integrity IP-2¶
Table 6‑4 Test Case ID: Data Integrity IP-2
Parent requirement |
(CR 2) The DI example implementation shall identify and protect assets against malware inserted via USB that modifies and deletes user data. |
Testable requirement |
(CR 2.a) Backups, (CR 2.b) Integrity Baselining |
Description |
Show that the DI solution can preemptively protect against destructive malware. |
Associated Cybersecurity Framework Subcategories |
PR.IP-4, PR.DS-1, PR.DS-6, PR.PT-1 |
Preconditions |
A user inserts an unidentified USB drive into their computer. They click on a file on the drive, which immediately destroys any files on their machine. |
Procedure |
Backups schedules and creates backups of the user’s documents. The integrity monitoring capability is used to take integrity baselines of the file system. Logging collects logs and baselines system activity. |
Expected Results (pass) |
The build can take backups of file systems (CR 2.a). The build can take and log integrity baselines of file systems (CR 2.b). |
Actual Results |
Duplicati and FileZilla (backups) are used to take and store backups of the user’s documents. Tripwire Enterprise (integrity monitoring) is used to take an integrity baseline of the user’s file system prior to the malicious USB drive being inserted into the computer. ArcSight ESM (logging) takes a baseline of system activity prior to the USB drive being inserted into the computer. |
Overall Result |
Pass. All requirements for this use case are met. |
D.5 Test Case: Data Integrity IP-3¶
Table 6‑5 Test Case ID: Data Integrity IP-3
Parent requirement |
(CR 3) The DI example implementation shall identify and protect virtual machines against deletion. |
Testable requirement |
(CR 3.a) Backups |
Description |
Show that the DI solution can preemptively protect against data integrity events that involve virtual machines (VMs). |
Associated Cybersecurity Framework Subcategories |
PR.IP-4, PR.DS-1 |
Preconditions |
A routine maintenance script contains an error that accidentally deletes a VM. |
Procedure |
The backups capability is used to schedule and create backups of a VM. |
Expected Results (pass) |
The build can take backups of VMs (CR 3.a). |
Actual Results |
Duplicati and FileZilla (backups) take and store backups of VMs. |
Overall Result |
Pass. All requirements for this use case are met. |
D.6 Test Case: Data Integrity IP-4¶
Table 6‑6 Test Case ID: Data Integrity IP-4
Parent requirement |
(CR 4) The DI example implementation shall identify and protect against malware received via phishing email. |
Testable requirement |
(CR 4.a, CR 4.b) Denylisting, (CR 4.c) Backups, (CR 4.d) Integrity Baselining |
Description |
Show that the DI solution can identify phishing emails and protect against configuration changes made by malicious attachments. |
Associated Cybersecurity Framework Subcategories |
ID.AM-2, ID.AM-3, ID. RA-1, ID.RA-2, ID.RA-5, DE.CM-8, PR.IP-4, PR.DS-1, PR.PT-1 |
Preconditions |
The user receives a phishing email with a malicious attached spreadsheet. The spreadsheet is downloaded and opened, causing account changes in Active Directory. |
Procedure |
The integrity monitoring capability is used to baseline Active Directory activity. This information is forwarded to the logging capability, along with other available Active Directory information. The backups capability is used to take backups of the Active Directory configuration. The malicious web server is added to the denylisting capability to prevent downloads. |
Expected Results (pass) |
The spreadsheet cannot download files (CR 4.a). The build can take backups of configurations (CR 4.c). The build can take and log integrity baselines of configurations (CR 4.d). |
Actual Results |
Semperis DSP (integrity monitoring) successfully baselines Active Directory activity. ArcSight ESM (logging) successfully logs activity from Active Directory, including log-ons and changes. When the external web server is added to the denylist, Cisco WSA (denylisting) prevents the Excel sheet from downloading malicious files. Semperis ADFR (backups) is used to successfully take backups of the Active Directory configuration. |
Overall Result |
Pass. All requirements for this use case are met. |
D.7 Test Case: Data Integrity IP-5¶
Table 6‑7 Test Case ID: Data Integrity IP-5
Parent requirement |
(CR 5) The DI example implementation shall identify and protect the database against changes made through a web server vulnerability in custom code. |
Testable requirement |
(CR 5.c) Backups, (CR 5.d) Integrity Baselining |
Description |
Show that the DI solution can protect the database against a vulnerability in the custom code of a web server. |
Associated Cybersecurity Framework Subcategories |
PR.IP-4, PR.DS-1, PR.PT-1, PR.DS-6 |
Preconditions |
A vulnerability in the source code of an intranet webpage is discovered by a malicious insider. The insider exploits this vulnerability to delete significant portions of the database. |
Procedure |
The backups capability is used to take backups of the database. The integrity monitoring and logging capabilities take baselines of the database, for comparison post-modification. |
Expected Results (pass) |
The build can take backups of the database (CR 5.c). The build can take and log integrity baselines of the database (CR 5.d). |
Actual Results |
Duplicati and FileZilla (backups) successfully backs up the database. Tripwire Enterprise (integrity monitoring) successfully detects changes in the database. ArcSight ESM (logging) successfully logs changes to the database. |
Overall Result |
Pass. All requirements for this use case are met. |
D.8 Test Case: Data Integrity IP-6¶
Table 6‑8 Test Case ID: Data Integrity IP-6
Parent requirement |
(CR 6) The DI example implementation shall identify and protect assets against targeted modification by malicious insiders with elevated privileges. |
Testable requirement |
(CR 6.a) Backups, (CR 6.b) Integrity Baselining, (CR 6.c) Encrypted Backups, (CR 6.d) Secure Storage |
Description |
Show that the DI solution can protect assets and backups against targeted modification by malicious insiders. |
Associated Cybersecurity Framework Subcategories |
PR.IP-4, PR.DS-1, PR.PT-1, PR.DS-6 |
Preconditions |
A malicious insider attempts to modify targeted information in both the enterprise systems and the backup systems, using elevated credentials obtained extraneously. |
Procedure |
The inventory capability is used to identify data assets. The backups capability provides encrypted backups. Secure storage prevents modification or deletion of backups. Integrity monitoring and logging collect integrity information and baseline the file system. |
Expected Results (pass) |
The build can take backups of the file system (CR 6.a). The build can take and log integrity baselines of the file system (CR 6.b). Backups are encrypted (CR 6.c). Backups are stored securely and cannot be modified or deleted (CR 6.d). |
Actual Results |
Symantec DLP (inventory) identifies critical data assets across the enterprise. Duplicati and FileZilla (backups) provide encrypted backups of the file system. GreenTec WORMdisks (secure storage) provide write-protection for backups, preventing them from being modified or deleted. Tripwire Enterprise (integrity monitoring) and ArcSight ESM (logging) baseline critical data assets across the enterprise. |
Overall Result |
Pass. All requirements of this use case are met. |
D.9 Test Case: Data Integrity IP-7¶
Table 6‑9 Test Case ID: Data Integrity IP-7
Parent requirement |
(CR 7) The DI example implementation shall identify and protect assets against an intrusion via compromised update server. |
Testable requirement |
(CR 7.a) Denylisting, (CR 7.b) Backups, (CR 7.c, 7.d) Integrity Baselining |
Description |
Show that the DI solution can protect against compromised update server as well as intrusion made possible by vulnerable programs. |
Associated Cybersecurity Framework Subcategories |
ID.RA-1, ID.RA-2, ID.RA-5, DE.CM-8, PR.IP-12, RS.MI-3, PR.IP-4, PR.DS-1, PR.PT-1, PR.DS-6, PR.MA-2 |
Preconditions |
An external update server has been compromised, and a user workstation attempts to update from this server. |
Procedure |
Integrity monitoring capability is used to take baselines of the integrity of both the programs and the file systems. The backups capability is used to back up the file system. The denylisting capability is used to prevent communication between the update server and the machine. |
Expected Results (pass) |
Machines cannot update from this site while it is denylisted (CR 7.a). The build can take backups of file systems (CR 7.b). The build can take integrity baselines of programs (CR 7.c). The build can take integrity baselines of file systems (CR 7.d). |
Actual Results |
Tripwire Enterprise (integrity monitoring) successfully takes an integrity baseline of both programs and files. Duplicati and FileZilla (backups) successfully takes backups of the file system. Cisco WSA (denylisting) successfully prevents communication between the update server and workstations. |
Overall Result |
Pass. All requirements for this use case are met. |
D.10 Test Case: Data Integrity IP-8¶
Table 6‑10 Test Case ID: Data Integrity IP-8
Parent requirement |
(CR 8) The DI example implementation shall identify new and unmaintained assets on the network. |
Testable requirement |
(CR 8.a) Asset Identification, (CR 8.b) Vulnerability Identification |
Description |
Show that the DI solution can identify machines new to the network, as well as unpatched machines. |
Associated Cybersecurity Framework Subcategories |
ID.AM-1, ID.AM-2, ID.RA-1, ID.RA-2, ID.RA-5, DE.CM-8 |
Preconditions |
A new machine with several critical patches missing is connected to the network for the first time. |
Procedure |
The inventory capability is used to identify various aspects about the machine. The policy enforcement identifies the existence of security solutions on the machine and grants/denies access to the network, based on their presence. The vulnerability management capability is used to scan for vulnerabilities on the new machine. |
Expected Results (pass) |
New machine is identified on the network (CR 8.a). New machine is identified as unmaintained, and required fixes are identified (CR 8.b). |
Actual Results |
Cisco ISE (inventory) successfully logs information about new connections, including the user, date, device, and network information. Cisco ISE (policy enforcement) successfully prevents the new machine without 50 security software from connecting to the network. Tripwire IP360 (vulnerability management) successfully identifies vulnerabilities on the new machine. |
Overall Result |
Pass. All requirements for this use case are met. |