So I’ve had some questions about exactly what I mean by baselining and what types of things an auditor should be baselining when examining a system. Let me take a few words to clarify what I meant.
First of all remember, the reason we perform a baseline is to determine if changes to the system change the security level of the system being examined. Ideally we are establishing a baseline of a system in a “known good” or secure state. In government terms this might be likened to a certification and accreditation process. But the idea is to identify a snapshot of what “secure” looks like for a given system. Then by performing subsequent baselines of the system and comparing them to the original, we will be able to see if there are any unauthorized changes to the system and if those unauthorized changes lower the overall security level of the system. This process works for auditors, incident handlers, forensicators, and others looking to assess the security level of a system.
So the baselining process would be:
- Build a clean system / declare a system to be secure.
- Create a baseline of the system in the “known good” state.
- Engage in a healthy change / configuration management process.
- Update system baselines after every approved change.
- Periodically create a new baseline of the system’s current state.
- Compare the most recent baseline to the last “known good” baseline.
- Analyze the two baselines for differences.
- Repeat / remediate risk if necessary.
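As an added illustration of the compare step in that process (not code from the original post), the script below builds a file-level baseline (SHA-256 hash, size and permission bits for every regular file under a root), saves it as JSON, and diffs a later baseline against the “known good” one to report added, removed and modified files. The sample directory tree and the changes applied to it are constructed inside the script purely for demonstration; the file names are assumptions, not anything from the post.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root (symlinks are skipped).

    Keys are POSIX-style relative paths so baselines are comparable across
    hosts; values record content hash, size and permission bits."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode)),
        }
    return baseline


def save_baseline(baseline: dict, out_file: Path) -> None:
    """Persist the snapshot; store it off-host so an intruder cannot edit it."""
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare_baselines(known_good: dict, current: dict) -> dict:
    """Diff two snapshots: files that appeared, vanished, or changed attributes."""
    old_paths, new_paths = set(known_good), set(current)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(
            p for p in old_paths & new_paths if known_good[p] != current[p]
        ),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, alter it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        # Constructed sample files standing in for a 'known good' system.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        known_good = build_baseline(root)
        save_baseline(known_good, root / "baseline-known-good.json")

        # Simulated unapproved drift: one edit, one new file, one deletion.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "unknown.conf").write_text("# not in change records\n")
        (root / "etc" / "hosts").unlink()
        # The baseline file itself lives under root here only for the demo;
        # exclude it so the snapshot is not reported as an 'added' file.
        current = {
            k: v for k, v in build_baseline(root).items()
            if k != "baseline-known-good.json"
        }

        return compare_baselines(
            load_baseline(root / "baseline-known-good.json"), current
        )


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each entry in the report maps back to a change-management record or it does not; anything without an approved change behind it is exactly the kind of unauthorized modification the process is meant to surface. Hashes catch content edits that leave size and timestamps untouched, and recording mode bits catches permission changes that alter nothing else.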
We can use this process to look for unauthorized changes. Unauthorized changes to a system are very likely indicators of a bigger problem, and most definitely something an auditor would want to be aware of when performing an assessment.
Next we’ll cover what to baseline and how…
I’ll be presenting a webcast for the SANS Institute, along with Alan Paller and Eric Cole, on the 20 Critical Security Controls. There’s been a lot of news on these controls in the past few months and a lot of discussion on how they interact with FISMA and NIST guidance for information security. This webcast is meant to talk about the latest developments with these controls and give some real-life examples of how these controls are being used by organizations today to thwart some of the cyber-attacks that have been taking place.
If you have a few minutes to listen, I think it will be worth it – plus you can’t beat the price (free). Here’s the link to register; you’ll want to make sure you’re signed up in advance so you get a spot:
There will be Questions &amp; Answers after the webcast. If you want to get your questions to the top of the pile, send them to my Twitter account at @jamestarala.
Welcome to the Enclave Security / AuditScripts blog page! This is our new location for publishing information that we hope will be helpful to the information security community as a whole. Oftentimes we’re asked, where is that resource located, or where can I find more information on that, or have you ever seen this before? Well, rather than us just answering that question for one person and the data going into the e-mail abyss, this will be the place where we’ll start posting that information and make it available to everyone.
There will be a number of people posting to this space, and as time goes on we’ll introduce them all. Everyone brings a unique perspective and we look forward to everyone’s comments.
Most importantly, we want to welcome you to the site. Expect quite a few announcements over the upcoming weeks as we introduce new content and information to the site. We look forward to you being able to use this as a resource that will truly be an aid in your security efforts.