So I’ve had some questions about exactly what I mean by baselining and what types of things an auditor should be baselining when they’re examining a system. So let me take a few words to clarify what I meant.

First of all, remember that the reason we perform a baseline is to determine whether changes to the system change the security level of the system being examined. Ideally we are establishing a baseline of a system in a “known good” or secure state. In government terms this might be likened to a certification and accreditation process. But the idea is to identify a snapshot of what “secure” looks like for a given system. Then, by performing subsequent baselines of the system and comparing them to the original, we will be able to see whether there are any unauthorized changes to the system and whether those unauthorized changes lower the overall security level of the system. This process works for auditors, incident handlers, forensicators, and others looking to assess the security level of a system.

So the baselining process would be:

  1. Build a clean system / declare a system to be secure.
  2. Create a baseline of the system in the “known good” state.
  3. Engage in a healthy change / configuration management process.
  4. Update system baselines after every approved change.
  5. Periodically create a new baseline of the system’s current state.
  6. Compare the most recent baseline to the last “known good” baseline.
  7. Analyze the two baselines for differences.
  8. Repeat / remediate risk if necessary.
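Steps 2, 5, 6 and 7 above in working code, as an added example that is not part of the original post: a capture routine records a SHA-256 digest, mode bits, owner and size for every regular file under a tree, and a compare routine reports what appeared, disappeared or changed between the “known good” baseline and a later one. The directory layout and file contents in `demo()` are constructed sample data, not a real system.

```python
"""Filesystem baseline capture and comparison (added example, not from the post)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def capture_baseline(root: str) -> dict:
    """Walk `root` and record, per regular file, the attributes an
    unauthorized change would alter: content digest, mode, owner, size."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks and directories are skipped for this example
        st = path.lstat()
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        baseline[str(path.relative_to(root))] = {
            "sha256": digest,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "uid": st.st_uid,
            "size": st.st_size,
        }
    return baseline


def compare_baselines(known_good: dict, current: dict) -> dict:
    """Diff two baselines; changed entries list (old, new) per attribute."""
    added = sorted(set(current) - set(known_good))
    removed = sorted(set(known_good) - set(current))
    changed = {}
    for name in set(current) & set(known_good):
        diffs = {k: (known_good[name][k], current[name][k])
                 for k in known_good[name] if known_good[name][k] != current[name][k]}
        if diffs:
            changed[name] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed sample: a known-good tree, then an unapproved edit,
    a loosened permission and a new file, all of which the diff surfaces."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        os.chmod(etc / "sshd_config", 0o600)
        known_good = capture_baseline(root)          # step 2: known-good snapshot
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(etc / "sshd_config", 0o644)
        (etc / "rc.local").write_text("# dropped in after the baseline\n")
        return compare_baselines(known_good, capture_baseline(root))  # steps 5-7
```

Persisting each baseline as JSON alongside the change-management record (step 4) lets the comparison be rerun against whichever approved snapshot is the current “known good”.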

We can use this process to look for unauthorized changes. Unauthorized changes to a system can very likely be indicators of a bigger problem, and they are most definitely something an auditor would want to be aware of when performing an assessment.

Next we’ll cover what to baseline and how…