- Determining What Constitutes Normal System Behavior
- Why Characterization Is Important
- 1: Document and Verify Characterization Trust Assumptions
- 2: Characterize Typical Network Traffic and Performance
- 3: Characterize the Expected System Configuration and Performance
- 4: Characterize Expected Process and User Behavior
- 5: Characterize Expected File and Directory Information
- 6: Generate an Inventory of System Hardware
- 7: Recognize the Iterative Nature of Data Collection and Characterization
- 8: Protect Characterization Information, Authoritative Reference Data, and Hardware Inventory to Ensure Their Integrity
- 9: Policy Considerations
8: Protect Characterization Information, Authoritative Reference Data, and Hardware Inventory to Ensure Their Integrity
Keep authoritative reference copies of files and checksums on write-protected or read-only media stored in a physically secure location. Consider using a tool such as PGP (Pretty Good Privacy) to "sign" the output generated by the checksum tool.
Consider making paper copies of configuration files and cryptographic checksums as backups to preclude being unable to recover uncorrupted electronic versions.
When transmitting authoritative reference data over unsecured network connections, be sure to verify the data upon arrival at the destination host (for example, by using MD5). Consider encrypting the reference data at the source host to reduce the likelihood of the information being compromised, to protect confidentiality and privacy, and to prevent password capture.
Encrypt characterization information, authoritative reference data, and hardware inventory if the organization's security requirements demand this level of protection.
Keep characterization information, authoritative reference data, and system inventory information up to date.