How Do You Know If Something's Amiss? Characterize Your Systems
- Determining What Constitutes Normal System Behavior
- Why Characterization Is Important
- 1: Document and Verify Characterization Trust Assumptions
- 2: Characterize Typical Network Traffic and Performance
- 3: Characterize the Expected System Configuration and Performance
- 4: Characterize Expected Process and User Behavior
- 5: Characterize Expected File and Directory Information
- 6: Generate an Inventory of System Hardware
- 7: Recognize the Iterative Nature of Data Collection and Characterization
- 8: Protect Characterization Information, Authoritative Reference Data, and Hardware Inventory to Ensure Their Integrity
- 9: Policy Considerations
How can administrators know whether something has gone wrong with their systems or networks when they don't know what it means for things to be operating normally? This excerpt from The CERT® Guide to System and Network Security Practices and the CERT security improvement module Detecting Signs of Intrusion advises administrators to characterize their systems. Characterization is the process of identifying network traffic and performance; system, process, and user behavior; files and directories; hardware devices and topology; and configuration settings; as well as keeping a log of their changes and gaining some understanding of what constitutes normal behavior. Once administrators have a characterization baseline, they can compare currently running systems with this baseline to determine whether anything unexpected or suspicious has occurred.
CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office.