6: Generate an Inventory of System Hardware
Once a system is in operation, its hardware should remain unchanged, so the addition of new hardware such as a modem or a second network interface card is generally unexpected and should prompt further investigation. For example, is the appearance of a second Ethernet controller on a desktop workstation normal behavior for that machine?
Create an inventory of all computing hardware assets. This is most easily accomplished by performing a physical audit. Use a tool such as a database management system or spreadsheet to record the initial inventory and keep it up to date. Select a tool that will make subsequent inventory comparisons easy to perform.
Make sure that procedures are in place to update the hardware inventory when the physical location of equipment changes, when its hardware configuration is upgraded (for example, when memory is added), and when equipment is added to or removed from systems.
Produce and maintain complete, up-to-date network infrastructure information that captures the architecture, connectivity, and identity of all network devices, including the following:
- Layout or topology of all network devices
- Network architecture
- Network and device connectivity
- Network and device configuration
- Administrative domains
- Physical location of all network devices
- Intermediate public networks, if any
Identify network monitoring and management mechanisms to keep this information up to date and to provide alerts when anomalies occur.
Use automated tools to detect installed hardware and compare the results with the physical inventory. For PC-based systems, the Windows operating system provides a complete hardware inventory capability as part of system properties. A variety of vendor and public domain tools are also available, such as Nmap. Tools such as daemon dialers can help determine what modems are connected to telephone lines, systems, and networks.
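One way to carry out the comparison described above, as an added example that is not part of the original practice text: a Python script that diffs the authoritative inventory against the output of an automated detection run and reports added, missing, and changed components per host. The host names, MAC addresses, and serial numbers are constructed samples, and the two data sets stand in for a database export and a parsed scan result.

```python
# Compare an authoritative hardware inventory with an automated hardware scan.
# All asset tags, MAC addresses and serials below are constructed samples.

# Authoritative inventory, e.g. exported from the inventory database.
# Components are keyed by (type, unique id) so moves between hosts show up.
BASELINE = {
    "WS-0042": {("nic", "00:1a:2b:3c:4d:5e"): "Intel I219 Ethernet",
                ("memory", "DIMM0"): "8 GB DDR4",
                ("disk", "S3YJNX0K123456"): "500 GB SSD"},
    "SRV-0007": {("nic", "00:1a:2b:3c:4d:60"): "Broadcom 10GbE",
                 ("nic", "00:1a:2b:3c:4d:61"): "Broadcom 10GbE"},
}

# Output of an automated detection run on the same hosts (constructed).
DETECTED = {
    "WS-0042": {("nic", "00:1a:2b:3c:4d:5e"): "Intel I219 Ethernet",
                ("nic", "00:e0:4c:aa:bb:cc"): "Realtek USB Ethernet",  # second NIC
                ("memory", "DIMM0"): "16 GB DDR4",                      # upgraded
                ("disk", "S3YJNX0K123456"): "500 GB SSD"},
    "SRV-0007": {("nic", "00:1a:2b:3c:4d:60"): "Broadcom 10GbE"},       # one NIC gone
}


def compare_host(baseline, detected):
    """Return sorted (added, removed, changed) component keys for one host."""
    common = set(baseline) & set(detected)
    return (sorted(set(detected) - set(baseline)),
            sorted(set(baseline) - set(detected)),
            sorted(k for k in common if baseline[k] != detected[k]))


def inventory_report(baseline, detected):
    """List (host, finding, component, detail) for every deviation; a host
    absent from either side (unreached by the scan, or unknown to the
    inventory) is itself a finding that needs follow-up."""
    findings = []
    for host in sorted(set(baseline) | set(detected)):
        if host not in detected:
            findings.append((host, "unreached", None, None))
        elif host not in baseline:
            findings.append((host, "unknown host", None, None))
        else:
            added, removed, changed = compare_host(baseline[host], detected[host])
            findings += [(host, "added", k, detected[host][k]) for k in added]
            findings += [(host, "missing", k, baseline[host][k]) for k in removed]
            findings += [(host, "changed", k, f"{baseline[host][k]} -> {detected[host][k]}")
                         for k in changed]
    return findings
```

Run against the sample data, the report flags the unexpected second NIC and the memory upgrade on WS-0042 and the interface missing from SRV-0007; in practice the baseline would be loaded from the protected inventory store rather than embedded in the script.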