S 4.93 Regular integrity checking

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Regular checks of the file system, file attributes, process information and other important elements of the system configuration (for example the registry in Windows) for unexpected changes help to detect inconsistencies. Detecting such inconsistencies helps to prevent system instability, but also allows attacks to be detected promptly. Once a system has actually been attacked, it is important to be able to reconstruct the actions taken by the attacker. This helps, on the one hand, to detect manipulation of data and, on the other hand, to find hidden back doors that the attacker may have installed on the computer in order to gain access to it again later.

Calculation of cryptographic checksums

Programs that calculate cryptographic checksums over a large proportion of the files on the system, or over other resources, can be used to detect manipulation. There are two types of integrity check program for this purpose: programs that operate only at the file level, and programs that can also check processes and special configuration data such as the Windows registry or the data structures of the kernel. It is recommended to ensure that these tools can be administered and monitored centrally. In addition, the cryptographic mechanisms used by the program must conform to the current state of the art.

Some programs are only able to determine whether changes have been made to the file system. To do this, they check whether the access rights, the date of the last change, or the contents of a given file have changed. Modifications to the contents are detected by comparing the cryptographic checksum calculated at the time of the check with the reference checksum generated earlier. In many cases, a special option even makes it possible to detect read accesses to files.
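The following is an added example of the file-level check just described; it is not a tool from the safeguard text or from BSI. For every regular file below a root directory it records a SHA-256 digest of the contents together with the permission bits, size and modification time, and a later run is compared against that reference to report added, removed and changed files, naming which attribute differs. The exclusion list and the constructed directory tree in demo() are assumptions for illustration only.

```python
"""File-level integrity baseline and comparison (added example, not from the
BSI safeguard text)."""
import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass

# Assumed exclusion list (relative to the checked root): directories whose
# contents change during normal operation and would only cause false positives.
EXCLUDED_DIRS = ("proc", "sys", "tmp", "var/log")


@dataclass(frozen=True)
class FileRecord:
    sha256: str
    mode: int        # permission bits only (S_IMODE)
    size: int
    mtime_ns: int


def _digest(path, chunk=1 << 16):
    """SHA-256 of the file contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_file(path):
    st = os.lstat(path)
    return FileRecord(sha256=_digest(path), mode=stat.S_IMODE(st.st_mode),
                      size=st.st_size, mtime_ns=st.st_mtime_ns)


def build_baseline(root, excluded=EXCLUDED_DIRS):
    """Walk `root` and return {relative_path: FileRecord} for regular files."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # prune excluded directories in place so os.walk does not descend
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in excluded]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue      # skip symlinks, devices, sockets
            baseline[os.path.relpath(full, root)] = record_file(full)
    return baseline


def compare(reference, current):
    """Return (added, removed, changed); `changed` maps path -> the list of
    attributes that differ from the reference run."""
    added = sorted(set(current) - set(reference))
    removed = sorted(set(reference) - set(current))
    changed = {}
    for path in sorted(set(reference) & set(current)):
        old, new = reference[path], current[path]
        diffs = [field for field in ("sha256", "mode", "size", "mtime_ns")
                 if getattr(old, field) != getattr(new, field)]
        if diffs:
            changed[path] = diffs
    return added, removed, changed


def demo():
    """Constructed tree: take a baseline, make three kinds of change plus churn
    in an excluded directory, and return what compare() reports."""
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "a.txt"), "w") as f:
            f.write("original content\n")
        with open(os.path.join(root, "b.txt"), "w") as f:
            f.write("config=1\n")
        os.chmod(os.path.join(root, "b.txt"), 0o644)
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", "scratch"), "w") as f:
            f.write("noise\n")
        reference = build_baseline(root)
        with open(os.path.join(root, "a.txt"), "a") as f:   # content changed
            f.write("appended line\n")
        os.chmod(os.path.join(root, "b.txt"), 0o444)          # permissions changed
        with open(os.path.join(root, "c.txt"), "w") as f:   # new file
            f.write("new file\n")
        with open(os.path.join(root, "tmp", "scratch"), "a") as f:  # excluded churn
            f.write("more noise\n")
        return compare(reference, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run as a script, demo() reports c.txt as added, a.txt as changed in content and size, and b.txt as changed in mode only, while the edit under tmp/ is silently left out of scope; in real use the reference dictionary is written out after an authorised change and read back for each scheduled check.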

Protection of the checksum file

To prevent the integrity check program itself, or the file containing the system's checksums, from being corrupted by an attacker or by malware, both should be stored on write-protected data media. Since the checksum file has to be changed after authorised changes to the file system, media that can be replaced or rewritten in a controlled way, such as CDs, DVDs, or removable hard drives, are recommended for this purpose. Alternatively, the checksum file can be made available as a read-only file on the network; this method should be preferred where the integrity check program is administered over the network. Malicious software sometimes camouflages itself so that it cannot be detected using the means of the manipulated operating system. It therefore makes sense, in case of suspicion, to check the system from a known-clean operating system, booted for example from a CD-ROM that was created on a trusted reference system.
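The safeguard protects the checksum file by the medium it is stored on. The following added example (not from the BSI text) goes one step further and shows how the checker itself can notice a reference file that is no longer trustworthy: the reference is written with an HMAC-SHA256 tag under a key that is assumed to be held away from the checked host, for instance at the central administration station, and a reference file that still carries write permission is refused before it is read. The key, the sample baseline entries and the file layout (JSON body followed by one tag line) are assumptions of this example.

```python
"""Sealing and verifying the reference (checksum) file: added example, not
part of the BSI safeguard text."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


class ReferenceTampered(Exception):
    """Raised when the reference file cannot be trusted."""


def seal_reference(baseline, key):
    """Serialise the baseline deterministically and append an HMAC-SHA256 tag.
    `baseline` maps path -> dict of recorded attributes; `key` is assumed to
    be kept off the checked host."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag + b"\n"


def open_reference(blob, key):
    """Verify the tag before trusting any entry; a wrong key or any change to
    the body (even a single permission bit) causes a MAC mismatch."""
    body, _, tag = blob.rstrip(b"\n").rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ReferenceTampered("MAC mismatch: reference altered or wrong key")
    return json.loads(body)


def is_write_protected(path):
    """True if no write bit is set for owner, group or others."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o222 == 0


def load_reference_file(path, key):
    """Refuse a writable reference file, then verify its MAC."""
    if not is_write_protected(path):
        raise ReferenceTampered(f"{path} is writable; expected a read-only medium")
    with open(path, "rb") as f:
        return open_reference(f.read(), key)


def demo():
    """Constructed baseline and key; returns which checks behaved as expected."""
    key = b"constructed-demo-key"          # assumption: the real key is managed centrally
    baseline = {"bin/ls": {"mode": 0o755, "sha256": "ab" * 32},
                "etc/ssh/sshd_config": {"mode": 0o600, "sha256": "cd" * 32}}
    results = {}
    blob = seal_reference(baseline, key)
    results["roundtrip"] = open_reference(blob, key) == baseline
    # simulate an edit to the stored reference: sshd_config mode 0o600 -> 0o644
    tampered = blob.replace(b'"mode":384', b'"mode":420')
    try:
        open_reference(tampered, key)
        results["tamper_detected"] = False
    except ReferenceTampered:
        results["tamper_detected"] = True
    try:
        open_reference(blob, b"wrong-key")
        results["wrong_key_detected"] = False
    except ReferenceTampered:
        results["wrong_key_detected"] = True
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(blob)
        os.chmod(path, 0o644)               # writable: must be refused
        try:
            load_reference_file(path, key)
            results["writable_refused"] = False
        except ReferenceTampered:
            results["writable_refused"] = True
        os.chmod(path, 0o444)               # read-only: accepted and verified
        results["readonly_accepted"] = load_reference_file(path, key) == baseline
    finally:
        os.chmod(path, 0o600)
        os.unlink(path)
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check is a plausibility check on the local copy, not a substitute for the write-protected medium; the MAC is what detects an altered reference regardless of where it was stored.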

Check interval and scope of checks

An integrity check should be performed regularly, for example every night. The choice of a suitable check interval depends heavily on the purpose of the IT system concerned and on its application environment. The storage space and processor capacity required to compute and compare the checksums must also be taken into account. Normal operation must not be impaired by the use of the integrity check program.

Minor and major changes are made constantly to the system files of every large IT system during normal operation. It is therefore generally recommended to configure the integrity check program so that it only detects changes to relevant files. Otherwise there is a risk of triggering so many change reports caused by completely normal operating procedures rather than by attempted attacks (false positives) that it is no longer possible to evaluate the log files promptly.

Process information in the internal memory

In addition to file-based integrity checks, there is also the option of checking process information from the internal memory against a list of allowed processes (a white list). In this way, it is also possible to detect certain manipulations that leave no traces in the file system. Conversely, there are manipulations that do not affect the processes themselves but only their configuration; such manipulations may be easier to detect by checking the integrity of the configuration files. Integrity checks of the file system and of the internal memory can therefore have different protective effects. An advantage of checking process information in the internal memory is that it requires few or no hard disk accesses, which are significantly slower than memory accesses. This allows checks to be run much more frequently than with a file-based method, where a large amount of information has to be read from the hard drive. In most cases, unwanted programs can therefore be detected more quickly than with file-based integrity checking.
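As an added example of the white-list check of running processes (not a tool from the safeguard text), the code below compares the process information the Linux kernel reports through /proc against a list of allowed executable paths. It also flags a process whose executable has been removed from disk while it keeps running, which is one of the cases a purely file-based check cannot see because there is no file left to hash; Linux marks this by appending " (deleted)" to the target of /proc/<pid>/exe. The allow-list and the sample snapshot are constructed for offline demonstration; on a real system the allow-list comes from that system's own baseline.

```python
"""Process allow-list check over procfs information: added example, not
from the BSI safeguard text."""
import os


def snapshot_linux(proc="/proc"):
    """Collect (pid, comm, exe) for every process visible in procfs.  `exe` is
    the resolved target of /proc/<pid>/exe; kernel threads and processes the
    caller is not allowed to inspect get exe=None."""
    procs = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue                  # process exited while we were listing
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None
        procs.append((int(entry), comm, exe))
    return procs


def check_processes(snapshot, allowed_exes, report_unreadable=False):
    """Compare a snapshot against the allow-list of executable paths and
    return (pid, comm, finding) triples.  Findings:
      'deleted-binary': running code whose file is gone from disk, so a
                        file-based check has nothing left to hash
      'unlisted'      : executable path not on the allow-list
      'unreadable'    : no exe link (kernel threads, insufficient rights);
                        reported only when report_unreadable is set, since
                        these are normal on every host and would be noise."""
    findings = []
    for pid, comm, exe in snapshot:
        if exe is None:
            if report_unreadable:
                findings.append((pid, comm, "unreadable"))
        elif exe.endswith(" (deleted)"):
            findings.append((pid, comm, "deleted-binary"))
        elif exe not in allowed_exes:
            findings.append((pid, comm, "unlisted"))
    return findings


# Constructed allow-list and snapshot for the offline demonstration.
ALLOWED_EXES = frozenset({"/usr/lib/systemd/systemd", "/usr/sbin/sshd",
                          "/usr/sbin/cron", "/usr/bin/python3"})
SAMPLE_SNAPSHOT = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (2, "kthreadd", None),
    (412, "sshd", "/usr/sbin/sshd"),
    (615, "cron", "/usr/sbin/cron"),
    (9001, "httpd", "/usr/sbin/httpd (deleted)"),
    (9100, "updater", "/home/svc/updater"),
]


def demo():
    """Findings for the constructed snapshot."""
    return check_processes(SAMPLE_SNAPSHOT, ALLOWED_EXES)


if __name__ == "__main__":
    snap = snapshot_linux() if os.path.isdir("/proc") else SAMPLE_SNAPSHOT
    for pid, comm, finding in check_processes(snap, ALLOWED_EXES):
        print(f"{pid:>7} {comm:<16} {finding}")
```

Because the snapshot is read from memory-resident kernel data rather than by hashing files, a run like this is cheap enough to schedule far more often than the nightly file-system check, which is the point the section makes; a finding still needs the file-based and configuration checks to establish what was actually changed.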

Notification

The administrator should be notified of the results automatically, via e-mail or a similar route, even if no changes were found. It should be specified in advance which safeguards are to be taken when a loss of integrity has been detected, including, for example, whether the actions are to be performed manually or automatically.

Review questions: