CMMC Weekly Series #5
Posted on April 24, 2020 by Theodore Wernet, CISSP
Systems and Information Integrity (SI)
The Systems and Information Integrity domain contains four capabilities. These capabilities are “Identify and manage information system flaws”, “Identify malicious content”, “Perform network and system monitoring” and “Implement advanced email protections”. In this post we look at the practices that make up these capabilities and offer some insight on how they might be addressed.
SI.1.210 Identify, report, and correct information system flaws in a timely manner. This practice contains both technical and procedural requirements. On the technical side, you should always have vendor software updates enabled if available. This does not necessarily mean the update should install itself without user intervention, but it should at least notify you that there are updates available if there is a concern about automatic installation. On the procedural side you should sign up for any vendor security/update notifications. Vendors do not want their products to be vulnerable and most are very good about providing emails, RSS feeds, etc. that can help keep you updated when security fixes become available. It is also a good practice to sign up for notifications from third-party vulnerability tracking systems. These would include the National Vulnerability Database (NVD), MITRE Common Vulnerabilities and Exposures (CVE) and the CERT Vulnerability Notes Database (VNDB) to name a few. And finally, ensure your software is licensed so you have access to any updates/patches when they are released.
SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. For this practice you are going to want to look at your infrastructure as a whole and identify systems and locations where you should implement malicious code protections. At the perimeter, you will want to examine your firewall to ensure its configuration fits your organizational needs and allows only the traffic that is necessary. If you have an internal email server, you want to implement an anti-malware scanner. For all host systems, you will want to install anti-virus/anti-malware solutions to protect them. Of course, it is imperative to keep the definitions for these systems up to date.
SI.1.212 Update malicious code protection mechanisms when new releases are available. This practice is straightforward. Keep your definitions up to date. This can usually be achieved automatically by configuring the software to update at given intervals.
SI.1.213 Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened or executed. Most anti-virus applications can meet this requirement easily. You will need one task set up to perform whole-system scans. It is usually best to schedule these scans outside of normal operational hours as they can have an impact on system performance. You will also want a policy that scans new files as they are introduced to the system. Some examples of this would be plugging in an external drive, downloading software or pulling data from a network drive.
SI.2.214 Monitor system security alerts and advisories and take action in response. For this practice, you simply need to subscribe to a third-party system that provides security alerts and advisories. Review these alerts to determine if they apply to any systems in your environment and patch accordingly.
SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. This practice is all about system and network monitoring. There are a plethora of network and system monitoring tools on the market today. But a key element to this process is understanding how systems and users operate in your environment and creating a baseline from that. With a baseline in place, it will be much easier to notice deviations or unusual system/network behavior which can really aid in identifying malicious activity.
SI.2.217 Identify unauthorized use of organizational systems. This practice actually requires two elements. The first element is to understand your environment so you can develop an acceptable-use policy that supports your environment. This policy will allow you to define appropriate permissions, roles, system usage, etc. For the second element, you need to review any monitoring solutions (IDS/IPS, audit logs, network traffic, etc.) you have in place to identify unauthorized use.
SI.3.218 Employ spam protection mechanisms at information system access entry and exit points. This practice is also straightforward. If you have an on-premises email server, ensure you have a spam filter in place to monitor both inbound and outbound email. Monitor your organization's spam levels and create rules to reduce them. If you have a subscription-based device, report any spam so new updates can help to reduce your spam levels automatically.
SI.3.219 Implement email forgery protections. The intent of this practice is to help ensure email integrity. This practice would apply if you have an on-premises email server or if you manage your own DNS records. If you have a hosted solution, you want to verify that they are providing email forgery protections. Regardless of your environment, you will want to ensure SPF, DKIM and DMARC are implemented with your email solution. There are literally hundreds of blogs and how-to guides for implementing these solutions, and they may vary depending on your environment, so do a little research before you begin.
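One way to verify the SPF, DKIM and DMARC records for your own domain, as an added example that is not from the original post: the checker below runs over a constructed dictionary of TXT records for a hypothetical domain (no DNS lookups are made; the DKIM selector name and the placeholder public key are assumptions) and reports records that are missing or that publish a non-enforcing policy.

```python
import re

# Constructed sample TXT data for a hypothetical domain (no real lookups); the DKIM p= value is a placeholder.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}

def spf_all_qualifier(record):
    """Qualifier of the terminating 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # bare 'all' is '+all': every sender passes
    return None

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_domain(domain, txt, dkim_selectors=("sel1",)):
    """Return a list of findings; empty means SPF, DKIM and DMARC are all published and enforcing."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("SPF: expected exactly one v=spf1 record, found %d" % len(spf))
    elif spf_all_qualifier(spf[0]) not in ("-", "~"):
        findings.append("SPF: record does not end in -all or ~all, so forged senders still pass")
    dmarc = [parse_tags(r) for r in txt.get("_dmarc." + domain, [])]
    dmarc = [t for t in dmarc if t.get("v", "").upper() == "DMARC1"]
    if not dmarc:
        findings.append("DMARC: no v=DMARC1 record at _dmarc." + domain)
    else:
        if dmarc[0].get("p") not in ("quarantine", "reject"):
            findings.append("DMARC: p=%s only monitors; use quarantine or reject" % dmarc[0].get("p"))
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
    for sel in dkim_selectors:
        name = "%s._domainkey.%s" % (sel, domain)
        if not any(parse_tags(r).get("p") for r in txt.get(name, [])):
            findings.append("DKIM: no public key published at " + name)
    return findings
```

To use it against a real domain, replace SAMPLE_TXT with the TXT answers from your resolver and pass the selectors your mail system actually signs with.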
SI.3.220 Utilize sandboxing to detect or block potentially malicious email. What is sandboxing? Sandboxing is the process of taking things like email attachments and executing them in an isolated environment to determine if they are malicious. If you are in a cloud environment such as Office 365, this is probably already being handled for you, but like anything else you want to verify. If you have an on-premises email system, there are several solutions from vendors like Barracuda, Spam Titan, Spambrella, etc. that can provide cloud-based and on-premises products.
SI.4.221 Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting. Wow, that was a mouthful! So, what do they want from this practice? They want your organization to join an Information Sharing and Analysis Center (ISAC) to share information about the Tactics, Techniques and Procedures (TTPs) utilized by bad actors to inform, educate, and help identify when attacks may be taking place.
SI.5.222 Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions. As malicious actors get better and better at evading detection from our arsenal of security tools, this practice wants you to take security a step further. With tools that support Endpoint Detection and Response (EDR) and User and Entity Behavior Analytics (UEBA), you can now detect malicious activity by identifying actions or activities that fall outside of normal operations. Detecting these types of events early can be very critical in the attack identification and mitigation process.
SI.5.223 Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior. This practice is very similar to SI.5.222. They are looking for ways to detect malicious activity by establishing normal user behavior and then looking for anomalies in this behavior. A User and Entity Behavior Analytics (UEBA) solution would meet this requirement.
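The baseline-then-deviation idea behind SI.2.216, SI.5.222 and SI.5.223, as an added example that is not from the original post and not from any UEBA or EDR product: a per-user baseline of which parent process launches which child and at what hours is learned from a constructed, made-up process audit log, and later events that fall outside that baseline are raised as alerts. The log format, user names and process names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed process-execution audit lines in a made-up format: timestamp user=<name> parent=<proc> proc=<proc>
BASELINE_LOG = """\
2020-04-13T08:55:10 user=alice parent=explorer.exe proc=outlook.exe
2020-04-13T09:10:42 user=alice parent=explorer.exe proc=excel.exe
2020-04-14T10:02:05 user=alice parent=explorer.exe proc=winword.exe
2020-04-14T16:40:19 user=alice parent=explorer.exe proc=outlook.exe
2020-04-13T07:30:00 user=svc_backup parent=services.exe proc=backup-agent.exe
"""

DETECT_LOG = """\
2020-04-20T09:05:11 user=alice parent=explorer.exe proc=outlook.exe
2020-04-20T02:14:37 user=alice parent=explorer.exe proc=excel.exe
2020-04-20T11:20:00 user=alice parent=winword.exe proc=cmd.exe
2020-04-20T07:30:00 user=svc_backup parent=services.exe proc=backup-agent.exe
2020-04-20T07:31:00 user=svc_backup parent=backup-agent.exe proc=cmd.exe
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) parent=(\S+) proc=(\S+)$")

def parse(log):
    """Yield (hour, user, parent, proc) per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, parent, proc = m.groups()
            yield int(ts[11:13]), user, parent, proc   # hour field of the ISO timestamp

def build_baseline(log):
    """Per user: the (parent, proc) pairs seen and the hours at which the user was active."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for hour, user, parent, proc in parse(log):
        baseline[user]["pairs"].add((parent, proc))
        baseline[user]["hours"].add(hour)
    return baseline

def detect(baseline, log):
    """Alerts for events outside a user's baseline: unknown user, unseen parent/child pair, off-hours."""
    alerts = []
    for hour, user, parent, proc in parse(log):
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, "no baseline for user", parent, proc, hour))
            continue
        if (parent, proc) not in profile["pairs"]:
            alerts.append((user, "unseen parent/child pair", parent, proc, hour))
        if not min(profile["hours"]) <= hour <= max(profile["hours"]):
            alerts.append((user, "outside baseline hours", parent, proc, hour))
    return alerts
```

In practice the baseline window should be weeks rather than days, and each alert is a lead for an analyst to confirm against the acceptable-use policy from SI.2.217, not a verdict on its own.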