Part 7 of CampusGuard’s series covering each of the critical controls from NIST SP 800-171 rev.1
Requirement 3.7 of the NIST Special Publication 800-171 (NIST SP 800-171) covers maintenance of organizational systems and has two basic security requirements:
- 3.7.1 Perform maintenance on organizational systems.
- 3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
How is your institution maintaining organizational systems? How are system updates applied? Are you installing all patches in a timely manner and according to industry data security standards? How are support staff connecting to those systems?
While periodic maintenance improves the overall performance of operating systems, as well as overall security, it is important to have clearly defined procedures and a maintenance schedule to manage the process. If someone on the IT operations team fails to perform basic maintenance or to update systems properly, this can very easily lead to a security incident. In fact, a 2017 study revealed that organizations running out-of-date operating systems were three times more likely to suffer a data breach than those running newer operating systems, and organizations with out-of-date web browsers were twice as likely to experience a data breach.
The first step in your maintenance program is to ensure you have an up-to-date and accurate inventory of your organization’s IT infrastructure, systems, supporting systems, devices, and applications.
From here, it is important to define and document an effective schedule for maintaining systems according to manufacturer recommendations or relevant compliance requirements. Many operating systems require daily maintenance tasks that can be part of an automated script or initiated manually in response to an alert or logged event. Through the use of enterprise management tools and backup software, together with an approved change management process, a defined schedule will help keep systems up to date and prevent any system from falling through the cracks.
Ensure system administrators are aware of the requirements for applying critical vulnerability patches. For example, for systems that reside within your cardholder data environment, the Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.2 requires that all critical security patches be installed within one month of release. If systems remain unpatched, attackers can exploit those vulnerabilities, putting all of the data stored on those systems and on other connected systems at risk. (You may remember that the massive Equifax breach could have been prevented if a web application vulnerability had been patched when the fix first became available, two months before the compromise.)
Outside of the regular maintenance schedule, new security risks and vulnerabilities are discovered periodically that may require systems to be updated more frequently or outside of the scheduled maintenance window. Collecting intelligence from industry data sources and listservs is a good way to keep up to date; your security team can then determine which updates apply to your organization's systems and prioritize remediation by risk. Proactively identifying potential new threats and vulnerabilities helps you secure systems before they are compromised.
Organizations can also use tools such as Simple Network Management Protocol (SNMP) to monitor their networks and systems so that events like hardware failures, or attacks against those systems, are detected as abnormal and the organization can respond effectively. If you do rely on SNMP, use SNMPv3 with authentication and encryption enabled; SNMPv1 and SNMPv2c send community strings in cleartext, and a default or shared community string gives an attacker on the network a map of every monitored device.
Alerting those that are affected (vendors, customers, staff, etc.) is also an important part of scheduled maintenance as it can require that systems and networks are shut down for a brief period of time for maintenance. This can present an inconvenience to users, so keeping them updated on the schedule, and any outages, allows them to prepare. It often makes sense to plan for maintenance activities during low usage periods – after hours, on the weekends, or during planned breaks. If maintenance is planned during these periods, be sure to verify that vendor support will be available if needed, and allow IT staff sufficient time to complete maintenance updates and resolve any resulting issues.
The Derived Security Requirements from 3.7 of the NIST SP 800-171 include:
- 3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
- 3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
- 3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
- 3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.
When defining your maintenance program, implement controls that define how information systems, devices, and supporting systems are updated, and who has permission to do so. This can include a list of the authorized personnel, authorized tools, and authorized techniques and mechanisms. Approve and monitor all maintenance activities, whether the equipment is serviced onsite, remotely, or moved to another location.
For each maintenance activity, document whether the work will be performed onsite or remotely, and whether the equipment will be serviced in place or moved to another location. If maintenance does require relocating a system offsite, policy should require a designated staff member to approve the removal of the information system, and the equipment must be sanitized of all sensitive information (CUI included) before it leaves the site.
Monitor maintenance personnel who come to your location, verify what tools they are using, and confirm what they are doing. For example, is the technician using a USB drive to run diagnostics on a server? How do you know they haven't plugged that same USB drive into multiple other customers' systems? Check media meant to be used for troubleshooting, diagnostics, or other maintenance for malicious code before use by requiring the media to be run through an anti-virus or anti-malware program. Do that scan on a dedicated, isolated scanning station rather than on the production system being serviced, and compare the tools on the media against your list of authorized maintenance tools so that an unapproved or modified utility is caught even when no anti-malware signature matches.
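The following is an added example, not CampusGuard's tooling or any vendor's product. It shows one way to combine the two checks just described (3.7.2 authorized tools, 3.7.4 media checked for malicious code) before a technician's media is allowed near an organizational system: every file on the mounted volume is hashed, matched against an approved-tool manifest (relative path plus expected SHA-256), and matched against a known-bad hash list. The manifest, file names, contents and hashes below are constructed for the demonstration; a real deployment would run this alongside, not instead of, the anti-malware scan.

```python
"""Pre-use check for maintenance media (NIST SP 800-171 3.7.2 / 3.7.4).

Added example, not CampusGuard's tooling. Walks a mounted volume, hashes every
file with SHA-256 and sorts each file into one of three buckets:
  * malicious  - hash is on the known-bad list (block the media),
  * approved   - path and hash match the authorized-tool manifest,
  * unapproved - unknown file, or an approved tool whose contents changed.
Paths, file contents and hashes used in demo() are hypothetical.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field


@dataclass
class MediaVerdict:
    approved: list = field(default_factory=list)
    unapproved: list = field(default_factory=list)
    malicious: list = field(default_factory=list)

    @property
    def allowed(self) -> bool:
        """Media may be used only if nothing unapproved or malicious is on it."""
        return not self.unapproved and not self.malicious


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_media(mount_point: str, approved_tools: dict, bad_hashes: set) -> MediaVerdict:
    """approved_tools maps relative path -> SHA-256 of the authorized tool version."""
    verdict = MediaVerdict()
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mount_point).replace(os.sep, "/")
            digest = sha256_file(full)
            if digest in bad_hashes:
                verdict.malicious.append(rel)
            elif approved_tools.get(rel) == digest:
                verdict.approved.append(rel)
            else:
                # Unknown file, or a known tool whose hash no longer matches approval.
                verdict.unapproved.append(rel)
    return verdict


def demo() -> MediaVerdict:
    """Build a constructed USB image in a temp directory and check it."""
    tmp = tempfile.mkdtemp(prefix="maint-media-")

    def put(rel: str, data: bytes) -> None:
        path = os.path.join(tmp, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    diskdiag = b"#!/bin/sh\necho vendor disk diagnostic v2.1\n"      # approved, unchanged
    fwupdate_ok = b"#!/bin/sh\necho firmware updater\n"              # the approved version
    fwupdate_mod = fwupdate_ok + b"# edited after approval\n"        # what is on the stick
    stray = b"copied from another customer site\n"                   # never approved
    known_bad = b"CONSTRUCTED-SAMPLE-STANDING-IN-FOR-KNOWN-MALWARE"  # hash on bad list

    put("bin/diskdiag.sh", diskdiag)
    put("bin/fwupdate.sh", fwupdate_mod)
    put("docs/notes.txt", stray)
    put("tmp/autorun.inf", known_bad)

    approved = {
        "bin/diskdiag.sh": hashlib.sha256(diskdiag).hexdigest(),
        "bin/fwupdate.sh": hashlib.sha256(fwupdate_ok).hexdigest(),
    }
    bad = {hashlib.sha256(known_bad).hexdigest()}
    try:
        return check_media(tmp, approved, bad)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    v = demo()
    print("approved:  ", v.approved)
    print("unapproved:", v.unapproved)
    print("malicious: ", v.malicious)
    print("media allowed:", v.allowed)
```

The manifest approach is what makes "authorized tools" enforceable: a technician's utility that has been recompiled, trojaned, or simply replaced with a newer unvetted build fails the hash match even though a signature scanner may see nothing wrong with it.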
Organizations should also restrict physical access to onsite systems by locating them in protected data centers or dedicated, locked storage rooms. The activities of maintenance personnel without authorized access should always be supervised. When maintenance is provided by a third-party service provider, nondisclosure agreements should be in place before any maintenance support is performed.
All remote access to an information system for maintenance or diagnostics should occur via an approved remote access solution using multi-factor authentication. Remote sessions should be terminated when maintenance is complete, since allowing vendors standing 24/7 access increases the chance of unauthorized access. The PCI DSS makes the same point for the cardholder data environment: Requirement 8.1.5 requires that accounts used by third parties for remote access, support, or maintenance be enabled only during the time period needed, disabled when not in use, and monitored while in use.
Whether maintenance is performed internally or externally, maintain records of all maintenance activities. Review logs on a regular basis to verify that configuration settings are correct, evaluate who had access and when, and assess the activities performed on organizational systems.
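As an added example of the kind of review described above (this is not CampusGuard's tooling), the script below reads a constructed remote-maintenance session log together with a table of approved maintenance windows (the change ticket, the account, and the start and end time) and flags every nonlocal session that started outside an approved window, was established without MFA, ran past the window end, or was still open when the review ran. The log format, account names, addresses, ticket numbers and timestamps are hypothetical; the checks map to 3.7.5 (MFA, termination when maintenance is complete) and to the record-keeping the text calls for.

```python
"""Review of nonlocal maintenance sessions (NIST SP 800-171 3.7.5 and maintenance records).

Added example, not CampusGuard's tooling. Parses a constructed session log of the form
  <ISO-8601 UTC> login  user=<acct> src=<ip> mfa=yes|no session=<id>
  <ISO-8601 UTC> logout user=<acct> session=<id>
and reports sessions that violate the approved-maintenance-window table.
All accounts, addresses, tickets and times are hypothetical.
"""
from datetime import datetime, timezone


def parse_ts(s: str) -> datetime:
    # Python < 3.11 fromisoformat() does not accept a trailing "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text: str) -> dict:
    """Returns {session_id: {user, src, mfa, login, logout}}."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        sid = fields["session"]
        if event == "login":
            sessions[sid] = {"user": fields["user"], "src": fields.get("src"),
                             "mfa": fields.get("mfa") == "yes",
                             "login": parse_ts(ts), "logout": None}
        elif event == "logout" and sid in sessions:
            sessions[sid]["logout"] = parse_ts(ts)
    return sessions


def review(sessions: dict, windows: dict, now: datetime) -> dict:
    """windows: {user: [(start, end, ticket), ...]}. Returns {session_id: [issue, ...]}."""
    findings = {}
    for sid, s in sessions.items():
        issues = []
        covering = [w for w in windows.get(s["user"], []) if w[0] <= s["login"] <= w[1]]
        if not covering:
            issues.append("login outside any approved maintenance window")
        if not s["mfa"]:
            issues.append("session established without MFA")
        if s["logout"] is None:
            issues.append("session still open at review time (%s)" % now.isoformat())
        elif covering and s["logout"] > covering[0][1]:
            issues.append("session ran past the approved window end")
        if issues:
            findings[sid] = issues
    return findings


# Constructed sample log: one vendor account and one internal administrator.
LOG = """\
2024-03-02T22:05:11Z login user=vendor-acme src=203.0.113.7 mfa=yes session=a1
2024-03-02T23:40:02Z logout user=vendor-acme session=a1
2024-03-02T22:30:00Z login user=vendor-acme src=203.0.113.7 mfa=yes session=a4
2024-03-03T00:45:13Z logout user=vendor-acme session=a4
2024-03-03T01:10:44Z login user=vendor-acme src=203.0.113.7 mfa=yes session=a2
2024-03-05T14:02:09Z login user=vendor-acme src=198.51.100.9 mfa=no session=a3
2024-03-05T14:30:00Z logout user=vendor-acme session=a3
2024-03-05T14:05:00Z login user=jsmith src=10.4.2.17 mfa=yes session=b1
2024-03-05T15:10:00Z logout user=jsmith session=b1
"""

# Constructed approved windows: (start, end, change ticket).
WINDOWS = {
    "vendor-acme": [(parse_ts("2024-03-02T22:00:00Z"), parse_ts("2024-03-03T00:00:00Z"), "CHG-1042")],
    "jsmith":      [(parse_ts("2024-03-05T14:00:00Z"), parse_ts("2024-03-05T16:00:00Z"), "CHG-1051")],
}
NOW = datetime(2024, 3, 6, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    return review(parse_log(LOG), WINDOWS, NOW)


if __name__ == "__main__":
    for sid, issues in demo().items():
        print(sid, "->", "; ".join(issues))
```

Session a1 and b1 pass; a4 logged out after the window closed, a2 began after the window and is still open three days later (exactly the standing vendor access the requirement is meant to remove), and a3 has no change record and no MFA. In practice the log lines would come from the remote access gateway or the bastion host's authentication log, and the window table from the change management system.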
Costs, resources, time, etc. are reasons often given for failing to update to current operating systems and browser versions, but those costs will seem minuscule compared to the fines that can result from a data breach caused by out-of-date or unsupported systems. The reputational damage to your organization can also take years to overcome.
Additional guidance from our Offensive Security team below:
[Hobby]: The 800-171 Maintenance Controls endeavor to assure that three best practices are in place: first, that maintenance activities are regularly scheduled, documented, and performed by trained personnel; second, that systems and information are protected from unauthorized access during maintenance; and third, that maintenance activities are appropriately supervised.
Regular maintenance plays a critical part in protecting systems from information security threats. When done well, maintenance such as that required by 800-171 can greatly improve your cybersecurity defense posture. Without regular maintenance, systems can quickly become outdated and develop weaknesses that can expose your sensitive information to information security threats.