This article concludes our 14-part series on NIST Special Publication 800-171 Rev. 2, focusing on System and Information Integrity. (Just in time for NIST SP 800-171 Rev. 3!)
3.14 System and Information Integrity
This security control is included to do exactly what it sounds like: ensure the integrity of systems and of any information that is processed, stored, or transmitted by your organization. It focuses on preventing unauthorized access and unauthorized changes by identifying and responding to detected security threats.
Compliance with Requirement 3.14 involves implementing specific security controls based on your organization’s risk assessments and regularly updating your processes as new threats and vulnerabilities evolve. Your organization should have a formal, documented program in place to ensure regular and timely maintenance of all critical information systems, through ongoing monitoring, implementing applicable patches, scanning for malicious code, and identifying unauthorized access.
It is also important to conduct periodic assessments or audits to ensure all organizational departments are following your documented processes and have implemented the recommended controls.
The Basic Security Requirements from 3.14 include:
- 14.1 Identify, report, and correct system flaws in a timely manner.
Managing the process of deploying security updates, often referred to as patch management, is just one component of your organization’s vulnerability management program. Patches are pieces of software code that are installed to improve or fix an application, and once installed they reduce your organization’s attack surface and risk of exposure.
Cybercriminals continue to compromise organizational systems through unpatched software. In fact, recent reports detailed that unpatched vulnerabilities are directly responsible for nearly 60% of all data breaches. If you remember, in 2017 Equifax exposed the personal information of 150 million people due to an unpatched framework in one of its databases, which has resulted in over $575 million in penalties and fines. Despite this, many organizations still delay installing security patches to avoid business interruptions, with studies reporting only 47% of organizations applying patches immediately, and 28% doing so monthly or even less frequently.
Your organization should have processes in place to review relevant alerts or vendor announcements regarding discovered vulnerabilities or flaws. Available resources include the Common Weakness Enumeration (CWE) database or the Common Vulnerabilities and Exposures (CVE) database. These public sites share information on known cybersecurity vulnerabilities and exposures. Regular vulnerability scans will also highlight any known vulnerabilities that have not yet been remediated or patched within your systems.
A common patch management structure follows the steps below:
- Identify the systems and software that need to be patched due to announced software vulnerabilities or flaws. (If needed, refer back to Part 4 of the NIST series, which reviewed Configuration Management, to ensure you have an accurate inventory of all critical information systems and their current configurations.)
- Create a patch management schedule. Most organizations will have a standard that defines reasonable timeframes for resolving any detected system or application flaws. The standard may be to address them automatically/immediately, or your organization may have a specific number of days defined for which patches must be applied based on your overall risk management process.
You should always apply relevant software and firmware updates at the earliest appropriate maintenance cycle to address identified issues. Timelines will be based on a variety of factors including the criticality of the update (i.e., the severity of the vulnerability related to the discovered flaw), required testing, available resources, etc. Critical flaws may require an emergency update between the normal, established maintenance cycles.
- Establish a patch management process. Determine (and document) who will be responsible for implementing patches and the process by which they will be implemented.
- Test patches in a non-production environment when possible before deploying them to make sure they don’t create any issues in your live systems.
- Deploy the patches into production.
- Monitor and regularly confirm that patches are being implemented correctly and on schedule.
- Keep track of all patches that have been implemented and assess and document the results. This will give your teams an up-to-date inventory of which systems and software have been updated and which still need to be patched.
Patch management is not just an information security best practice. Many regulations also require you to maintain secure systems and software. For example, PCI DSS version 4.0 requirement 6.3.3 requires that all system components within your cardholder data environment are protected from known vulnerabilities by installing security patches or updates as follows:
- Critical or high-security patches/updates must be installed within one month of release.
- All other applicable security patches/updates are to be installed within an appropriate time frame as determined by your organization.
- Requirement 11.3 also refers to scanning, and ensuring any vulnerabilities found are patched or otherwise remediated.
- Failure to deploy a patch quickly enough could result in fines and penalties.
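The scheduling, tracking and monitoring steps above, together with the one-month window the article cites from PCI DSS 4.0 requirement 6.3.3, can be turned into a small backlog check. The following is an added example, not code from the original article: it assumes a policy of 30 days for critical and high findings (the PCI DSS figure), and 90 and 180 days for medium and low findings, which are assumed values an organization would replace with its own risk-based standard. All hosts, products and advisory ids are constructed placeholders.

```python
"""Patch-schedule tracker for a vulnerability/patch management program.
Added example; not code from the original article. The 30-day window for
critical/high findings mirrors the one-month PCI DSS 4.0 req. 6.3.3 figure
the article cites; the 90- and 180-day windows for medium/low findings are
assumed policy values, and every finding below is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation deadline in days after vendor release, keyed by severity.
# Assumed policy; an organization sets these from its own risk process.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}

# Reporting date used by the sample run (constructed).
AS_OF = date(2024, 3, 1)


@dataclass
class Finding:
    host: str                        # asset name from the system inventory
    software: str                    # affected product
    advisory: str                    # vendor bulletin / CVE id (placeholders here)
    severity: str                    # critical | high | medium | low
    released: date                   # date the vendor published the fix
    patched: Optional[date] = None   # date the patch was verified installed


def deadline(f: Finding) -> date:
    """Due date = vendor release date + the window for that severity."""
    return f.released + timedelta(days=SLA_DAYS[f.severity.lower()])


def status(f: Finding, today: date) -> str:
    """Classify one finding against the schedule as of `today`."""
    due = deadline(f)
    if f.patched is not None:
        return "closed-on-time" if f.patched <= due else "closed-late"
    return "overdue" if today > due else "open"


def days_overdue(f: Finding, today: date) -> int:
    """Days past the deadline (negative means time remains)."""
    return (today - deadline(f)).days


def report(findings: List[Finding], today: date) -> Dict[str, List[Finding]]:
    """Bucket findings by status; overdue items ordered oldest deadline first."""
    buckets: Dict[str, List[Finding]] = {
        "overdue": [], "open": [], "closed-on-time": [], "closed-late": []}
    for f in findings:
        buckets[status(f, today)].append(f)
    buckets["overdue"].sort(key=deadline)
    return buckets


# Constructed sample findings (hosts, products and advisory ids are placeholders).
SAMPLE: List[Finding] = [
    Finding("web-01", "ExampleHTTPd", "ADV-0001", "critical", date(2024, 1, 15)),
    Finding("db-02", "ExampleDB", "ADV-0002", "high", date(2024, 2, 10)),
    Finding("ws-14", "ExampleOffice", "ADV-0003", "medium", date(2023, 11, 1),
            patched=date(2024, 1, 20)),
    Finding("web-01", "ExampleTLS", "ADV-0004", "critical", date(2023, 12, 1),
            patched=date(2024, 1, 15)),
    Finding("print-03", "ExampleFirmware", "ADV-0005", "low", date(2023, 8, 1)),
]


def main() -> None:
    """Print the backlog grouped by status, oldest overdue deadline first."""
    for bucket, items in report(SAMPLE, AS_OF).items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f.host:10} {f.advisory} {f.severity:8} "
                  f"due {deadline(f)} ({days_overdue(f, AS_OF):+d} days)")


if __name__ == "__main__":
    main()
```

Run as-is the script lists two overdue items (the low-severity firmware finding, which quietly aged past its 180-day window, and the unpatched critical web finding), one open item still inside its window, and two closed items, one of which was applied after its deadline and so still counts against the schedule in an audit. Feeding the report function the output of your scanner or ticketing export, with the actual release and verification dates, gives the "monitor and regularly confirm" step a concrete, repeatable check.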
- 14.2 Provide protection from malicious code at designated locations within organizational systems.
Designated locations within systems include entry and exit points, which may include firewalls, remote access servers, workstations, email servers, web servers, proxy servers, computers, and mobile devices. Malicious code (e.g., malware, viruses, spyware, Trojan horses, etc.) can create unauthorized functions or processes within your systems that then impact the confidentiality, integrity, and/or availability of information. Malware can be encoded in various formats or contained within compressed or hidden files. It can also be inserted into systems in a variety of ways, including web access, email, email attachments, and portable storage devices. Anti-malware software can detect, block, or quarantine malicious code and generate alerts. It is important to ensure that anti-malware protection software is deployed on all critical systems and kept up to date.
Where possible, scanning for malicious code as files are downloaded, opened, and/or run helps identify and prevent threats in real time. Full system scans can also be performed on a regular cadence. Within most organizations, any capable system that houses organizational data is required to have anti-virus and anti-malware software. If a system is not capable of running this software, then additional, mitigating controls must be put in place and approved by your security teams.
In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. In this case, organizations should rely on secure coding practices, configuration management and control, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
- 14.3 Monitor system security alerts and advisories and take action in response.
There are many publicly available sources of system security alerts and advisories. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information-sharing and analysis centers (ISACs) also provide security alerts and advisories.
Examples of response actions include notifying necessary external third parties and following your organizational response plan to address any relevant security alerts.
The Derived Security Requirements within 3.14 include:
- 14.4: Update malicious code protection mechanisms when new releases are available
- 14.5: Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed
- 14.6: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks (i.e., intrusion detection and intrusion prevention systems)
- 14.7: Identify unauthorized use of organizational systems
Unfortunately, ensuring regular and timely maintenance of all critical information systems is not an easy task. Ironically, it is often the announcement of available patches that triggers cybercriminals to exploit specific vulnerabilities as they know the majority of organizations won’t be able to deploy the patch immediately. Patching critical systems in a timely manner will protect your organization from these attacks and should be prioritized within your organization’s overall information security strategy.
Refer to additional guidance from the RedLens Information Security Team below:
[Sullivan]: While section 3.14 of NIST SP 800-171 is entitled ‘System Integrity’, the principles found within this requirement have an impact on all three pillars of Information Security (Confidentiality, Integrity, and Availability). Implementing the procedural changes as well as the technical controls found within this requirement helps your organization take a proactive approach to complete organizational security.
Oftentimes in our assessments, we find that the biggest dangers to an organization come from a lack of monitoring systems and accounts for unauthorized access using compromised credentials as well as unmonitored attacks against systems that have not been patched.
The biggest counter to these types of attacks is to implement the comprehensive monitoring mentioned within this requirement, create a baseline of ‘normal’ traffic to filter out, and actively alert on traffic that is not considered normal. Additionally, prioritizing patching of critical and public-facing systems reduces the window of opportunity for attackers to exploit any vulnerabilities found within your organization’s network.
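The "baseline of normal traffic, then alert on what is not normal" approach described above, and the outbound-traffic monitoring of requirement 14.6, can be illustrated with a small check over flow summaries. The following is an added example, not code from the article or from the RedLens team: it assumes a per-host baseline built from seven days of outbound flow records (daily byte volume plus the set of destination ports used), and then flags an evaluation day on three conditions: outbound volume above the learned threshold, a destination port never seen in the baseline, or a source host absent from the baseline altogether (the inventory gap that requirement 14.7 is concerned with). The z-score of 3 and the 25% floor on the threshold are assumptions, and every flow record is constructed sample data.

```python
"""Baseline-and-alert check over outbound flow summaries. Added example,
not code from the article or the RedLens team. Assumed approach: learn a
per-host baseline (daily outbound byte volume and the set of destination
ports used) from a training window, then flag a new day's traffic that
exceeds the learned volume, uses a port never seen in the baseline, or
comes from a host the baseline has never seen. All flows are constructed."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# (day, source host, destination ip, destination port, bytes sent)
Flow = Tuple[int, str, str, int, int]


def build_baseline(flows: List[Flow]) -> Dict[str, dict]:
    """Per host: list of daily outbound byte totals and set of destination ports."""
    daily: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    ports: Dict[str, Set[int]] = defaultdict(set)
    for day, host, _dst, port, nbytes in flows:
        daily[host][day] += nbytes
        ports[host].add(port)
    return {h: {"daily": list(daily[h].values()), "ports": ports[h]} for h in daily}


def volume_threshold(daily: List[int], z: float = 3.0, floor: float = 0.25) -> float:
    """mean + z * stddev, with a floor of 25% of the mean so that a perfectly
    constant baseline (stddev 0) does not alert on trivial variation.
    The z and floor values are assumptions made for this example."""
    m = mean(daily)
    return m + max(z * pstdev(daily), floor * m)


def evaluate(baseline: Dict[str, dict], flows: List[Flow]) -> List[dict]:
    """Compare one evaluation day's flows against the baseline; return alerts."""
    totals: Dict[str, int] = defaultdict(int)
    new_targets: Dict[str, Set[str]] = defaultdict(set)
    for _day, host, dst, port, nbytes in flows:
        totals[host] += nbytes
        if host in baseline and port not in baseline[host]["ports"]:
            new_targets[host].add(f"{dst}:{port}")
    alerts: List[dict] = []
    for host in sorted(totals):
        if host not in baseline:
            # Traffic from a host with no baseline: possible unauthorized system.
            alerts.append({"host": host, "type": "unknown-host",
                           "detail": f"{totals[host]} bytes, no baseline"})
            continue
        limit = volume_threshold(baseline[host]["daily"])
        if totals[host] > limit:
            alerts.append({"host": host, "type": "volume",
                           "detail": f"{totals[host]} bytes > {limit:.0f}"})
        for target in sorted(new_targets[host]):
            alerts.append({"host": host, "type": "new-port", "detail": target})
    return alerts


def _baseline_flows() -> List[Flow]:
    """Seven days of routine traffic (constructed): HTTPS to a few sites only."""
    flows: List[Flow] = []
    ws01 = [50000, 52000, 51000, 53000, 50500, 52500, 51500]
    for day, nbytes in enumerate(ws01, start=1):
        flows.append((day, "ws-01", "203.0.113.10", 443, nbytes))
    for day in range(1, 8):
        flows.append((day, "ws-02", "203.0.113.10", 443, 40000))
        flows.append((day, "ws-03", "203.0.113.20", 443, 30000))
    return flows


# Evaluation day (constructed): one spike, one new port, one unknown host.
DAY8: List[Flow] = [
    (8, "ws-01", "203.0.113.10", 443, 2_000_000),   # large outbound spike
    (8, "ws-02", "203.0.113.10", 443, 40000),       # routine
    (8, "ws-02", "198.51.100.7", 4444, 500),        # port never seen before
    (8, "ws-03", "203.0.113.20", 443, 30000),       # routine, no alert expected
    (8, "ws-99", "203.0.113.10", 443, 1000),        # host absent from baseline
]

BASELINE = build_baseline(_baseline_flows())

if __name__ == "__main__":
    for alert in evaluate(BASELINE, DAY8):
        print(f"{alert['host']:6} {alert['type']:13} {alert['detail']}")
```

Three alerts result: a volume alert for ws-01, a new-port alert for ws-02, and an unknown-host alert for ws-99, while ws-03's routine day passes silently. The floor on the threshold matters in practice: a host whose baseline is exactly constant would otherwise have a standard deviation of zero and alert on any change at all. The same structure applies to real flow exports (NetFlow, firewall or proxy logs); the baseline should be rebuilt on a rolling window so that gradual, legitimate changes in usage do not accumulate into permanent alerts.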