Data Integrity: The Forgotten Layer of Defense
Imagine for a moment that you are responsible for keeping a pile of money safe. Your budget is unlimited, and you spend it on the best safes and locks you can find and put the money inside. A few weeks later, your boss comes to you and notes that the safe looks damaged and the locks are scratched and asks if all of the money is still in there. It suddenly dawns on you. No one counted the money before putting it into the safe.
This is a scenario that appears to be avoidable using common sense. You wouldn’t give your money to a bank that wasn’t able to tell you at any given moment that all of your money was there. You couldn’t file a claim against your homeowner’s insurance if you couldn’t give an accounting of what you owned before a fire or burglary.
Yet it is this very scenario that IT administrators are in every day without realizing it. Security today is largely focused on the perimeters—barriers (safes and locks) that administrators believe will protect them from the big bad wolf.
Firewalls, intrusion detection, packet sniffers, VPNs, vulnerability assessment and other perimeter software and hardware all make up the majority of security spending today. Yet very little attention is given to one critical layer in security: data integrity.
“Is my data the same today as it was yesterday?” is the underlying theme of data integrity. If you can’t trust the state of your company’s critical information assets then how can your customers trust your company?
One extreme example of how invalid data can have some pretty spectacular results: In September 1999, NASA spent hundreds of millions of dollars getting the Mars Climate Orbiter to the red planet to study the Mars atmosphere and be a relay station for the Mars Polar Lander (which was lost on a later mission, ironically enough).
However, when it came to inserting the probe into orbit, it suddenly disappeared. After investigating further, the NASA engineers discovered that some of the calculations for the orbital insertion maneuver were done in metric measurements and not converted into English measurements. The result? The probe was way off in its trajectory and probably burned up in the atmosphere.
Now, this situation was due to a human error but could just as easily have been the result of a hacker who altered some subtle numbers. Nothing major, but just changing a decimal point or two could mean the difference of inches or feet or miles. Would you get into a plane where the engineering diagrams had been hacked? How could you trust the authenticity or validity of the numbers in your phone book?
Egghead software went out of business because they could not tell customers whether or not their credit card data had been compromised. It cost credit card vendors millions of dollars to research and replace hundreds of thousands of cards that may or may not have been stolen.
We rely on information and data for virtually every facet of our lives, whether we realize it or not. If suddenly we were unable to trust that information, our lives would be very difficult indeed.
Data integrity is getting more attention from lawmakers. The Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act for financial institutions both contain requirements and guidelines for ensuring that the integrity of confidential and sensitive data is not compromised or lost.
Data integrity is an issue that needs more attention at every level of an organization. Threats to that data not only can come from Joe Hacker on the outside, but also can come from the inside. Just ask the folks over at the Omega Corp. where a disgruntled employee essentially put them out of business by deleting all of their critical data using a logic bomb.
The threats don’t even have to be malicious. We are constantly being bombarded by advisories for patches, hot-fixes and application updates. In an ideal world we would be able to test every single piece of software before putting it into production.
However, in the real world we can’t or don’t test every piece of code, and quite often it ends up breaking something or causing problems somewhere else. Most of us also have very fat fingers, and misconfigurations are a fact of life.
Not only do we depend on trustworthy data for almost every element of our lives, but almost everything that we as IT administrators do can affect that very collection of information. The simplest thing can corrupt or alter data in ways we can’t even imagine.
Some companies will respond that if anything does happen to their data, they can handle it because they have excellent backup tools. Great. How do you validate that what you restored is trustworthy? The verification features of most backup software simply tell you that what you restored was exactly what you backed up. But what if what you backed up was already corrupted?
You may not know how long the hacker was in your system and might be restoring compromised data, or your data on tape may be hours if not days old. Here’s another thought: How do you figure out what data to restore? If you don’t know what’s changed, then quite often your only recourse is to do a global restore of the entire system or rebuild the darn thing from scratch and restore what you hope is valid data.
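An added example, not from the original article or from Tripwire: a minimal baseline-and-compare check in Python showing why a backup's own verification passes on data that changed before the backup ran, while a comparison against an earlier baseline lists exactly which files need restoring. The file names, contents and the `snapshot`, `compare` and `demo` helpers are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    digests = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def compare(baseline, current):
    """Report files added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline, silent change, then backup and restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, tape, restored = (Path(tmp, d) for d in ("live", "tape", "restored"))
        live.mkdir()
        (live / "rates.csv").write_bytes(b"prime,4.25\n")
        (live / "users.db").write_bytes(b"alice\nbob\n")
        baseline = snapshot(live)                          # count the money first
        (live / "rates.csv").write_bytes(b"prime,42.5\n")  # decimal point moved
        (live / "helper.sh").write_bytes(b"#!/bin/sh\n")   # file nobody installed
        (live / "users.db").unlink()                       # data deleted
        shutil.copytree(live, tape)      # backup taken after the change
        shutil.copytree(tape, restored)  # later restore from that backup
        vs_backup = compare(snapshot(tape), snapshot(restored))
        vs_baseline = compare(baseline, snapshot(restored))
        return vs_backup, vs_baseline

if __name__ == "__main__":
    for label, report in zip(("restore vs backup:", "restore vs baseline:"), demo()):
        print(label, report)
```

Keep the baseline somewhere the monitored system cannot write to; a baseline an intruder can rewrite proves nothing.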
Raise your hands…how many of us have spent a weekend night or two in the data center trying to recover from a problem such as the ones I have outlined above? I thought so.
This is not to say that we should throw out all of our perimeter defenses. They are an essential layer in the defense-in-depth strategy. However, without data integrity your defense-in-depth will be shallow indeed. The addition of data integrity tools and software will add the extra layer of depth that your company may need to be assured that in the event of an incident, regardless of cause, they will be able to trust the information stored on their systems.
Correct implementation of a data-integrity-assurance solution will not only provide a sense of confidence in your data but also in other elements of your IT environment. Operating systems, applications, even your perimeter defenses will benefit from data integrity.
Data-integrity software also has valuable forensic uses, in the form of reports that can be used to start your investigation or even as evidence in a court of law. For those of you who have cyber insurance from Lloyd’s of London or other major insurance companies, you may be able to get a discount on your premium if you have a data integrity solution in place.
Where can you learn more about data integrity? SANS (www.sans.org), one of the leading organizations for security education, makes data integrity part of their basic Security Essentials Certified course. CERIAS (www.cerias.purdue.edu), headed up by security luminary Eugene Spafford, also has information about data integrity.
Purdue is where one of the first data-integrity tools, Tripwire, was created as a free academic source release for UNIX in 1992. Tripwire has since been commercialized with extended platform coverage, including Windows NT, 2000 and XP, and the company now offers a two-day certification course on Tripwire and data integrity (www.tripwire.com).
In the end, it comes down to one simple idea. If you don’t know what you have, how will you know if it’s gone? You have to count the money before you put it into the safe. Information is rapidly becoming a form of currency, and without data-integrity assurance, you may as well leave the safe open.
Chris Orr, MCP, GSEC, is a system engineer for Tripwire Inc., a data integrity software company in Portland, Ore. He has been working in IT for seven years and in security for three with a focus on the forensic uses of Tripwire softw