Wireless Security Practices

Security Disciplines for Objective 2: Prevention

2-3. Data Integrity

Description

Data integrity refers to the processes and mechanisms used to ensure that data is not accidentally or maliciously modified, altered, or destroyed, and that any such change is detected. In order to maintain data integrity during operations such as transfer, storage, and retrieval, and to ensure preservation of data for its intended use, several threat types must be addressed by policy, practice, and/or security technologies.

Purpose

Maintaining data integrity is complicated by the fact that threats can originate from hardware defects, software errors, poor design, interference (noise) in internal components and telecommunications links, well-meaning humans, and hostile humans, to name just a few. The purpose of this section is to discuss some of the more common threats to data and some of the preventive security measures available.

Best Practices

System Failures, Communications, and Program Threats—There are many possible causes of data corruption in a computer system, such as electronic noise, physical hardware defects, hardware design errors, errors introduced during data communications and transfer, and software (systems) design errors.

Most system managers rely on basic precautions such as a properly sized uninterruptible power supply (UPS) and an offline data backup program to protect against data integrity problems resulting from hardware, software, and/or communications system failures.

For situations where businesses cannot afford to risk the integrity of their data, purchasing specialized equipment can provide additional protection. Systems are available, usually at increased cost, that deploy parallel processors that cross-check each other’s output and perform end-to-end checksums on all data being transported.

Unintentional Human Threats—Users who simply want to view a file but are unfamiliar with read-only viewing tools may resort to file editors. When an editor is used to view data, it is very easy to delete or modify characters unintentionally while reading the file.

When deleting files, care must be taken not to delete files by mistake. This is especially true when using a wildcard command. If, for example, the command “delete coff*.dat” is used to delete files coff001.dat through coff009.dat, a file that should be retained called coffee.dat will also be deleted. Listing the files a pattern matches before deleting, or using a pattern no broader than necessary (coff00[1-9].dat in this case), avoids the mistake. Selecting the wrong backup tape when doing a file restore is another common way to corrupt data.
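As an added illustration (not part of the original document), the following Python functions perform the dry run described above: they list what a wildcard would delete without deleting anything, and flag matches outside the intended set. The directory listing is constructed for the example, and the broad and narrow patterns are assumptions, not commands from the page.

```python
import fnmatch

# Constructed directory listing for the example (not from the original page):
# the nine files meant to be deleted, plus two that must survive.
LISTING = [f"coff{i:03d}.dat" for i in range(1, 10)] + ["coff010.dat", "coffee.dat"]
EXPECTED = [f"coff{i:03d}.dat" for i in range(1, 10)]


def plan_delete(pattern: str, listing: list[str]) -> list[str]:
    """Dry run: return the names the wildcard would delete, deleting nothing.

    fnmatchcase uses the same *, ? and [...] rules as a shell glob and is
    case-sensitive on every platform, so the result is what a
    'delete <pattern>' command would act on.
    """
    return sorted(n for n in listing if fnmatch.fnmatchcase(n, pattern))


def unintended(pattern: str, listing: list[str], expected: list[str]) -> list[str]:
    """Names the pattern would remove beyond the intended set.

    A non-empty result means the pattern is too broad and the deletion
    should not proceed.
    """
    return sorted(set(plan_delete(pattern, listing)) - set(expected))


if __name__ == "__main__":
    for pattern in ("coff*.dat", "coff00[1-9].dat"):
        print(pattern, "->", plan_delete(pattern, LISTING),
              "unintended:", unintended(pattern, LISTING, EXPECTED))
```

The broad pattern matches coffee.dat and coff010.dat; the character-class pattern matches exactly the nine intended files, so the check returns an empty list and the deletion can proceed.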

Unintentional human threats should be addressed by using improved software utilities and training, training, and more training.

Protection can be improved by using good file name standards, access control restrictions, and utilities that detect and compensate for possible human error. For example, most properly installed and configured tape management utilities will prevent restoring a file from other than the most current finalized backup copy. If an older version needs to be used, a manual override must be applied.

Utilities that come with most modern operating systems can be configured to protect against many unintentional user threats. For example, many file deletion utilities can be configured to keep a backup copy of every file that is deleted. Although software is available to restore deleted files and to correct corrupted records, little can be done to undo decisions and processing that relied on corrupted data before the corruption was noticed.

Unintentional human threats will continue to evolve with improvements in technology. The more common threats will be eliminated by software improvements, only to be replaced by threats that are introduced by new software capabilities. Systems administrators must remain aware of the situations and software vulnerabilities that contribute to unintentional human threats. Software remedies should be implemented when available, and policy updates combined with training should be used to address the threats that remain.

Intentional Human Threats—Intentional human threats are, unfortunately, not limited to external perpetrators. Disgruntled and/or dishonest employees with access privileges and knowledge of the target system(s) pose significant threats that are much more difficult to detect.

External Human Threats—Other sections of this document describe some of the security services available to reduce the risk of intrusions and protect internal resources, including data, from being compromised. Two of the primary objectives provided by this suite of security services are origin authentication and content authentication.

Both origin and content authentication are required to protect systems resources, and it is common for both to be provided by the same security services.

Origin authentication allows the identity of a message originator to be verified. This service denies access to unauthorized originators and counters the threat of masquerades. Content authentication (also called content integrity) complements origin authentication by allowing the recipient to verify that the content of a message has not been modified since the originator produced it.

Content integrity methods vary somewhat depending on the type of origin authentication being used. The basic method is for the sender to include an integrity control value (a hash value) computed over the message content with a cryptographic hash function; in the keyed variants described below, the value is bound to a shared secret key or signed with a private key so that it also authenticates the origin. Because the hash is derived from the entire message content, the probability that a different plaintext or ciphertext hashes to the same value is minute, and the longer the hash, the smaller that probability; common hash functions produce 128- to 256-bit values.

The receiving system uses the same hash algorithm (and, where one is used, the sender's public key or the shared secret key) to recalculate the hash of the message received. If the recalculated hash matches the hash sent with the message, the message was not altered in transit. Hash values should be at least 128 bits long; MD5 (128 bits) and SHA-1 (160 bits) have published collision attacks, so a 256-bit function such as SHA-256 should be used wherever the hash must resist a deliberate adversary rather than only accidental corruption. Note also that an unkeyed hash sent alongside the message detects only accidental changes: an attacker who can replace the message can recompute the hash, so the hash must be protected by a key, either a digital signature or a shared secret, before it provides origin authentication.

When digital signatures are used to support data integrity, a public key infrastructure (PKI) may be required to manage the keys. The PKI tracks the issuance and revocation of the certificates that bind public keys to users and organizations.

A public key is associated with a user or an organization by means of a computer file called a “digital certificate.” The digital certificate includes the holder's name and public key, a serial number, a validity period, and the identity (name and digital signature) of the “Certification Authority” that issued the certificate.

When used to provide integrity services, a hash derived from the block of data to be protected is signed with the sender's private key (for RSA, the hash is raised to the private exponent; older texts describe this as encrypting the hash). The result is the sender's digital signature. Upon receipt, the signature is checked with the sender's public key, which recovers the hash the sender computed, and a new hash is calculated from the protected data block. If the two hash values match, the data has not been altered. Because the signature could only have been created with the sender's private key, it also provides “nonrepudiation” (the sender cannot deny having sent the message), provided the private key has not been disclosed and the public key is reliably tied to the sender, which is what the certificate is for.
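The hash-and-sign mechanism described in the preceding paragraphs, as an added example that is not from the original document: Python standard library only, with a deliberately toy RSA key (two published Mersenne primes, unpadded signature) chosen so the block runs offline and deterministically. The message, the attacker scenario, and the function names are assumptions for illustration. The block also shows why the hash on its own gives content integrity but not origin authentication.

```python
import hashlib

# Toy RSA key pair, fixed so the example runs offline and deterministically.
# Assumption/illustration only: the primes are two Mersenne primes (2^521-1 and
# 2^607-1), which are public and therefore useless as a real key. A real
# deployment uses random primes of at least 2048 bits and a padded signature
# scheme (RSA-PSS or PKCS#1 v1.5) or Ed25519; this shows the mechanism only.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q                              # public modulus (about 1128 bits)
E = 65537                              # public exponent (coprime to (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the sender


def fingerprint(data: bytes) -> int:
    """Integrity control value: SHA-256 of the data as an integer (256 bits < N)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def unkeyed_check(data: bytes, hash_hex: str) -> bool:
    """Content integrity only: recompute the hash and compare it with the one sent."""
    return hashlib.sha256(data).hexdigest() == hash_hex


def sign(data: bytes, private_exponent: int = D) -> int:
    """Digital signature: the hash transformed with the sender's private key."""
    return pow(fingerprint(data), private_exponent, N)


def verify(data: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Recover the hash with the public key and compare it with a fresh hash."""
    return pow(signature, public_exponent, modulus) == fingerprint(data)


def attacker_replaces(original: bytes, tampered: bytes) -> tuple[bool, bool]:
    """What an in-path attacker achieves against each scheme (constructed scenario).

    With an unkeyed hash the attacker substitutes `tampered` and recomputes the
    hash; the receiver accepts it because nothing ties the hash to the sender.
    With a signature the attacker holds no private exponent, so the best it can
    do is replay the genuine signature it saw on `original`, which fails
    against the new content.
    """
    recomputed_hash = hashlib.sha256(tampered).hexdigest()
    captured_signature = sign(original)          # the sender's real signature, seen in transit
    return unkeyed_check(tampered, recomputed_hash), verify(tampered, captured_signature)


if __name__ == "__main__":
    message = b"Transfer 100 to account 42"      # constructed sample message
    signature = sign(message)
    print("genuine verifies:", verify(message, signature))
    print("(unkeyed hash fooled, signature fooled):",
          attacker_replaces(message, b"Transfer 900 to account 42"))
```

Verification needs only the public values N and E, which is what a certificate distributes; the private exponent D never leaves the sender, which is why a valid signature also supports nonrepudiation.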

As an alternative to digital signatures and a PKI, secret-key (symmetric) cryptography can be used to provide data integrity, typically as a message authentication code (MAC) such as HMAC. A secret-key application is simpler in that only one key is used, and it must be in the possession of both the sender and the recipient. Secret-key systems are widely used but suffer from the difficulty of distributing the secret keys securely, and because both parties hold the same key, a MAC proves to the recipient that the message came from the other key holder but cannot prove it to a third party; it does not provide nonrepudiation.
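The secret-key alternative as an added example (not from the original document), using HMAC-SHA256 from the Python standard library. The 32-byte key, the sample message, and the framing (message followed by a 32-byte tag) are assumptions for the illustration; the last function demonstrates the nonrepudiation limitation described above.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32   # HMAC-SHA256 output length in bytes


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed over the message."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def unprotect(key: bytes, blob: bytes) -> Optional[bytes]:
    """Receiver side: split message and tag, recompute, compare in constant time.

    Returns the message if the tag verifies, None otherwise. compare_digest
    avoids the timing leak that a plain == on the tag bytes would create.
    """
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(expected, tag) else None


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate a transmission error or tampering by flipping one bit."""
    out = bytearray(blob)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def receiver_can_forge(key: bytes, claim: bytes) -> bool:
    """Both ends hold the same key, so the receiver can build a valid tag for a
    message the sender never sent: a MAC gives integrity and origin
    authentication between the two parties, but no nonrepudiation."""
    return unprotect(key, protect(key, claim)) == claim


if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # in practice distributed out of band
    blob = protect(key, b"Transfer 100 to account 42")
    print("intact:", unprotect(key, blob))
    print("one bit flipped:", unprotect(key, flip_bit(blob, 3)))
    print("wrong key:", unprotect(bytes(32), blob))
    print("receiver forged a claim:", receiver_can_forge(key, b"Transfer 900 to account 42"))
```

A flipped bit in either the message or the tag, or a different key at the receiver, makes `unprotect` return None, which covers both accidental corruption and deliberate tampering; the key-distribution problem noted above is exactly the step this block skips by generating the key locally.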

Internal Human Threats—Data integrity cannot be maintained adequately without protection from disgruntled and dishonest employees. Sections 1-2 and 1-3 cover some of the core security services and policies that are necessary to reduce the risk of internal human threats. For example, all employees who handle sensitive information should have background checks completed (see Section 1-3), and separation of duties should be implemented. If an employee does not need access to a system resource, deny access (see Section 1-4). Consider creating a security policy manual that includes a chapter on internal threats for employees to have on hand. Implement two-factor authentication (something you know and something you have), strict password policies, and logoff procedures for access to information resources. And last but not least, use audit systems and intrusion detection software.

Prevention and Recovery

  • Prevention—The following simple precautions can significantly reduce the chances of experiencing data integrity problems.
    • Back up data and other software resources on a regular schedule, and store current copies at a secure off-site location.
    • Avoid using freeware or any other software that does not originate from a trusted source.
    • Back up data at intervals determined by the length of the recovery process.
    • Always use up-to-date anti-malware (virus protection) software.
    • Have a properly maintained UPS and power-conditioning equipment operational at all times.
    • Enable auto-save features in system software and utilities, when available.
    • Implement and maintain auditing/detection tools capable of detecting and reporting changes to mission-critical system files. See Section 3-1.
  • Recovery—Prepare a thorough plan for responding to data integrity problems. This plan can be a subset of the Intrusion Detection Response and/or Disaster Recovery Plans.
