Posts Tagged ‘Data Integrity’

Trustworthy time and the crucial role it plays in providing digital evidence

Tuesday, October 4th, 2011

Editor’s Note: Nearly every day, some new data assurance-related issue is featured in the news. We thought it might be a good time to blog on some of the more noteworthy aspects of news and trends. The first in this series is on the use of trusted time.

Time is used throughout the judicial landscape to provide a chronology of events. In the digital world, these events are often captured in audit logs, where each event is associated with a timestamp. When things go wrong and the audit log data is needed as evidence in a court of law, the question arises whether system time synchronization capabilities have been used or, even better, whether trusted time stamping solutions are installed. At issue here is whether it can be proven that the data has not been compromised or tampered with in any way.

Organizations that have implemented Network Time Protocol (NTP) are better off than those relying only on the system’s hardware clock, which is usually set at the beginning of the hardware’s life or perhaps during some critical hardware maintenance event. In that case any time data, e.g. in audit logs, is only as accurate as the hardware engineer’s wristwatch. In well-run IT environments this is not so common. Additionally, well-run organizations would use a log centralization tool that adds its own timestamp from when it received the audit event data. If this is done in real time across a multitude of systems, the forensic and audit value is very high.
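The value of the collector's receipt timestamp can be shown with a short check that compares it against the time each source system claimed. This is an added example, not code from the original post; the host names, events and the five-second tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: (host, timestamp written by the source system,
# timestamp added by the central collector on receipt). All values are invented.
SAMPLE_EVENTS = [
    ("web01", "2011-10-04T09:00:00+00:00", "2011-10-04T09:00:01+00:00"),
    ("web01", "2011-10-04T09:05:00+00:00", "2011-10-04T09:05:02+00:00"),
    ("db01", "2011-10-04T08:47:10+00:00", "2011-10-04T09:01:00+00:00"),
    ("db01", "2011-10-04T08:52:15+00:00", "2011-10-04T09:06:03+00:00"),
    ("app01", "2011-10-04T09:10:30+00:00", "2011-10-04T09:10:00+00:00"),
]

TOLERANCE = timedelta(seconds=5)  # assumed allowance for transit delay and NTP error


def host_offsets(events):
    """Return {host: median(receipt time - source time)} as timedeltas."""
    deltas = {}
    for host, source_ts, receipt_ts in events:
        received = datetime.fromisoformat(receipt_ts)
        claimed = datetime.fromisoformat(source_ts)
        deltas.setdefault(host, []).append((received - claimed).total_seconds())
    return {host: timedelta(seconds=median(vals)) for host, vals in deltas.items()}


def classify(events, tolerance=TOLERANCE):
    """Label each host's clock relative to the collector's receipt timestamps."""
    verdicts = {}
    for host, offset in host_offsets(events).items():
        if offset < -tolerance:
            # An event cannot be received before it happened: source clock runs ahead.
            verdicts[host] = "source clock ahead"
        elif offset > tolerance:
            # Late forwarding looks the same; either way the source time is in doubt.
            verdicts[host] = "source clock behind or delivery delayed"
        else:
            verdicts[host] = "consistent"
    return verdicts
```

A steady per-host offset, such as the roughly 14 minutes for `db01` here, points to an unsynchronized clock rather than network delay, and the collector's timestamp gives an independent bound on when the event can have occurred.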

Going back to using these audit log records as digital evidence: if I were a cross-examining lawyer who wanted to diminish the value of the time data, it would be fun finding out whether or not the audit logs’ time source comes from some time-synchronized system. Obviously, any time data that traces back to the hardware engineer’s watch would carry significantly lower evidential weight. And if an NTP time server was used, the question arises: “How vulnerable is the NTP time server, and what is the time source that sets its clock?” Motivation may be a defense, but that discussion is for another blog post. Many vulnerabilities associated with the use of NTP have been published, for example Cisco Security Advisory: NTP Vulnerability and Ubuntu NTP vulnerability; many more are available through a simple web search.

Trustworthy time is a crucial attribute in the digital evidence world. If the time data within the audit logs of at least the important systems does not carry sufficient evidential weight, then there could be happy defense lawyers and their clients out there celebrating their successes.

Author: Nadeem Bukhari

Data Integrity: the ticking time bomb

Tuesday, May 19th, 2009

I’ve read a great post on David Lacey’s blog. Very clearly, he points out how most people and organizations are forgetting that information security is based on a three-pillar house (Availability, Confidentiality and Integrity, or CIA).

Availability was the main focus some years ago. Denial-of-service was the main worry, and business continuity was the focus of organizations. Then came the turn of confidentiality, and encryption became something that was -almost- everywhere. The impact of a loss in availability is big; the impact of a loss of confidentiality is bigger… and scarier.

But now comes the time for data integrity. Right now, few decision-making minds in organizations focus on that, or care about it. But still, the impact of a loss in data integrity is -and here we agree with Mr. Lacey- huge. What if somebody changed the data, intentionally or not? Results can go from undermining the people’s (think about the recent alleged attack by a hacker on the Virginia Health Professions Database) or even fraud (think about the Satyam Computers case).

And it gets darker. The problem lies not only in safeguarding integrity, but also in the long and painful process of recovering from one of these attacks: how to know exactly which data is trustworthy (i.e. hasn’t been tampered with) and which is not?
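One way to make that recovery question answerable is to seal records with a chained keyed hash when they are written, so that a later check can list exactly which entries no longer verify. This is an added example of one possible technique (a chained HMAC), not something the post or Mr. Lacey describes; the key and records are constructed, and it assumes the key is held outside the system being protected.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: stored outside the protected system

# Constructed sample records, invented for this example.
SAMPLE_RECORDS = [
    {"id": 1, "account": "A-100", "amount": 250},
    {"id": 2, "account": "A-101", "amount": 90},
    {"id": 3, "account": "A-102", "amount": 4000},
    {"id": 4, "account": "A-103", "amount": 15},
]


def _tag(key, prev, record):
    """HMAC-SHA256 over the previous tag plus a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()


def seal(records, key=KEY):
    """Attach a chained tag to each record, in write order."""
    sealed, prev = [], b"\x00" * 32
    for rec in records:
        prev = _tag(key, prev, rec)
        sealed.append({"record": rec, "tag": prev.hex()})
    return sealed


def untrusted_indexes(sealed, key=KEY):
    """Positions whose tag does not match their content and predecessor.

    An edited record flags its own position; a deleted record flags the
    entry that followed the gap. Entries not listed still verify.
    """
    bad, prev = [], b"\x00" * 32
    for i, entry in enumerate(sealed):
        stored = bytes.fromhex(entry["tag"])
        if not hmac.compare_digest(_tag(key, prev, entry["record"]), stored):
            bad.append(i)
        prev = stored  # continue from the stored tag so later entries are still checked
    return bad
```

Removing entries from the end of the chain is not detected by this check alone; the most recent tag has to be recorded somewhere else, for instance with a trusted timestamp.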

It is surprising that currently there is not a big concern about this. We are guessing that unfortunately this concern will come when it is too late, when there are many breaches in data integrity and the costs and consequences are there to remind us of its importance. That is why, in David Lacey’s words, it is a time-bomb, waiting to explode.

Defending against data integrity attacks

Monday, March 2nd, 2009

We’ve already mentioned that data integrity is going to be the next big threat. Well, Sarb Sembhi, president of the London chapter of ISACA, also thinks so.
In this very interesting short article, Mr. Sembhi points out something many people think: there are many more attacks than the ones disclosed to the public. He also points out that, tied to the economic climate we currently have, several high-profile fraud cases are being discovered (and we think that unfortunately there are many more to come). Although not directly linked, he also implies that high-value frauds and data integrity attacks are closely related. The likelihood of data integrity being part of these data manipulations increases as the total value of the fraud gets higher; hence, it wouldn’t be wrong to assume that -again- the lack of proper data integrity protection tools certainly doesn’t help prevent this type of case in organizations.

We are working to show Mr. Sembhi that we are what he is missing: a data integrity protection solution aimed at protecting every type of data.

In the meantime, he mentions a fact as true as the sky is blue: it all starts with putting proper procedures in place. To reduce the organization’s exposure to data integrity attacks (and to high-value frauds), Mr. Sembhi mentions:

  • “Create policies and procedures for data quality and data integrity
  • Create policies and procedures to identify the extent of the problem and record incidences of data integrity compromises and suspected incidents of fraud
  • Ensure information assets are correctly valued, (including configuration and log files, and meta data)
  • Undertake threat assessment of valued data
  • Take a risk management approach to protecting data integrity
  • Ensure adequate protection of all data that is relied upon for investigatory purposes
  • Include data integrity protection as part of security awareness programme”

BSI 10008 – Another proof that integrity is the next big thing

Friday, January 16th, 2009

The British Standards Institution (or BSI) has recently published the BSI 10008, a new standard that focuses on the evidential weight of electronic information. It establishes a set of requirements organizations should follow in their data management procedures for ensuring… yes, you got it: the integrity of information.

The new standard’s name is quite self-explanatory: “Evidential weight and legal admissibility of electronic information. Specification”. As the BSI website states, “legal admissibility concerns whether or not a piece of evidence would be accepted by a court of law. To ensure the admissibility, information needs to be managed by a secure system throughout its lifetime (which can be for many years). Where doubt can be placed on the information, the evidential weight may well be reduced, potentially harming the legal case”. The BSI 10008 is therefore aimed at ensuring that any piece of electronic information used in a court of law has the maximum evidential weight.

There are many interesting aspects here. First, it shows the need to clearly establish guidelines and a common framework for how to deal with electronic data and digital evidence. And second -but no less important- it outlines how data integrity is a key aspect of information management.

We just bought a copy of the standard. We’ll read it and publish some thoughts… Stay tuned.