Data integrity attacks have compromised corporate information including emails, employee records, financial records, and customer data. Destructive malware, ransomware, malicious insider activity, and even honest mistakes all create the need for organizations to recover quickly from an event that alters or destroys data. Businesses must be confident that recovered data is accurate and safe.
The National Cybersecurity Center of Excellence (NCCoE) at NIST built a laboratory environment to explore methods for effectively recovering from a data corruption event in various Information Technology (IT) enterprise environments. The NCCoE also explored issues around auditing and reporting of IT system use to support incident recovery and investigations.
This NIST Cybersecurity Practice Guide demonstrates how organizations can develop and implement appropriate actions following a detected cybersecurity event. The solutions outlined in this guide encourage monitoring for and detecting data corruption in commodity components, as well as in custom applications and data composed of open-source and commercially available components.
Thorough quantitative and qualitative data collection is important to organizations of all types and sizes. It can impact all aspects of a business including decision making, transactions, research, performance, and profitability, to name a few.
CHALLENGE
Organizations must be able to recover quickly from a data integrity attack and trust that any recovered data is accurate, complete, and free of malware. Data integrity attacks, carried out through unauthorized insertion, deletion, or modification of data, have compromised corporate information including emails, employee records, financial records, and customer data. Some organizations have experienced systemic attacks that caused a temporary cessation of operations. One variant of a data integrity attack, ransomware, encrypts data and holds it hostage while the attacker demands payment for the decryption keys.
SOLUTION
The NCCoE developed and implemented a solution that incorporates appropriate actions in response to a detected cybersecurity event. If data integrity is jeopardized, multiple systems work in concert to recover from the event. The solution includes recommendations for commodity components and explores issues around auditing and reporting to support recovery and investigations.
While the NCCoE used a suite of commercial products to address this cybersecurity challenge, this guide does not endorse any particular products, nor does it guarantee compliance with any regulatory initiatives. Your organization's information security experts are responsible for identifying the available products that will best integrate with your existing tools and IT system infrastructure. Your organization can adopt this solution as a whole, adopt one that adheres to these suggested guidelines, or use this guide as a starting point for tailoring and implementing parts of the solution.