NIST SPECIAL PUBLICATION 1800-11
Data Integrity
Recovering from Ransomware and Other Destructive Events
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Timothy McBride
Michael Ekstrom
Lauren Lusty
Julian Sexton
Anne Townsend
DRAFT
Tim McBride
National Cybersecurity Center of Excellence
National Institute of Standards and Technology
Michael Ekstrom
Lauren Lusty
Julian Sexton
Anne Townsend
The MITRE Corporation
McLean, VA
DRAFT
September 2017
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Kent Rochford, Acting Undersecretary of Commerce for Standards and Technology and Director
- Volume B
- 1. Summary
- 2. How to Use This Guide
- 3. Approach
- 4. Architecture
- 5. Example Implementation
- 6. Security Characteristics Analysis
- 6.1. Assumptions and Limitations
- 6.2. Analysis of the Reference Design’s Support for CSF Subcategories
- 6.2.1. PR.IP-3: Configuration Change Control Processes Are in Place
- 6.2.2. PR.IP-4: Backups of Information Are Conducted, Maintained, and Tested Periodically
- 6.2.3. PR.DS-1: Data-at-Rest Is Protected
- 6.2.4. PR.DS-6: Integrity Checking Mechanisms Are Used to Verify Software, Firmware, and Information Integrity
- 6.2.5. PR.PT-1: Audit/Log Records Are Determined, Documented, Implemented, and Reviewed in Accordance with Policy
- 6.2.6. DE.CM-3: Personnel Activity Is Monitored to Detect Potential Cybersecurity Events
- 6.2.7. DE.CM-1: The Network Is Monitored to Detect Potential Cybersecurity Events
- 6.2.8. DE.CM-2: The Physical Environment Is Monitored to Detect Potential Cybersecurity Events
- 6.2.9. PR.IP-9: Response Plans and Recovery Plans Are in Place and Managed
- 6.2.10. DE.AE-4: Impact of Events Is Determined
- 6.3. Security of the Reference Design
- 7. Functional Evaluation
- 8. Future Build Considerations
- Volume C
- 1. Introduction
- 2. Product Installation Guides
- 2.1. Active Directory and Domain Name System (DNS) Server
- 2.2. Microsoft Exchange Server
- 2.3. SharePoint Server
- 2.4. Windows Server Hyper-V Role
- 2.5. MS SQL Server
- 2.6. HPE ArcSight Enterprise Security Manager (ESM)
- 2.7. IBM Spectrum Protect
- 2.8. GreenTec WORMdisks
- 2.9. Veeam Backup & Replication
- 2.10. Tripwire Enterprise and Tripwire Log Center (TLC)
- 2.11. Integration: Tripwire Log Center (TLC) and HPE ArcSight ESM
- 2.12. Integration: HPE ArcSight ESM with Veeam and Hyper-V
- 2.13. Integration: GreenTec WORMdisks and IBM Spectrum Protect
- 2.13.1. Install IBM Spectrum Protect Server on the GreenTec Server
- 2.13.2. Configure IBM Spectrum Protect
- 2.13.3. Connect the GreenTec Server to the IBM Spectrum Protect Server
- 2.13.4. Define a Volume on the GreenTec Server
- 2.13.5. Create a Policy to Backup to GreenTec disks
- 2.13.6. Create a Schedule That Uses the New Policy
- 2.13.7. Installing Open File Support on the Client
- 2.13.8. Temporarily Add Client to GreenTec IBM Server
- 2.14. Integration: Backing Up and Restoring System State with GreenTec
- 2.15. Integration: Copying IBM Backup Data to GreenTec WORMdisks
- 2.16. Integration: Tripwire and MS SQL Server