PCI DSS and File Integrity Monitoring

Today, almost all organizations use firewalls, configure their systems against documented configuration standards, and protect and monitor those systems with anti-virus software and log records.

However, if you interpret the requirements correctly, file integrity monitoring (FIM) software becomes a real advantage for tracking your critical files, because it supports several other requirements at the same time.

The use of File Integrity Monitoring (FIM) software is a PCI DSS requirement. In short, it gives you a direct form of assurance by alerting you whenever an essential file changes.

The use of File Integrity Monitoring (FIM) software has long been considered the cornerstone of best practices in information security. However, there are still several common misunderstandings about why File Integrity Monitoring (FIM) software is essential and what it can provide.

PCI DSS Requirement 11.5 explicitly refers to file integrity monitoring when it describes the need to alert authorized personnel to unauthorized modification of critical system or configuration files.

According to the PCI DSS requirements, File Integrity Monitoring (FIM) software should be configured to perform critical file comparisons at least weekly.

See Also: PCI DSS Requirement 11 Explained

File monitoring software should be used much more widely to support the security of an information technology asset. For example, several major PCI DSS requirements can best be met using file integrity monitoring technologies:

  • PCI DSS Requirement 1: Monitoring firewall and router configuration standards
  • PCI DSS Requirement 2: Following configuration standards for all system components
  • PCI DSS Requirement 6: Monitoring of system and application critical files
  • PCI DSS Requirement 10: Ensuring log files cannot be altered
  • PCI DSS Requirement 11: Detecting file changes

Using File Integrity Monitoring (FIM) software for the above requirements will make your job much easier. However, as stated earlier, PCI DSS is a network of interconnected and overlapping requirements, so the file integrity checking task also spans a much broader scope.

File integrity monitoring tools support system hardening, system standards, and other change management requirements.

What Are the Types of File Integrity Monitoring (FIM)?

File integrity monitoring (FIM) software refers to a security process and technology that tests and checks the operating system (OS), database, and application files to determine whether files have been modified or corrupted.

File Integrity Monitoring (FIM), a type of change control, verifies the latest known versions of these files against a trusted “baseline.” If FIM detects that files have been modified, updated, or compromised, it can generate alerts to allow further investigation and, if necessary, remediation.

File integrity monitoring includes reactive (forensic) inspection and proactive inspection, i.e., active monitoring based on rules.

File integrity monitoring is deployed in two ways: agent-based and agentless.

In agent-based file integrity monitoring software, an agent (application) is installed on the host computer and performs file monitoring by transmitting the changes it detects to the central server in real-time. In this way, the File Integrity Monitoring (FIM) agent also reduces the host and network’s recurring load for scanning.

The FIM agent is defined on a master file tracking management server, and then adjustments are made through this master server.

See Also: File Integrity Monitoring Tools for PCI DSS

On the other hand, agentless File Integrity Monitoring (FIM) scanners can only detect changes at scheduled times, meaning they have no real-time detection or reporting capability. Agentless FIM scanners usually need to re-baseline and re-hash every file on the device each time they scan.

What Are the Approaches Used in File Integrity Monitoring?

A file integrity monitoring solution uses one of the following approaches:

Baseline Comparison: In the baseline comparison approach, one or more file properties, such as checksums, are calculated and stored. One reliable method is to compute a cryptographic hash of each monitored file and compare it with a previously recorded hash that serves as the baseline.

Real-Time Change Notification: This approach is implemented as an extension of the operating system kernel. When an unauthorized access to or change of a monitored file occurs, it immediately sends a notification to the management server or to authorized personnel.

The most widely used approach to file integrity monitoring is baseline comparison.
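The baseline comparison approach described above, as an added example that is not code from the original article or from any FIM product. It fingerprints every file under a directory (SHA-256 of the content plus size and permission bits), stores the baseline as JSON, and reports added, removed and modified files on the next comparison. The directory tree, file contents and the three simulated changes in `demo()` are constructed for the example.

```python
"""Baseline comparison FIM check: added example, not code from the page or any product.
Assumes a directory tree to monitor; demo() builds one in a temp dir (constructed data)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes a baseline comparison records per file: a SHA-256 of the
    content plus size and permission bits, so an attribute-only change is caught too."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by its relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the trusted baseline. Keep it off-host or read-only in practice:
    a baseline an attacker can rewrite proves nothing."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into added, removed and modified files. 'modified' lists
    which attributes differ, so a permission change on unchanged content is reported."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        diffs = {k: (baseline[rel][k], current[rel][k])
                 for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then make three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF original build")
        store = Path(tmp) / "baseline.json"          # kept outside the monitored tree
        save_baseline(build_baseline(root), store)
        baseline = load_baseline(store)
        # Simulated unauthorized changes the next scheduled comparison must surface:
        (root / "etc" / "app.conf").write_text("debug=true\n")     # content edited
        os.chmod(root / "bin" / "service", 0o777)                  # permissions only
        (root / "etc" / "unexpected.so").write_bytes(b"new file")  # file added
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison reports each attribute that differs rather than a bare changed/unchanged flag, which is what an investigator needs to tell a permission change on an intact binary from a content change. Run on a real tree, the same two functions would be scheduled at least weekly to satisfy the comparison interval the article cites.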

What are the File Integrity Monitoring (FIM) Requirements on PCI-DSS?

PCI DSS Requirement 11.5 requires the use of detection solutions such as File Integrity Monitoring (FIM) tools to control critical file changes and notify when such changes are detected.

If the change detection solution is not implemented correctly, a malicious person could alter the contents of the configuration file, operating system programs, or executable files for the application.

If unauthorized changes are not detected, they can render existing security controls ineffective or cause cardholder data to be stolen without any noticeable impact on the regular operation.

PCI DSS Requirements 10.5.5 and 11.5 are intended to protect the sensitive logs of in-scope systems and to ensure that changes to files cannot lead to an undetected compromise of cardholder data.

See Also: PCI SIEM Requirements

PCI DSS Requirement 10.5.5 makes a File Integrity Monitoring (FIM) solution necessary to ensure that log files cannot be altered. This keeps the log files usable as evidence during forensic analysis and preserves the integrity of existing log data.

PCI DSS Requirement 11.5 requires the use of file integrity monitoring tools to detect file changes, which in turn supports more regular monitoring of the actual integrity of in-scope systems.

The most crucial point about file integrity monitoring is that the solution should offer real-time file monitoring without consuming so many system resources that performance suffers.

Why Is Monitoring File Integrity Important?

File Integrity Monitoring (FIM) software scans, analyzes, and reports unexpected changes to critical files in your environment. Thus, file integrity monitoring provides a crucial layer of file, data, and application security while speeding up incident response.

The four main advantages of monitoring file integrity are as follows:

Detection of Illegal Activity

You need to know if a cyber attacker breaks into your environment and tries to replace any critical files of your operating systems or applications. Even if the attacker evades or tampers with log files and other detection systems, FIM can still detect changes in essential parts of your information technology ecosystem. With FIM in place, you can monitor and protect the security of your files, applications, operating systems, and data.

Detecting Unwanted Changes

Often, unwanted file changes are made accidentally by an administrator or another employee. Sometimes the consequences of these changes are minor and overlooked. At other times, they can create security backdoors or disrupt the continuity of business operations. File integrity monitoring simplifies your work by helping you focus on erroneous changes so you can revert them or make other corrections.

Verifying Update Status and Monitoring System Health

With the post-patch checksum, you can quickly check whether files are patched to the latest version by scanning installed versions in multiple locations and machines.

Meeting Compliance Competencies

The ability to audit changes and track and report certain types of events is required not only for PCI DSS but also for compliance with regulatory requirements such as GLBA, SOX, HIPAA.

What is PCI DSS File Integrity Monitoring Scope?

When properly designed and implemented, a File Integrity Monitoring (FIM) solution is a valuable addition to the layers of a defense-in-depth strategy that protects the infrastructure.

It is necessary to check all file additions, updates, and deletions, as any change that compromises the server’s security can be significant. Any change to file attributes or file size is a change that needs attention.

It should be noted that Trojans are built to mimic existing system files and to keep behaving normally, appearing like the original executable, dynamic link library, or driver.

For most of its settings, Windows uses the registry and the Win32 API, a tightly controlled and restricted domain.

On Windows-based devices that handle cardholder data, including EPoS terminals and similar equipment, the System32 and SysWOW64 folders and sensitive application program files should be monitored at a minimum.

File Integrity Monitoring (FIM) is essential for Linux and Unix systems as well as Windows-based environments. Because configuration lives in the general file system, configurations are much more exposed in Linux and Unix environments.

Exposed configurations make Linux and Unix more vulnerable to direct attacks and tampered binary executables. Being able to update and replace core files on Linux or Unix means attackers can easily inject malicious code.

For Linux and Unix, the /etc/ and /usr/bin/ locations and all associated software configuration files must be checked for integrity along with the installer files.

The most critical step in File Integrity Monitoring (FIM) is determining which files to watch. Watching too many files generates noise that hampers investigation. Watching too few files can mean losing the critical data needed to identify a security incident.

The following file types need to be carefully monitored and checked:

Operating System Files and Directories: It is important to monitor system files and libraries to prevent system manipulation and unauthorized intervention. The following folders should be watched in Windows operating systems:

  • C:\Windows\System32
  • Boot/start, password, Active Directory, Exchange, SQL, etc.

Critical directories to watch in Linux are as follows:

  • /bin
  • /sbin
  • /usr/bin
  • /usr/sbin
  • Bootloader, kernel parameters, background daemons and services, run commands, cron jobs, profiles, etc.

Application Files: File Integrity Monitoring (FIM) can also be configured to check whether an attacker has altered the web application’s code or files. Program files usually contain the various programs that run regular processes and activities on your machine. These include firewalls, anti-virus software, media players and similar programs, together with their supporting files such as configuration files and libraries. These files should be monitored closely. In Windows, program files are usually stored in:

  • C:\Program Files
  • C:\Program Files (x86)

Applications on Linux systems are located in:

  • /opt
  • /usr/bin
  • /usr/sbin

Configuration Files: Configuration files are an integral part of the operating system and applications and are usually accessed when the respective application or service is started and run. Configuration files describe the functioning of the device and the application.

On Windows, configuration is largely held in the registry; on Linux and OS X systems it is held in various text-based configuration files. It is vital to watch these with FIM.

Log Files: Log files contain records of transactions or events. Depending on the application, various events are logged and may include access details, user behavior, errors, and other details. After an intrusion, the attacker’s primary goal is to hide and delete any traces left behind.

Log records are rich sources of information and help in responding to incidents. Log files should only be accessed and updated by the authorized application. Active log collection from the network must be performed, with the logs stored on separate tamper-proof servers, to prevent log files from being tampered with.

Logs are stored in the event viewer in Windows operating systems, while in UNIX-based operating systems, they are held by the system in the /var/log directory.

Digital Keys, Certificates, and Credentials: Digital keys are used in cryptography to ensure that data and information are transmitted securely between authorized parties. In authentication systems, certificates may be used instead of the traditional login system that requires a username and password.

Credential stores may also hold confidential information such as your login details, financial statements, and bank account information. All digital keys, certificates, and credentials are stored as files, so FIM monitoring of them is essential to prevent serious incidents.

File Integrity Monitoring (FIM) and Anti-Virus Software

A File Integrity Monitoring (FIM) program is an excellent complement to your malware protection controls. A great deal of new malware is released almost every day. Therefore, you cannot rely solely on anti-virus software to protect your system.

Set the FIM program to scan for changes in important file folders. Usually, the FIM program is designed to monitor areas where sensitive files are located in a computer’s file system. FIM tools can generate an alert that can be followed when a file is updated.

Malware is a program that consists of files copied to the target device. Even if your anti-virus program does not recognize malicious software files’ signatures, the FIM program will detect that the files were written to your computer and alert you to analyze and make sure you know what those files are.

Are File Integrity Monitoring (FIM) and SIEM the Right Solution?

PCI DSS Requirement 10 deals with logging the required security events and backing up and analyzing log files. In this context, a logging system will be an essential component of your PCI DSS toolkit.

Both SIEM and event log management systems rely on an agent or a polled WMI query to access log files. When new events are added to a log file, these recent events are captured by the SIEM, centrally backed up, and evaluated for clear evidence of security events or for unusual activity levels that might suggest a security incident.

Most SIEM software has extended this approach to include a simple FIM check on device and configuration files and evaluate whether any files have changed.

A modified system file can reveal that a Trojan horse or other malware has infiltrated the host system. Besides, a modified configuration file may weaken the “hardened” state, which is inherently protected, making it more vulnerable to attacks.

PCI DSS Requirement 11.5 requires tracking “unauthorized” changes, and therefore a change management mechanism is needed. Other changes can be classified as “Expected,” “Approved,” or “Unexpected.”

In theory, classifying every change this way is an excellent way to keep your infrastructure consistent. In practice, however, file integrity monitoring designed in such a ‘black and white’ fashion is of little use: it often produces so many false or ambiguous alerts that the legitimate ones are hidden from the information security team.

Enterprise File Integrity Monitoring (FIM) will provide you with a snapshot of whether databases, servers, EPoS systems, workstations, routers, and firewalls are securely configured to meet your hardening standard. By contrast, a SIEM system on its own is unaware of how the devices are configured and of whether a configuration change has occurred.

File Integrity Monitoring (FIM) and Change Management Process

When File Integrity Monitoring (FIM) is implemented and configured in a default way, it will generate many false positive alerts. As a best practice, the FIM process should be aligned with the organization’s existing change management process.

Since File Integrity Monitoring (FIM) flags every change without exception, the change management process must be well established and followed. The file integrity monitoring software should be told well in advance of any changes that are about to occur so that the number of false positives does not increase.

Also, most advanced FIM programs have a pre-definable change template for tracking all changes defined as a scheduled operation. This also helps identify unplanned changes that are potentially dangerous or malicious.
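The classification the two sections above describe (approved change tickets, pre-defined change templates for scheduled operations, and everything else treated as unauthorized), as an added example that is not code from the original article or from any FIM product. The ticket, template and detected changes are constructed; the account names, paths and times are assumptions for the example. One detail worth noting in the code: a change inside an approved window but made by an account other than the one the ticket names is still reported as unauthorized, since the window alone is not authorization.

```python
"""Reconciling FIM detections with change management: added example, not the page's
or any product's code. Tickets, templates and events below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch


@dataclass
class DetectedChange:
    path: str
    when: datetime
    actor: str   # account the audit trail attributes the change to
    kind: str    # "added", "modified" or "removed"


@dataclass
class ApprovedChange:
    """A change-control ticket: which paths may change, when, and by whom."""
    ticket: str
    path_glob: str
    window_start: datetime
    window_end: datetime
    actor: str


@dataclass
class ChangeTemplate:
    """A pre-defined recurring operation, for example a weekly patch window."""
    name: str
    path_glob: str
    weekday: int     # 0 = Monday ... 6 = Sunday
    start_hour: int
    end_hour: int    # exclusive
    actor: str


def classify(change: DetectedChange, approved: list, templates: list) -> tuple:
    """Label a detection 'approved' (ticket match), 'expected' (scheduled template
    match) or 'unauthorized', with a reason the analyst can read in the alert."""
    for a in approved:
        if fnmatch(change.path, a.path_glob) and a.window_start <= change.when <= a.window_end:
            if change.actor == a.actor:
                return "approved", f"matches {a.ticket}"
            return "unauthorized", f"inside window of {a.ticket} but made by {change.actor}, not {a.actor}"
    for t in templates:
        if (fnmatch(change.path, t.path_glob) and change.when.weekday() == t.weekday
                and t.start_hour <= change.when.hour < t.end_hour and change.actor == t.actor):
            return "expected", f"matches scheduled template '{t.name}'"
    return "unauthorized", "no matching ticket or template"


def demo() -> list:
    """Constructed change records and detections; returns (path, label, reason) per event."""
    approved = [ApprovedChange("CHG-1042", "/etc/ssh/*",
                               datetime(2024, 1, 10, 10, 0), datetime(2024, 1, 10, 11, 0), "ansible")]
    templates = [ChangeTemplate("weekly-patching", "/usr/bin/*", weekday=6,
                                start_hour=2, end_hour=4, actor="root")]
    events = [
        DetectedChange("/etc/ssh/sshd_config", datetime(2024, 1, 10, 10, 15), "ansible", "modified"),
        DetectedChange("/usr/bin/curl", datetime(2024, 1, 14, 2, 30), "root", "modified"),   # a Sunday
        DetectedChange("/etc/passwd", datetime(2024, 1, 12, 23, 40), "www-data", "modified"),
        DetectedChange("/etc/ssh/sshd_config", datetime(2024, 1, 10, 10, 40), "svc-backup", "modified"),
    ]
    return [(e.path, *classify(e, approved, templates)) for e in events]


if __name__ == "__main__":
    for path, label, reason in demo():
        print(f"{label:12} {path:24} {reason}")
```

Feeding the FIM output through a function like this is what turns a raw change list into the small number of alerts the security team actually has to look at; the ticket and template data would normally come from the change management system rather than being declared in code.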

What are File Integrity Monitoring Best Practices?

To create a “digital fingerprint,” file integrity monitoring examines different aspects of a file. It then compares this fingerprint to a known, trusted baseline fingerprint.

Enterprise File Integrity Monitoring (FIM) software looks at many different aspects of files, including:

  • Created, modified, and last-accessed timestamps
  • Security and privilege settings
  • Content of the file
  • Basic attributes and size
  • Hash values computed from the file contents
  • Configuration values
  • Identity (owner) information

A useful FIM tool should monitor all the components of your environment, including:

  • Network devices and servers
  • Workstations and remote devices
  • Databases, directories, operating system, and middleware
  • Cloud-based services
  • Hypervisor configurations and Active Directory

An enterprise FIM solution should provide alerts with change management, real-time logging, centralized logging, and reporting. File integrity monitoring is often part of a more comprehensive audit and security solution, including features such as the automatic rollback of changes to an earlier, trusted state.

An ideal FIM solution should give you clear and fast information about who, what, where, and when for every access and change event.

Using a FIM product that lacks certain useful features will not provide sufficient security. A FIM product must be able to detect that an unauthorized change has occurred, what has changed, and who changed it.

Below are the key features an FIM product should have:

Detect any unauthorized modifications.

The FIM product’s first and most important feature is identifying any unauthorized changes to the file system. Changes should be reconciled against the change control process, and any change outside it should raise a FIM alert.

File Integrity Monitoring (FIM) products need to create a hash of each monitored file using algorithms such as SHA so that malware and data theft can be detected.

It is generally thought that the risk of a malicious program doing anything on the network is low once you have an anti-malware or anti-virus solution. However, even with anti-malware solutions, zero-day vulnerabilities can harm your system.

However, in case of a zero-day attack, you can detect any suspicious file content changes with FIM. That’s why FIM is a necessary solution that acts as a last line of defense.

Learn more about who changed what and when.

Creating a reliable hash indicates that something has changed but does not give you other important information such as what changed, who changed it. A correct FIM strategy should go beyond recognizing that something has changed but provide detailed information on who has changed it and what has changed exactly.

To do this, the FIM software must record the file’s content and attributes in a readable form, so that the specific differences can be reported.

Monitor File or Folder Access.

Hashes are created for the files that need to be tracked, and FIM recomputes them during analysis to detect any change. Log files, however, are updated constantly, so the recomputed hash differs almost every time and usually triggers a false positive alert.

Most data thefts result from unauthorized access. Therefore, for log files and directories, access permissions must be under FIM oversight so that any access, permitted or unauthorized, is identified.

The FIM product should create a full audit trail to track who has accessed the data and what they did with it.
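The log file problem raised above (and in the Log Files paragraph of the scope section): a plain content hash of a growing log changes at every check, which produces nothing but false positives, while the real concern is that earlier entries are edited or removed. The following added example, which is not code from the original article or from any FIM product, treats a log as append-only: it re-hashes only the bytes that existed at the previous check, so growth is accepted silently, but a shortened file or a changed prefix raises an alert. The log lines and file names are constructed.

```python
"""Append-only integrity check for log files: added example, not the page's or any
product's code. The log lines below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def log_state(path: Path) -> dict:
    """What the monitor keeps for a file that is expected to grow: its size and
    the SHA-256 of everything written up to that point."""
    data = path.read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def check_append_only(path: Path, prev: dict) -> dict:
    """Re-hash only the bytes that existed at the last check. Growth is expected
    and raises no alert; shrinkage or a changed prefix does."""
    with path.open("rb") as fh:
        prefix = fh.read(prev["size"])
        appended = fh.read()
    if len(prefix) < prev["size"]:
        verdict = "truncated"      # file shorter than before: history removed
    elif hashlib.sha256(prefix).hexdigest() != prev["sha256"]:
        verdict = "rewritten"      # earlier entries changed in place
    elif appended:
        verdict = "grown"          # normal logging activity
    else:
        verdict = "unchanged"
    alert = verdict in ("truncated", "rewritten")
    # Advance the stored state only for clean results; after an alert the last
    # trusted state is kept so the investigator can see what was verified.
    state = prev if alert else {"size": prev["size"] + len(appended),
                                "sha256": hashlib.sha256(prefix + appended).hexdigest()}
    return {"verdict": verdict, "alert": alert, "state": state}


def demo() -> list:
    """Constructed scenario: normal growth, a quiet check, then two kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "auth.log"
        log.write_text("Jan 10 09:00:01 host sshd[100]: Accepted publickey for alice from 10.0.0.5\n")
        state = log_state(log)
        verdicts = []

        def step() -> str:
            nonlocal state
            result = check_append_only(log, state)
            state = result["state"]
            return result["verdict"]

        # 1. the service appends a line: growth, no alert
        with log.open("a") as fh:
            fh.write("Jan 10 09:05:12 host sshd[101]: Failed password for bob from 10.0.0.9\n")
        verdicts.append(step())
        # 2. nothing happened since the last check
        verdicts.append(step())
        # 3. simulated tampering: an existing entry edited in place (same length)
        log.write_bytes(log.read_bytes().replace(b"for alice", b"for carol"))
        verdicts.append(step())
        # 4. simulated tampering: the log emptied
        log.write_bytes(b"")
        verdicts.append(step())
        return verdicts


if __name__ == "__main__":
    print(demo())
```

For rotated logs the same check applies to each rotated file, which after rotation should never change at all. The demo re-reads the whole prefix for clarity; a production monitor would stream it in chunks, and the stored state belongs on the separate tamper-proof log server the article calls for rather than on the monitored host.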

Use an FIM agent that does not add any additional burden to the system.

If using an agent-based File Integrity Monitoring (FIM) solution, the FIM agent installed on the system should be very light and not consume too many resources. Organizations should control the processing intensity and resource usage of the FIM agent. Otherwise, unwanted system interruptions may occur.

Surkay Baykara, https://www.pcidssguide.com

A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions, beginning as a developer and IT administrator and working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career, including CEH, CISA, CISSP, and PCI QSA.
