The PCI DSS (Payment Card Industry Data Security Standard) specifies the following:

"Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)"

File or host integrity monitoring software can serve a significant and distinct role in your security policy. Host integrity monitoring software serves as another hurdle for an attacker to defeat and can provide the first indication of a break-in or compromised host. When properly configured and deployed, this type of software is a powerful addition to the layers that defend your infrastructure in depth.

File-integrity monitoring is vitally important from a security standpoint for the following reasons:

1. File-integrity monitoring must always be combined with other practices such as event log analysis, anti-virus, firewalling and intrusion detection/protection systems, remote logging, and keeping your hosts up to date with security patches.

2. Host-based monitoring tools such as anti-virus and host intrusion protection systems (HIPS) providing firewall and intrusion protection give granularity that makes attacks visible on the host on which they are installed. However, no one system or application by itself can be trusted with the task of providing assurance of host integrity. For instance, zero-day attacks, i.e. newly introduced security vulnerabilities which are either systemic (e.g. part of the host OS or application) or from malware, mean your AV and HIPS systems cannot always provide protection.

3. Whitelisting of processes is an approach which restricts the host to running only a pre-approved list of processes. Similar to AV and HIPS systems, this is an effective measure to protect your host systems but is not infallible. Whitelists need to be maintained for all versions of all applications, which creates a management overhead. In-house developed applications present a separate challenge.

4. Host systems running secure application environments as required for a PCI DSS estate need to be 'locked down'. File-integrity monitoring means that any new files being introduced to, or removed from, the host are detected and alerted on. This provides protection from any malware being introduced (e.g. a Trojan) or any other modification to the host set-up which could introduce a vulnerability.

5. File-integrity monitoring provides protection not just from malware being introduced to the system, and not just from a hacker attack where an application has been modified and a vulnerability unwittingly introduced, but also from an internal threat where a trusted employee with administrator rights can bypass your AV and HIPS systems to introduce a backdoor to your system, packet sniffing software, or an SQL injection or cross-site scripting attack. Don't think this could ever happen to you? Read about Heartland Systems and Albert Gonzalez here.

6. File-integrity monitoring can be used for desktops and servers, although in a PCI DSS scenario the technology is typically aimed at servers handling cardholder data. As a minimum, the System32 folder should be governed, as well as key application program folders.

7. It is important to verify all adds, changes and deletions of files, as any change may be significant in compromising the security of a host. Changes to monitor for should include any attribute changes and the size of the file.

8. The hash of each file should also be verified as a unique identifier. A Secure Hash Algorithm such as SHA1 is analogous to a DNA fingerprint of the file. This is important as an application can be changed programmatically while maintaining the file size. SHA1 produces a unique, 160-bit hash based on the contents of the file.

9. What is the file-integrity baseline? Any file-integrity monitoring system works by comparing file attributes, file sizes and SHA1 hash signatures from one time to another. The assumption therefore is that the initial baseline is for a vulnerability-free, completely uncompromised host and application.

10. Zero tolerance to unplanned changes is required, so any file-integrity change must be investigated and authorised as a matter of urgency. However, files will need to be changed on a regular basis: Windows updates appear to arrive at a rate of ten per week, every week, and anti-virus signatures can easily require daily updates. Therefore tightly managed Release Management and Change Management processes need to be in place, which is why these processes are also a key dimension of the PCI DSS, section 6.4:

"Follow change control procedures for all changes to system components.
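The following is an added example, not code from the original article or from any product it describes, showing the mechanism behind points 7 to 9 and the PCI DSS log requirement quoted at the top: a baseline of attributes, size and content hash is taken, a later snapshot is compared against it, and adds, deletions and changes are reported, with a same-size content change caught only by the hash. For the log file, only the bytes that existed at baseline time are re-hashed, so appended data does not raise an alert while edits to existing data do. SHA-256 is used here rather than SHA1 as a practitioner's choice; the directory layout and file contents are constructed for the demonstration.

```python
"""Minimal file-integrity baseline and comparison (added example; the
sample tree below is constructed in a temporary directory)."""
import hashlib
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Content hash of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record size, permission bits, mtime and content hash for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(p),
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two snapshots: added, deleted, and changed
    files together with the list of attributes that differ."""
    result = {"added": sorted(set(new) - set(old)),
              "deleted": sorted(set(old) - set(new)),
              "changed": {}}
    for name in set(old) & set(new):
        diffs = [k for k in old[name] if old[name][k] != new[name][k]]
        if diffs:
            result["changed"][name] = diffs
    return result


def log_append_only_ok(path: Path, baseline_len: int, baseline_hash: str) -> bool:
    """PCI-style log check: new data may be appended, but the bytes that existed
    at baseline time must be unchanged. True when the original prefix is intact."""
    with path.open("rb") as f:
        prefix = f.read(baseline_len)
    return len(prefix) == baseline_len and hashlib.sha256(prefix).hexdigest() == baseline_hash


def demo() -> dict:
    """Build a constructed tree, baseline it, apply typical changes and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "service.exe").write_bytes(b"MZ original code")
        (root / "app" / "helper.dll").write_bytes(b"MZ helper")
        (root / "audit.log").write_bytes(b"2024-01-01 login ok\n")

        baseline = snapshot(root)
        log_len = baseline["audit.log"]["size"]
        log_hash = baseline["audit.log"]["sha256"]

        # Same-size content change: invisible to a size-only check, caught by the hash (point 8).
        (root / "app" / "service.exe").write_bytes(b"MZ original c0de")
        (root / "app" / "helper.dll").unlink()                    # deletion
        (root / "app" / "dropped.dll").write_bytes(b"MZ new")      # addition
        with (root / "audit.log").open("ab") as f:                # legitimate append
            f.write(b"2024-01-01 logout\n")

        report = compare(baseline, snapshot(root))
        append_ok = log_append_only_ok(root / "audit.log", log_len, log_hash)

        # Now overwrite bytes inside the baseline region of the log: this must alert.
        with (root / "audit.log").open("r+b") as f:
            f.seek(0)
            f.write(b"1999")
        tamper_ok = log_append_only_ok(root / "audit.log", log_len, log_hash)

    return {"report": report, "log_append_ok": append_ok, "log_tamper_ok": tamper_ok}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored off-host and signed, since a baseline an administrator can rewrite gives no assurance against the insider case in point 5; and each reported change would be matched against an authorised change record before being accepted into the next baseline, which is the Change Management link made in point 10.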