Nowadays, most of the IT systems use file-based architectures to store and process information. In addition, the critical applications such as operating systems, application binaries, configuration data of systems and applications, organization’s sensitive data, logs, and data which is pertinent to security events are stored in files. If any of these files is compromised, the financial and reputational damage occur to organizations. Therefore, ensuring the integrity and security of critical files extremely is important than ever. This is the reason File Integrity Monitoring (FIM) services come into place.
The FIM is the process of checking important files such as operating system, utility programs, databases, applications, to determine if they have been tampered with or corrupted. FIM validates files by comparing the latest versions to trusted versions of these files; then identifies the unexpected and unauthorized changes to make sure if the file has been modified. In a nutshell, FIM helps in:
- Detecting unauthorized changes and illicit activities
- Change management and diagnosing unwanted changes to files
- Logging and interpreting the change and identifying if it is a security risk
- Alerting in case of illicit/improper changes and aids in forensics
- Addressing compliance requirements of various standards including PCI DSS, HIPAA, etc.
FIM in PCI DSS
As mentioned before, FIM helps in meeting compliance standards. It is specifically suggested in PCI DSS regulatory standard.
PCI DSS mandates the following:
- Requirements: They stipulate that using file-integrity monitoring or change-detection software on logs ensures that existing log data cannot be changed without raising alerts.
In addition, deploying file integrity monitoring software to alert analysts upon unauthorized changes of critical system files, configurations files, or content files is necessary; and configuring the software to perform critical file comparisons at least weekly is also crucial.
FIM is a powerful layer of data security which adds defense-in-depth to your overall security posture.
Approaches used in FIM
FIM uses one of the following approaches:
- Baseline Comparison: In a baseline comparison, data analysts capture or calculate one or more attributes of the file (usually known as checksum) for future use. One of the trustworthy approaches is to utilize the cryptographic checksum (e.g., SHA-2 or MD5 hash algorithms) for a monitored file and compare it with a previously calculated hash which acts as baseline.
- Real-time Change Notification: This type of notification is associated as an extension to the kernel of the operating system. In the event of unauthorized file access or medication, the real-time change will generate a notification to the security administration.
Of these, baseline comparison is the most commonly used approach.
Scope of File Integrity Monitoring
Determining which files to monitor is one of the most crucial steps to FIM. Too many files can hamper analysis whereas too few can result in loss of crucial data that can help in identifying a security event. Following file types should be carefully monitored across the environment:
- Operating System Files and Directories: Monitoring of system binaries and libraries are necessary in order to prevent system corruption and unauthorized tampering. Following directories should be monitored in windows:
On Linux, the critical directories include:
- Application Files: Application files involve various programs that normally perform day-to-day operations and activities on your system. Such programs include Firewalls, antivirus program, windows media players, and so on, as well as application files including binaries, configuration files, and libraries. These files must be monitored carefully. On Windows, most applications store their files in:
- C:\Program Files
- C:\Program Files (x86)
In Linux systems applications are present in:
- Configuration Files: The configuration files are an integral part of OS and applications and are typically accessed at the startup and running of the respective application or service. These define how the system and application will function. Typically, configuration files include Windows registry and various text-based config files stored in Linux and OSX systems. Monitoring of such files is indispensable.
- Log Files: Log files contain transaction or activity history. Depending upon the application various activities are logged which may include access information, user activity, errors and other information. It is the main target of the attacker to hide his tracks after a successful intrusion. These are rich sources of information and aid in incident response. Log files should only be accessed and modified by the authorized application. To prevent tampering of log files, active log collection should be performed from the system and these should be stored on separate tamper-proof storage. In Windows, logs are stored in event viewer whereas UNIX based system store logs in /var/log.
- Digital Keys, Certificates and Credentials: Digital keys are used in Cryptography and ensure the secure transition of data and information between authorized parties. Certificates are utilized in authentication systems to replace traditional login system that involves a user name and password. Lastly, credentials may include sensitive information such as your login details, financial statement, bank account details, or national security data. Digital keys, certificates, and credentials are all saved in the form of files and, there, their monitoring is extremely important to avoid massive disasters.
Security and integrity of files are necessary to avoid data breaches. Therefore, the use of Files Integrity Monitoring (FIM) services is always recommended for organizations. Fortunately, the integration of FIM is available with a SIEM tool that can collectively build a better layer of security.