Cybersecurity Insights | Blog | Foregenix

4 Reasons You Need File Integrity Monitoring (FIM) 

Written by Foregenix | 5/7/20 9:10 AM

eCommerce environments are under constant threat from attackers; if your website touches cardholder data at any point, you’re a target. It doesn’t matter if you’re a big multinational conglomerate, or a tiny independent merchant; if you’re deploying poor security measures, they probably have you in their sights.

File integrity monitoring (FIM) is a critical part of your website's immune system. If you want to find and remove malicious code, you need to know where it is and how it got there. A FIM system records a baseline of your files, typically a cryptographic hash plus size, permissions and timestamp for each one, and then reports which files were changed, added or deleted and when the change was detected; correlated with access logs it will also show where the change came from. Feeding FIM output into your security strategy keeps you up to date with the inner workings of your website.

But why is file integrity monitoring important?

1. You can find hackers early

If you can spot an intruder in your environment quickly, you can act faster to remove any suspected malicious code. Staying on top of detecting and evicting attackers from your website reduces the amount of cardholder data and personally identifiable information lost during an attack.

FIM identifies successful intrusions very early and with little analyst effort. If a system file has been modified for no good reason, or a file has suddenly appeared where nothing should be written, alarm bells should be ringing.

You do not need to scan a file and match it against a malware signature database; this matters because files uploaded by intruders do not always look malicious. For example:

An attacker may upload a standard database backup utility to take a snapshot of the entire database. The utility is perfectly legitimate software, so a malware scanner will not flag it: the scanner has no way of knowing who uploaded it or why.

FIM, on the other hand, will notice the new file and raise an alert. Anyone with basic knowledge of how the server is supposed to look can review the alert, understand what is going on, and judge how serious it is.
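To make the mechanism concrete, here is a minimal FIM in Python, added as an example and not code from Foregenix or FGX-Web. It baselines a web root (SHA-256, size and permission bits per file) and diffs a later scan into additions, modifications and deletions, which is exactly what catches the "legitimate" backup utility above. The shop files, the dropped backup.php, the config edit and the deleted file are all constructed in a temporary directory for the demo.

```python
"""Minimal file-integrity monitor: baseline a web root, then diff a later scan.

Added example (not Foregenix or FGX-Web code). The web root, the shop files,
the dropped backup.php and the config edit below are all constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash the content and capture the metadata an analyst needs to triage a change."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = path.stat()
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": st.st_mtime,  # kept for the timeline only; an intruder can forge it
    }


def baseline(root: Path) -> dict:
    """Record every regular file under root, keyed by its path relative to root."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def diff(old: dict, new: dict) -> dict:
    """Classify changes the way PCI DSS 11.5 expects: additions, modifications, deletions.

    Detection is on content hash and permission bits, never on mtime.
    """
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(
        p for p in set(old) & set(new)
        if old[p]["sha256"] != new[p]["sha256"] or old[p]["mode"] != new[p]["mode"]
    )
    return {"added": added, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Constructed scenario: a legitimate-looking tool is dropped, a config edited, a file removed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        (root / "config").mkdir()
        (root / "config" / "db.ini").write_text("host=localhost\n")

        # Store the baseline as JSON, as you would off-host; reload it for the comparison.
        stored = json.dumps(baseline(root))

        # Intruder activity: a benign-looking dump utility appears, the config is pointed
        # elsewhere, and a file is deleted. None of this trips a signature scanner.
        (root / "backup.php").write_text("<?php /* ordinary database dump helper */ ?>\n")
        (root / "config" / "db.ini").write_text("host=203.0.113.7\n")
        (root / "robots.txt").unlink()

        return diff(json.loads(stored), baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things a real deployment has to get right: the baseline must live somewhere the intruder cannot rewrite it (off-host, or signed), otherwise the same person who drops the file updates the baseline; and file timestamps are recorded for the timeline only, since an attacker can reset them with touch, which is why the comparison above is on content hashes and permission bits rather than on mtime.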

2. You can locate malicious file changes

If you are the victim of a breach, you may be required to commission a PCI Forensic Investigation (PFI). An important part of that process is scoping the breach, which includes establishing the date you began to lose cardholder data and the date the leak stopped. If those dates cannot be established, you will be penalised on an estimated window, and the estimate may stretch far beyond the period in which you actually lost data.

By deploying FIM, you can pinpoint:

  • When the change happened: the detection time bounds it to within one scan interval, so daily or real-time checks narrow the window far better than a weekly comparison does
  • The location of the modified or added code

Knowing the location saves you combing through your website's code to find the unwanted malware.

You can further enhance your FIM capability by combining it with other data sources such as access logs, native operating system auditing and WAF logs to identify where an attack came from, especially when the source is internal.

Being able to provide these details could save you thousands in unnecessary fines.

 

3. Obtain/maintain PCI compliance

I needn't stress the importance of PCI DSS compliance for eCommerce merchants: not only does it help cover you in the event of a breach, it also protects your customers and your assets.

If you read through the PCI DSS requirements, sections 10.5.5 and 11.5 (the v3.2.1 numbering current when this was written; in PCI DSS v4.0 the same controls are 10.3.4 and 11.5.2) set out the need for companies to use FIM:

10.5.5

“Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).”

“Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.”

“File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file integrity monitoring purposes, an entity usually monitors files that don’t regularly change, but when changed indicate a possible compromise.”

11.5

“Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”

“Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored: System executables, Application executables, Configuration and parameter files, centrally stored, historical or archived, log and audit files, Additional critical files determined by entity (for example, through risk assessment or other means).”

“Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.”

“Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.”

The goal of requirements 10.5.5 and 11.5 is to preserve the integrity of critical files, and of the audit logs themselves, within the cardholder data environment, so that an unauthorised change cannot quietly lead to a loss of cardholder data.
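Requirement 10.5.5 has a twist that a plain whole-file hash check gets wrong: a log is supposed to grow, so new lines must not alert, while any change to bytes already written must. The Python below is an added example, not Foregenix or FGX-Web code, showing one way to do that: attest the current size and the hash of the bytes seen so far, then on each check verify that prefix still hashes the same. The access.log lines and the tampering are constructed for the demo.

```python
"""Append-only integrity check for log files, in the spirit of PCI DSS 10.5.5.

Added example (not Foregenix or FGX-Web code). A log is expected to grow, so a
hash of the whole file would alert on every new line. Instead we keep the size
and the hash of the bytes already attested, and only alert when those bytes
change or disappear. The access.log lines below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Tuple


def hash_prefix(path: Path, length: int) -> str:
    """SHA-256 over the first `length` bytes of the file (the part already attested)."""
    h = hashlib.sha256()
    remaining = length
    with path.open("rb") as f:
        while remaining > 0:
            chunk = f.read(min(1 << 16, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def record(path: Path) -> dict:
    """Attest the whole file as it is now."""
    size = path.stat().st_size
    return {"size": size, "prefix_sha256": hash_prefix(path, size)}


def check_log(path: Path, last: dict) -> Tuple[str, dict]:
    """Compare the log against the last attestation.

    Returns (verdict, new_record):
      "unchanged" / "append"   -> no alert; "append" also advances the record
      "modified"  / "truncated" -> alert; the old record is kept as evidence of
                                   what had been attested
    """
    size = path.stat().st_size
    if size < last["size"]:
        return "truncated", last
    if hash_prefix(path, last["size"]) != last["prefix_sha256"]:
        return "modified", last
    if size == last["size"]:
        return "unchanged", last
    return "append", record(path)


def demo() -> list:
    """Constructed scenario: one honest append, then two attempts to scrub the log."""
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "access.log"
        log.write_bytes(b"10.0.0.5 - GET /checkout 200\n"
                        b"10.0.0.9 - POST /admin/upload 200\n")
        last = record(log)

        # Normal growth: the web server writes another line.
        with log.open("ab") as f:
            f.write(b"10.0.0.5 - GET /thanks 200\n")
        verdict, last = check_log(log, last)
        verdicts.append(verdict)

        # Tampering: the upload line is overwritten with an innocuous one of the same length,
        # so size alone would not reveal it.
        data = log.read_bytes()
        log.write_bytes(data.replace(b"POST /admin/upload 200", b"GET /index.html    200"))
        verdict, last = check_log(log, last)
        verdicts.append(verdict)

        # Tampering: the log is wiped.
        log.write_bytes(b"")
        verdict, last = check_log(log, last)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The weekly comparison the standard allows is a floor; for logs the check should run far more often, and the attestation record has to be stored where the attacker cannot rewrite it (a central log host, or a signed off-box file), otherwise whoever edits the log edits the record too. Log rotation looks like a truncation to this check, so a production version needs to be told about rotation (or track the rotated file by name or inode) to avoid false alerts.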

4. Keep control

Not only does FIM give you a robust addition to your security repertoire, it also gives you a new level of control over the management of your website. With file changes being monitored, should something be changed by accident you can see exactly what changed and when, trace who changed it through the access or audit logs kept alongside, and make corrections quickly.

Some FIM products also let you restrict permissions for certain user groups, lowering the risk of a breach originating internally. For example, your accounting team probably does not need access to files and folders managed by the support department. Putting internal boundaries around data gives you confidence that employees only reach the files they need for business operations.

If you couple your FIM system with malware detection software, you add an extra layer to your website's armoury. We offer 'FGX-Web', a tool that acts as an 'all in one' website security solution, baking security into your environment. It includes:

  • An advanced web application firewall
  • Daily malware scanning
  • Daily cardholder data scans
  • File change monitoring
  • The secure seal
  • Website log monitoring