Cybersecurity Insights

Kirsty Trainer

Why Your Business Should Deploy File Integrity Monitoring

19/11/18 15:32

File integrity monitoring (FIM) systems are an important part of your website security's immune system. If you want to find and remove malicious code, you need to know where it is and how it got there. A FIM system takes a baseline (typically a cryptographic hash) of every file it watches and alerts when a file is added, modified or deleted, recording which file changed and when; correlated with your web server logs, that tells you where the change came from. Utilising a FIM system in your security strategy gives you an up-to-date picture of what is actually running on your website.

But why is file integrity monitoring important?

  1. You can identify the source of an attack

The sooner you spot an intruder in your environment, the sooner you can remove any malicious code they have planted. Detecting and evicting attackers quickly limits the amount of cardholder data and personally identifiable information lost during an attack.

If you're the victim of a breach, you may be required to undergo a PCI Forensic Investigation (PFI). An important part of this process is scoping the breach, which includes establishing the date you began to lose cardholder data and the date the leak stopped. If specific dates cannot be identified, you will be penalised on an estimated date range, which may far exceed the period over which data was actually lost.

By deploying a FIM system and correlating its alerts with your web server access logs, you will be able to pinpoint:

  • The date and time the malicious change was made
  • The IP address the attacker used (from the access-log request that coincides with the change)
  • The location of the modified or added code

Being able to provide these details can save you thousands in unnecessary fines.
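As an added example (not code from the original post or from Foregenix), here is how the first bullet's timestamp is turned into the second bullet's IP address: a FIM alert supplies the path and modification time of the changed file, and the web server's combined-format access log is searched for requests around that moment, ranking state-changing requests (POST, PUT) above plain GETs and successful responses above errors. The log lines, the addresses (documentation ranges only) and the change time below are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format. FIM records what changed and when;
# the access log is where the request, and so the source IP, is recorded.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def correlate(log_lines, changed_at, window=timedelta(minutes=5)):
    """Requests within +/- window of the file change, most suspicious first.

    Ranking: state-changing methods (POST/PUT/...) before GET, successful
    responses before errors, then closest in time to the change.
    """
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["offset"] = abs(rec["ts"] - changed_at)
        if rec["offset"] <= window:
            hits.append(rec)
    hits.sort(key=lambda r: (r["method"] == "GET", r["status"] >= 400, r["offset"]))
    return hits


def source_ips(hits):
    """Distinct IPs in ranking order; the first is the prime suspect."""
    seen = []
    for r in hits:
        if r["ip"] not in seen:
            seen.append(r["ip"])
    return seen


# Constructed access-log lines (documentation addresses only) and a constructed
# FIM alert time; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Nov/2018:15:30:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Nov/2018:15:31:40 +0000] "POST /admin/plugin-upload.php HTTP/1.1" 200 312 "-" "python-requests/2.19"',
    '203.0.113.5 - - [19/Nov/2018:15:31:58 +0000] "GET /checkout HTTP/1.1" 200 8910 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Nov/2018:15:32:05 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 200 17 "-" "python-requests/2.19"',
    '192.0.2.9 - - [19/Nov/2018:14:10:00 +0000] "POST /admin/plugin-upload.php HTTP/1.1" 403 0 "-" "curl/7.58"',
    'garbage line that does not parse',
]
CHANGED_AT = datetime(2018, 11, 19, 15, 32, 3, tzinfo=timezone.utc)  # mtime from the FIM alert

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG, CHANGED_AT):
        print(r["ip"], r["method"], r["path"], r["ts"].isoformat(), "offset", r["offset"])
    print("candidate source IPs:", source_ips(correlate(SAMPLE_LOG, CHANGED_AT)))
```

The window and the ranking are heuristics: a web shell is usually written by a POST shortly before the change and then fetched by GET shortly after, which is why requests on both sides of the timestamp are kept. Clock skew between the FIM host and the web server is the usual reason this correlation fails, so keep both on NTP.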

  2. Obtain/maintain PCI compliance

I needn't stress the importance of PCI compliance for eCommerce merchants: not only does it help cover you in the event of a breach, achieving compliance protects your customers and your assets.

If you read through the PCI DSS requirements (v3.2.1 at the time of writing), sections 10.5.5 and 11.5 set out the need for companies to use FIM systems; PCI DSS v4.0 carries the same requirements forward as 10.3.4 and 11.5.2:

10.5.5

“Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).”

“Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.”

“File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file-integrity monitoring purposes, an entity usually monitors files that don’t regularly change, but when changed indicate a possible compromise.”

11.5

“Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”

“Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored: System executables, Application executables, Configuration and parameter files, centrally stored, historical or archived, log and audit files, Additional critical files determined by entity (for example, through risk assessment or other means).”

“Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.”

“Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.”

The goal of PCI DSS 10.5.5 and 11.5 is to preserve the integrity of critical files in the cardholder data environment and to ensure that unauthorised changes to those files are detected before they lead to a breach of cardholder data. Note the asymmetry in 10.5.5: a log that grows by appending new entries is normal and must not alert, whereas any change to the entries already written must.
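The following is an added example, not code from the original post or from Foregenix, showing the mechanism the two requirements describe: a baseline of SHA-256 hashes is taken over a site tree, a later comparison reports additions, modifications and deletions with their timestamps (11.5), and files declared append-only, such as logs, alert only when existing bytes are altered or removed rather than when new lines are added (10.5.5). The site files, log lines and simulated compromise are constructed inside a temporary directory.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_prefix(path, nbytes=None):
    """SHA-256 of the first nbytes of a file (the whole file when nbytes is None)."""
    h = hashlib.sha256()
    remaining = nbytes
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(65536 if remaining is None else min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every file under root as relative path -> (sha256, size, mtime)."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (sha256_prefix(p), st.st_size, st.st_mtime)
    return baseline


def compare(root, baseline, append_only=()):
    """Diff the current tree against the baseline.

    Files named in append_only (logs) count as 'appended' when the old content
    is still an unchanged prefix of the new content and as 'tampered' otherwise;
    every other changed file is 'modified'. changed_at records the mtime of each
    changed file so the time of the attack can be reported.
    """
    root = Path(root)
    current = build_baseline(root)
    report = {"added": [], "deleted": [], "modified": [], "appended": [],
              "tampered": [], "changed_at": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            kind = "added"
        elif rel not in current:
            kind = "deleted"
        else:
            old_hash, old_size, _ = baseline[rel]
            new_hash, new_size, _ = current[rel]
            if old_hash == new_hash:
                continue  # unchanged
            if rel not in append_only:
                kind = "modified"
            elif new_size > old_size and sha256_prefix(root / rel, old_size) == old_hash:
                kind = "appended"  # normal log growth: no alert
            else:
                kind = "tampered"  # existing log bytes altered or truncated
        report[kind].append(rel)
        if kind != "deleted":
            report["changed_at"][rel] = datetime.fromtimestamp(
                current[rel][2], timezone.utc).isoformat()
    return report


def demo():
    """Constructed site tree: baseline it, simulate a compromise, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "logs").mkdir()
        (root / "index.php").write_text("<?php include 'includes/config.php'; ?>\n")
        (root / "includes" / "config.php").write_text("<?php $db_host = 'localhost'; ?>\n")
        (root / "includes" / "helper.php").write_text("<?php function money($v) { return $v; } ?>\n")
        (root / "logs" / "access.log").write_text(
            '203.0.113.5 - - [19/Nov/2018:15:30:01 +0000] "GET / HTTP/1.1" 200 512\n')
        (root / "logs" / "audit.log").write_text("2018-11-19T15:00:00Z admin login ok\n")
        baseline = build_baseline(root)  # in production, store this signed and off-host

        # Simulated compromise, plus one legitimate change (the access log growing)
        (root / "includes" / "config.php").write_text(
            "<?php $db_host = 'localhost'; eval(base64_decode($_POST['c'])); ?>\n")  # injected
        (root / "uploads.php").write_text("<?php system($_GET['cmd']); ?>\n")  # dropped web shell
        (root / "includes" / "helper.php").unlink()  # deleted
        with open(root / "logs" / "access.log", "a") as f:  # appended, as a log should be
            f.write('198.51.100.7 - - [19/Nov/2018:15:31:40 +0000] "POST /uploads.php HTTP/1.1" 200 17\n')
        (root / "logs" / "audit.log").write_text("2018-11-19T15:00:00Z guest login ok\n")  # rewritten

        return compare(root, baseline, append_only={"logs/access.log", "logs/audit.log"})


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

PCI DSS sets a floor of one comparison per week; on a live web server a comparison every few minutes, or an inotify-driven one, is what actually catches a web shell before it is used. The baseline is only as trustworthy as its storage: an attacker who can rewrite the baseline alongside the files defeats the check, so keep it on a separate host or sign it.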

  3. Keeping control

Not only does FIM give you a robust addition to your security repertoire, it also gives you a new level of control over the management of your website. With file changes being monitored, should something be changed by accident you can pinpoint what changed and when, tie that to who changed it through your user audit logs, and make corrections quickly.

Some FIM products also let you restrict permissions for particular user groups, lowering the risk of a breach originating internally. For example, your accounting team probably does not need access to files and folders managed by the support department. Enforcing these internal boundaries gives you confidence that employees only access the files they need for business operations.

If you couple your FIM system with malware detection software, you add an extra layer to your website's armoury. We offer FGX-Web, a tool that acts as an all-in-one website security solution, baking security into your environment. It includes:

  • An advanced web application firewall
  • Daily malware scanning
  • Daily cardholder data scans
  • File change monitoring
  • The secure seal
  • Website log monitoring

If you're concerned that your website has malware but don't want to commit to a month-on-month service, why not check out our Website Security Health Check service. It's a one-off service that will alert you to the presence of malware and give you a clear view of where your vulnerabilities lie. You also get a dedicated analyst to support you through the process. For more information, follow the link below.

Start your Website Security Health Check
