Understanding How File Integrity Monitoring Works?

Date: 30 April 2018

FIM or File Integrity Monitoring, is without a doubt a highly important layer of defence in any network worth protecting. Required by data security standards such as PCI-DSS and recommended by auditors and security practitioners globally. FIM monitors critical system files, operating system components and even network devices for unauthorised changes.

By modifying ePOS terminals, operating system host files or critical applications, malicious parties can siphon off sensitive information, such as payment information from networks for their own benefit. FIM seeks to prevent the result of such hacks by alerting administrators to unauthorised changes in the network.

 

...but how does FIM actually work?

Since we are trying to prevent one of the most sophisticated types of hack, we must utilise a truly infallible means of guaranteeing file integrity. This requires each monitored file to be ‘Fingerprinted’, using a secure hash algorithm, such as SHA1 or MD5 to produce a unique, hash value based on the contents of the file.

The idea is that a file integrity baseline must be established first. Then any given file integrity monitoring system will work by comparing file attributes, file sizes and hash signatures from the baseline to another has value derived later on. Any changes made to the file after the baseline will result in a different hash value, which could be attributed to an authorised or unauthorised change.

The result is that that even if a program is maliciously modified to expose payment card details to unauthorised parties, but the file is then padded to make it appear the same size as the original file and with all its attributes edited to make the file look the same, the modifications will still be visible to a FIM solution.

The image below shows how a SHA1 algorithm generates a different hash value even for the smallest change to a file. This provides a unique means of verifying that the integrity of a file has been maintained.

UAewi

Interested in how FIM is related to PCI-DSS compliance? View our blog, "What is FIM and How is it Related to PCI-DSS?"

 

Challenges with FIM

One problem with using a secure hash algorithm for FIM is that the hashing of files is processor intensive. This means that in most cases, a change check can only be performed once a day, usually outside of business hours.

Another such issue is that you may have several different operating systems and platforms running in your network which need to be monitored. The numerous variants of Linux, Unix and Windows presents a number of challenges and the combination of text-based configuration files and binary program files mean that a combination of agent-based and agentless FIM technology will be needed. Windows OS components provide the basis for FIM, but identifying who made the change will require specialized, third-party technology.

In both instances, the need to filter changes based on file types, application type and/or location is paramount to avoid over-alerting for files that regularly change or are simply not relevant.

Furthermore, the scheduling, alerting and reporting of file integrity changes must in itself be a manageable and preferably an automated process.

 

How Can NNT Change Tracker Help?

Delivering a pragmatic response to the need for file integrity monitoring across all platforms that is effective, easy to deploy and manage and, above all, affordable, will continue to pose a challenge.

NNT can help!

Using the NNT Change Tracker Enterprise solution and their Log Tracker Enterprise solution set, you will benefit from:

  • FIM changes reported in real-time and delivered via daily summary reports.
  • Full auditability showing who made those changes.
  • Options to view both a simplified summary of the file changes and a forensic report.
  • Side-by-side comparisons of files, pre and post-change.
  • Security Incidents and Key Events correlated and alerted on.
  • Any breach of compliance rules reported. This includes file integrity changes.
  • All platforms and environments supported.
  • Detection of planned changes and any unplanned changes.
  • Device hardening templates which can be applied to a variety of operating systems and device types.

NNT Change Tracker CIS PCI-DSS Demonstration

Wisdom of Crowds

Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • Or call us on:
  • +44 (0) 203 189 1422
yt-1