Businesses that process, transmit or store payment card data are required to comply with PCI DSS requirements. Since most online businesses handle credit cards at some level, they automatically fall within the scope of PCI compliance. Failure to comply with the standard is a costly affair for the business. Besides, the growing number of data breaches has made it essential for businesses to proactively monitor critical systems and keep pace with evolving regulatory standards and PCI requirements.
Traditionally, to meet these security requirements, organizations have adopted expensive point solutions. The tools used for monitoring unauthorized activity can be expensive, especially once the cost of training and managing those tools is taken into account.
Businesses need a cost-effective solution to achieve and maintain compliance. This is where File Integrity Monitoring (FIM) comes in. Moreover, implementing FIM is an explicit requirement of the PCI DSS standard. This article briefly covers what FIM is and explains the role of FIM in PCI compliance.
What is FIM?
File integrity monitoring is a change detection technology designed to detect and alert on changes to systems or files that may indicate a cyber-attack. Implementing this technology adds a layer of security to your systems on top of other controls such as anti-virus and SIEM.
This improves the detection of unauthorized changes, including attempted attacks and malicious activity by insiders. It also monitors the integrity of system files and registry keys and helps secure the operating system by tracking file access, creation, movement, modification and other critical activities. The technology typically detects the following events or activities:
- New files are added to or deleted from systems.
- Files or directories are modified in ways that may compromise their integrity.
- Specific files, or files in a monitored directory, are accessed or opened.
The motive behind developing and implementing File Integrity Monitoring is to detect a potential security breach before it turns into an incident. Changes to critical data or systems can signal a breach in progress, and File Integrity Monitoring enables early detection of such a breach. Addressing security issues concerning the integrity of systems or data will most likely require File Integrity Monitoring. Below, we explain the role of File Integrity Monitoring in the PCI framework.
Role of File Integrity Monitoring in PCI Compliance
Protecting sensitive cardholder data, and monitoring critical system files, configuration files and content files for unusual or unauthorized activity, is the most essential requirement of the PCI DSS. The PCI Council outlines a set of 12 requirements that apply to all businesses dealing with payment card data. While some of the requirements concern physical processes, two requirements specifically call for File Integrity Monitoring to protect stored data.
The PCI DSS (Payment Card Industry Data Security Standard) specifies the following requirements:
Requirement 10.5.5 states: “Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).”
PCI Guidance for Requirement 10.5.5: “File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file-integrity monitoring purposes, an entity usually monitors files that don’t regularly change, but when changed indicate a possible compromise.”
Requirement 11.5 states: “Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise.
Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).”
PCI Guidance for Requirement 11.5: “Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.”
Requirement 11.5.1 states: “Implement a process to respond to any alerts generated by the change-detection solution.”
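As an added illustration (not code from the article or from any vendor's product), the following Python script implements the core of what the requirements above describe: a baseline of file hashes, a comparison that reports additions, deletions and modifications, and the append-only rule of Requirement 10.5.5, under which a log that merely grows keeps its recorded prefix hash and raises no alert, while any alteration of existing log bytes is reported. The sample file tree is constructed in a temporary directory, and the append_only parameter is this example's own naming.

```python
import hashlib
import os
import tempfile

def sha256_prefix(path, length=-1):
    """SHA-256 of the first `length` bytes of a file (-1 = whole file)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()
def build_baseline(root):
    """Map relative path -> (size, sha256) for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), sha256_prefix(full))
    return baseline

def compare(root, baseline, append_only=()):
    """Sorted (event, relpath) pairs. Paths in append_only are logs that may
    grow (Req. 10.5.5): growth leaving the recorded bytes intact is no alert."""
    current, events = build_baseline(root), []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append(("deleted", rel))
        elif rel not in baseline:
            events.append(("added", rel))
        elif current[rel] != baseline[rel]:
            old_size, old_hash = baseline[rel]
            if (rel in append_only and current[rel][0] > old_size
                    and sha256_prefix(os.path.join(root, rel), old_size) == old_hash):
                continue  # append only: existing log data untouched, no alert
            events.append(("modified", rel))
    return events
def _write(root, rel, data, mode="wb"):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as f:
        f.write(data)
def demo():
    # Constructed sample tree: config edit, log append, log tamper, add, delete.
    root = tempfile.mkdtemp()
    for rel, data in {"app.conf": b"debug=off\n", "logs/audit.log": b"login ok\n",
                      "logs/sys.log": b"boot\n", "old.txt": b"x"}.items():
        _write(root, rel, data)
    baseline = build_baseline(root)
    _write(root, "logs/audit.log", b"logout ok\n", "ab")   # legitimate append
    _write(root, "logs/sys.log", b"BOOT\nmore\n")          # existing bytes altered
    _write(root, "app.conf", b"debug=on\n")                # config changed
    _write(root, "new.bin", b"?")                          # file added
    os.remove(os.path.join(root, "old.txt"))               # file deleted
    return compare(root, baseline, ("logs/audit.log", "logs/sys.log"))
```

Running demo() reports the config change, the tampered sys.log, the added and the deleted file, but not audit.log, which only grew; scheduling compare() against a stored baseline at least weekly is the comparison cadence Requirement 11.5 asks for.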
The use of File Integrity Monitoring (FIM) under PCI DSS provides a high level of security because it alerts whenever a monitored file is changed or modified. FIM is considered an industry best practice for the security of systems and data. As stated in the PCI DSS requirements, FIM software should be configured to perform critical file comparisons at least weekly. The technology should be used more widely to support the security of infrastructure. Implementing it also helps meet other PCI DSS requirements, such as:
- PCI DSS Requirement 1: Establish and implement firewall and router configuration standards
- PCI DSS Requirement 3: Protect stored cardholder data
- PCI DSS Requirement 6: Develop and maintain secure systems and applications
- PCI DSS Requirement 7: Restrict access to cardholder data by business need to know
- PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
- PCI DSS Requirement 11: Regularly test security systems and processes
File Integrity Monitoring supports system hardening, system standards and change management requirements. Implementing the technology will ease the process of meeting the above-mentioned requirements and make the effort of achieving compliance a lot easier.
What you should look for in a FIM:
- Reports changes in real time and delivers daily summary reports.
- Provides a complete audit report identifying who made each change.
- Offers options to view both a simplified summary of the file changes and a forensic report.
- Provides comprehensive side-by-side comparisons of files, pre- and post-change.
- Correlates security incidents with key events and alerts on them.
- Supports all types of platforms and environments.
- Distinguishes planned changes from unplanned changes.
- Features device hardening templates that apply to a variety of operating systems and device types.
Conclusion
To address security issues and meet PCI compliance requirements, businesses must deploy FIM for effective monitoring and detection of breaches. The technology monitors all file modifications, including additions, changes and even deletions, and provides alerts when unauthorized changes to files and directories occur. Further, if the FIM system is coupled with malware detection software, you add an extra layer of security to your systems for more complete protection of data and systems.
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec.