File integrity monitoring: Difference between revisions

File integrity monitoring (FIM) is an internal control or process that performs the act of validating the integrity of operating system and application software files using a verification method between the current file state and the known, good baseline. This comparison method often involves calculating a known cryptographic checksum of the file's original baseline and comparing with the calculated checksum of the current state of the file.^[1] Other file attributes can also be used to monitor integrity.^[2]

Generally, the act of performing file integrity monitoring is automated using internal controls such as an application or process. Such monitoring can be performed randomly, at a defined polling interval, or in real-time.

Security objectives

Changes to configurations, files and file attributes across the IT infrastructure are common, but hidden within a large volume of daily changes can be the few that impact file or configuration integrity. These changes can also reduce security posture and in some cases may be leading indicators of a breach in progress. Values monitored for unexpected changes to files or configuration items include:

• Credentials
• Privileges and Security Settings
• Content
• Core attributes and size
• Hash values
• Configuration values

Compliance Objectives

Multiple compliance objectives indicate file integrity monitoring as a requirement. Several examples of compliance objectives with the requirement for file integrity monitoring include:

• PCI-DSS - Payment Card Industry Data Security Standard (Requirement 11.5)^[3]
• SOX - Sarbanes-Oxley Act (Section 404)^[4]
• NERC SIP - Nerc Standard SIP (System Security R15-R19)^[5]
• Department of Defense Information Assurance (IA) Implementation (DODI 8500.2)^[6]
• FISMA - Federal Information Security Management Act (NIST SP800-53 Rev3)^[7]
• HIPAA - Health Insurance Portability and Accountability Act of 1996 (NIST Publication 800-66)^[8]
• SANS Critical Security Controls (Control 3)^[9]

Applications

Many open-source and commercial software products are available that perform file integrity monitoring.

• NetIQ Change Guardian^[10]
• EventLog Analyzer™^[11]
• [Advanced Intrusion Detection Environment (AIDE)
• AFICK (Another File Integrity Checker)^[12]
• SecureVue USA^[13]
• CimTrak^[14]
• OSSEC^[15]
• Samhain^[16]
• Stealth^[17]
• Tripwire Enterprise and Tripwire File Integrity Manager^[18]
• Qualys^[19]
• nCircle Network Security^[20]
• Verisys^[21]
• Trustwave^[22]
• LogRhythm^[23]
• Change Tracker™^[24]
• CloudPassage Halo

References

1. "http://www.ionx.co.uk/products/verisys/how-it-works". Ionx. Retrieved 2012-09-21. {{cite web}}: External link in |title= (help)
2. "File Integrity Monitoring". nCircle. Retrieved 2012-04-18.
3. "Payment Card Industry Data Security Standard" (PDF). PCI Security Council. Retrieved 2011-10-11.
4. "Sarbanes-Oxley Sections 302 & 404 - A White Paper Proposing Practival, Cost Effective Compliance Strategies" (PDF). Card Decisions, Inc. Retrieved 2011-10-11.
5. "Standard CIP-011-1 - Cyber Security - BES Cyber System Protection" (PDF). North American Electric Reliability Corporation (NERC). Retrieved 2011-10-11.
6. "Department of Defense Instruction" (PDF). Department of Defense (DOD). Retrieved 2011-10-11.
7. "Applying NIST SP 800-53 to Industrial Control Systems" (PDF). National Institute of Standards and Technology (NIST). Retrieved 2011-10-11.
8. "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule" (PDF). National Institute of Standards and Technology. Retrieved 2011-10-11.
9. "Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers". SANS Institute. Retrieved 2012-11-19.
10. "Stop insider and targeted attacks with privileged-user activity monitoring". Netiq. Retrieved 2013-04-18.
11. "File Integrity Monitoring". Manage Engine. Retrieved 2014-06-04.
12. http://afick.sourceforge.net/. {{cite web}}: Missing or empty |title= (help)
13. Unified Situational Awareness http://www.eiqnetworks.com/products/securevue-usa/file-integrity-monitoring Unified Situational Awareness. {{cite web}}: Check |url= value (help); Missing or empty |title= (help)
14. "IT Integrity, Security, Compliance and Continuity". Cimcor. Retrieved 2012-04-18.
15. "Getting Started with OSSEC". OSSEC. Retrieved 2012-04-18.
16. "The Samhain HIDS" (PDF). Samhain Labs. Retrieved 2012-04-18.
17. "The Stealth File Integrity Scanner". Sourceforge. Retrieved 2012-09-27.
18. "File Integrity Monitoring: Invented Here, Perfected Here". Tripwire. Retrieved 2012-04-18.
19. "Verifying the Integrity of Files". Qualys. Retrieved 2012-04-18.
20. "File Integrity Monitoring". nCircle. Retrieved 2012-04-18.
21. "Verisys File Integrity Monitoring". Ionx. Retrieved 2012-05-01.
22. "File Integrity Monitoring. Clear and Simple". Trustwave. Retrieved 2012-11-19.
23. "File Integrity Monitoring". LogRhythm. Retrieved 2013-02-06.
24. "File Integrity Monitoring". NNT Workplace Solutions. Retrieved 2013-06-14.