FIM and best defence


Do you view security incidents in black and white? Or glorious Technicolor? Mark Kedgley, CTO at New Net Technologies, sheds some light on file integrity monitoring


Using FIM, or file integrity monitoring, has long been established as a keystone of information security best practices. Even so, there are still a number of common misunderstandings about why FIM is important and what it can deliver. Ironically, the key contributor to this confusion is the same security standard that introduces most people to FIM in the first place by mandating the use of it – the PCI DSS. FIM is an integral line of defence in all major security standards, but we will reference the PCI DSS to illustrate this particular discussion. PCI DSS Requirement 11.5 specifically uses the term ‘file integrity monitoring’ in relation to the need to “alert personnel to unauthorised modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly”. As such, since the term ‘file integrity monitoring’ is only mentioned in Requirement 11.5, one could be forgiven for concluding that this is the only part FIM has to play within the PCI DSS.


In fact, the application of FIM is and should be much more widespread in underpinning a solid secure posture for an IT estate. For example, other key requirements of the PCI data security standard, such as “Establish firewall and router configuration standards” (Req 1), “Develop configuration standards for all system components” (Req 2), “Develop and maintain secure systems and applications” (Req 6), “Restrict access to cardholder data by business need to know” (Req 7), “Ensure proper user identification and authentication management for non-consumer users and administrators on all system components” (Req 8) and “Regularly test security systems and processes” (Req 11), are all best addressed using file integrity monitoring technology. Within the confines of Requirement 11.5 only, many interpret this requirement as a simple ‘has the file changed since last week?’ and, taken in isolation, this would be a legitimate conclusion to reach. However, as highlighted earlier, the PCI DSS is a network of linked and overlapping requirements, and the role for file integrity analysis is much broader, underpinning other requirements for configuration hardening, configuration standards enforcement and change management. But this isn’t just an issue with how merchants read and interpret the PCI DSS. The new wave of SIEM vendors in particular are keen to take this narrow definition as ‘secure enough’ and for good, if selfish, reasons. PCI requirement 10 is all about logging and
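To make the distinction between the narrow reading of Requirement 11.5 (‘has the file changed since last week?’) and the broader role of file integrity analysis concrete, here is an added example (not code from the article or from New Net Technologies) of a minimal FIM cycle in Python: it baselines a directory tree by SHA-256 hash, size and permission bits, classifies files as added, removed or modified on the next pass, and, for small text configuration files, keeps a copy of the baseline content so a change can be reported as a diff that can be judged against a configuration standard rather than as a bare ‘changed’ flag. The directory layout, file names and settings are constructed for the demonstration and are not from the page.

```python
import difflib
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Baseline record per file: (sha256 hex digest, size in bytes, permission bits).
Record = Tuple[str, int, int]


def hash_file(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Record]:
    """Record hash, size and permission bits for every regular file under root."""
    baseline: Dict[str, Record] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: a symlink is not followed into another tree
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (hash_file(full), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline


def snapshot_text(root: str, baseline: Dict[str, Record], max_bytes: int = 65536) -> Dict[str, str]:
    """Keep the contents of small UTF-8 text files so a later change can be shown as a diff."""
    texts: Dict[str, str] = {}
    for rel, (_, size, _) in baseline.items():
        if size > max_bytes:
            continue
        with open(os.path.join(root, rel), "rb") as f:
            raw = f.read()
        try:
            texts[rel] = raw.decode("utf-8")
        except UnicodeDecodeError:
            pass  # binary file: hash only, no content diff
    return texts


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified (hash, size or mode differs)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def explain_change(old_text: str, new_text: str, path: str) -> str:
    """Unified diff of a text file: the 'what changed', not just 'it changed'."""
    return "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True), new_text.splitlines(keepends=True),
        fromfile="baseline/" + path, tofile="current/" + path))


def write(path: str, data) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(data, bytes) else "w") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a tree, make three changes, report them."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "etc", "ssh", "sshd_config")
        write(cfg, "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n")
        write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
        write(os.path.join(root, "bin_blob"), bytes(range(256)))

        baseline = build_baseline(root)
        texts = snapshot_text(root, baseline)

        # Changes after the baseline (constructed): a hardening setting is weakened,
        # one file is deleted and one new file appears.
        write(cfg, "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        write(os.path.join(root, "etc", "extra.conf"), "Enabled yes\n")

        current = build_baseline(root)
        report: dict = compare(baseline, current)
        now = snapshot_text(root, current)
        report["diffs"] = {p: explain_change(texts[p], now[p], p)
                           for p in report["modified"] if p in texts and p in now}
        return report


if __name__ == "__main__":
    r = demo()
    for kind in ("added", "removed", "modified"):
        print(kind, r[kind])
    for d in r["diffs"].values():
        print(d)
```

The ‘weekly comparison’ reading of 11.5 is the `compare` call on its own; the broader use the article argues for is what the diff adds, since a reviewer can see that `PermitRootLogin` moved from `no` to `yes` and assess it against the configuration standard, and the same report feeds change management by distinguishing expected from unexpected change. A production tool would store the baseline off-host and sign it, and would run far more often than weekly.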




80 www.risk-uk.com

