Identification of File Integrity Requirement through Severity Analysis




Zul Hilmi Abdullah a, Shaharudin Ismail a, Nur Izura Udzir b

a Fakulti Sains dan Teknologi, Universiti Sains Islam Malaysia, Bandar Baru Nilai, 71800 Nilai, Negeri Sembilan, Malaysia.
b Fakulti Sains Komputer dan Teknologi Maklumat, Universiti Putra Malaysia, 43400 Serdang, Selangor, Malaysia.
zulhilmi.a@usim.edu.my

Abstract. File integrity monitoring (FIM) tools are used to mitigate the risk of integrity violations in operating system and storage environments. The main challenge is to ensure that modification of the relevant files is detected as soon as the event occurs, since fast detection can be vital to preventing further damage. However, real-time monitoring carries a performance penalty. To minimize this overhead, we propose identifying the file integrity requirement of each file. The integrity requirement determines the monitoring approach for a file, either real time or offline. Although some FIM tools provide a hybrid monitoring approach, they still require the system administrator to manually configure which specific files receive which specific monitoring approach. This is a difficult task for system administrators and is exposed to human error. This paper proposes a model of file integrity requirement based on file metadata (file attributes) to assist system administrators in setting up monitoring approaches for specific files within the application system environment. The proposed model can be applied to FIM tools and to other file protection tools such as anti-malware and backup and restore solutions as part of a defence in depth strategy.

Keywords: File Integrity, Severity Analysis, Integrity Requirement, System Security.

INTRODUCTION

Integrity violation of information system assets has become a major concern.
Threats from viruses and other malware capable of modifying system and application files increase the risk of integrity violation [1]. The growing number of new malware samples every day further exposes information system assets to integrity violation. Therefore, well-known information security standards and guidelines recommend that each organization deploy system integrity verification to protect its information assets. The PCI Security Standards Council includes system integrity as part of the Payment Card Industry (PCI) Data Security Standard (DSS) requirements. The requirement is important to ensure that the business can operate effectively and as intended. The requirement to implement file integrity monitoring is part of the monitoring of security controls, which also covers firewalls, anti-virus, IDS and IPS, as stated in PCI DSS versions 2.0 and 3.0 [2]. Another well-established compliance standard that recommends system integrity monitoring is NIST 800-53, whose System and Information Integrity (SI) guidelines address it in two main sections (SI-4 and SI-7) [9]. In NIST Special Publication 800-53 Revision 4, SI-7 represents an enhancement of integrity control covering software, firmware and information integrity.

Several file integrity monitoring or verification tools provide integrity protection for system and application security, such as Tripwire [3], XenFIT [4] and OSSEC [5]. Detection capability is not a major issue for most established file integrity monitoring tools, since they use standard and reliable detection mechanisms. Issues arise more in the monitoring approach, namely whether system files are monitored in real time or periodically. Although highly critical applications are developed with security in mind, new security vulnerabilities still cannot be predicted during the development phase. Thus application software remains vulnerable to security flaws and needs to be protected. It is impossible to monitor every single application file in real time because of the high cost in resource consumption and processing time [6]. Therefore, a proper technique and approach is needed to ensure that only the files that require it are monitored in real time, while the other files are monitored periodically. This is crucial: only integrity-critical files should be protected in real time, so that the performance impact on system operation is minimal. Real-time integrity protection can cause a performance penalty if the implementation is not properly configured. To ensure effective scheduling of file integrity monitoring, we propose file integrity requirement identification based on severity analysis.
FILE INTEGRITY REQUIREMENT (FIR) IDENTIFICATION

File integrity requirement (FIR) is proposed to assist file integrity monitoring (FIM) tools in determining which specific files receive which specific monitoring approach. In this paper we focus on files in the Windows operating system environment; every setup and configuration, including the virtual hosts, is also based on the Windows operating system.

FIGURE 1: Important steps for the research. [Flow: identify related issues in file integrity monitoring and analyze previous techniques and practices -> formulate a new pattern of file integrity requirement identification -> evaluate the formulated pattern]

Figure 1 shows the important steps in this research. The research begins with the identification of related issues in file integrity monitoring through an intensive review of related work. After specific issues have been discovered, several tools related to file security monitoring, such as FIM tools, anti-virus tools, host-based intrusion detection systems and file utilities, are collected. All related tools are tested and observed in order to obtain patterns of existing practice in file protection. The observation results are analyzed, and from them a new pattern of file integrity requirement (FIR) identification is formulated. Lastly, the proposed FIR is evaluated to test the accuracy of the formulated pattern.

Observation of Existing File Protection Practices

To collect information on the practices of existing file protection tools, five different virtual hosts are used. Each virtual host is installed with a different type of service: web server, database server, print server, e-mail server and file sharing service. The related file protection tools are installed and tested on each virtual host to observe how they protect files. Figure 2 shows the steps involved in FIR identification.

FIGURE 2: File integrity requirement (FIR) identification. [Flow: run file protection tools -> collect information used by related tools -> analyze collected information]

First, data on the files monitored in real time are collected for each virtual host and file protection tool. Next, the collected data are analyzed by comparing the files and classifying the pattern of file monitoring based on similarities in their attributes. In practice these steps are time consuming and complicated. It is assumed that existing file protection tools monitor sensitive or important files in real-time monitoring mode.

Violation of the integrity

After obtaining the pattern of file protection, we formulate a new file integrity requirement (FIR) to assist file integrity monitoring tools in determining the monitoring mode for specific files. In this paper, FIR is formulated based on privilege security attributes (PSA), and each file is classified into one of five FIR levels (system, high, medium, low and unprotected). Our FIR uses five PSA attributes, obtained from the observed pattern of existing file protection tools.

Evaluation

To evaluate the accuracy of the formulated FIR, a data mining classifier is used. Figure 3 shows the steps involved in evaluating the proposed FIR.

FIGURE 3: FIR evaluation steps. [Flow: scan file attributes -> capture and record identified attributes -> transform attribute information into nominal format -> test dataset with specific classifiers -> analyze and interpret classification result]

In the evaluation phase, the FIR data set is collected using the file attributes scanner (FAS) tool. FAS was developed previously for our attribute-based file integrity identification [7, 8], and it is customized here to support data collection based on the privilege security attributes (PSA). Five identified attributes are collected for each file. The data set is transformed into a nominal format to accommodate the evaluation process, and data preprocessing is done in this phase to minimize noise. In this paper, a Multilayer Perceptron (MLP) classifier is used to test our FIR based on the five integrity levels and five attributes. Lastly, the classification result is analyzed and interpreted against the research objectives. In the initial result, our FIR scored 92.5% correctly classified instances on 400 sample files, each represented by five attributes. The score shows an impressive output from the FIR identification and formulation. However, some improvement is still needed to optimize the effectiveness of the FIM monitoring mode for specific files.

CONCLUSION

Identification of file integrity requirement (FIR) is a good starting point for assisting file integrity monitoring tools, since information security threats and attacks, especially those involving unauthorized system modification, are increasing. In addition, the growing complexity of operating systems and applications, driven by highly sophisticated demands for information services, also requires more effective file integrity monitoring without compromising system performance. The evaluation result shows a promising future for FIR identification. Currently we are working on formulating a new FIR based on different types of file attributes. In addition, the formulated FIR will be incorporated into a prototype file integrity monitoring system for testing in a real environment.
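The FIR formulation and evaluation described above, as an added example that is not the paper's code or its FAS tool: a rule-based stand-in for the FIR model that maps nominal file attributes to one of the paper's five FIR levels, derives the FIM monitoring mode from that level, and computes the "correctly classified instances" metric over a constructed labelled sample. The five attribute names, the classification rules and the level-to-mode mapping are hypothetical, since the paper does not list its PSA attributes.

```python
from dataclasses import dataclass

# Assumed mapping: real time only for integrity-critical levels,
# periodic for the rest, none for unprotected files.
MONITORING_MODE = {"system": "realtime", "high": "realtime",
                   "medium": "periodic", "low": "periodic",
                   "unprotected": "none"}


@dataclass(frozen=True)
class FileAttrs:
    """Five nominal privilege/security attributes of one file (hypothetical)."""
    owner: str        # "system", "admin" or "user"
    write_acl: str    # who may write: "system_only", "admins", "everyone"
    location: str     # "os", "program", "data" or "temp" directory
    executable: bool  # binary or script that the OS will execute
    hidden: bool      # carries the hidden/system file attribute


def classify_fir(a: FileAttrs) -> str:
    """Assign an FIR level; rules are ordered from most to least severe."""
    if a.location == "os" and a.owner == "system" and a.write_acl == "system_only":
        return "system"       # OS-owned, OS-writable only: core system file
    if a.executable and a.write_acl != "everyone":
        return "high"         # protected executable: tampering runs code
    if a.location in ("os", "program") or a.hidden:
        return "medium"       # other OS/program files or hidden files
    if a.location == "data":
        return "low"          # user data: integrity matters, not critical
    return "unprotected"      # temp and scratch files


def monitoring_mode(a: FileAttrs) -> str:
    """Monitoring mode a FIM tool should apply to this file."""
    return MONITORING_MODE[classify_fir(a)]


def accuracy(labelled):
    """Percentage of correctly classified instances (the paper's metric)."""
    correct = sum(classify_fir(a) == label for a, label in labelled)
    return 100.0 * correct / len(labelled)


# Constructed labelled samples; not the paper's 400-file data set.
SAMPLES = [
    (FileAttrs("system", "system_only", "os", True, True), "system"),
    (FileAttrs("admin", "admins", "program", True, False), "high"),
    (FileAttrs("system", "system_only", "program", True, True), "high"),
    (FileAttrs("admin", "admins", "program", False, False), "medium"),
    (FileAttrs("user", "everyone", "temp", False, True), "medium"),
    (FileAttrs("user", "everyone", "data", False, False), "low"),
    (FileAttrs("user", "everyone", "temp", False, False), "unprotected"),
    # World-writable executable labelled "high" by an analyst; the rule set
    # yields "medium", the kind of miss a learned classifier could correct.
    (FileAttrs("user", "everyone", "program", True, False), "high"),
]
```

On the constructed sample the rule set reaches 87.5% correctly classified instances (7 of 8); the one miss shows why the paper turns to a trained classifier rather than hand-written rules.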

Proceeding of IC-ITS 2015, e-ISBN: 978-967-0850-07-8

REFERENCES

1. McKosky, R. A. & Shiva, S. G. A file integrity checking system to detect and recover from program modification attacks in multi-user computer systems. Computers & Security, 1990, 9, 431-446.
2. PCI Security Standards Council LLC. Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.0. PCI Security Standards Council LLC, 2013.
3. Kim, G. H. & Spafford, E. H. The design and implementation of Tripwire: a file system integrity checker. CCS '94: Proceedings of the 2nd ACM Conference on Computer and Communications Security, ACM, 1994, 18-29.
4. Quynh, N. A. & Takefuji, Y. A novel approach for a file-system integrity monitor tool of Xen virtual machine. ASIACCS '07: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ACM, 2007, 194-202.
5. Hay, A.; Cid, D.; Bary, R. & Northcutt, S. System Integrity Check and Rootkit Detection. OSSEC Host-Based Intrusion Detection Guide, Syngress, 2008, 149-174.
6. Zhao, F.; Jiang, Y.; Xiang, G.; Jin, H. & Jiang, W. VRFPS: A Novel Virtual Machine-Based Real-time File Protection System. ACIS 2009: International Conference on Software Engineering Research, Management and Applications, IEEE Computer Society, 2009, 217-224.
7. Abdullah, Z. H.; Udzir, N. I.; Mahmod, R. & Samsudin, K. Towards a Dynamic File Integrity Monitor through a Security Classification. International Journal of New Computer Architectures and their Applications (IJNCAA), The Society of Digital Information and Wireless Communication, 2011, 1, 766-779.
8. Abdullah, Z. H.; Udzir, N. I.; Mahmod, R. & Samsudin, K. File Integrity Monitor Scheduling Based on File Security Level Classification. Software Engineering and Computer Systems, Springer Berlin Heidelberg, 2011, 180, 177-189.
9. Locke, G. & Gallagher, P. D. Recommended Security Controls for Federal Information Systems and Organizations. National Institute of Standards and Technology (NIST), 2009.