PCI DSS File Integrity Monitoring



Similar documents
File Integrity Monitoring - The Last line of Defense in the PCI Data Security Standard

File Integrity Monitoring - The Last line of Defense in the PCI Data Security Standard

Event Log Monitoring and the PCI DSS

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

The Art of Layered Security - Data Protection in a Threatscape of Modern Malware

Security Best Practices and File Integrity Monitoring

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

Overcoming PCI Compliance Challenges

Secret Server Qualys Integration Guide

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

The Comprehensive Guide to PCI Security Standards Compliance

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Best Practices for PCI DSS V3.0 Network Security Compliance

CorreLog Alignment to PCI Security Standards Compliance

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

GFI White Paper PCI-DSS compliance and GFI Software products

PCI Compliance: Protection Against Data Breaches

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Reduce Your Breach Risk: File Integrity Monitoring for PCI Compliance and Data Security

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

A Rackspace White Paper Spring 2010

MITIGATING LARGE MERCHANT DATA BREACHES

Security Management. Keeping the IT Security Administrator Busy

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

PCI DSS Reporting WHITEPAPER

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Software that provides secure access to technology, everywhere.

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

PCI Requirements Coverage Summary Table

Franchise Data Compromise Trends and Cardholder. December, 2010

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Global Partner Management Notice

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

FairWarning Mapping to PCI DSS 3.0, Requirement 10

INFORMATION SECURITY TRAINING CATALOG (2015)

PCI Data Security Standards (DSS)

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Did you know your security solution can help with PCI compliance too?

PCI Requirements Coverage Summary Table

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, One Connection - A World of Opportunities

LogLogic. Application Security Use Case: PCI Compliance. Jaime D Anna Sr Dir of Product Strategy, TIBCO Software

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Defending Against Data Beaches: Internal Controls for Cybersecurity

What does it mean to be secure?

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Case Study: Fast Food Security Breach (Multiple Locations)

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

Beyond PCI Checklists:

INCIDENT RESPONSE CHECKLIST

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Observations from the Trenches

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Securing OS Legacy Systems Alexander Rau

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

Josiah Wilkinson Internal Security Assessor. Nationwide

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

EA-ISP-012-Network Management Policy

HOW TO PREPARE FOR A PCI DSS AUDIT

Cyber Security - What Would a Breach Really Mean for your Business?

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

March

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

Transcription:

PCI DSS File Integrity Monitoring Explained Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2011 broadband testing and new net technologies www.nntws.com

Abstract...anti-virus defenses are typically only aware of 62% of the world s malware... h t t p : / / d o i. i e e e c o m p u t e r s o c i e t y. org/10.1109/mc.2010.187 Although FIM or File-Integrity Monitoring is only mentioned specifically in two subrequirements of the PCI DSS (10.5.5 and 11.5), it is actually one of the more important measures in securing business systems from card data theft. What is it, and why is it important? File Integrity monitoring systems are designed to protect card data from theft. The primary purpose of FIM is to detect changes to files and their associated attributes. However, this article provides the background to three different dimensions to file integrity monitoring, namely secure hash-based FIM, used predominantly for system file integrity monitoring file contents integrity monitoring, useful for configuration files from firewalls, routers and web servers file and/or folder access monitoring, vital for protecting sensitive data How far should FIM measures be taken? Start with System Files... As a starting point, it is essential to monitor the Windows/System32 or SysWOW64 folders, plus the main Card Data Processing Application Program Folders. For these locations, running a daily inventory of all system files will detect all additions, deletions and changes. Harnessed correctly, this data will provide an at a glance report from which potential security breaches can be identified. Additions and Deletions are relatively straightforward to evaluate, but how should changes be treated, and how do you assess the significance of a subtle change, such as a file attribute change? The answer is that ANY file change in these critical locations must be treated with equal importance. Most high-profile PCI DSS security breaches have been instigated via an inside man typically a trusted employee with privileged admin rights. For today s cybercrime there are no rules. The industry-acknowledged approach to FIM is to track all file attributes and to record a secure hash. Any change to the hash when the file-integrity check is re-run is a red alert situation using SHA1 or MD5, even a microscopic change to a system file will denote a clear change to the hash value. When using FIM to govern the security of key system files there should never be any unplanned or unexpected changes if there are, it could be a Trojan or backdoor-enabled version of a system file. This is why it also crucial to use FIM in conjunction with a closed loop change management system planned changes should be scheduled and the associated File Integrity changes logged and appended to the Planned Change record. www.nntws.com page 1

...For today s cybercrime there are no rules.. Secure Hash Based FIM Within a PCI DSS context, the main files of concern include System files e.g. anything that resides in the Windows/System32 or SysWOW64 folder, program files, or for Linux/Unix, key kernel files. The objective for any hash-based file integrity monitoring system as a security measure is to ensure that only expected, desirable and planned changes are made to in scope devices. The reason for doing this is to prevent card data theft via malware or program modifications. Imagine that a Trojan is installed onto a Card Transaction server the Trojan could be used to transfer card details off the server. Similarly, a packet sniffer program could be located onto an EPoS device to capture card data if it was disguised as a common Windows or Unix process with the same program and process names then it would be hard to detect. For a more sophisticated hack, what about implanting a backdoor into a key program file to allow access to card data? These are all examples of security incidents where File-Integrity monitoring is essential in identifying the threat. Remember that anti-virus defenses are typically only aware of 62% of the world s malware (see http://doi.ieeecomputersociety.org/10.1109/mc.2010.187 for a recent study) and an organization hit by a zero-day attack (zero-day marks the point in time when a new form of malware is first identified only then can a remediation or mitigation strategy be formulated but it can be days or weeks before all devices are updated to protect them. The diagram in Figure 1 shows how the SHA1 secure hash algorithm generates a distinctly different hash value even for the smallest change to the data within a file. This provides a unique means of verifying that the integrity of a file has been maintained. The quick brown fox jumps over the lazy dog 1b93eb12 SHA 1 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 Even a tiny change to the file in this example creates a significant change to the hash due to the avalanche effect of the algorithm. The SHA1 arrow denotes a SHA1 operation to generate the following hash. The quick brown fox jumps over the lazy cog 100db4b3 SHA 1 de9f2c7f d25e1b3a fad3e85a 0bd17d9b Figure 1 - Illustration of how a secure hash algorithm creates a unique hash based on the contents of a file www.nntws.com page2

File Content and Configuration File Integrity Monitoring Whilst a secure hash checksum is an infallible means of identifying system file changes, this does only tell us that a change has been made to the file, not what the actual detail of the change is. Sure, for a binary-format executable, this is the only meaningful way of conveying that a change has been made, but a more valuable means of file integrity monitoring for readable files is to keep a record of the file contents. This way, if a change is made to the file, the exact change made to the readable content can be reported. For instance, a web configuration file (php, aspnet, js or javascript, XML config) can be captured by the FIM system and recorded as readable text; thereafter changes will be detected and reported directly. Similarly, if a firewall access control list was edited to allow access to key servers, or a Cisco router startup config altered, then this could allow a hacker all the time needed to break into a card data server. Figure 2 - File Integrity Monitoring applied to a Firewall or Router not only provides a notification that a change has been made but should record exactly which configuration settings or attributes have changed. This example is taken from NNT Change Tracker showing side-by-side change history and a full audit trail of all changes made. One final point on file contents integrity monitoring - Within the Security Policy/Compliance arena, Windows Registry keys and values are often included under the heading of FIM. These need to be monitored for changes as many hacks involve modifying registry settings. Similarly, a number of common vulnerabilities can be identified by analysis of registry settings. www.nntws.com page 3

File and/or Folder Access Monitoring The final consideration for file integrity monitoring is how to handle other file types not suitable for secure hash value or contents tracking. For example, because a log file, database file etc will always be changing, both the contents and the hash will also be constantly changing. Good file integrity monitoring technology will allow these files to be excluded from any FIM template. However, card data can still be stolen without detection unless other measures are put in place. As an example scenario, in an EPoS retail system, a card transaction or reconciliation file is created and forwarded to a central payments server on a scheduled basis throughout the trading day. The file will always be changing maybe a new file is created every time with a time stamped name so everything about the file is always changing. Standard practise would be to place the file in a secure folder on the EPoS system to prevent user access to the contents. However, an inside man with Admin Rights to the folder could view the transaction file and copy the data without necessarily changing the file or its attributes. Therefore the final dimension for File Integrity Monitoring is to generate an alert when any access to these files or folders is detected, and to provide a full audit trail by account name of who has had access to the data. Much of PCI DSS Requirement 10 is concerned with recording audit trails to allow a forensic analysis of any breach after the event and establish the vector and perpetrator of any attack. 2011/03/13 21:30:00 6 seconds ago 192.168.1.221 auth (warning): Security 4663: Microsoft- Windows- Security- Auditing: Object: An attempt was made to access an object - An attempt was made to access an object. Subject: Security ID: S- 1-5- 21-137452079- 2713887879-3978310812- 1003 Account Name: mark Account Domain: NNTMKEDGLEY Logon ID: 0x4ecc1 Object: Object Server: Security Object Type: File Object Name: D: \ RESTRICTED ACCESS - Card Reconcilliation Folder Handle ID: 0xd68 Process Information: Process ID: 0xef4 Process Name: C: \ Windows\ explorer. exe Access Request Information: Accesses: % % 4423 Access Mask: 0x80 Details... Figure 3 - File Integrity Monitoring employed to protect secure files from unauthorized access. Whether you are protecting Card Holder Data for PCI DSS compliance or sensitive Financial Information for Sarbanes-Oxley compliance, you will need to log a full audit trail of access to the files and folders concerned. Here we use NNT Log Tracker to illustrate this in practise - note we have also logged the user and process accessing the protected folder. www.nntws.com page 4

Conclusion - The NNT View The PCI DSS is deliberately complex, the idea being that all security measures and technologies are overlaid to create the best chance of protecting cardholder data as is possible. Requirement 11.5 seems innocuous enough - it isn t even given a Requirement number to itself! But it is potentially the most important measure you can implement - without doubt, all of the most high-profile cases of carddata theft would have been identified earlier if FIM was used properly. NNT can help using NNT Change Tracker and Log Tracker will provide everything that a Payment Card merchant needs to become, and remain, PCI DSS compliant. NNT PCI DSS Compliance solutions cover the following About NNT configuration hardening change management event log correlation file integrity monitoring NNT is a leading provider of PCI DSS and general Security & Compliance solutions. As both a Software Manufacturer and Security Services Provider, we are firmly focused on helping organizations protect their sensitive data in an efficient and cost effective manner. NNT has unmatched expertise with PCI DSS compliance and General Information Protection across the retail, hospitality, government, utilities, healthcare and finance marketplaces. NNT solutions are easy to use and offer exceptional value for money, making it easy and affordable for you to achieve and retain compliance at all times. Each has the guidelines of the PCI DSS at its core, which can then be tailored to suit any internal best practice or external compliance initiative. NNT Change Tracker and Log Tracker Enterprise - Compliance Clarified Audit Configuration Settings - The core function of NNT Change Tracker Enterprise is to first understand how your IT estate is configured Compare Audited Settings Against Policy - Configuration settings are assessed for compliance with any policy or standard relevant to your organization and deviations highlighted Continuously Monitor Configuration Settings - Configuration attributes are then monitored continuously for all changes, both from a compliance standpoint and from a general change management/control standpoint Attributes covered include File Integrity, File Content, Registry Key Settings and Values, Service States, Processes, User Accounts, Installed Programs and Vital Signs Change Management Process Underpinned - Authorized changes which have been approved via the formal change management process are reconciled with the original RFC to ensure the correct changes were implemented accurately The Change Management Safety Net - All unplanned changes are flagged up for review immediately to mitigate security integrity or service delivery performance www.nntws.com SIEM Event Log Correlation - Centralize and correlate event logs messages from all windows, unix/linux, firewall and IPS systems 2010 New Net Technologies UK Office - Spectrum House, Dunstable Road, Redbourn, AL3 7PR Tel: +44 8456 585 005 TO REQUEST A FREE TRIAL OR DISCUSS ANY AREA COVERED IN THIS WHITEPAPER, PLEASE CONTACT US AT info@nntws.com US Office - 5633 Strand Blvd, Suite 306, Naples Florida 34110 Tel: +1 239 592 9638 www.nntws.com page 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information