The Ever-changing DLL Hunt – Why Do 'lsprst7.dll' And 'sysprs7.dll' Continually Change?

File Integrity Monitoring - What really happens on your server when you're not looking?

Once our customers start using file integrity monitoring technology as part of a PCI Compliance or other security governance initiative there is often a realization of ‘What the eye doesn't see, the heart doesn't grieve over’

For instance, who knew there were that many file changes associated with a windows update?

We have recently dealt with an interesting project for a Passenger Ferry Operator. After we had been running Change Tracker file integrity monitoring for a few days they noticed repeated, frequent but irregular changes being reported to a couple of DLL files - 'lsprst7.dll' and 'sysprs7.dll', with two associated files 'lsprst7.tgz' and 'sysprs7.tgz'. These reside within the Windows\System32 and/or the SysWOW64 folders

Our customer contact did some research via Google but, despite finding other records of searches for the identity of these files and the reason for the frequent changes (with the trail leading to an Adobe forum thread), no explanation could be found.

A process of elimination exercise to identify the role of the files was suggested – delete the files and see which application breaks, or progressively remove programs from the server and see which one removes the DLLs in question?

It is counterintuitive for DLL files to change and you would be rightly suspicious if you saw this happening on a server. Concerns over mutating malware and polymorphic viruses began to circle.

What's the Solution?

In this instance, thankfully there is a perfectly logical explanation. The files are License Server components for SafeNet ‘Solve’ software (Solve is supplied by The Logic Group, and it provides card holder data encryption for the EPoS software used by this customer) The DLLs are persistence files, used to help detect "Time Tempering" and they change every time the software is accessed and a license check is run.

There are other examples of license key files which regularly change that we are familiar with and although it is initially surprising and of concern to see system files changing, it is ultimately a positive thing.

How can you detect genuinely exceptional file changes if you don’t fully understand how your applications and servers behave under regular operating conditions? Only by employing forensic-level file integrity monitoring and analyzing the results can you begin to get intimate with what ‘good’ looks like, and in turn, what irregular – and potentially damaging - behavior looks like.

Want to analyze your server system file behaviors or implement PCI file integrity monitoring technology? Request a free trial or demonstration here

PCI Compliance Server Hardening doesn’t have to be Hard

Harden Server Configuration to remove Vulnerabilities

“PCI DSS Version 2.0 Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters”

From the moment a server is powered up it becomes vulnerable to attack. Assuming that leaving your key application servers turned off is not an option it will be necessary to implement security measures advocated by the PCI DSS.

PCI Requirement 2 calls for configuration hardening of servers, EPoS PC’s and network devices. The headlines of the requirement call for removal of default usernames and passwords, and a need to stop any unnecessary services. However, beyond these initial measures there are a vast number of additional configuration setting changes recommended by ‘best practice’ authorities (such as SANS Institute, CIS and NIST) all of which help to mitigate security threats. If you haven’t already adopted a hardened configuration standard then any of these organizations can assist, although a good configuration auditing and config change tracking system will typically be pre-packed with a hardening checklist you can adopt. This type of system will automate not just the initial hardening assessment but will also do so on a continuous automatic basis so you can be alerted when any configuration drift occurs.

As with most elements of the PCI DSS Requirements, there are a number of checks and balances to provide evidence that adequate hardening measures have been applied. In common with the overall ethos of the PCI DSS, there is always a high degree of overlap to guarantee comprehensive coverage.

Similarly, event log management and file integrity monitoring measures will serve to provide additional checks to verify security measures have not been changed or compromised at all times.

Active Testing of PCI DSS Security Measures – Pen Testing and Vulnerability Scanning

PCI Requirement 11 covers Penetration Testing and Vulnerability Scanning – we’ll discuss these in turn.

Pen Testing / Penetration Testing

Any internet facing devices are exposed to somewhere in excess of 2 billion potential hackers (source: ITU website – ‘Key Facts’) and while firewalls and intrusion detection technologies help to allow good users in and keep bad traffic out, the fact remains that an ‘open’ website is always going to be vulnerable to attack. Penetration testing takes the form of an active assessment of whether the internet facing devices and servers can be compromised. Typically a ‘blended’ approach is used combining automated, scripted scans and tests for common hacking vectors with manually orchestrated hacking techniques.

Vulnerability Scanning / ASV Scans

Whereas a Pen Test is for externally accessible devices, internal network connected devices are tested using an ASV scan (ASV is a PCI Security Council term for any organization or individual who has been validated as an Approved Scanning Vendor). This kind of internal vulnerability assessment is known as a Vulnerability Scan.

This is typically a more intensive active assessment for devices than a Pen Test, assessing operating system and application patching levels. Again the ASV vulnerability scan can be either fully automated using an on-site appliance or take a blended approach, part-automatic-part-manually orchestrated.

PCI DSS Hardening Methodologies – How do I harden my Server?

For Windows servers, numerous security features and best practice measures are implemented via the server’s Local Security Policy. Group Policy can be used as a convenient way to update the Security Policy of multiple devices in bulk, but of course one common way to enhance security is to isolate servers from a domain to allow precise ‘hand-picked’ access permissions, in which case the Local Security Policy will need to be configured directly.

In addition, unnecessary services should be disabled, built-in accounts should be renamed and passwords changed from defaults, drive and folder permissions should be restricted – the list of actual and potential vulnerabilities is extensive and always growing.

It should be mentioned that there is a whole other area of vulnerability management relating to patches and application updates. Whilst these all carry the potential to be just as harmful as configuration-based vulnerabilities, patch or application-based vulnerabilities are inherently easier to manage, given that Windows Updates and major applications all have automated, self-updating capabilities. Furthermore, operating system and application-based vulnerabilities can be remediated – that is to say, eliminated permanently – as opposed to configuration-based vulnerabilities which can only ever be mitigated. In other words, configuration-based vulnerabilities can be just as easily re-introduced at any time as they are to remove in the first place.

Summary

In conclusion, this is yet another area of the PCI DSS that is ideally handled using intelligent, automated technology. The best products available combine comprehensive ‘best practice’ security policy and hardening checklists with continuous vulnerability assessments. Any configuration drift is identified immediately and alerted, while summary reports can be produced to give an ‘at a glance’ reassurance that nothing has changed.

The active role of a continuous configuration change tracking technology can also be used as a vantage point to implement file integrity monitoring too, guaranteeing system and application files do not change and that malware cannot be introduced onto the server without detection. Likewise, SIM, SIEM (Security Information and Event Management) or plain old Event Log Management technology also provides a full audit trail of security events for in scope devices.

The good news is you don’t need to turn off your servers just to keep them secure.

Documentation Of PCI Compliance Processes? No Thanks! How Logging And FIM technologies Can Augment (Or Replace) Process And Procedure

Small Company PCI Compliance

For many Merchants subject to the PCI DSS, September is always a significant deadline for proving that compliance with the security measures of the PCI DSS has been met.

Unless you are a Tier 1 merchant (transacting in excess of 6 million card sales each year) and being audited by a PCI Security Standards Council QSA (Qualified Security Assessor) then you will be using the Self-Assessment route. SAQ D is the most commonly used Self Assessment Questionnaire for medium to large scale merchants.

Regardless of which type of Merchant your organization is classified as, the issues are firstly to put measures in place to meet compliance with the requirements, (so either install some security technology, e.g. a file integrity monitor, or define and document security procedures), and secondly, to prove that the measures are effective.

For smaller merchants, processes are typically not documented because there has previously been no need to do so. It stands to reason that for a small-scale IT Department, processes are commensurately simple to explain and operate, and as such, wont have needed to be documented. This being the case, however, it could also be argued that the documentation of processes, and proving that they work, is also very simple.

For instance, the change management process may be as simple as ‘if any of us need to make a change, we discuss it or just send an email to the others for their information, then enter details onto a shared spreadsheet document’.

Clearly there is ample potential for human error in a process like this and for an ‘inside man’ hack to be perpetrated, even if the risk is low and the subsequent identification of the perpetrator straightforward.

So in this case, documenting the process is easy, but proving that it is infallible is another matter. There are too many scenarios where the process can fail, principally due to human error, but this also makes it inadequate as a means of ensuring changes cannot be made without detection. This is why many small companies lose sleep over PCI Compliance, worrying how far measures need to be taken and just how much security is enough?

Process Checks and Balances – Automated

PCI DSS Requirement 10 mandates the logging of all significant security events from the PCI estate, while PCI DSS Requirement 11.5 mandates the use of File-Integrity Monitoring technology. For many organizations taking a ‘checkbox’ approach to PCI Compliance, the implementation of both technologies is seen as just another hassle to get through for the sake of the PCI DSS.

However, take a step back and look at the PCI DSS as a whole. The emphasis is on good security measures with sound best practices. In other words, for each dimension of security advocated by the PCI DSS there is a need to document and test related processes.

It therefore becomes clear that logging and FIM are not just overlay technologies to plug gaps left by the firewalling, hardening and antivirus measures, but integral means of verifying that your net security stance is effective.

Any file change or configuration change reported should be investigated and verified then acknowledged as an approved change. The process is automated, but simple and robust.

Similarly, a new account or privilege being assigned will be reported via your log management system, prompting an investigation and ultimately a record of the acknowledgment.

As such, implementation of event log management and file integrity checker technologies can actually provide the processes needed for PCI DSS compliance. You could have a whole shelf full of change management processes and procedures, or alternatively, simply refer to your log management and FIM reporting system.

If you want to short-cut boring documentation of processes for PCI compliance then talk to us about how we can help - support@nntws.com

The PCI DSS is well thought out, utterly comprehensive but man - it’s big!

Where do you start with PCI Compliance?

It is a vast expanse of best practice security measures, not at all easy to understand, and even less easy to apply to your personal situation. The headlines are as follows

• 12 Requirements
• but 230 sub-requirements
• and some estimates of 650 detail points

The PCI DSS in 2011 still remains an ongoing challenge for the overwhelming majority of PCI Merchants. Feedback we have had from working with a number of casino resorts, theme parks, ferry services and call centers over the past few months makes interesting reading for any other PCI Merchant wanting advice about PCI compliance.

Typically, one in every two Tier 2 and Tier 3 Merchants admit they do not understand the requirements of the PCI DSS. If you are either still working on implementing compliance measures identified in pre-audit surveys, or are not compliant and doing nothing about it, or are leaving everything to the last minute, don’t be too hard on yourself - nine out of ten Merchants are at the same stage.

In fact, it is fine to have a phased, prioritized approach and the PCI DSS Council fully recommend this strategy, mindful that Rome wasn’t built in a day.

Prioritizing PCI Compliance Measures

With so much ground to cover, prioritizing measures is a must, and indeed the recently released ‘Prioritized Approach for PCI DSS Version 2.0’ from the PCI Security Standards council website is an essential document for anyone working out where to start with assessing

Although the PCI DSS is sectioned loosely around twelve headline Requirements in terms of technologies (Firewalling, Anti-Virus, Logging and Audit Trails, File Integrity Monitoring, Device Hardening and Card Data Encryption) - and procedures and processes (physical security, education of staff, development and testing procedures, change management), you soon realize that there are threads that run horizontally through all requirements.

If you consider Requirement 1 of the PCI DSS, this is oriented around the need for a firewall and a fundamentally secure network design. However, you quickly end up with a secondary list of questions and queries. Do we need a diagramming tool? Do we need to automate the monitoring of firewall rule changes? (Incidentally, this is a task easily done using a good file integrity monitoring product) What is our Change Management Process? Is it documented

In this respect there is potentially a good argument for the creation of other versions of the PCI DSS oriented around procedural dimensions, such as password policies for all disciplines and devices, or change management for all disciplines and devices, and so on. Whilst the Prioritized Approach gives a good framework for planning and measuring progress, it is strongly advised that you also look up at every step and see which other requirements can be taken care of by the same measure being implemented. For example, file integrity monitoring is only specifically mentioned in Requirement 11.5, however, good FIM software solutions will underpin Requirement 1, requirement 2, and requirements 3, 4,5,6,7,8,10, and 12.

The general advice is that, even though it is very daunting, if you can get ‘intimate’ with the PCI DSS, both in spirit and in detail, then as with everything else in life, the better informed you are, the more in control you will be, and the less money and sweat will be wasted.

Summary

The PCI DSS may well challenge your pre-conceptions about what an Information Security Policy comprises - but there is plenty of help to draw upon.

In summary

• Use vendor offers - a free trial of event log server software will allow you to see first-hand how much notice you are likely to be dealing with in your estate and how straightforward or otherwise an implementation might be before you spend any money
• Use the PCI Security Standards Council website - tools like the Prioritized Approach spreadsheet will help breakdown the full PCI DSS into a more manageable series of steps and priorities
• Look for quick wins and the best ‘bang for buck’ measures - implementing File Integrity Monitoring software for PCI compliance can take a big bite of the overall requirements and may be one of the simpler and affordable steps you take

What do you think? If you could give one piece of advice based on your own experience of PCI Compliance what would that be?

Retail Systems Forum Approaches - 'Complicated, Expensive and Time-Consuming – but the PCI DSS isn’t going away'

Just 2 weeks now until this year's Retail Systems Forum being held at Microsoft's UK HQ in Reading - see http://www.retailsystemsforum.co.uk/

NNT are presenting one of the sessions -'Complicated, Expensive and Time-Consuming – but the PCI DSS isn’t going away'

• The PCI DSS in 2011 – Attitudes and Opinions from Multi Channel retailers in the UK
• Strategies available – what is working and what are others getting away with?
• Common Sense or Technology?
• Are the goalposts moving (or going to move)?

I have only just finished the presentation for the deadline so at least it is topical and up to date!

I am talking about some of the feedback we have had from PCI DSS customers over the past few months, such as

- Duck it! “The future is too unclear to make any investment...”

- Paralysis! “We don’t want to make mistakes like xyz...”

- Ignore it! “We don’t need to bother – we’ve been OK so far and we view the risks as low...”

- Go Slow! “We have kept some updated procedural stuff back and if we drip-feed this to the Bank over the next two quarters then we are covered for the next few months...”

How much does it cost to procrastinate, delay and ignore the requirements of the PCI DSS? Wouldn't it be a better use of resources to embrace the PCI DSS, understand its intentions and methods, then apply these to your organization? You need a security policy, so why not take the 'off the shelf' option on offer in the knowledge that this is a well-thought out, widely implemented and tested standard that works?

In all the instances referenced above, we ended up delivering solutions to the various PCI DSS requirements

- File Integrity Monitoring (PCI Requirement 11.5) essentially, this requires the PCI Merchant to keep tabs on any changes made to the configuration of firewalls, switches and routers in the network, ensure that windows operating system files and program files on EPoS devices and servers don't change, and to track any access to Card Data files

- Device Hardening (PCI Requirements 2,6,8,10 and 11) a configuration and set-up process for all servers, EPoS devices, PCs and network devices, whereby the 'built-in' weaknesses and vulnerabilities present are removed or minimized.

- Centralized Event Log Management (PCI Requirement 10) gives both a pro-active security monitoring capability and a full, 'forensic' audit trail to use in the event of a breach

- Change Management (PCI Requirements 1,2,6,8,10 and 11) underpins all PCI DSS requirements, in as much as once your PCI Estate is secure, you need to ensure you keep it that way, so reducing changes and for those that are made, make sure they are planned, documented and approved. Change Tracker reconciles changes that are made with details of the intended change

The RSF format is to not get too technical nor be product-oriented, so the presentation will shy away from even this level of detail.

I hope the event can be recorded and published on www.nntws.com for anyone who can't make the event in person.

Implement Logging for PCI DSS – A How to Guide

Introduction

The PCI DSS Requirement 10 calls for a full audit trail of all activity for all devices and users, specifically requiring all event and audit logs to be gathered centrally and securely backed up.

The thinking here is twofold. Firstly, as a pro-active security measure, the PCI requirement that all logs are reviewed on a daily basis (yes – you did read that correctly – ALL logs DAILY - we shall return to this potentially overwhelming burden later...) requires the Security Team to become more intimate with the daily ‘business as usual’ workings of the network. This way, when a genuine security threat arises, it will be more easily detected through unusual events and activity patterns.

The second driver for logging all activity is to give a ‘black box’ recorded audit trail so that if a cybercrime is committed, a forensic analysis of the activity surrounding the security incident can be conducted. At best, the perpetrator and the extent of their wrongdoing can be identified and remediated. At worst – lessons can be learned from the attack so that procedures and/or technological security defenses can be improved.

Of course, if you are a PCI Merchant reading this, then your main driver is that this is a mandatory PCI DSS requirement – so we should get moving!

Which Devices are within scope of PCI Requirement 10?

Same answer as to which devices are within scope of the PCI DSS as a whole – anything involved with handling or with access to card data is within scope and we therefore need to capture an audit trail from each of them.

The most critical devices are the firewall, servers with settlement or transaction files and any Domain Controller for the PCI Estate, although all ‘in scope’ devices must be covered without exception.

How do we get Event Logs from ‘in scope’ PCI devices?

We’ll take them in turn –

Firewalls – the exact command set varies between manufacturers and firewall versions but you will need to enable ‘logging’ via either the Firewall Web interface or the Command Line.

Taking a typical example – a Cisco ASA – the CLI command sequence is as follows

logging on

no logging console

no logging monitor

logging a.b.c.d (where a.b.c.d is the address of your syslog server)

logging trap informational

This will ensure all ‘Informational’ level and above messages are forwarded to the syslog server and guarantee all logons/logoffs are captured.

Windows Servers – There are a few more steps required for Windows Servers and PCs/EPoS devices. First of all it is necessary to ensure that logons, logoffs, privilege use, policy change and depending on your application and how card data is handled, object access. You may also wish to enable System Event logging if you want to use your SIEM system to help troubleshoot and pre-empt system problems e.g. a failing disk can be pre-empted before complete failure by spotting disk errors.

Typically we will need Success and Failure to be logged for each Event –

Account Logon Events – Success and Failure

Account Management Events – Success and Failure

Directory Service Access Events – Failure *

Logon Events – Success and Failure

Object Access Events – Success and Failure **

Policy Change Events – Success and Failure

Privilege Use Events - Failure

Process Tracking – No Auditing ***

System Events – Success and Failure ****

* Directory Service Access Events available on a Domain Controller only

** Object Access – Used in conjunction with Folder and File Auditing. Auditing Failures reveals attempted access to forbidden secure objects which may be an attempted security breach. Auditing Success is used to provide an Audit Trail of all access to secured date, for example, card data in a settlement/transaction file/folder.

*** Process Tracking – not recommended as this will generate a large number of events. Better to use a specialized whitelisting/blacklisting technology such as NNT Remote Angel

**** System Events – Not required for PCI DSS compliance but often used to provided additional ‘added value’ from a PCI DSS initiative, providing early warning signs of problems with hardware and so pre-empt system failures.

Once events are being audited, they then need to be relayed back to your central syslog server. An agent program like the NNT Log Tracker Agent will automatically bind into the Windows Event logs and forward all events via syslog. The additional benefit of an agent like this is that events can be formatted into standard syslog severity and facility codes and also pre-filtered.

It is vital that events are forwarded to the secure syslog server in real-time to ensure they are backed up before there is any opportunity to clear the local server event log.

Unix/Linux Servers – Enable logging using the syslogd daemon which is a standard component of all UNIX and Linux Operating Systems such as Red Hat Enterprise Linux, CentOS and Ubuntu.

Edit the /etc/syslog.conf file and enter details of the syslog server.

For example, append the following line to the /etc/syslog.conf file

*.* @(a.b.c.d)

Or if using Solaris or other System 5-type UNIX

*.debug @a.b.c.d

*.info @ a.b.c.d

*.notice @ a.b.c.d

*.warning @ a.b.c.d

*.err @ a.b.c.d

*.crit @ a.b.c.d

*.alert @ a.b.c.d

*.emerg @ a.b.c.d

Where a.b.c.d is the IP address of the targeted syslog server.

If you need to collect logs from a third party application eg Oracle, then you may need to use specialized Unix Syslog agent which allows third party log files to be relayed via syslog.

Other Network Devices

Routers and Switches within the scope of PCI DSS will also need to be configured to forward events via syslog. As was detailed for firewalls earlier, syslog is an almost universally supported function for all network devices and appliances. However, in the rare case that syslog is not supported, SNMP traps can be used provided the syslog server being used can receive and interpret SNMP traps.

PCI DSS Requirement 10.6 “Review logs for all system components at least daily”

We have now covered how to get the right logs from all devices within scope of the PCI DSS but this is often the simpler part of handling Requirement 10.

The aspect of Requirement 10 which often concerns PCI Merchants the most is the additional workload they anticipate by now being responsible for analyzing and understanding a potentially huge volume of logs. There is often an ‘out of sight, out of mind’ philosophy, an ‘if we can’t see the logs, then we can’t be responsible for reviewing them’ mindset, whereas if logs are made visible and placed on the screen in front of the Merchant, there is no longer any excuse for ignoring them.

Tellingly, although the PCI DSS avoids being prescriptive about how to deliver against the 12 requirements, Requirement 10 specifically details “Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6”.

In practice it would be an extremely manpower-intensive task to review all event logs in even a small scale environment and an automated means of analyzing logs is essential. However, implemented correctly, rather than being simply a tool to help you cope with the inconvenient burden of the PCI DSS, an intelligent Security Information and Event Management system will be hugely beneficial. Such a system will allow potential problems to be identified and fixed before they affect business operations. From a security standpoint, by enabling you to become ‘intimate’ with the normal workings of your systems, you are then well-placed to spot truly unusual and potentially significant security incidents.

For an overview of NNT Log Tracker in action there is a 6 minute video here or get in touch with us via info@nntws.com

File Integrity Monitoring - PCI DSS Requirements 10, 10.5.5 and 11.5

Although FIM or File-Integrity Monitoring is only mentioned specifically in two sub-requirements of the PCI DSS (10.5.5 and 11.5), it is actually one of the more important measures in securing business systems from card data theft.

What is it, and why is it important?

File Integrity monitoring systems are designed to protect card data from theft. The primary purpose of FIM is to detect changes to files and their associated attributes. However, this article provides the background to three different dimensions to file integrity monitoring, namely

• secure hash-based FIM, used predominantly for system file integrity monitoring
• file contents integrity monitoring, useful for configuration files from firewalls, routers and web servers
• file and/or folder access monitoring, vital for protecting sensitive data

Secure Hash Based FIM

Within a PCI DSS context, the main files of concern include

• System files e.g. anything that resides in the Windows/System32 or SysWOW64 folder, program files, or for Linux/Unix key kernel files

The objective for any hash-based file integrity monitoring system as a security measure is to ensure that only expected, desirable and planned changes are made to in scope devices. The reason for doing this is to prevent card data theft via malware or program modifications.

Imagine that a Trojan is installed onto a Card Transaction server – the Trojan could be used to transfer card details off the server. Similarly, a packet sniffer program could be located onto an EPoS device to capture card data – if it was disguised as a common Windows or Unix process with the same program and process names then it would be hard to detect. For a more sophisticated hack, what about implanting a ‘backdoor’ into a key program file to allow access to card data??

These are all examples of security incidents where File-Integrity monitoring is essential in identifying the threat. Remember that anti-virus defenses are typically only aware of 70% of the world’s malware and an organization hit by a zero-day attack (zero-day marks the point in time when a new form of malware is first indentified – only then can a remediation or mitigation strategy be formulated but it can be days or weeks before all devices are updated to protect them.

How far should FIM measures be taken?

As a starting point, it is essential to monitor the Windows/System32 or SysWOW64 folders or equivalent Unix/Linux Kernel locations, plus the main Card Data Processing Application Program Folders. For these locations, running a daily inventory of all system files within these folders and identifying all additions, deletions and changes. Additions and Deletions are relatively straightforward to identify and evaluate, but how should changes be treated, and how do you assess the significance of a subtle change, such as a file attribute? The answer is that ANY file change in these critical locations must be treated with equal importance. Most high-profile PCI DSS security breaches have been instigated via an ‘inside man’ – typically a trusted employee with privileged admin rights. For today’s cybercrime there are no rules.

The industry-acknowledged approach to FIM is to track all file attributes and to record a secure hash. There is a whitepaper that explains the detail of the this technology here - 'File Integrity Monitoring - The Last Line of Defense in the PCI DSS'

Any change to the hash when the file-integrity check is re-run is a red alert situation – using SHA1 or MD5, even a microscopic change to a system file will denote a clear change to the hash value. When using FIM to govern the security of key system files there should never be any unplanned or unexpected changes – if there are, it could be a Trojan or backdoor-enabled version of a system file.

Which is why it also crucial to use FIM in conjunction with a ‘closed loop’ change management system – planned changes should be scheduled and the associated File Integrity changes logged and appended to the Planned Change record.

File Content/Config File Integrity Monitoring

Whilst a secure hash checksum is an infallible means of identifying any system file changes, this does only tell us that a change has been made to the file, not what that change is. Sure, for a binary-format executable this is the only meaningful way of conveying that a change has been made, but a more valuable means of file integrity monitoring for ‘readable’ files is to keep a record of the file contents. This way, if a change is made to the file, the exact change made to the readable content can be reported.

For instance, a web configuration file (php, aspnet, js or javascript, XML config) can be captured by the FIM system and recorded as readable text; thereafter changes will be detected and reported directly.

Similarly, if a firewall access control list was edited to allow access to key servers, or a Cisco router startup config altered, then this could allow a hacker all the time needed to break into a card data server

One final point on file contents integrity monitoring - Within the Security Policy/Compliance arena, Windows Registry keys and values are often included under the heading of FIM. These need to be monitored for changes as many hacks involve modifying registry settings. Similarly, a number of common vulnerabilities can be identified by analysis of registry settings.

File and/or Folder Access Monitoring

The final consideration for file integrity monitoring is how to handle other file types not suitable for secure hash value or contents tracking. For example, because a log file, database file etc will always be changing, both the contents and the hash will also be constantly changing. Good file integrity monitoring technology will allow these files to be excluded from any FIM template.

However, card data can still be stolen without detection unless other measures are put in place. As an example scenario, in an EPoS retail system, a card transaction or reconciliation file is created and forwarded to a central payments server on a scheduled basis throughout the trading day. The file will always be changing – maybe a new file is created every time with a time stamped name so everything about the file is always changing.

The file would be stored on an EPoS device in a secure folder to prevent user access to the contents. However, an ‘inside man’ with Admin Rights to the folder could view the transaction file and copy the data without necessarily changing the file or its attributes. Therefore the final dimension for File Integrity Monitoring is to generate an alert when any access to these files or folders is detected, and to provide a full audit trail by account name of who has had access to the data. Much of PCI DSS Requirement 10 is concerned with recording audit trails to allow a forensic analysis of any breach after the event and establish the vector and perpetrator of any attack. Much more detail on this requirement can be found here - 'Event Log Monitoring and the PCI DSS'

If you are reading this and want to learn more about the PCI DSS and just what it takes to tackle the FIM requirements, you can view a couple of video overviews here and trial compliance software can be downloaded here

For more information go to www.newnettechnologies.com

All material is copyright New Net Technologies