Tuesday 21 December 2010

PCI DSS Section 11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files - what the?!

As a mandated dimension of the PCI DSS, File Integrity Monitoring (FIM) verifies that program and operating system files have not been compromised (see section 11.5 of the PCI DSS).

"11.5 Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly"

Why is this important? The principal benefit of using FIM technology is to ensure that malicious code has not been embedded within critical application and operating system files. The insertion of a ‘backdoor’ or Trojan into core program files is one of the more audacious and elegant forms of hacking, and also one of the most dangerous.

The PCI DSS (Payment Card Industry Data Security Standard) specifies the following: “Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly”, and also, for log files, “Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)”.

Contemporary compliance management technology provides pre-defined templates for all folders and files that should be tracked for file integrity, while also allowing you to specify additional program folders and files unique to your environment, for instance your core business applications.

File Integrity Monitoring technology conducts an initial inventory of all filesystems specified and ‘fingerprints’ all files using secure hashing technology, generating a unique checksum for each file. The system will then audit all files being tracked on a scheduled basis every 24 hours (even though the PCI DSS calls only for weekly checks) with any changes, additions, deletions or modifications being reported to you.
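The baseline-then-audit cycle described above, together with the log-file rule quoted from the standard (appended log data must not alert, but rewriting or truncating existing log data must), as an added example in Python; this is not NNT's code or the standard's reference method. The directory layout, file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Hash the full contents and record the size: one baseline entry."""
    data = path.read_bytes()
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}

def inventory(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its Path."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def baseline(root: Path) -> dict:
    """Initial inventory: fingerprint every file so later audits have a reference."""
    return {rel: fingerprint(p) for rel, p in inventory(root).items()}

def audit(root: Path, base: dict, append_only: frozenset = frozenset()) -> dict:
    """Compare the current file system with the baseline and report deviations."""
    current = inventory(root)
    report = {"added": sorted(set(current) - set(base)),
              "deleted": sorted(set(base) - set(current)),
              "modified": []}
    for rel in sorted(set(base) & set(current)):
        old, data = base[rel], current[rel].read_bytes()
        if rel in append_only:
            # Log rule: appends are expected; bytes present at baseline must be unchanged
            tampered = (len(data) < old["size"] or
                        hashlib.sha256(data[:old["size"]]).hexdigest() != old["sha256"])
        else:
            tampered = hashlib.sha256(data).hexdigest() != old["sha256"]
        if tampered:
            report["modified"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario in a temp dir: a config file, a binary and a log."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "app.conf").write_text("debug=false\n")
    (root / "bin.dat").write_bytes(b"constructed binary sample")
    (root / "app.log").write_text("2010-12-21 service started\n")
    base = baseline(root)
    # Simulated activity between two scheduled audits
    (root / "etc" / "app.conf").write_text("debug=true\n")   # config rewritten
    (root / "bin.dat").unlink()                               # binary removed
    (root / "unexpected.so").write_bytes(b"constructed")      # new, unknown file
    with open(root / "app.log", "a") as f:                    # legitimate log append
        f.write("2010-12-21 audit completed\n")
    return audit(root, base, append_only=frozenset({"app.log"}))
```

The appended log line produces no alert because the hash of the first baseline-length bytes still matches, whereas the rewritten config, the removed binary and the unknown new file are all reported.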

The latest generation of File Integrity Monitoring software also operates in a ‘live tracking’ mode for ultra-secure environments, where file changes are detected and reported in real time.

Another option to consider is tracking the actual changes made to file contents, which is useful when tracking configuration files because it gives you a complete audit trail of change history. The latest version of NNT Change Tracker includes a File Content Tracker, which can be applied to any kind of file: text, XML, PHP, JavaScript, ASP.NET, etc.

It's easy to set up, and you can get results within minutes of downloading a trial version.
