File Integrity Monitoring on NonStop
File Integrity Monitoring (FIM) is an important requirement of the PCI data security standard for maintaining confidential (e.g. cardholder) information, and is considered a crucial part of protecting business assets.
NonStop systems are now being used in far more dynamic situations and have more external connections than ever before. The ubiquity of payment cards for personal electronic transactions has changed the security equation in a fundamental way.
Any compromise in security is likely to have far reaching consequences, both for the immediate damage that may be done in terms of financial loss, and for the wider damage done to a merchant’s reputation. The security of personal cardholder information has become paramount.
In this context, FIM should be considered an important security necessity, not just for PCI systems, but for all NonStop systems.
FIM and PCI DSS
PCI DSS Requirement 11.5 stipulates that members must “Deploy a change-detection mechanism (for example file-integrity monitoring tools) to alert personnel of unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform the critical file comparisons at least weekly.”
In version 2.0 of the security standard, in a clarification to Requirement 11.5.b, it was further specified that it is an audit requirement to “Verify that tools are configured to alert personnel to unauthorized modification of critical files.”
PCI DSS Requirement 11.5 version 3.1 further clarifies that unauthorized modifications include changes, additions, and deletions of critical system files. It is clear from these excerpts that FIM is a key requirement of PCI DSS, and therefore a FIM solution must be implemented on any system that handles cardholder information.
What is FIM?
FIM includes any technology that monitors files for changes. Assuming that at least some file change is expected on a system, then FIM’s primary purpose should be to identify possible “bad” changes so that they can be rolled back or remediated in some way. A “bad change” is any change that is undesirable. This is not the same as an unplanned, unauthorized or suspect change.
An unplanned change is not necessarily a “bad” change. Most system administrators have found it necessary to intervene on occasion to remedy a problem. Their actions might include changing a configuration parameter, or perhaps changing the security of a file due to an oversight.
In both cases, the change is both unplanned and unauthorized. Regardless, the change must be appropriately recorded and reported, then reviewed and either made permanent or modified.
Of course other changes that may be unplanned and unauthorized can be part of an active security threat, in which case FIM may provide the first notice that the system has been compromised.
Accidental change represents no less of an issue and is probably the most likely source of unplanned and unauthorized change. FIM can also be used as part of a change control regime, whereby planned changes are detected and recorded as having occurred as expected.
Components of FIM
Basic FIM functionality should allow the administrator to:
1. Create and store a baseline for specified files and their attributes of interest
2. Update the baseline to take into account planned or allowable change
3. Run periodic checks and report the results
4. Store the results of each check
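The first three steps above, as an added Python example that is not from the page or from CSP's FIC: a baseline of content hash, size and permission bits is taken, a later check classifies additions, deletions and attribute changes (the three categories named in Requirement 11.5 v3.1), and reviewed changes can be folded back into the baseline. The file names and directory are constructed for the demonstration, not real NonStop files.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Attributes of interest: SHA-256 of content, size and permission bits."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}

def create_baseline(root: Path) -> dict:
    """Step 1: snapshot every regular file under root, keyed by relative path."""
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check(root: Path, baseline: dict) -> dict:
    """Step 3: re-scan and classify additions, deletions and attribute changes."""
    current = create_baseline(root)
    changed = {name: {a: [baseline[name][a], current[name][a]]
                      for a in baseline[name] if baseline[name][a] != current[name][a]}
               for name in baseline.keys() & current.keys()}
    return {"added": sorted(current.keys() - baseline.keys()),
            "deleted": sorted(baseline.keys() - current.keys()),
            "changed": {n: d for n, d in changed.items() if d}}

def accept(baseline: dict, root: Path, names) -> dict:
    """Step 2: fold reviewed, approved changes to the named files into the baseline."""
    updated = dict(baseline)
    for name in names:
        if (root / name).is_file():
            updated[name] = file_record(root / name)
        else:
            updated.pop(name, None)  # an approved deletion drops the entry
    return updated

def demo() -> dict:
    """Constructed scenario (not real NonStop files): edit, add, delete and chmod."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("app.conf", "startup.txt", "old.log"):
            (root / name).write_text(f"original {name}\n")
        baseline = create_baseline(root)
        (root / "app.conf").write_text("original app.conf\nDEBUG=1\n")  # content change
        (root / "extra.txt").write_text("new\n")                        # addition
        (root / "old.log").unlink()                                     # deletion
        (root / "startup.txt").chmod(0o777)                             # security change
        return check(root, baseline)
```

Step 4, storing each check, is a matter of appending the dict returned by `check` to a history log so that later reviews can see when a change first appeared.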
Conclusion
FIM is a critical requirement for security, and key to PCI DSS compliance.
However, the detection of any particular change is just the start of the process. To be effective, FIM solutions must differentiate low-risk from high-risk change; integrate with other security solutions for log and security event management (including real-time alerts) and support a fully-managed history database of changes.
CSP’s File Integrity Checker (FIC) is widely used by financial institutions to deliver FIM in NonStop Guardian and OSS environments, and is tightly integrated with CSP’s other solutions for audit, compliance and Safeguard, EMS and Base24 OMF real-time event monitoring. FIC’s new “Guardian Fileset Compare” feature permits the attributes of any two file sets on any two systems to be compared against each other.