October 26, 2009 PCI X-Ray: File Integrity Monitoring

by John Kindervag
with Robert Whiteley and Margaret Ryan
for Security & Risk Professionals

This is the seventh document in the “PCI X-Ray” series.

Executive Summary

To effectively deal with the broad and complex requirements of Payment Card Industry (PCI) data security, you need to break the elements apart to provide enhanced clarity. We’ve designed the PCI X-Ray series to provide actionable information to help Forrester Research clients become PCI compliant. This document deals with file integrity monitoring (FIM) for PCI, while providing practical technical guidance to help ensure PCI compliance before your auditor shows up to develop the Report on Compliance (ROC).

Table of Contents

Forrester’s PCI X-Ray Series
Don’t Be A Statistic: FIM Helps Detect Attackers Using Custom Malware
What The PCI DSS Says About File Integrity Monitoring
  File Integrity Monitoring Is A Function, Not A Product
  Define: FIM Is Designed To Alert You To Unauthorized Changes
  Diagnose: How Would You Know If An Attacker Had Installed Malicious Software?
  Treat: Deploying FIM Is Critical In Today’s Threat Environment
  Follow Up: Diligence Is Demanded By This Ever-Changing Threat Environment
Recommendations: File Integrity Monitoring Is A Critical Last Line Of Defense

Notes & Resources

In developing this report, Forrester drew from a wealth of analyst experience, insight, and research through advisory and inquiry discussions with end users, vendors, and regulators across industry sectors.

Related Research Documents

“PCI X-Ray: Network Segmentation,” July 17, 2009
“PCI X-Ray: IDS And IPS,” April 8, 2009
“PCI X-Ray: Firewalls,” February 13, 2009
“PCI X-Ray: What’s New in 1.2?” January 30, 2009
“PCI X-Ray: Log Management,” October 20, 2008
“PCI X-Ray: Wireless Security,” October 1, 2008
“Confessions Of A QSA: The Inside Story Of PCI Compliance,” September 11, 2008

© 2009, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.

Forrester’s PCI X-Ray Series

This is the seventh in a series of reports that deal with specific requirements of the PCI DSS. They are designed to provide security and risk professionals with guidance and transparency within the PCI arena, allowing each part of the standard to be fully revealed. Just as an x-ray can see beneath the skin to the underlying details of a medical issue, the PCI X-Ray series exposes PCI to the light. This series focuses on the individual elements of PCI to facilitate the compliance process.

This PCI X-Ray is composed of two parts — an overview to provide a general summary of a specific part of PCI and a reference architecture diagram that provides a visual representation of the issues raised. By dissecting PCI into its component pieces, we will make PCI more understandable and provide you with enhanced knowledge and insight into creating a compliant credit card environment. To simplify PCI compliance, these X-Rays facilitate four proactive steps:

· Define. Just as each disease must be defined to be understood, this series will define the parts of PCI in an understandable way to make PCI flow into the organization.
· Diagnose. Once diseases have been defined and documented, physicians can look at a patient and diagnose the disease. PCI is similar in that you can’t find a problem without understanding it first; only then can you look at the cardholder environment, see where the problems are, and decide what needs to be fixed.
· Treat. When the disease is finally diagnosed, treatment can begin. A doctor doesn’t just indiscriminately inject medicines into a patient without a plan. PCI practitioners should use the diagnosis to define a treatment regimen that will effectively eliminate the problem.
· Follow up. Medical professionals are very aware that a disease thought to be cured can often recur without warning. In the PCI world, the practitioner must remain diligent to ensure that each element within the PCI environment remains in compliance. New devices or applications, configuration changes, and industry developments can all conspire to take the network out of compliance. Regular checkups are encouraged.

Don’t Be A Statistic: FIM Helps Detect Attackers Using Custom Malware

With the recent and highly publicized credit card breaches of companies such as Hannaford Supermarkets and Heartland Payment Systems, the perils of custom malware have come to light. As attackers become increasingly sophisticated, diligence and agility are the keys to staying ahead of threats. In an effort to bypass widely deployed controls such as antivirus, cybercriminals are creating customized software for individual targets. As a result, we see three prevailing trends. Specifically, hackers are:

· Bypassing basic antimalware controls successfully. Because this type of malware is so individualized, it has not been seen by malware vendors. Antimalware still relies heavily on signatures of known viruses, worms, and Trojans to be effective. By using custom-developed software, attackers increase the likelihood of a successful implementation.
· Stealing credit card data without enterprise detection. The result of this type of bespoke malware has been a spectacular series of credit card breaches. Because cybercriminals go to extreme efforts to ensure that their cooked-to-order code does not look malicious, it can be very difficult to detect.
· Getting detected, if at all, by back-end monitoring from credit card companies. Card brands often discover breaches by triangulating fraud using a technique known as Common Point of Purchase (CPP).[1] For example, it was the card brands that first notified Heartland Payment Systems that it had been breached.[2]

The risk of suffering a breach from this type of attack vector can be reduced by deploying file integrity monitoring (FIM) tools within the cardholder data network (CHDN) to provide immediate alerts if unauthorized software, such as custom malware, is being deployed. Should traditional antimalware solutions fail to discover this covert malware, properly configured FIM tools will alert you of an unauthorized installation of software (see Figure 1).

Figure 1 Anatomy Of A Custom Malware Attack
(Diagram components: merchant, vulnerable server, credit card database, HSM.)
1. Hacker exploits a vulnerable server and installs custom-built stealth sniffer.
2. Custom malware is not seen by antivirus software. Sniffer fires up.
3. Store sends credit card information for processing to credit card switch.
4. Credit card switch transfers credit card information to processor.
5. Malware sniffs traffic destined for HSM (encryption appliance).
6. Hacker receives packet captures from malware and retrieves credit card information.
Source: Forrester Research, Inc.

What The PCI DSS Says About File Integrity Monitoring

The PCI DSS specifies FIM primarily in Requirement 11.5:

“Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”

Other requirements in the PCI DSS discuss how to monitor FIM tools and mandate inclusion of FIM alerts into policy. The intent of Requirement 11.5 is to provide organizations with a last line of defense against the exploitation of critical resources within the CHDN, primarily servers. By deploying FIM solutions, organizations gain the ability to catch the installation of malware in the act and prevent an embarrassing and costly data breach.

File Integrity Monitoring Is A Function, Not A Product

The PCI DSS calls for the deployment of “file-integrity monitoring software.” While single-purpose FIM software exists and can meet this compliance obligation, there are other tools that may meet the intent of 11.5 in your organization. For example, we’ve seen compliant organizations use:

· Log management and SIM solutions. Many log management solutions use agents on servers to collect server logs and meet the logging requirements specified in Requirement 10.[3] These agents often have the ability to provide change detection and FIM capabilities. The upside here is that these agents will then automatically pull this data into the log or security information management (SIM) tool, which is specified in Requirement 10.6.[4]
· Configuration and patch management tools. Many organizations use automated tools to provide configuration and patch management capabilities on an enterprisewide basis. These types of tools may have FIM built in, although it is often not publicized by the vendor.
· Host IPS and whitelisting software. It’s common for companies to deploy host IPS (HIPS) or whitelisting software to critical servers. By definition, this type of software functions as a FIM tool in that it will not allow unauthorized software to be deployed. Using these tools for FIM is an excellent way to leverage existing security investments to meet PCI compliance obligations.

Define: FIM Is Designed To Alert You To Unauthorized Changes

To increase the security on your CHDN resources, FIM should be deployed where possible to protect your servers from unauthorized changes, especially the installation of illicit and potentially malicious software (see Figure 2).

Figure 2 PCI X-Ray File Integrity Monitoring Checklist: Defining PCI Compliance

PCI requirement 10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Define: This requirement ensures that the logs specified in Requirement 10 are not changeable. Logs are used for alerting and forensic investigations and must, therefore, be accurate.

PCI requirement 10.6: Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6.
Define: Because Requirement 12.9.5 specifies that, by policy, file integrity monitoring is grouped together with IDS and IPS solutions, it is a best practice that FIM alerts be sent to the log server and reviewed daily.

PCI requirement 11.5: Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
Define: File integrity monitoring tools should be deployed on resources, typically servers, within the cardholder data network to monitor various files for unauthorized changes. The intent is to provide an alerting mechanism if files are changed by malicious insiders or outsiders.

PCI requirement 12.9.5: Include alerts from intrusion detection, intrusion-prevention, and file integrity monitoring systems.
Define: Incident response policy must include a provision to monitor and respond to alerts from FIM tools.

Source: Forrester Research, Inc.

There are three fundamental metrics tracked by FIM:

· Policy: Does the proposed system change fall within written policy? This policy must also be compliant with the PCI DSS. Any out-of-policy changes should trigger an alert and be denied, if possible.
· Authorization: Is the proposed system change authorized? Answering this question may require information from your help desk or change management systems. Alerts from FIM must tie into a global view of the proposed change so that it can be stopped or investigated if needed, although purpose-built FIM software may have integrated this functionality into

its management console. Additionally, some tools with FIM functionality such as HIPS or whitelisting software may, by default, deny changes that have not been pre-authorized.
· Compliance: Is the proposed change compliant with PCI or other compliance obligations? You’ll need to deploy a system capable of cross-referencing PCI and other compliance initiatives to automatically determine if a proposed state change is compliant. This may be built into the FIM tool or may require feeding FIM data into a SIM or governance, risk, and compliance (GRC) tool.

FIM allows enterprises to track deviations from their “golden image.” This is the initial software build that has been approved for deployment within an organization. By using FIM, you will always be able to know the state of the deployed software and be able to ensure that it is compliant with PCI at all times. Should an unauthorized attempt to deviate from this compliant state be made, the organization can quickly identify the attempt and remediate against it.

Diagnose: How Would You Know If An Attacker Had Installed Malicious Software?

The landmark Heartland Payment Systems breach begs the question, “Would you know if custom malware had been installed in your organization?” (see Figure 3). According to the Department of Justice indictment of the Heartland hacker Albert Gonzalez:

“On or about November 6, 2007, GONZALEZ transferred a computer file to the Ukrainian Server named ‘injector.exe’ that matched malware placed on both Heartland and Company A’s servers during the hacks of those companies.”[5]

Based on information from Heartland Payment, it was not aware of the breach until the week of January 12, 2009.[6] Heartland Payment was in a breach condition for at least 18 months and did not discover the breach on its own. This underscores the criticality of FIM tools deployed within the CHDN.

Treat: Deploying FIM Is Critical In Today’s Threat Environment

Since PCI requires FIM deployment, companies falling under PCI have no choice but to comply and install some type of solution to ensure the integrity of their CHDN resources (see Figure 4). Unfortunately, many companies don’t understand FIM and think that this functionality is built into their antivirus (AV) software. Avoid the most common pitfalls of:

· Overreacting and replacing your AV vendor. When a client is hit with a custom software attack, its first reaction is to be angry with its antivirus provider. Forrester recently spoke with an organization that suffered this type of malware attack. They reacted predictably, blaming their AV vendor and threatening to replace that vendor’s software with a competitor’s. They gave the offending malware to the AV vendor and were shocked that the vendor had not seen that particular strain of malware before this attack. Custom malware writers are often subscribers to many AV vendors’ solutions so they can test their malware against known antimalware agents. FIM is frequently the only way to detect this type of sophisticated attack.
· Failing to look at currently deployed technologies to see if they support FIM. Companies without any type of FIM capability should immediately deploy a PCI compliant FIM tool. If you’re unsure whether you have FIM capability in your environment, you should inventory any control that may potentially have this function, such as patch management or configuration management systems, and check with the vendor to see if the existing solution can support FIM for PCI. If so, make certain this feature is enabled and configured to meet all of the PCI requirements regarding FIM.

Figure 3 PCI X-Ray File Integrity Monitoring Checklist: Diagnosing PCI Compliance

PCI requirement 10.5.5 (file-integrity monitoring or change detection on logs; requirement text as quoted in Figure 2).
Diagnose: This requirement should not demand a separate product but should be built into any PCI compliant log management solution deployed in your organization. Review product information from your chosen log management solution to determine if it meets this requirement.

PCI requirement 10.6 (daily log review for all system components; requirement text and note as quoted in Figure 2).
Diagnose: Review FIM configurations to determine if alerts from the systems are being forwarded to log management tools.

PCI requirement 11.5 (deploy file-integrity monitoring software with at least weekly critical file comparisons; requirement text and note as quoted in Figure 2).
Diagnose: Determine if FIM tools have been deployed on resources within the cardholder data network. Ensure that these tools are set up to alert if unauthorized changes to files are made. FIM tools may include specialized change detection software or other solutions that have the ability to monitor for changes, such as some log management solutions, patch management solutions, or configuration management solutions.

PCI requirement 12.9.5 (include alerts from intrusion detection, intrusion-prevention, and file integrity monitoring systems).
Diagnose: Review incident response policy documentation to ensure that file integrity monitoring alerts are specified in the policy.

Source: Forrester Research, Inc.

Figure 4 PCI X-Ray File Integrity Monitoring Checklist: Treating PCI Compliance

PCI requirement 10.5.5 (file-integrity monitoring or change detection on logs; requirement text as quoted in Figure 2).
Treat: The only treatment is to deploy a PCI compliant log management solution.

PCI requirement 10.6 (daily log review for all system components; requirement text and note as quoted in Figure 2).
Treat: Configure FIM tools to send alerts and other pertinent information to logging systems. Verify that the log management solution is correctly receiving and parsing the FIM log data.

PCI requirement 11.5 (deploy file-integrity monitoring software with at least weekly critical file comparisons; requirement text and note as quoted in Figure 2).
Treat: Deploy appropriate FIM tools on resources that fall within the scope of your PCI obligation.

PCI requirement 12.9.5 (include alerts from intrusion detection, intrusion-prevention, and file integrity monitoring systems).
Treat: Add the review of FIM alerts if it is not included in the policy documentation.

Source: Forrester Research, Inc.

Follow Up: Diligence Is Demanded By This Ever-Changing Threat Environment

PCI requires constant vigilance. It’s easy to let compliance slip. One of the benefits of FIM is that it helps maintain a constant state of compliance. One of the myths of PCI is that many of the organizations that have suffered breaches were PCI-compliant and therefore there’s something wrong with PCI. The truth, however, is that no company that has ever been breached was compliant at the time of the breach. As part of the ongoing PCI hygiene, you should:

· Ensure FIM is running, but don’t use it as a PCI crutch. Clearly, several breaches occurred because the company had not properly deployed FIM and was therefore unaware of the installation of malicious software. FIM could have foiled some of the most noteworthy breaches in recent memory. PCI is merely a minimum baseline, and companies should protect themselves based upon current threats, which are ever-changing.
· Don’t fall victim to the “checkbox” mentality; review and update FIM policy regularly. It’s important to maintain your FIM solution. Too many organizations configure these tools once and then never check up on them again. In their mind, they checked a box and it’s time to move on. Don’t let this checkbox mentality invade your organization. Make sure you reassess your FIM tool policies on a regular basis. Given the criticality of FIM in today’s threat environment, reviewing your FIM policy on a quarterly basis in conjunction with your approved scanning vendor (ASV) scans is a good idea.

Recommendations

File Integrity Monitoring Is A Critical Last Line Of Defense

The companies breached in the Gonzalez attacks provide an object lesson to all organizations that store, process, or transmit credit card data. These threats are real, costly, and constantly evolving. FIM may well be your last line of defense. When attackers have bypassed other controls within your infrastructure, FIM can save you from a damaging data breach. Make your FIM investment pay off by:

· Leveraging existing controls to provide FIM functionality. You may already have a FIM tool in place. Look at solutions that handle configuration information to see if they might meet the FIM requirements stated in the PCI DSS. Patch management, HIPS, and whitelisting software are the most logical starting points.
· Taking FIM alerts seriously. It’s easy to ignore alerts. FIM alerts should be configured so that they only fire when something potentially dangerous is happening. Don’t leave the tool in its default configuration; instead, invest the requisite effort by allocating a security analyst to review the FIM configuration consistently for at least the first six months of the deployment, so that the tool is properly tuned. Nothing is more damaging than a breach alert that is ignored.
· Remembering to include FIM in incident response. Many companies just assume (or hope) they will never be breached. But let’s be clear: You will not jinx yourself if you plan for responding to a breach in advance. It should never be a surprise when a breach occurs. Plan for failure and have a worst-case scenario practiced and ready. If they aren’t already, make sure FIM alerts are part of your formal incident response policy documentation. Review this annually with business, IT, compliance, legal, and PR executives so they understand the correct incident escalation steps.
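The monitoring this report describes, written out as an added Python example rather than code from Forrester or any FIM vendor: it baselines a directory tree as a golden image, alerts on added, deleted, and modified files (Requirement 11.5), treats designated logs as append-only so that appended records pass while any rewrite of existing data is flagged (Requirement 10.5.5), and suppresses a change only when its on-disk hash matches one approved through change management (the Authorization metric). The directory layout, file contents, and approved hash are constructed for the demonstration.

```python
"""Added example (not Forrester's or any vendor's code): a minimal file integrity
monitor covering the checks this report describes. All paths and contents are
constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path, length=-1):
    """SHA-256 of the first `length` bytes of a file (the whole file if -1)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()


def build_baseline(root, append_only=()):
    """Record the approved state ("golden image") of every file under root.
    append_only names logs that are expected to grow (Requirement 10.5.5), so
    the baseline keeps their size as well as their hash."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": _sha256(p), "size": p.stat().st_size,
                             "append_only": rel in append_only}
    return baseline


def compare(root, baseline, authorized=None):
    """Compare the live tree with the baseline; return alerts as (path, finding).
    authorized maps a relative path to the SHA-256 of content approved through
    change management; only a change matching that hash is not alerted."""
    authorized = authorized or {}
    root = Path(root)
    current = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    alerts = []
    for rel, rec in baseline.items():
        p = current.get(rel)
        if p is None:
            alerts.append((rel, "deleted"))
            continue
        if rec["append_only"]:
            # 10.5.5: hash only the first baseline-size bytes, so appended
            # records pass while any rewrite of existing data is flagged.
            if (p.stat().st_size < rec["size"]
                    or _sha256(p, rec["size"]) != rec["sha256"]):
                alerts.append((rel, "log_tampered"))
            continue
        digest = _sha256(p)
        if digest != rec["sha256"] and authorized.get(rel) != digest:
            alerts.append((rel, "modified"))
    for rel in sorted(current):
        # A new file is the signature of an unauthorized software install
        # (Figure 1, step 1) unless change management approved that exact file.
        if rel not in baseline and authorized.get(rel) != _sha256(current[rel]):
            alerts.append((rel, "added"))
    return alerts


def demo():
    """Constructed scenario: baseline a tree, then apply a benign log append, a
    rewrite of log history, an unapproved binary drop, and an approved config
    change. Returns the alerts the monitor raises."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("bin", "etc", "var/log"):
            (root / sub).mkdir(parents=True)
        (root / "bin/switch").write_bytes(b"\x7fELF approved build")
        (root / "etc/switch.conf").write_text("hsm=10.0.0.5\n")
        (root / "var/log/access.log").write_text("txn 1\ntxn 2\n")
        (root / "var/log/audit.log").write_text("login ok\n")
        baseline = build_baseline(
            root, append_only={"var/log/access.log", "var/log/audit.log"})
        with open(root / "var/log/access.log", "a") as f:
            f.write("txn 3\n")                                # normal growth
        (root / "var/log/audit.log").write_text("login !!\n")  # history rewritten
        (root / "bin/sniffer").write_bytes(b"\x7fELF unknown")  # unapproved install
        approved = "hsm=10.0.0.6\n"                  # content on the change ticket
        (root / "etc/switch.conf").write_text(approved)
        ticket = {"etc/switch.conf": hashlib.sha256(approved.encode()).hexdigest()}
        return compare(root, baseline, authorized=ticket)
```

Running demo() raises exactly two alerts, the rewritten audit log and the new binary; the growing access log and the ticketed config change are silent, which is the tuning the recommendation above asks for.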

Endnotes

1. Source: Visa (http://usa.visa.com/download/merchants/cpp fraud overview.pdf).
2. According to Heartland Payment Systems, it was unaware of the breach until notified by Visa and MasterCard that a breach had occurred. Source: “Heartland Payment Systems Uncovers Malicious Software In Its Processing System,” Heartland Payment Systems press release, January 20, 2009.
3. In the early years of credit card security, the card brands put significant effort into determining the attack vectors of credit card breaches. There was very little log data available to use in reconstructing the crime. Therefore, the brands introduced logging requirements into their individual cardholder protection efforts so that they could find out what happened if there was a breach. Eventually these requirements found their way into the PCI DSS. The logging requirements’ true purpose is to provide forensic data for breach investigation. See the October 20, 2008, “PCI X-Ray: Log Management” report.
4. Requirement 10 of the PCI DSS mandates that all access to network resources and cardholder data must be tracked and monitored. According to the PCI DSS v1.2, “Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.” See the April 30, 2009, “Market Overview: Security Information Management (SIM)” report.
5. Source: US Department of Justice (ffiles/GonzIndictment.pdf).
6. Source: Heartland Payment Systems.

