Achieving PCI-DSS with File Integrity Monitoring
Has there ever been a more confusing data security standard than the PCI-DSS? Even now, thirteen years on from its initial release, a clear understanding of what you need to achieve to be compliant may still be a challenge.
Tier 1 Payment Card Merchants will now be well into their third cycle of building a PCI DSS solution and reviewing any investment in monitoring tools they may have when they first became subject to the data security standard.
Tier 2 Payment Card Merchants are self-certified but many will be contemplating their initial external QSA audit as they mature in their PCI-DSS compliance journey.
What is FIM and How Does it Help?
The importance and understanding of why FIM (File Integrity Monitoring) is a vital component for securing payment card and card holder details, has come into focus following well-publicised security breaches.
FIM checks and verifies whether an application and/or operating system files have not been compromised.
But why is this important? The major benefit of using FIM as a solution type is to ensure that unauthorised changes are detected. For example, whether malicious code has been embedded within critical applications and operating system files. The insertion into core program files is one of the more audacious and sophisticated forms of hijacking, and also one of the most popular.
In a similar manner, those configuration files that govern the security and function of a system will also need to be tracked for any changes. This includes but is not limited to firewall rules, router configurations, and significant operating system files such the hosts file.
Executed successfully, payment card details can be siphoned off using embedded code in critical applications and files. The Albert Gonzalez case against TJ Maxx and others, is the most high-profile, but by no means unique.
How Does this Relate to PCI-DSS?
The PCI-DSS mandates the following:
Requirement 11.5 says "Use file-integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)".
Requirement 1 specifies “maintain a firewall configuration to protect cardholder data”;
Requirement 2 “Do not use vendor-supplied defaults for system passwords and other security parameters”;
Requirement 6 “Develop and maintain secure systems and applications”.
...and in fact the need to track changes and assess the impact on the wider IT network security posture is at the core of any Security Standard or Policy, such as the PCI DSS.
When properly configured and deployed, a FIM solution is a powerful addition to the layers which defend your infrastructure, in depth.
At a minimum, any Windows based devices interacting cardholder data, including EPoS terminals and equipment, the System32 and/or the SysWOW64 folder should be monitored, as well as critical application program folders.
It is important to verify all additions, changes, and delete actions of files,as any change may be significant in compromising the security of said host. Changes to look out for should be any changes to file attributes and the size of the file. Note that trojans are designed to impersonate existing system files and will always appear and usually behave like the original executable, dynamic link library or driver file, albeit with some unwanted additions!
Similarly, for Linux and Unix alike, the /etc/ and /usr/bin/ locations; and their constituent files must be monitored for integrity together with all relevant application configuration files.
How Can NNT Change Tracker Help?
As the familiarity and understanding of the PCI-DSS increases, so will the expectation levels for all payment card merchants of all sizes to implement state-of-the-art technological security measures.
Delivering a pragmatic response to the need for file integrity monitoring across all platforms that is effective, easy to deploy and manage and, above all, affordable, will continue to pose a challenge.
NNT can help!
Using the NNT Change Tracker Enterprise solution and their Log Tracker Enterprise solution set, you will benefit from:
- FIM changes reported in real-time and delivered via daily summary reports.
- Full auditability showing who made those changes.
- Options to view both a simplified summary of the file changes and a forensic report.
- Side-by-side comparisons of files, pre and post-change.
- Security Incidents and Key Events correlated and alerted on.
- Any breach of compliance rules reported. This includes file integrity changes.
- All platforms and environments supported.
- Detection of planned changes and any unplanned changes.
- Device hardening templates which can be applied to a variety of operating systems and device types.
...everything that a Payment Card merchant needs to become, and remain, PCI DSS compliant.