Preserving the Integrity of Critical Files

by Heather Randall

   There are three principles of information security: Confidentiality, Integrity, and Availability. These are sometimes referred to as the Triad or, more plainly, CIA. Confidentiality refers to maintaining access control over data and systems. This means that only those who are authorized will have access to a company’s computing resources or the data contained therein. Confidentiality can be addressed with a number of controls, including detailed data classifications, access controls (logical and physical), and encryption. A secure environment must also offer assurance of integrity, meaning that the data and the systems are modified only by authorized individuals. Like confidentiality, integrity issues can be addressed through strong authentication methods, data access profiles and encryption. The last component of the Triad is availability. Availability refers to the ability of authorized users to access the data and the resources whenever needed in order to perform their duties. In creating an information security program, it is imperative to address each component of the Triad.
   The security regulations surrounding the electronic payments industry are aimed at preserving the Confidentiality, Integrity and Availability of customer data. On the surface it sounds straightforward. Sensitive data and the systems on which those data reside should be available only to those authorized and authenticated (confidentiality). There should be assurance that the systems have not been breached nor the data resident on the systems altered (integrity), and that the data and the systems are available for use (availability). Gramm-Leach-Bliley, California’s SB1386 and the Fair and Accurate Credit Transaction Act all address issues of confidentiality and availability. Data integrity, though, tends to be overlooked in the rush to protect confidentiality and preserve availability.
   Sarbanes-Oxley (SOX) is one of the few government regulatory requirements that deal specifically with the issue of integrity. Specifically, the final rule for Section 404 of the regulation states that companies must put in place policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of … assets that could have a material effect on the financial statements.” Further, Section 302 of the regulation requires the Chief Executive Officer and the Chief Financial Officer to sign an attestation as to the adequacy of the controls in place and the accuracy of the data reported. Though the SOX requirement pertains only to the financial reporting of public companies, the card association data security requirements also address unauthorized modifications to sensitive data. One of the most effective ways to protect the integrity of this data is to deploy a File Integrity Monitoring (FIM) or System Change Detection solution.
   File integrity and system change detection solutions monitor specific, user-defined files and directories and assess them for changes. In file integrity solutions, this is accomplished by comparing a series of Cyclic Redundancy Checks (CRC) computed against the file or directory. A CRC is a type of hash function that produces an integer from a block of data. If the outcome of the calculation differs from that of the previously conducted calculation, then the file has been changed. In such a case, the program sends a notification to designated personnel to alert them to the change. For example, upon implementing a FIM solution, the administrator may define a system file as a “critical file” to be monitored. The FIM would then begin conducting scheduled checksum calculations against it. Suppose now that a hacker has decided to infiltrate the system. It is extremely difficult to compromise a system without making some modification to a system file. Should one of the calculations performed against the system files return a result that is inconsistent with the stored value, the system file is determined to have been changed and an alert is sent to the IT staff. The staff can then take appropriate corrective action.
   The manner in which the integrity check is conducted varies from vendor to vendor. Depending on a particular company’s compliance situation, the sensitivity of the data that the company handles, and the preference of the security organization within the company, one solution may fit better than another. Most solutions allow IT/security managers to determine when the checks are to be conducted: hourly, daily, weekly and so on. Other vendors offer solutions that provide real-time detection, performing constant checksum calculations against the files to determine whether they have changed. There are also a number of open-source tools available to conduct file integrity checking. While these tools are useful, they require technical resources that may be beyond the reach of most businesses.
   System change detection takes the file integrity concept one step further. In addition to the ability to determine whether data or system files have been changed, system change detection is integrated with the Windows and UNIX systems to provide information about Users, Groups, and security settings. System change detection reports changes to the systems and provides an overall view of the system, including hardware devices. For example, system change detection can alert administrators if a user has changed a security parameter, a password policy for instance, on a system or device. Any change in a system file or security parameter may be evidence of malicious intent.
   These system change solutions also establish a baseline of optimal behaviors and settings for the system. The system is then constantly checked against that database to ensure that the system is operating in accordance with those settings. The checks are conducted against registry and system files as well as the security settings and options for all devices within the system to provide administrators with a “birds-eye” view of the complete environment. For this reason, system change detection is ideal for complex environments containing devices such as workstations, web servers, database servers, transaction servers, email servers, firewalls and file servers.
   Often, system change detection offers users more than just the knowledge that a specific file or setting has been altered. When a change occurs, system change detection solutions notify an administrator of the change and detail exactly what data was altered, as well as when and how that access was achieved. Some system change detection solutions provide users with a “recovery” function. In these cases, not only will the solution provide information about the change, but it will allow the administrator to “roll back” the change, restoring the system to its optimal state.
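The baseline-and-compare model behind both the file integrity check described earlier and the system change detection described above, as an added example that is not from any vendor product: it records a SHA-256 digest, size and permission bits per file (a cryptographic hash rather than a CRC, since a CRC is designed to catch accidental corruption, not deliberate tampering), then reports exactly which files and which attributes changed. The directory layout, file names and the simulated tampering are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path):
    """What a baseline stores per file: content hash, size and permission bits."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}

def build_baseline(root):
    """Scan the monitored tree; keys are POSIX-style paths relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in root.rglob("*") if p.is_file()}

def compare(baseline, current):
    """A scheduled check: diff the stored baseline against a fresh scan and name what changed."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            report["modified"][path] = changed   # which attribute(s) differ
    return report

def demo():
    """Constructed scenario: baseline three 'critical files', tamper with them, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        conf, tool, lib = root / "etc" / "app.conf", root / "runtool", root / "lib.so"
        conf.parent.mkdir()
        conf.write_text("password_min_length = 12\n")
        tool.write_text("#!/bin/sh\necho ok\n")
        tool.chmod(0o755)
        lib.write_bytes(b"\x7fELF")
        baseline = build_baseline(root)   # a real product persists this in its database
        # Simulated tampering: weaken a setting, loosen permissions, plant a file, delete one.
        conf.write_text("password_min_length = 4\n")
        tool.chmod(0o777)
        (root / "dropper.so").write_bytes(b"\x7fELF")
        lib.unlink()
        return compare(baseline, build_baseline(root))
```

The report from `demo()` names the planted and deleted files and shows that the configuration file changed in content and size while the tool changed only in permissions, which is the "what exactly changed" detail the text describes.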
   In determining which product or solution to implement, one of the most important features to consider is the reporting functionality. All of the products that fall into this particular category will offer some level of reporting, but in order to gather comprehensive information about an environment’s security settings, the solution should offer robust reporting options. Ideally, the solution chosen would be able to leverage the company’s existing database structures, be they ODBC, Microsoft SQL, Oracle or DB2, and would offer trend reporting and analysis. Fully customizable reports are also beneficial in that the administrator can quickly locate and evaluate suspected integrity violations. Some solutions also offer the ability to export reports in a variety of formats, including PDF or Microsoft Word. Robust reporting functionality allows the administrator or security professional to quickly review the security settings and parameters and the changes that were made. This allows the security group to identify and remediate possible vulnerabilities within the system in a timely and efficient manner.
   In conjunction with the robust reporting features and centralized database, the solution should be tested for ease of use. For example, a solution that offers a central management console may be easier to use and manage than a solution in which there is no central management function. Through a central console, system administrators can perform the change detection operations for the whole system or for a number of systems. Along with these features, the solution should be evaluated for ease of installation and configuration. There are solutions that offer auto-configuration, in which the solution goes into a “learning” mode, during which it creates the baseline behaviors against which the system will be checked. After the learning cycle, an administrator can edit the configuration file as needed to suit the specific environment.
   An additional consideration in determining which product to use is the computing resources required by the application. Both FIM and system change detection solutions require an agent to be installed on the system to be checked. Also, as mentioned earlier, some solutions offer real-time change detection, while others conduct checks on a predetermined schedule. Ideally, the solution chosen would allow the organization the flexibility to determine whether real-time or scheduled checks should be conducted. Some solutions conduct checks via sampling as opposed to a more thorough check of the entire system.
   Both compliance and security require constant vigilance. Maintaining manual oversight is an onerous and often unnecessary task. Through the automation of some of these security tasks, using appropriate and properly configured solutions, organizations can maintain a constant and more reliable eye on the security posture of the company.