File integrity monitoring

File integrity monitoring (FIM) is an internal control or process that validates the integrity of operating system and application software files by comparing the current state of each file against a known-good baseline. The comparison usually relies on a cryptographic hash: a checksum of each file is recorded when the baseline is taken, and the checksum of the file's current content is recomputed and compared against it, so that any change to the content produces a mismatch.{{cite web |url= http://www.ionx.co.uk/products/verisys/how-it-works |title= Verisys - How it Works |publisher= Ionx|accessdate=2012-09-21}} Other file attributes, such as size, permissions and ownership, can also be baselined and monitored.{{cite web|url=http://www.ncircle.com/index.php?s=products_ccm_file-integrity-monitoring|title=File Integrity Monitoring|publisher=nCircle|accessdate=2012-04-18|archive-url=https://web.archive.org/web/20120410044335/http://www.ncircle.com/index.php?s=products_ccm_file-integrity-monitoring|archive-date=2012-04-10|url-status=dead}}

File integrity monitoring is generally automated by an agent or scheduled process rather than performed by hand. Checks can run at random times, at a defined polling interval, or in real time, where the monitor is notified of file-system changes as they occur instead of rescanning on a schedule.

Security objectives

Changes to configurations, files and file attributes across an IT infrastructure are routine, and the few changes that affect file or configuration integrity are easily hidden within the large volume of legitimate daily change. Such changes can weaken security posture and, in some cases, are leading indicators of a breach in progress. Values monitored for unexpected change in files or configuration items include:

  • Credentials
  • Privileges and security settings
  • Content
  • Core attributes and size
  • Hash values
  • Configuration values
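The baseline-and-compare mechanism described above, and the attribute list in this section, as an added example that is not code from the article or from any FIM product. It records a SHA-256 hash together with the size, permission bits, owner, group and modification time of every regular file under a directory, then diffs a later scan against that baseline and reports, per modified file, which attributes changed. The sample tree and the three simulated changes are constructed inside a temporary directory so the script runs offline; the `demo()` function and its file names are assumptions for illustration only.

```python
"""Minimal file integrity monitor: take a baseline, rescan, report differences.

Added example; not the article's or any product's code. Sample files are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Capture the attributes a FIM typically baselines for one regular file:
    content hash, size, permission bits, owner, group and modification time."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),   # permission bits incl. setuid/setgid/sticky
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": st.st_mtime,
    }


def build_baseline(root: Path) -> dict:
    """Walk root and record every regular file, keyed by path relative to root.
    Symlinks are skipped so the record describes the file itself."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files. For each modified file, list
    the attributes that differ so a permission-only change can be told apart
    from a content change."""
    report = {"added": [], "removed": [], "modified": {}}
    report["added"] = sorted(current.keys() - baseline.keys())
    report["removed"] = sorted(baseline.keys() - current.keys())
    for rel in baseline.keys() & current.keys():
        changed = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel][k])
        if changed:
            report["modified"][rel] = changed
    return report


def demo() -> dict:
    """Constructed scenario (assumption for illustration): baseline a small
    tree, apply three changes of the kinds FIM is meant to catch, and return
    the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        passwd = root / "etc" / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        tool = root / "bin" / "tool"
        tool.write_bytes(b"#!/bin/sh\necho ok\n")
        tool.chmod(0o755)
        baseline = build_baseline(root)

        # 1. Same-length content edit with the timestamp restored afterwards:
        #    size and mtime alone would miss it; only the hash reveals it.
        st = passwd.stat()
        passwd.write_text("root:x:0:0:root:/root:/bin/zz\n")
        os.utime(passwd, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2. Privilege change only: setuid bit added, content untouched.
        tool.chmod(0o4755)
        # 3. A new file dropped into a system directory.
        (root / "bin" / ".hidden").write_bytes(b"\x7fELF")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report for the constructed scenario flags `bin/.hidden` as added, `etc/passwd` as modified only in `sha256`, and `bin/tool` as modified only in `mode`. The first case is why a hash is compared rather than size or timestamp alone: an attacker who can write the file can also set its modification time to any value with `utime`, so `mtime` is a hint, not evidence. The same reasoning applies to the baseline itself: it must be stored, or at least signed, somewhere the monitored host cannot rewrite it, otherwise an intruder with sufficient privilege can simply re-baseline after tampering.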

Compliance objectives

Several compliance frameworks require, or are commonly satisfied by, file integrity monitoring. Examples include:

  • PCI DSS - Payment Card Industry Data Security Standard (Requirement 11.5){{cite web|url=https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf|title=Payment Card Industry Data Security Standard|publisher=PCI Security Council |accessdate= 2011-10-11}}
  • SOX - Sarbanes-Oxley Act (Section 404){{cite web|url=https://www.sec.gov/rules/proposed/s74002/card941503.pdf|title=Sarbanes-Oxley Sections 302 & 404 - A White Paper Proposing Practical, Cost Effective Compliance Strategies|publisher=Card Decisions, Inc.|accessdate= 2011-10-11}}
  • NERC CIP - NERC CIP Standard (CIP-010-2){{cite web|url=http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-010-2&title=Cyber%20Security%20-%20Configuration%20Change%20Management%20and%20Vulnerability%20Assessments&jurisdiction=null|title=Standard CIP-010-2 - Security Configuration, Change Management and Vulnerability Assessments |publisher=North American Electric Reliability Corporation (NERC)|accessdate= 2016-06-06}}
  • FISMA - Federal Information Security Management Act (NIST SP800-53 Rev3){{cite web|url=http://csrc.nist.gov/groups/SMA/fisma/ics/documents/papers/Apply-SP-800-53-ICS-final-22Aug06.pdf|title=Applying NIST SP 800-53 to Industrial Control Systems|publisher=National Institute of Standards and Technology (NIST)|accessdate= 2011-10-11}}
  • HIPAA - Health Insurance Portability and Accountability Act of 1996 (NIST Publication 800-66){{cite journal|url=http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf|title=An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule|year=2008|publisher=National Institute of Standards and Technology|doi=10.6028/NIST.SP.800-66r1|accessdate= 2011-10-11|last1=Scholl|first1=M. A.|last2=Stine|first2=K. M.|last3=Hash|first3=J.|last4=Bowen|first4=P.|last5=Johnson|first5=L. A.|last6=Smith|first6=C. D.|last7=Steinberg|first7=D. I.}}
  • SANS Critical Security Controls (Control 3){{cite web|url=http://www.sans.org/critical-security-controls/control.php?id=3|title=Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers|publisher=SANS Institute|accessdate=2012-11-19|archive-url=https://web.archive.org/web/20130108075607/http://www.sans.org/critical-security-controls/control.php?id=3|archive-date=2013-01-08|url-status=dead}}

See also

Procedures and algorithms:

Applications that provide or include FIM functionality include:

  • Advanced Intrusion Detection Environment
  • Another File Integrity ChecKer{{Cite web|title=AFICK (Another File Integrity ChecKer)|url=http://afick.sourceforge.net/|access-date=2020-01-19|website=afick.sourceforge.net/|language=en-US}}
  • BeyondTrust
  • [https://www.cimcor.com/cimtrak-integrity-suite CimTrak]{{Cite web |title=CimTrak Integrity Suite {{!}} Cimcor |url=https://www.cimcor.com/cimtrak-integrity-suite |access-date=2022-07-21 |website=www.cimcor.com |language=en-us}}
  • CloudPassage
  • Evolven
  • [https://harfanglab.io/ HarfangLab]{{Cite web |title=HarfangLab plans |url=https://harfanglab.io/plans/ |access-date=2025-03-18 |website=harfanglab.io |language=en-us}}
  • Kaspersky Lab Hybrid Cloud Security, Embedded Security, Security for Linux, Security for Windows Server
  • LimaCharlie
  • Lockpath Blacklight{{Cite web|url=https://finance.yahoo.com/news/lockpath-announces-significant-updates-blacklight-130000555.html|title=Lockpath Announces Significant Updates to Blacklight Platform|website=finance.yahoo.com|language=en-US|access-date=2019-07-16}}
  • LogRhythm
  • McAfee Change Control
  • [https://www.netwrix.com/security_configuration_management_software.html Netwrix Change Tracker]{{Cite web |title=Netwrix Change Tracker |url=https://www.netwrix.com/security_configuration_management_software.html |access-date=2024-12-03 |website=www.netwrix.com |language=en-us}}
  • OSSEC
  • Qualys
  • Samhain
  • Splunk
  • System File Checker (provided with Windows)
  • Tanium Integrity Monitor
  • Trend Micro Deep Security
  • Logsign USO Platform
  • Tripwire products
  • Trustwave

References