Your organization's ability to make data-driven decisions about information security is only as good as your data. If your security objectives involve smarter change monitoring and change management, high-quality intelligence is crucial.
Incorrectly implemented or configured security tools may not improve your risk management status. In some cases, a file integrity monitoring or intrusion detection tool not operating properly can lead to knowledge gaps or even decrease your security. In this blog, you'll learn about some common configuration issues that can occur during file integrity monitoring implementation and how to avoid them.
How to Avoid File Integrity Monitoring Configuration Mistakes
Are all file integrity monitoring solutions difficult-to-implement and prone to configuration errors? The short answer is "no."
Your risk of configuration mistakes depends on the type of file integrity monitoring solution you implement. It also depends, to a lesser extent, on the complexity of your network and IT staff expertise.
When it comes to built-in security and ease-of-configuration for file integrity monitoring options available, your mileage can vary significantly. The risks outlined in this blog could be unlikely, or even impossible, depending on the brand of integrity monitoring software you select.
To learn more specific details about how the type of file integrity monitoring software you select can affect inherent security and risks, we recommend Is Open Source File Integrity Monitoring Too Risky?
1. Network Coverage
Not every FIM solution is a natural fit for a company's network. With complex or large company networks, poor fit and coverage configuration issues can present an enormous risk. Common configuration mistakes when it comes to FIM network coverage can include:
- Not monitoring all hosts,
- Insufficient coverage for multiple or segregated networks, and
- Not monitoring all files and/or kernels.
2. Access Governance
Some file integrity monitoring options do not accommodate multiple administrators or built-in accountability around admins. This can be particularly common with open source options.
Even if your organization only has the staffing resources for a single administrator, there are inherent risks with configuring your software to support a single "super admin". Allowing a single administrative user to have unchecked power, including the ability to modify logs or "turn off" file integrity monitoring, can increase risk and may even move your organization out of compliance.
To learn more about access governance and insider risks, we recommend Can File Integrity Monitoring Catch Internal Threats?
3. Audit Logging
Investigating off-the-shelf configurations for audit logging can be crucial to the security impact of your FIM. Audit integrity is specifically mentioned in PCI compliance guidelines, as well as in other regulatory requirements. If your audits do not represent the "whole truth" about actions taken, you could miss critical security incidents or risk non-compliance.
Common configuration mistakes and issues that can occur with audit logging include:
- Unencrypted audit logs,
- Editable audit logs, and
- The ability to "turn off" audit logs for a period of time.
4. Poor-Quality Baseline Scan
Polling-based file integrity monitoring software works by checking file attributes at designated intervals. The files' status is converted into hashes, which is compared against a baseline scan of critical system files. This baseline scan is completed at the time of file integrity monitoring implementation.
If your files are corrupted with malicious code or other inherent issues at the time of implementation, you lack a "safe" comparison for future polling. This diminishes the quality of your future file integrity monitoring results and can allow existing compromise to go undetected. While unique needs vary, many organizations with large or complex networks should consider real-time change detection-based file integrity monitoring software instead of a solution that relies primarily on polling.
Read More: Real Time Change Detection vs. Polling
5. OS Compatibility
Not all file integrity monitoring solutions work optimally with every type of operating system. *Nix operating systems are the most commonly supported options with open source file integrity monitoring, while Windows and Mac are rarer.
However, even officially supported operating systems can have unique security gaps. Ultimately, if you are using an open source solution or a solution for an operating system that is not "officially supported", research and formal evaluation of risks are critical.
6. Unsecured Communications
Your network and file integrity monitoring solution can shape the type and volume of communications that occur between monitored infrastructure elements and the software. Depending on whether you select an agentless or agent-based FIM solution, you may have data that is communicated between a master repository, monitored network elements, and the administrative console. If these communications are not sufficiently encrypted, it can introduce risk.
7. Hash Storage
Many open source file integrity monitoring solutions require users to self-design a storage solution for the hashes describing your baseline scan and future polling results. If you store these hashes in an unencrypted database, it can reveal the status and details of your critical system files.
How to Avoid These Common File Integrity Monitoring Configuration Issues
The most effective way to avoid a poorly-configured, risky file integrity monitoring implementation is to keep the following factors in mind when evaluating solutions:
- Inherent security,
- Ease-of-use, and
- Access governance.
By understanding the 7 most common configuration risks prior to software acquisition, organizations can avoid an implementation that doesn't improve the security status quo.
CimTrak offers unique ease-of-use and implementation, including intelligent design against common file integrity monitoring security flaws. CimTrak users can benefit from smarter access governance, built-in protection against insider risks, and total operating system compatibility. Download the Definitive Guide to File Integrity Monitoring to learn how FIM can help your organization today.
July 28, 2016