Implementing File Integrity Management (FIM)

Thursday, March 17, 2011

Ron Lepofsky


Why have I not yet implemented File Integrity Management (FIM)?

If you have not yet deployed FIM, perhaps now is a good time to ask "why not".

If your organization is now addressing data loss prevention (DLP) by minimizing the risk of damage by malicious code and by enforcing strict access controls to mitigate unauthorized access, then FIM is something you might also want to consider.

FIM is essentially the monitoring of all aspects of changes to key files, so that any attempted or successful unauthorized change is detected quickly and mitigation steps can be taken quickly.

In the terms of reference of this blog, the main concern addressed by deploying FIM is to ensure that malicious code has not been embedded within critical applications and operating system files.

Current concerns center on botnet or other large-scale intrusion attempts to install Trojans, including rootkits.

Just to be thorough, file integrity breaches can be caused by all manner of problems within the file management lifecycle, such as transmission errors, software bugs, storage errors, write errors, and incorrect change management procedures.

The important changes integrity monitoring should discover relate to:

  • File size, version
  • When it was created, when it was modified
  • The login name of any user who modifies the file
  • Its attributes (e.g., Read-Only, Hidden, System, etc.)
  • When group ownership of files is changed
  • Improper user access or attempted access of confidential files
  • Changes to security access permissions for files, including new permissions, deleted permissions, and changes to permissions
  • Changes to directories: files and folders that are removed and added
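As an added illustration (not code from the original post or from any FIM product), the sketch below takes a baseline of several attributes from the list above for a directory tree and reports what was added, removed or changed. The SHA-256 content hash, the function names and the sample files are assumptions made for the example; it does not cover who made a change, access attempts or registry keys.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Record size, mtime, mode, owner, group and SHA-256 for each entry under root."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath, name)
            st = os.lstat(path)
            is_file = stat.S_ISREG(st.st_mode)  # hash regular files only
            state[os.path.relpath(path, root)] = {
                "size": st.st_size, "mtime": st.st_mtime_ns,
                "mode": stat.filemode(st.st_mode),
                "uid": st.st_uid, "gid": st.st_gid,
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest() if is_file else None,
            }
    return state

def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> differing fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diff = sorted(k for k in baseline[path] if baseline[path][k] != current[path][k])
        if diff:
            changed[path] = diff
    return added, removed, changed

def demo():
    """Constructed sample tree: take a baseline, alter the tree, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in (("app.conf", b"admin=0\n"), ("index.html", b"<p>hi</p>\n"),
                           ("old.log", b"started\n")):
            (root / name).write_bytes(data)
            os.chmod(root / name, 0o644)
            os.utime(root / name, (1_000_000_000, 1_000_000_000))  # fixed baseline time
        baseline = snapshot(root)
        (root / "app.conf").write_bytes(b"admin=1\n")    # same size, different content
        os.chmod(root / "index.html", 0o666)             # permission change only
        (root / "old.log").unlink()                      # file removed
        (root / "dropped.bin").write_bytes(b"\x00\x01")  # file added
        return compare(baseline, snapshot(root))
```

In the constructed run, the edit to `app.conf` leaves the file size unchanged, so it shows up only through the modification time and the content hash.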

The types of files of concern include:

  • Web files
  • Database files
  • Video and audio files
  • Key data files (Typically stored as alphanumeric and special symbols as ASCII files.)
  • System binaries (These are typically executable versions of programs stored in machine-readable format consisting of "0"s and "1"s.)
  • Configuration files (When a program executes, it refers to the configuration file to determine what settings are in effect. These files are sometimes stored in the system's registry, which is part of the guts of an operating system. The registry is essentially a database used by the operating system to store configuration details.)

Delving into more technical detail on the registry, the following types of changes to registry values, keys, and subkeys could / should also be monitored:

  • new registry keys and subkeys
  • removed registry keys and subkeys
  • changed registry values.

This detection ability includes changes to normally hidden registry keys such as the SAM and SECURITY keys.

FIM Compliance with IT Security Standards

Several security standards also require a file integrity monitoring and management program in order to achieve compliance. Some of these standards are:


  • Table R15 15.1 Limit propagation of malicious code
  • Table R15 15.2 Detect and respond to the introduction of malicious code
  • Table R15 15.3 Implement processes to test and update malicious code protections.


  • SI-4 Information System Monitoring
  • SI-7 Software and Information Integrity

PCI Data Security Standard

  • 10.5.5 Use file-integrity monitoring
  • 11.5 Deploy file-integrity monitoring software

SANS Consensus Audit Guidelines (CAG)

  • 3.5 integrity checking tools and change management
  • 3.7 integrity checking tools

So the bottom line of FIM is to ensure that, during the course of regular business, which includes changes to files, the files always remain in a known and trusted state.

I've run out of space for today. Next blog I'll cover how FIM works and where to search for vendors that provide related tools.

Have a secure week.     

Ron Lepofsky CISSP, CISM, B.A.SC (Mech Eng)

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.