Investigation of Unexpected Changes


If the integrity control system detects any modification that cannot be classified as an authorized change (for example, a missing file or a newly created file), incident response procedures must be started immediately. The security policy adopted in the organization must contain strict definitions of the duties and authorities of the security administrators responsible for integrity control of the file structure of your system. Ordinary users must be informed of these authorities. When informing users of the basic principles of the organization's security policy, instruct them to report any change in the file structure that they notice to the security administrator immediately.

Do not forget that after any authorized modification of the protected files, the stored attributes of each affected file or directory (date, time, size, checksum, etc.) must be updated, otherwise the next integrity check will report the authorized change as an incident. A similar requirement applies to the hardware: if any device appears unexpectedly, this must be investigated, and after any such incident the network map must be updated according to the actions performed as a result of the investigation.

As I already mentioned, some files change frequently, sometimes several times per second. Besides log files, the list of such files includes the transaction logs of databases or user applications. Temporary files (such as paging files) are a special case. It is certainly rather difficult to trace such changes and react to each of them. In this case, methods based on analyzing the content of such files (transactions, log-file records, etc.) are more efficient than comparing whole-file attributes.
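The following added example (not from the book) sketches how the two preceding points fit together in a file integrity checker: a baseline of size and SHA-256 per file, a baseline record that is refreshed after an authorized edit so it no longer raises an alarm, classification of missing, new and modified files, and a separate rule for frequently changing files that are expected to grow by appending (logs, transaction journals), whose earlier bytes must remain intact while the newly appended records are handed over to content analysis. All file names, paths and contents below are constructed for the demonstration.

```python
import hashlib, os, tempfile

def sha256_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of a file (the whole file when None)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read() if length is None else f.read(length)).hexdigest()

def snapshot(root):
    """Baseline record (size, sha256) of every regular file below root, keyed by relative path."""
    rec = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rec[os.path.relpath(full, root).replace(os.sep, "/")] = (os.path.getsize(full), sha256_prefix(full))
    return rec

def compare(baseline, root, append_only=()):
    """Classify deviations; files in append_only (logs, journals) may grow but not change earlier bytes."""
    current, findings = snapshot(root), {}
    for rel, (old_size, old_hash) in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif rel in append_only:
            new_size = current[rel][0]
            if new_size < old_size or sha256_prefix(os.path.join(root, rel), old_size) != old_hash:
                findings[rel] = "rewritten"             # truncated or earlier records altered
            elif new_size > old_size:
                findings[rel] = ("appended", old_size)  # offset where content analysis of new records starts
        elif current[rel] != (old_size, old_hash):
            findings[rel] = "modified"
    findings.update((rel, "new") for rel in current if rel not in baseline)
    return findings

def demo():
    """Constructed scenario: baseline, one authorised edit that is re-baselined, then unexpected changes."""
    root = tempfile.mkdtemp()
    def write(rel, data, mode="wb"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), mode) as f:
            f.write(data)
    for rel, data in {"bin/app": b"v1", "etc/app.conf": b"a=1\n", "var/app.log": b"start\n", "var/stale": b"x"}.items():
        write(rel, data)
    baseline = snapshot(root)
    write("etc/app.conf", b"a=2\n")                             # authorised change ...
    baseline["etc/app.conf"] = snapshot(root)["etc/app.conf"]  # ... so its baseline record is refreshed
    write("var/app.log", b"login ok\n", "ab")                   # normal log growth
    write("bin/app", b"v1 plus unexpected bytes")                # unexpected change to a protected file
    os.remove(os.path.join(root, "var/stale"))                  # missing file
    write("bin/extra", b"?")                                    # newly created file
    return compare(baseline, root, append_only={"var/app.log"})
```

Running `demo()` reports the tampered binary, the missing file, the new file and the growth offset of the log, while the re-baselined configuration file produces no finding.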

Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152