
INTRUSION DETECTION SYSTEMS

An IDS is an element of securing networks and complements firewall implementations.

It works with routers and firewalls by monitoring network usage for anomalies.

It operates continuously on the system, running in the background, and notifies administrators when it detects a perceived threat.

Categories

Network-based IDSs

identify attacks within the monitored network

placed between the Internet and the firewall, a network IDS detects all attack attempts, whether or not they pass through the firewall

placed between the firewall and the corporate network, it detects only the attacks that have made it through the firewall (i.e., it detects intruders)

Host-based IDSs

configured for a specific environment

monitor various internal resources of the OS to warn of a possible attack.

• detect the modification of executable programs

• detect the deletion of files

• issue a warning when an attempt is made to use a privileged command
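Added example, not from the original notes: a minimal file-integrity check of the kind a host-based IDS performs to notice modified or deleted executables. It hashes every file under a directory as a baseline, then re-scans and reports what changed. The directory tree, file contents and the "intruder" changes are all constructed in a temporary directory for the demonstration; nothing here touches a real system.

```python
"""Added example, not from the original notes: a minimal file-integrity
check of the kind a host-based IDS performs to spot modified or deleted
executables. The directory tree, file contents and the "intruder" changes
are all constructed here in a temp directory for demonstration."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def compare(baseline, current):
    """Classify differences the way a HIDS would alert on them."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def write(path, data):
    """Helper: create parent directories and write bytes to path."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed 'bin' tree, tamper with it, re-scan, return alerts."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files standing in for system binaries.
        write(os.path.join(root, "bin", "ls"), b"\x7fELF original ls")
        write(os.path.join(root, "bin", "ps"), b"\x7fELF original ps")
        write(os.path.join(root, "etc", "passwd"), b"root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot(root)  # in practice stored off-host or read-only

        # Simulated intruder: trojaned ls, removed ps, dropped a new binary.
        write(os.path.join(root, "bin", "ls"), b"\x7fELF trojaned ls")
        os.remove(os.path.join(root, "bin", "ps"))
        write(os.path.join(root, "bin", "backdoor"), b"\x7fELF backdoor")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

Two caveats a practitioner would add: the baseline must be kept where the intruder cannot rewrite it (off-host, or on read-only media), and a scanner running on a compromised kernel can be lied to about file contents, which is why the check is a complement to, not a replacement for, network-based detection.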

Components of an IDS are:

• Sensors, responsible for collecting data such as network packets, log files and system call traces

• Analyzers, which receive input from sensors and determine whether activity is intrusive

• Administration console

• User interface

Types of IDSs include:

• Signature-based: protects against known intrusion patterns. Identified intrusive patterns are stored as signatures.

• Statistical-based: needs a comprehensive definition of the known and expected behavior of systems; activity that deviates from that baseline is flagged.

• Neural networks: monitor the general patterns of activity and traffic on the network and build a database; similar to the statistical model but with added self-learning functionality.

Limitations of these models:

• A signature-based IDS cannot detect all types of intrusions due to the limitations of its detection rules (an attack with no matching signature passes unnoticed).

• A statistical-based IDS may report many events that fall outside the defined normal activity but are in fact normal activities on the network (false positives).
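The two models side by side, as an added example that is not part of the original notes. A signature engine matches known intrusive patterns in URL-decoded request paths; a statistical engine learns a per-client request rate from a training window and flags clients that exceed mean plus three standard deviations. The log lines, client addresses and signatures are all constructed for the illustration, and the baseline is deliberately tiny (four clients) to keep the arithmetic visible.

```python
"""Added example, not from the original notes: signature-based and
statistical-based detection run over constructed HTTP request records.
Each record is (timestamp_seconds, client_ip, request_path)."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed signatures: the only two patterns this engine "knows".
SIGNATURES = {
    "path-to-passwd": re.compile(r"/etc/passwd"),
    "sqli-or-1=1": re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE),
}

# Constructed training window (60 s) of normal traffic from four clients.
TRAINING = (
    [(t, "10.0.0.5", "/index.html") for t in range(0, 60, 2)]       # 30 req/min
    + [(t, "10.0.0.6", "/about") for t in range(0, 60, 3)]          # 20 req/min
    + [(t, "10.0.0.7", "/news") for t in range(0, 60, 2)][:24]      # 24 req/min
    + [(t, "10.0.0.8", "/news") for t in range(0, 60, 2)][:26]      # 26 req/min
)

# Constructed live window (60 s): normal traffic, a legitimate burst, and attacks.
LIVE = (
    [(t, "10.0.0.5", "/index.html") for t in range(100, 160, 2)]                # normal
    + [(100 + i, "10.0.0.6", "/about") for i in range(60)]                     # legit burst
    + [(101, "203.0.113.9", "/cgi-bin/view?file=..%2F..%2Fetc%2Fpasswd"),      # known
       (102, "203.0.113.9", "/login?user=admin%27%20OR%201%3D1--")]            # known
    + [(103, "198.51.100.4", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E")] # unknown
)


def signature_scan(events):
    """Return (client_ip, signature_name) for every request matching a signature."""
    hits = []
    for _ts, ip, path in events:
        decoded = unquote(path)  # normalise before matching, or %2F hides '/'
        for name, rx in SIGNATURES.items():
            if rx.search(decoded):
                hits.append((ip, name))
    return hits


def train_baseline(events):
    """Requests per client over the window, summarised as (mean, population std)."""
    rates = list(Counter(ip for _ts, ip, _p in events).values())
    return statistics.mean(rates), statistics.pstdev(rates)


def statistical_scan(events, baseline, k=3.0):
    """Flag clients whose request count exceeds mean + k * std of the baseline."""
    mean, std = baseline
    counts = Counter(ip for _ts, ip, _p in events)
    return sorted(ip for ip, n in counts.items() if n > mean + k * std)


def demo():
    """Run both engines over LIVE and return what each one reports."""
    return {
        "signature": signature_scan(LIVE),
        "statistical": statistical_scan(LIVE, train_baseline(TRAINING)),
    }


if __name__ == "__main__":
    for engine, findings in demo().items():
        print(engine, findings)
```

The output shows both limitations from the notes at once: the signature engine reports the two known patterns from 203.0.113.9 but has no rule for the script injection from 198.51.100.4, while the statistical engine flags only 10.0.0.6, whose burst is legitimate, and sees nothing unusual in an attacker who sends two requests.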

Features

• Intrusion detection

• Gathering evidence on intrusive activity

• Automated response (e.g., termination of connection, alarm messaging)

• Security policy

• Interface with system tools

• Security policy management

Limitations (an IDS does not address the following):

• Weaknesses in the policy definition

• Application-level vulnerabilities

• Back doors into applications

• Weaknesses in identification and authentication schemes

Actions in case of intrusion detection

Terminate the access

when the intrusion poses a significant risk to the organization's data or systems, immediate termination is the usual procedure

Trace the access

when the risk to the data is low, the activity is not immediately threatening, or analysis of the entry point and attack method is desirable, the IDS can be used to trace the origin of the intrusion

the information gathered is used to determine and correct system weaknesses and to collect evidence of the attack, which may be used in a subsequent court action

in either case the action required should be determined by management in advance and incorporated in a policy

this saves time when an intrusion is detected and may limit the possible data loss

INTRUSION PREVENTION SYSTEMS

An IPS is designed not only to detect an attack but to prevent it; it can also reconfigure other security controls, such as a firewall or router, to block the attack.

An IPS can disconnect an originating network or user session by blocking access to the target from the originating user account and/or IP address.

Whereas an IDS alerts or warns of an attack, requiring security personnel to act, an IPS will try to stop the attack.

This can be effective in limiting damage or disruption to systems that are attacked, but the IPS must be properly configured:

• Threshold settings that are too high (attacks get through) or too low (legitimate activity is blocked) limit the effectiveness of the IPS.

• Because the response is automatic, a clever attacker could send commands that appear to come from, or are aimed at, many hosts protected by an IPS, so that the IPS's own blocking response causes those hosts to become dysfunctional.
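Added example, not from the original notes: a toy in-line IPS that blocks a source address once it exceeds a failed-login threshold inside a sliding window, run at three threshold settings over a constructed event stream. The stream contains an administrator who mistypes a password a few times, a real brute-force source, and a brute-force stream whose source address is forged to be that of a legitimate internal host (possible with connectionless protocols, or when the IPS acts on unauthenticated log data). All addresses, timings and the `never_block` allowlist are assumptions made for the illustration.

```python
"""Added example, not from the original notes: a rate-based auto-blocking
IPS at different thresholds, including the case where forged source
addresses turn the IPS against a legitimate host."""
from collections import defaultdict, deque

# Constructed events: (timestamp_seconds, source_ip, login_outcome).
EVENTS = sorted(
    [(t, "10.0.0.10", "fail") for t in (1, 5, 9, 14)]        # admin fat-fingers 4 times
    + [(20, "10.0.0.10", "success")]                          # ...then logs in
    + [(30 + i, "203.0.113.9", "fail") for i in range(40)]   # real brute force
    + [(30 + i, "10.0.0.20", "fail") for i in range(40)],    # forged source: a file server
    key=lambda e: e[0],
)


def run_ips(events, threshold, window=60, never_block=frozenset()):
    """Block a source after `threshold` failures within `window` seconds.

    Returns (sorted list of blocked sources, number of events dropped because
    their source was already blocked). `never_block` is an allowlist of hosts
    whose traffic is reported but never cut off.
    """
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    blocked = set()
    dropped = 0
    for ts, src, outcome in events:
        if src in blocked:
            dropped += 1            # in-line: the packet never reaches the target
            continue
        if outcome != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while q and q[0] <= ts - window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in never_block:
            blocked.add(src)
    return sorted(blocked), dropped


def demo():
    """Same stream at thresholds that are too low, reasonable, and too high."""
    return {th: run_ips(EVENTS, th) for th in (3, 10, 100)}


def demo_allowlist():
    """Reasonable threshold plus an allowlist protecting the spoofed host."""
    return run_ips(EVENTS, 10, never_block=frozenset({"10.0.0.20"}))


if __name__ == "__main__":
    for th, (blocked, dropped) in demo().items():
        print(f"threshold={th:3d} blocked={blocked} dropped={dropped}")
    print("with allowlist:", demo_allowlist())
```

At threshold 3 the administrator is locked out along with the attacker (too low); at 100 nobody is blocked (too high); at 10 only the two brute-force streams are blocked, but one of them carries the forged address of the file server, so the IPS has just taken an internal host offline on the attacker's behalf. The allowlist run shows the usual mitigation: never auto-block addresses whose availability matters, and act only on sources the protocol has actually confirmed.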

Honeypots and Honeynets

Honeypots

A honeypot is a software application that pretends to be a vulnerable server on the Internet and is not set up to actively protect against break-ins.

The more a honeypot is targeted by an intruder, the more valuable it becomes.

two basic types

• High-interaction: gives hackers a real environment to attack

• Low-interaction: emulates production environments and provides limited information

It acts as a decoy system that lures hackers.

Although technically related to IDSs and firewalls, it has no real production value as an active sentinel of networks.

Honeynets

A honeynet is a set of multiple, linked honeypots that simulate a larger network installation.

Hackers infiltrate the honeynet, which allows investigators to observe the hackers' actions using a combination of surveillance technologies.

Traffic on honeypots or honeynets is assumed to be suspicious because the systems are not meant for internal use.

There is a risk that external monitoring services that create lists of untrusted sites may report the organization's system as vulnerable, without knowing that the vulnerabilities belong to the honeypot and not to the system itself.

Full Network Assessment Reviews

The following reviews should occur:

• Logical access controls

• Network and firewall configuration: confirm it is designed to support the security of the services being provided (e.g., screening routers, dual/multihomed hosts, screened subnets and DMZ proxy servers).

• Security policy and procedures: determine that good practices are in place, and evaluate them to ensure that they support SoD (e.g., development vs. operation, security administration vs. audit).

• Networks: segmented by trust levels, using appropriately configured routers.

• Determine that:

– Intrusion detection software is in place.

– Filtering is being performed.

– Encryption is being used (consider VPNs/tunneling, digital signatures for email).

– Strong forms of authentication are being used.

– Firewalls have been configured properly (consider removal of all unnecessary software, addition of security and auditing software, removal of unnecessary logon IDs, disabling of unused services).

– Application- or circuit-level gateways in use are running proxy servers for all legitimate services (e.g., teletype network (Telnet), HTTP and FTP).

– Virus scanning is being used.

– Periodic penetration testing is being completed.

– Audit logging is undertaken for all key systems (e.g., firewalls, application gateways and routers) and audit logs are copied to secure file systems (consider the use of SIEM software).

– Security administrators are keeping up to date with the latest known vulnerabilities, through the organization's vendors, their local and international CERT, and vulnerability databases (e.g., the National Vulnerability Database operated by NIST).

SECURITY INFORMATION AND EVENT MANAGEMENT

SEM (security event management) systems automatically aggregate and correlate security event log data across multiple security devices.

This allows security analysts to focus on a manageable list of critical events.

These systems use either rule-based or statistical correlation:

• Rule-based: analysts create situation-specific rules that establish a pattern of events.

• Statistical: uses algorithms to calculate threat levels incurred by relevant events on various IT assets.
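Added example, not from the original notes: rule-based correlation across two device logs. Raw lines from a firewall and from a host's SSH daemon are normalized into one event shape, grouped by source address, and two situation-specific rules are evaluated: a burst of failed logins to a host followed by a successful one, and a port scan (firewall denies to several destinations) followed by any successful login from the same source. The log formats, hostnames, addresses and thresholds are constructed for the illustration and are not real log data.

```python
"""Added example, not from the original notes: rule-based SEM/SIEM
correlation over constructed firewall and sshd log lines."""
import re
from collections import defaultdict

# Constructed raw log lines in two device formats (not real log data).
RAW = [
    "1700000001 fw1 DENY src=203.0.113.9 dst=10.0.0.20 dport=22",
    "1700000002 fw1 DENY src=203.0.113.9 dst=10.0.0.21 dport=22",
    "1700000003 fw1 DENY src=203.0.113.9 dst=10.0.0.22 dport=22",
    "1700000010 srv1 sshd: Failed password for root from 203.0.113.9",
    "1700000012 srv1 sshd: Failed password for root from 203.0.113.9",
    "1700000015 srv1 sshd: Failed password for root from 203.0.113.9",
    "1700000020 srv1 sshd: Accepted password for root from 203.0.113.9",
    "1700000030 srv2 sshd: Failed password for alice from 10.0.0.5",   # one typo
    "1700000040 srv2 sshd: Accepted password for alice from 10.0.0.5",  # then fine
    "garbage line the collector could not parse",
]

FW = re.compile(r"^(\d+) (\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")
SSH = re.compile(r"^(\d+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def normalize(line):
    """Turn one raw line into a common event dict, or None if unparseable."""
    m = FW.match(line)
    if m:
        ts, dev, src, dst, port = m.groups()
        return {"ts": int(ts), "src": src, "dst": dst, "type": "fw_deny",
                "port": int(port), "device": dev}
    m = SSH.match(line)
    if m:
        ts, host, result, user, src = m.groups()
        return {"ts": int(ts), "src": src, "dst": host, "user": user,
                "type": "auth_fail" if result == "Failed" else "auth_ok",
                "device": host}
    return None


def correlate(events, window=300, fail_threshold=3, scan_threshold=3):
    """Evaluate two rules per source; return (rule, src, dst, severity) alerts."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["type"] != "auth_ok":
                continue  # both rules are anchored on a successful login
            earlier = [x for x in evs[:i] if x["ts"] >= e["ts"] - window]
            fails = [x for x in earlier if x["type"] == "auth_fail" and x["dst"] == e["dst"]]
            if len(fails) >= fail_threshold:
                alerts.append(("brute-force-then-success", src, e["dst"], "critical"))
            scanned = {x["dst"] for x in earlier if x["type"] == "fw_deny"}
            if len(scanned) >= scan_threshold:
                alerts.append(("scan-then-login", src, e["dst"], "high"))
    return alerts


def demo():
    """Aggregate RAW from both devices and run the correlation rules."""
    events = [e for e in (normalize(l) for l in RAW) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Nine parseable events from two devices collapse to two alerts, both about 203.0.113.9; alice's single typo on srv2 generates nothing. Neither rule would fire on the firewall log or the host log alone, which is the point of aggregating across devices before correlating.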

Advantages/uses

• SEM systems provide real-time monitoring, correlation of events, notifications and console views.

• SIEM systems take the SEM capabilities and combine them with the historical analysis and reporting features of security information management (SIM) systems.

Information security teams should periodically analyze the trends found from SEM or SIEM systems.

This allows the organization to investigate incidents as well as allocate appropriate resources to prevent future incidents.

Security operations center (SOC)

an organized team created to improve the security posture of an organization and to respond to cybersecurity incidents

uses SIEM for monitoring and detection

Note on strong authentication (for the network assessment review above): consider the use of smart cards or biometrics for authentication to firewalls, to internal software/hardware within the network, and to external hardware/software.

Note on IPS misconfiguration (see Intrusion Prevention Systems above): an attack that turns the IPS's automatic response against the hosts it protects could be catastrophic in environments where continuity of service is critical.