DETECTION: Discusses intrusion detection systems, and using these tools as the
detection component of an institution's information security program.

INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure that appropriate
security precautions have been implemented and that system security configurations are
appropriate. The next step is to monitor the system for intrusions and unusual activities.
Intrusion detection systems (IDSs) may be useful because they act as a burglar alarm,
reporting potential intrusions to appropriate personnel. By analyzing the information
generated by the systems being guarded, IDSs help determine if necessary safeguards are in
place and are protecting the system as intended. In addition, they can be configured to
automatically respond to intrusions.
Computer system components or applications can generate detailed, lengthy logs or audit
trails that system administrators can manually review for unusual events. IDSs automate
the review of logs and audit data, which increases the review's overall efficiency by
reducing costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an agent, which is the
component that actually collects the information. Second is a manager, which processes the
information collected by the agents. Third is a console, which allows authorized
information systems personnel to remotely install and upgrade agents, define intrusion
detection scenarios across agents, and track intrusions as they occur. Depending on the
complexity of the IDS, there can be multiple agent and manager components.
Generally, IDS products use three different methods to detect intrusions. First, they
can look for identified attack signatures, which are streams or patterns of data
previously identified as an attack. Second, they can look for system misuse such as
unauthorized attempts to access files or disallowed traffic inside the firewall. Third,
they can look for activities that are different from the user's or system's
normal pattern. These "anomaly-based" products (which use artificial
intelligence) are designed to detect subtle changes or new attack patterns, and then
notify appropriate personnel that an intrusion may be occurring. Some anomaly-based
products are created to update normal use patterns on a regular basis. Poorly designed
anomaly-based products can trigger frequent false-positive responses.
Although IDSs may be an integral part of an institution's overall system security,
they will not protect a system from previously unknown threats or vulnerabilities. They
are not self-sufficient and do not compensate for weak authentication procedures (e.g.,
when an intruder already knows a password to access the system). Also, IDSs often have
overlapping features with other security products, such as firewalls. IDSs provide
additional protections by helping to determine if the firewall programs are working
properly and by helping to detect internal abuses. Both firewalls and IDSs need to be
properly configured and updated to combat new types of attacks. In addition, management
should be aware that the state of these products is highly dynamic and IDS capabilities
are evolving.
IDS tools can generate both technical and management reports, including text, charts,
and graphs. The IDS reports can provide background information on the type of attack and
recommend courses of action. When an intrusion is detected, the IDS can automatically
begin to collect additional information on the attacker, which may be needed later for
documentation purposes.
As with vulnerability assessment tools, there are generally two types of IDS products:
host-based and network-based. A third product category is sometimes used for IDSs that
look for unusual application events (application-based) on a host. Both network- and
host-based tools offer valuable features, and the risk assessment process should help
institutions determine if either, or a combination of both, is best for their needs.
Host-based IDSs are also known as audit trail analysis tools or server-based IDSs
(often placed on servers). A host-based IDS will look for potential intrusions or patterns
of misuse by monitoring host event activities, audit logs, and other security-related
activities. The tools will track audit trails from operating systems, applications, Web
servers, routers, and firewalls, as well as monitor critical files for Trojan horses and
unauthorized changes. This can provide valuable evidence of a break-in and can assist in
assessing damage because the intruder's actions are logged on the specific hosts. If
done in real-time, the IDS can promptly notify the bank of unauthorized attempts to gain
system administrator (root) controls, access or change critical files, or replace log-in
programs.
An important benefit of host-based IDSs is that they are effective in detecting insider
misuse because they monitor activities on the specific hosts. For example, they can
monitor a user's attempt to access a restricted file, or an attempt to execute a
system administrator's command. In addition, they can monitor encrypted transmissions
as the data is generally decrypted before it is logged at the host.
A problem with host-based systems is that notification of the attack is delayed if an
agent does not examine the audit trail in real-time. This problem relates to the
relatively large consumption of computer processing speed and disk space that is required
to run these programs in real-time. If not run in real-time, they still allow a bank to
identify larger trends and problems with system security.
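The three detection methods described above (attack signatures, misuse rules, and anomaly thresholds) applied to a host audit trail of the kind a host-based IDS reviews, as an added illustration that is not part of the original guidance and not any vendor's product. The log lines, the signature, the restricted-file and admin-command policy sets, the list of authorised administrators, and the failed-login baseline are all constructed for the example.

```python
import re
from collections import Counter

# Constructed host audit-trail lines (not from any real system), key=value fields.
AUDIT_LOG = """\
2024-01-05T09:01:10 user=alice action=login result=success
2024-01-05T09:03:05 user=bob action=read file=/etc/shadow result=denied
2024-01-05T09:03:06 user=bob action=exec cmd=/usr/sbin/useradd result=denied
2024-01-05T09:03:30 user=sysadmin action=exec cmd=/usr/sbin/useradd result=success
2024-01-05T09:04:00 user=carol action=login result=failure
2024-01-05T09:04:02 user=carol action=login result=failure
2024-01-05T09:04:04 user=carol action=login result=failure
2024-01-05T09:05:00 user=dave action=login result=failure
2024-01-05T09:10:00 user=bob action=write file=/bin/login result=success
"""
# Method 1: attack signatures (constructed; real products rely on vendor-updated databases).
SIGNATURES = {"login-program-replaced": re.compile(r"action=write file=/bin/login\b")}
# Method 2: misuse rules, policy violations regardless of the outcome field.
RESTRICTED_FILES = {"/etc/shadow"}
ADMIN_COMMANDS = {"/usr/sbin/useradd"}
ADMIN_USERS = {"sysadmin"}  # assumed authorised; stops legitimate admin work alerting
# Method 3: anomaly threshold, deviation from an assumed per-user baseline.
NORMAL_FAILED_LOGINS = 2

def parse(line):
    # 'ts k=v k=v ...' -> dict, timestamp kept under 'ts'
    ts, *pairs = line.split()
    return {"ts": ts, **dict(p.split("=", 1) for p in pairs)}

def analyze(log_text):
    # Returns (method, user, detail) alerts for one audit-trail window.
    alerts, failed = [], Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append(("signature", ev["user"], name))
        if ev["action"] == "read" and ev.get("file") in RESTRICTED_FILES:
            alerts.append(("misuse", ev["user"], "restricted file " + ev["file"]))
        if (ev["action"] == "exec" and ev.get("cmd") in ADMIN_COMMANDS
                and ev["user"] not in ADMIN_USERS):
            alerts.append(("misuse", ev["user"], "admin command " + ev["cmd"]))
        if ev["action"] == "login" and ev["result"] == "failure":
            failed[ev["user"]] += 1
    # Anomaly check over the whole window: only users above the baseline alert,
    # so dave's single failure is not reported (avoiding a false positive).
    for user, n in failed.items():
        if n > NORMAL_FAILED_LOGINS:
            alerts.append(("anomaly", user, f"{n} failed logins, baseline {NORMAL_FAILED_LOGINS}"))
    return alerts
```

Running analyze(AUDIT_LOG) yields two misuse alerts for bob, one signature alert for bob, and one anomaly alert for carol, while sysadmin's authorised command and dave's single failed login produce nothing.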
With network-based IDSs, software or sniffers are placed on one or multiple points
across the network. The sniffer agent analyzes packets of information moving across the
network for potential intrusions. Network packets contain data, including the message and
headers that identify the sending and receiving parties. Network-based IDSs look for
patterns of misuse, specific types of attacks, and unusual activity such as unexpected
volume and types of network traffic. Certain types of network-oriented attacks, such as
IP spoofing, packet floods, and denial of service, are better detected through packet
examination than by a host-based IDS.
Network-based IDSs can detect potential intrusions in real-time, and offer concurrent
notification and response capabilities to potential intrusions. The software does not need
to be put on the various hosts throughout the network, thus it is generally easier to
monitor and may be less expensive than host-based IDSs.
Network-based IDSs sometimes mistakenly identify normal traffic as an intrusion
("false positives") and vice versa ("false negatives"). They can have
difficulties detecting slow attacks and experience problems with busy networks.
Network-based IDSs cannot monitor encrypted transmissions (only detect that data is being
transferred across the network), and are less effective at detecting insider misuse
because network packet analysis does not monitor the activities on specific hosts.
Factors to Consider in Evaluating IDSs
Once it is determined that an IDS is necessary to detect possible security breaches,
several factors should be considered in evaluating IDSs, including:
• The comprehensiveness of the attack signature database, including the frequency of
updates that incorporate newly identified concerns. Most products rely on vendor
updates, so banks need to assess the timeliness of the IDS vendor's updates. Products
can be updated through Internet downloads, CD-ROM or floppy disk updates, or even
manually if the user has a sufficient degree of technical knowledge.
• The effectiveness of the IDS in protecting an institution from both internal and
external threats to a computer system. The IDS should limit the number of false
positives (incorrectly identifying an attack when none has occurred) and false negatives
(not identifying an attack when one has occurred).
• The impact on performance of the network and/or host(s). Generally, IDSs work on a
real-time basis. Real-time analysis provides quicker notification of potential
intrusions; however, it can reduce system performance due to the additional memory and
processing requirements. Non-real-time analysis generally consumes fewer resources, but
has the disadvantage that the potential intrusion has already occurred. Knowledgeable
intruders, moreover, can manipulate audit trails, making the after-the-fact analysis
useless in detecting these particular intruders.
• The security of the IDS itself and how secure the update process is, especially if
updated remotely.
• The reporting and automated response capabilities. IDSs will sometimes generate more
information than can be reviewed by present qualified staff. Also, for privacy reasons,
management should consider informing all affected system users about the scope and type
of monitoring being conducted.
Other things to consider include training and support from the vendor, cost of
hardware, software, and maintenance agreements, integration with vulnerability assessment
tools, and configuration capabilities.
An institution's risk assessment process should first determine whether an IDS is
necessary. Next, the type or placement of an IDS depends on the priority of identified
threats or vulnerabilities. If one or a few hosts contain information that management
views as critical, a host-based IDS may be warranted. If the information is less
essential, other controls such as a firewall and/or filtering routers may be sufficient to
protect the information. If an institution is primarily concerned with attacks from the
outside or views the entire network system as critical, a network-based product may be
appropriate. A combination of host- and network-based IDSs may also be appropriate for
effective system security. Management should be aware that even after an IDS is in place,
there may be other access points to the bank's systems that are not being monitored.
Management should determine what types of security precautions are needed for the other
access points.
The placement of the IDS within the institution's system architecture should be
carefully considered. The primary benefit of placing an IDS inside a firewall is the
detection of attacks that penetrate the firewall as well as insider abuses. The primary
benefit of placing an IDS outside of a firewall is the ability to detect such activities
as sweeping, which can be the first sign of attack; repeated failed log-in attempts; and
attempted denial of service and spoofing attacks. Placing an IDS outside the firewall will
also allow the monitoring of traffic that the firewall stops.