IT Governance, Risk, and Compliance » Hackers

Network Infrastructure Security: Intrusion Detection Systems – Part V

Robert Davis — Wed, 05 Dec 2012 23:32:19 +0000

Anomaly intrusion detection monitors network segments to compare the current state to the previously determined normal baseline and indicate unusual situations. Anomaly based detection can focus solely on protocols. Under this circumstance, protocol anomalies analysis exposes attacks a signature-based IDS is likely to overlook; however the false-assessment rate is often higher than other intrusion detection approaches. Statistical patterns or profiles are frequently the better means to detect insider IT attacks. However, cunning users can intentionally modify their statistical patterns or profiles to masquerade malicious activities. Additionally, a large amount of processing capacity is usually required for anomaly intrusion detection.

Host-based intrusion detection generally provides passive individual IT activity examinations. The Host-based IDS can employ system log data, resource utilization, modification or deletion of files, abnormal privilege escalation, as well as other indicators to note potential attacks for a particular IT.

Source:

Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Raleigh: Lulu.com, 2010.

Network Infrastructure Security: Intrusion Detection Systems – Part IV

Robert Davis — Sat, 01 Dec 2012 00:09:39 +0000

As suggested in the aforementioned paragraph, depending on the developer, an entity deployed IDS can have a variety of components and features. However, IDS functionality commonly includes sensors for detecting data, analyzers for evaluating data, panels for monitoring activities as well as user-interfaces for manipulating configuration settings. Collected IDS items can be in the form of packets, system audit records, computed hash values as well as other data formats. Procedurally, analyzers receive input from sensors and determine intrusive activity.

The misuse detection model is based on the hypothesis that known exploits of vulnerabilities can be described by attack signatures or patterns, therefore IT attacks can be revealed through identifiable patterns. Malicious misuse encompasses reading, modification, and destruction of data. Misuse detection systems normally compare gathered information to large databases of attack signatures for internal perpetrator identification. There is typically a high-degree of certainty that signature-based intrusion detection models will recognize exact attack pattern replications; however slight variations in a data-based attack pattern may escape discovery.

Source:

Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Raleigh: Lulu.com, 2010.

Network Infrastructure Security: Intrusion Detection Systems – Part III

Robert Davis — Thu, 29 Nov 2012 01:41:43 +0000

Deployed intrusion detection solutions are not a substitute for firewalls; although they usually complement the function of firewalls. Commonly, a deployed IDS inspects computer activity to identify suspicious patterns that may indicate an attack from hackers or crackers utilizing vulnerability assessment software. There are several categories for IDS inspection including misuse, anomaly, host-based, and network-based detection. Each IDS classification relies on analytical information to determine reportable conditions, such as signatures, protocols, profiles, and/or statistical patterns.

Generally, intrusion detection systems have passive and active components. Passive procedures normally encompass: inspection of system configuration files to expose inadvisable settings; inspection of password files to indicate imprudent pass-codes; and inspection of other system areas to detect policy violations. Whereas, active procedures usually accommodate: mechanisms to ascertain known methods of attack; mechanisms to log-off users; mechanisms to reprogram the firewall; and mechanisms to log system responses.

Source:

Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Raleigh: Lulu.com, 2010.

Network Infrastructure Security: Intrusion Detection Systems – Part II

Robert Davis — Sat, 24 Nov 2012 00:12:33 +0000

Intrusion detection aids in reacting to network infrastructure incursions. Derivatively, the main value of intrusion detection is early incident or event awareness and subsequent, timely intervention resulting in a loss experience that is less than what might otherwise ensue from a security breach. “After all of the access control rules are implemented and the software is updated and patched, an IDS should provide the ability to determine if and when security controls have been bypassed.” Consequently, the primary IDS purpose is to provide the ability to view IT activity in real time and to identify unauthorized IT activity.

Source:

Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Raleigh: Lulu.com, 2010.

Network Infrastructure Security: Intrusion Detection Systems – Part I

Robert Davis — Wed, 21 Nov 2012 18:28:59 +0000

IT decentralization clearly has increased the need for effective network security. In response, entities typically deploy several layers of information security technologies. Furthermore, due to technological and operational diversity, it is critical to have standard processes to control access that will permit economies of scale.

Network monitoring of packets to identify malformed packets and known attacks should be an entity’s Threat Management control objective. “Unauthorized access incidents are often preceded by reconnaissance activity to map hosts and services and to identify vulnerabilities.” Precursor exploits may include port scans, host scans, vulnerability scans, pings, trace-routes, DNS zone transfers, Operating System fingerprinting, and banner grabbing. Such unethical, if not unlawful, activities are discovered primarily through Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) software and secondarily through log analysis.

Source:

Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Raleigh: Lulu.com, 2010.

Biometric Technology – Part IV

Robert Davis — Mon, 20 Jul 2009 19:28:19 +0000

Technology attacks and attendant security compromises are never easily managed. Parallel to the ingenuity of attackers and proportional to the value placed on entrusted information assets, effective security access controls are imperative. Given the current accuracy of automated user identification and authentication processes, no single security system should ever be promoted as infallible. However, there is sufficient merit in most available biometric systems to warrant deployment consideration for information assets protection. Coupled with other access restriction techniques, biometric technology systems can be a formidable deterrent to unauthorized activities that may disable an entity’s information security infrastructure.

“View Part I of the Biometric Technology series here“

Biometric Technology – Part III

Robert Davis — Thu, 16 Jul 2009 20:31:29 +0000

Through the identification or authentication process, decisions are made regarding access. Typically, biometric identification supports physical access controls, while biometric authentication supports logical access controls. With reliance on biometrics for asset protection, security managers must accept humanness features are dynamic, yet reproducible. Consequently, it is difficult to find a single perfect access security system employing physical and/or behavioral traits.

Voices change over time or under abnormal conditions and can be modulated. Handprints can be altered — by a cut or bruise — as well as replicated. Even eyes and ears can undergo biological transformation from one day to the next. Furthermore, behaviors can be affected by emotional or fatigue states. Thus, biometric systems developed for identifying and/or authenticating authorized users that eliminate all potential errors can be prohibitively time-consuming and expensive, especially in high-traffic areas.

“View Part I of the Biometric Technology series here“

Biometric Technology – Part II

Robert Davis — Mon, 13 Jul 2009 18:25:16 +0000

Most information security practitioners accept biometrics as the science employing distinctive human attributes to discern access right validity. Specifically, imparting the Information Systems Audit and Control Association’s definition, biometrics is the process for identifying or authenticating a living person’s identity based on physiological or behavioral characteristics. Delineated, biometrics identification usually involves a one-to-many individual characteristics search utilizing linked data repositories; whereas biometric authentication entails establishing a one-to-one relationship verifying the claim to an identity made by an individual.

“View Part I of the Biometric Technology series here“

Biometric Technology – Part I

Robert Davis — Thu, 09 Jul 2009 20:20:23 +0000

As technological advancements are increasingly immersed in routine human endeavors, few security professionals doubt the criticality for parallel and proportional achievements in information asset protection mechanisms to defend against threats from individuals or groups chasing infamy dreams. Contextually, those engaged in nefarious IT activities vigorously pursue stardom elevation by orchestrating information security attacks that render barriers to obtaining or affecting a targeted object impotent. When an information asset is deemed valuable, authorization through a single access scheme appears woefully inadequate compared to the estimated number of ‘hackers’ or ‘crackers’ probing IT operational defenses. Predictively, considering published organizational information security incidents, two or more authentication factors will inevitably become the security deployment norm, with one architectural authentication factor relying on a biometrically based process; unless superior alternative access control remedies are devised.