Information Security and IDPS


28 Questions

What is the main goal of intrusion prevention?

To deter an intrusion from occurring

What is the term for actions an organization undertakes when an intrusion event is detected?

Intrusion reaction

What is the purpose of alarm filtering in IDPS?

To reduce false positives

What is a honeynet?

A network of honeypot systems

What is the primary advantage of a network-based IDPS sensor location?

It can monitor multiple network segments

What is the difference between a NIDPS and a HIDPS?

NIDPS is used for network-based detection, while HIDPS is used for host-based detection

What is the purpose of tuning in IDPS?

To improve detection accuracy

What is the term for a system that is designed to detect a violation of its configuration and activate an alarm?

Intrusion Detection System (IDS)

What is the primary goal of a honeypot?

To divert potential attackers away from critical systems

What are the four dominant metrics used to evaluate the effectiveness of an IDPS?

Thresholds, blacklists, whitelists, and alert settings

Where should NIDPS sensors be located according to NIST recommendations?

Behind each external firewall, outside an external firewall, on major network backbones, and on critical subnets

What is the main difference between NIDPS and HIDPS?

NIDPS monitors network traffic, while HIDPS monitors host systems

What is a partially distributed IDPS control strategy?

Combines centralized and fully distributed strategies; individual agents can analyze and respond to local threats, while reporting to a hierarchical central facility

What is the primary purpose of a honeynet?

To collect information about attackers and their tactics

What is the main advantage of using honeypots and honeynets?

They can divert potential attackers away from critical systems and collect information about attackers

What is the main disadvantage of using honeypots and honeynets?

There may be legal and ethical implications of using them

What is the primary goal of deploying an IDPS?

To detect and prevent attacks

What is the main advantage of using a partially distributed IDPS control strategy?

It is more scalable and flexible than centralized or fully distributed strategies

What is the primary function of a Network-based IDPS?

To look for signs of attacks by examining packets for attack patterns

What is a disadvantage of NIDPSs?

They can become overwhelmed by network volume and fail to recognize attacks

What is an advantage of HIDPSs?

They can detect local events on host systems and detect attacks that may elude a network-based IDPS

What is not a type of IDPS detection method?

Log file monitors

What is a characteristic of statistical anomaly-based IDPS?

Samples network activity to compare to traffic that is known to be normal

What is a type of IDPS response?

Active response

What is a consideration when selecting an IDPS approach or product?

What is your systems environment?

Where are Network-based IDPS sensors typically located?

Installed at a specific place in the network where it can watch traffic going into and out of a particular network segment

What is a characteristic of wireless NIDPS?

Monitors and analyzes wireless network traffic

What is a type of IDPS?

Host-based IDPS

Study Notes

Understanding Security Goals and Objectives

  • Security goals and objectives include determining organizational requirements and constraints
  • Identifying existing security policies and requirements levied from outside the organization
  • Considering resource constraints and selecting IDPS approaches and products

Strengths and Limitations of IDPSs

  • Strengths:
    • Monitoring and analyzing system events and user behaviors
    • Testing security states of system configurations
    • Baselining security states of systems and tracking changes
    • Recognizing system event patterns matching known attacks
    • Recognizing activity patterns that vary from normal activity
    • Managing OS audit and logging mechanisms and data
    • Alerting staff when attacks are detected
    • Measuring enforcement of security policies
    • Providing default information security policies
    • Allowing non-security experts to perform security monitoring
  • Limitations:
    • Not compensating for weak/missing security mechanisms
    • Not detecting new attacks or variants of existing attacks
    • Not responding to attacks by sophisticated attackers
    • Not investigating attacks without human intervention
    • Not resisting attacks intended to defeat or circumvent them
    • Not dealing with problems with fidelity of data sources
    • Not effectively handling switched networks

Deployment and Implementation of IDPS

  • Three basic control strategies:
    • Centralized: all IDPS control functions are implemented and managed in a central location
    • Fully distributed: all control functions are applied at the physical location of each IDPS component
    • Partially distributed: combines centralized and fully distributed approaches
  • Deployment strategies:
    • Network-based IDPS (NIDPS): monitors network traffic
    • Host-based IDPS (HIDPS): monitors activity on a particular computer or server
    • NIDPS and HIDPS can be used in tandem to cover both individual systems and networks

Measuring the Effectiveness of IDPSs

  • Evaluation metrics:
    • Thresholds
    • Blacklists and whitelists
    • Alert settings
    • Code viewing and editing
  • Vendors provide testing mechanisms to verify system performance
  • Testing processes:
    • Recording and retransmitting packets from real virus or worm scans
    • Conducting real virus or worm scans against an invulnerable system

Honeypots, Honeynets, and Padded Cell Systems

  • Honeypots: decoy systems designed to lure potential attackers away from critical systems
  • Honeynets: collections of honeypots connecting several systems on a subnet
  • Padded cells: protected honeypots that cannot be easily compromised
  • Advantages:
    • Attracting and diverting attackers
    • Collecting information about attacker activity
    • Encouraging attackers to stay on the system long enough for administrators to respond
  • Disadvantages:
    • Legal implications of using honeypots and padded cells
    • Not yet proven to be generally useful security technologies
    • Expert attackers may become angry and launch a more hostile attack
    • Require high-level expertise to use effectively

Trap and Trace Systems

  • Use a combination of techniques to detect an intrusion and trace it back to its source
  • Trap: a honeypot or padded cell with an alarm
  • Legal implications: enticement is legal and ethical, but entrapment is not
  • Active countermeasures: stopping attacks
  • LaBrea: a tool that takes up unused IP address space to pretend to be a computer and allow attackers to complete a connection request

Scanning and Analysis Tools

  • Footprinting: researching Internet addresses owned or controlled by a target organization
  • Fingerprinting: surveying a target organization's Internet addresses to reveal internal structure and operational nature
  • Port scanners: tools used to identify computers active on a network
  • Firewalls: several tools automate remote discovery of firewall rules and assist in analyzing them
  • Operating system detection tools: detect a target computer's operating system
  • Vulnerability scanners: active and passive scanners that identify vulnerabilities
  • Packet sniffers: tools that collect and analyze network packets
  • Wireless security tools: assess the risk of wireless networks
  • Biometric access control: uses measurable human characteristics to authenticate identity

Biometric Access Control

  • Relies on recognition
  • Includes fingerprint comparison, palm print comparison, hand geometry, facial recognition, retinal print, and iris pattern
  • Characteristics considered truly unique: fingerprints, retina, and iris
  • Evaluation criteria:
    • False reject rate
    • False accept rate
    • Crossover error rate (CER)
  • Acceptability: balancing security and user acceptance
  • Ranking of biometric effectiveness and acceptance: various biometric systems ranked by effectiveness and acceptance

Intrusion Detection and Prevention Systems

  • An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, usually with the intent to do harm.
  • Intrusion prevention involves activities that seek to deter an intrusion from occurring.
  • Intrusion detection consists of procedures and systems created and operated to detect system intrusions.
  • Intrusion reaction encompasses actions an organization undertakes when an intrusion event is detected.
  • Intrusion correction activities finalize restoration of operations to a normal state.

IDPS Terminology

  • Site policy refers to the set of rules and guidelines for an organization's security posture.
  • Alert or alarm is a notification triggered by an IDPS when a potential threat is detected.
  • Evasion refers to techniques used by attackers to circumvent IDPS detection.
  • Tuning involves adjusting IDPS settings to optimize its performance and minimize false alarms.
  • True attack stimulus is a legitimate attack that triggers an IDPS alarm.
  • Confidence value is a measure of the likelihood that an IDPS alert is a true positive.
  • Alarm filtering involves filtering out false alarms and noise to focus on legitimate threats.
  • Alarm clustering and compaction group related alarms together to simplify analysis.

Benefits of IDPS

  • Enables detection of violations of system configuration and notification of administrators via email or pager.
  • Can be configured to notify an external security service organization of a "break-in".
  • Enhances security posture by providing real-time threat detection and response.

This quiz covers security goals, organizational requirements, and selecting IDPS approaches and products. It also delves into IDPS product features, testing, and user expertise.
