ICSA, Inc.
For more information, call 888-396-8348 17
An Introduction to Intrusion Detection and Assessment
They CAN make sense of often obtuse system information sources, telling you what's really happening on your systems.
Operating system audit trails and other system logs are a treasure trove of information about what's going on inside your systems. They are also often incomprehensible, even to expert system administrators and security officers. Intrusion-detection systems allow administrators and managers to tune, organize, and comprehend what these information sources tell them, often revealing problems before loss occurs.
They CAN trace user activity from the point of entry to the point of exit or impact
Intrusion-detection systems offer improvements over perimeter protections such as firewalls. Expert attackers can often penetrate firewalls; therefore, the ability to correlate activity corresponding to a particular user is critical to improving security.
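The two points above (turning raw audit records into something an administrator can read, and following one user from entry to exit) amount to parsing and correlating log records. The script below is an added illustration, not code from the ICSA paper or any product it describes: it parses a handful of constructed syslog-style records (a simplified shape, not real log output), groups them into per-user sessions from accepted login to session close, attaches the commands run inside each session, and sets aside records it cannot tie to a session, such as rejected logins, which are then counted per source address. Record format, regexes and sample lines are all assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample records in a simplified syslog-like shape; not real logs.
SAMPLE_LOG = """\
Mar 12 09:00:01 host1 sshd[201]: Accepted password for alice from 10.0.0.5 port 5100
Mar 12 09:00:05 host1 sudo: alice : COMMAND=/usr/bin/vi /etc/hosts
Mar 12 09:00:09 host1 sshd[201]: session closed for user alice
Mar 12 09:01:00 host1 sshd[202]: Accepted publickey for bob from 10.0.0.7 port 5101
Mar 12 09:01:04 host1 sshd[202]: session closed for user bob
Mar 12 09:02:00 host1 sshd[203]: Failed password for root from 192.0.2.9 port 5102
"""

# One record: timestamp, host, program (optional [pid]), free-text message.
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w-]+)(?:\[\d+\])?: (.*)$")
ENTRY_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")
EXIT_RE = re.compile(r"session closed for user (\S+)")
CMD_RE = re.compile(r"^(\S+) : COMMAND=(.*)$")
FAIL_RE = re.compile(r"Failed \w+ for \S+ from (\S+)")


def parse_line(line):
    """Split one raw record into its fields, or return None for lines we do not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    return {"ts": ts, "host": host, "prog": prog, "msg": msg}


def trace_sessions(log_text):
    """Group records into per-user sessions running from entry (accepted login) to exit.

    Returns (sessions, orphans): sessions in order of entry, each listing the actions taken
    inside it; orphans are records that could not be tied to an open session.
    """
    sessions, orphans, open_by_user = [], [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := ENTRY_RE.search(msg):
            method, user, src = m.groups()
            sess = {"user": user, "src": src, "host": rec["host"], "start": rec["ts"],
                    "end": None, "events": [f"login:{method}"]}
            open_by_user[user] = sess   # one open session per user keeps the example simple
            sessions.append(sess)
        elif m := EXIT_RE.search(msg):
            sess = open_by_user.pop(m.group(1), None)
            if sess is None:
                orphans.append(rec)
            else:
                sess["end"] = rec["ts"]
                sess["events"].append("logout")
        elif m := CMD_RE.match(msg):
            user, cmd = m.groups()
            sess = open_by_user.get(user)
            if sess is None:
                orphans.append(rec)
            else:
                sess["events"].append(f"command:{cmd}")
        else:
            orphans.append(rec)
    return sessions, orphans


def failed_logins_by_source(orphans):
    """Count rejected logins per source address among the unattributed records."""
    counts = Counter()
    for rec in orphans:
        if m := FAIL_RE.search(rec["msg"]):
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    sessions, orphans = trace_sessions(SAMPLE_LOG)
    for s in sessions:
        print(f"{s['user']}@{s['src']} {s['start']} -> {s['end']}: {' | '.join(s['events'])}")
    print("failed logins:", failed_logins_by_source(orphans))
```

A session whose `end` stays `None` is one the log never closed, which is exactly the kind of loose end an administrator reading the raw file would miss; a real system keys sessions on more than the user name (host, terminal, process id) because one user can hold several at once.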
They CAN recognize and report alterations to data files
Putting Trojan Horses in critical system files is a standard attack technique. Similarly, the alteration of critical information files to mask illegal activity, damage reputations, or commit fraud is common. File integrity assessment tools utilize strong cryptographic checksums to render these files tamper-evident and, in the case of a problem, quickly ascertain the extent of damage.
They CAN spot errors in your system configuration that have security implications, sometimes correcting them if the user wishes
Vulnerability assessment products allow consistent auditing and diagnosis of system configuration settings that might cause security problems. These products offer extensive vendor support and turnkey design so that even novice security personnel can look for hundreds of problems by pushing a button. Some of these products even offer automated fixes for the problems uncovered.
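A configuration audit of the kind the paragraph describes, written as an added example rather than code from the paper or from any assessment product: a small rule table names directives whose values are considered unsafe, `audit()` reports each violation (and each directive left unset, since the daemon's default then applies), and `fix()` applies the recommended values only when called, matching the "if the user wishes" behaviour. The directive names are OpenSSH `sshd_config` options used for illustration; the rule set, the parser and the sample file are this example's own assumptions.

```python
import re

# Rules: (directive, values treated as unsafe, value to apply when fixing, rationale).
RULES = [
    ("PermitRootLogin", {"yes"}, "no", "direct root logins hide which person actually logged in"),
    ("PasswordAuthentication", {"yes"}, "no", "password logins are exposed to guessing"),
    ("PermitEmptyPasswords", {"yes"}, "no", "accounts without passwords are usable by anyone"),
    ("X11Forwarding", {"yes"}, "no", "forwarding exposes the server to client-side X attacks"),
]

# Constructed sample configuration in the "Directive value" style; not a real file.
SAMPLE_CONFIG = """\
# constructed sshd_config-style sample
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding no
"""

LINE_RE = re.compile(r"^\s*(#?)\s*(\w+)\s+(\S.*?)\s*$")


def parse_config(text):
    """Map directive -> (value, line number). Blank lines and comments are ignored.

    As in sshd, the first occurrence of a directive wins; an audit tool must mirror the
    daemon's own precedence rules or it reports the wrong effective setting.
    """
    settings = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m.group(1) == "#":
            continue
        settings.setdefault(m.group(2), (m.group(3), n))
    return settings


def audit(text):
    """Return findings as (directive, current value or None if unset, recommended value, why)."""
    settings = parse_config(text)
    findings = []
    for directive, unsafe, safe, why in RULES:
        if directive not in settings:
            findings.append((directive, None, safe, "not set, so the daemon default applies; " + why))
        elif settings[directive][0].lower() in unsafe:
            findings.append((directive, settings[directive][0], safe, why))
    return findings


def fix(text):
    """Apply the recommended values; returns (new text, list of (directive, old, new))."""
    settings = parse_config(text)
    lines = text.splitlines()
    changes = []
    for directive, value, safe, _ in audit(text):
        if value is None:
            lines.append(f"{directive} {safe}")           # unset: add an explicit line
        else:
            lines[settings[directive][1] - 1] = f"{directive} {safe}"   # rewrite in place
        changes.append((directive, value, safe))
    return "\n".join(lines) + "\n", changes


if __name__ == "__main__":
    for directive, value, safe, why in audit(SAMPLE_CONFIG):
        print(f"{directive}: {value!r} -> {safe} ({why})")
    fixed, changes = fix(SAMPLE_CONFIG)
    print(fixed)
```

Running `audit()` a second time over the output of `fix()` returns no findings, which is the check a tool should make before it reports a problem as corrected; the commented-out line is left untouched because it has no effect on the daemon.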
They CAN recognize when your system appears to be subject to a particular attack
Vulnerability assessment products also allow the user of a system to quickly determine what attacks should be of concern to that system. Again, strong vendor support allows novice security personnel to reenact scores of hacker attacks against their system, automatically recording the results of these attack attempts. These products also provide a valuable sanity check for those installing and setting up new security infrastructures. It is far better for a system manager to determine that his firewall is incorrectly configured immediately than to discover this after an attacker has successfully penetrated it.
They CAN relieve your system management staff of the task of monitoring the Internet searching for the latest hacker attacks
Many intrusion detection and assessment tools come with extensive attack signature databases against which they match information from your system. The firms developing these products have expert staffs that monitor the Internet and other sources for reports and other information about new hacker attack tools and techniques. They then use this information to develop new signatures that are provided to customers for download from web sites, delivered to customers via encrypted e-mail messages, or both.
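How a signature database is matched against system information, shown as an added example that is not code from the paper or from any vendor's product. The database here is a versioned list of entries, each with a regular expression and, optionally, a threshold; the scanner fires a plain signature on every match and a threshold signature only when enough matches from the same source fall inside a sliding time window. The database format, the two entries, and the event stream (timestamps in seconds, message text) are all constructed for this example.

```python
import re
from collections import defaultdict, deque

# Constructed signature database; the format and the entries are this example's own.
# A real product ships thousands of vendor-maintained entries under a version stamp.
SIGNATURE_DB = {
    "version": "example-2",
    "signatures": [
        {"id": "SIG-001", "name": "password guessing from one source",
         "pattern": r"Failed password for \S+ from (?P<src>\S+)",
         "threshold": {"count": 5, "seconds": 60}},
        {"id": "SIG-002", "name": "interactive login directly as root",
         "pattern": r"Accepted \w+ for root from (?P<src>\S+)"},
    ],
}

# Constructed events: ts is seconds since an arbitrary epoch, msg the message text.
EVENTS = (
    [{"ts": t, "msg": "Failed password for admin from 192.0.2.9 port 5100"}
     for t in (0, 10, 20, 30, 40)]
    + [{"ts": 45, "msg": "Failed password for admin from 198.51.100.4 port 5101"},
       {"ts": 100, "msg": "Accepted publickey for root from 10.0.0.5 port 5102"},
       {"ts": 500, "msg": "Failed password for admin from 192.0.2.9 port 5103"}]
)


def compile_db(db):
    """Compile every signature's pattern once, up front."""
    return [(sig, re.compile(sig["pattern"])) for sig in db["signatures"]]


def scan(events, db):
    """Match time-ordered events against the database and return the alerts raised.

    A signature without a threshold fires on every match. One with a threshold fires when
    `count` matches from the same source fall inside a `seconds`-wide sliding window; the
    window is then reset so a sustained burst raises one alert per batch, not one per event.
    """
    compiled = compile_db(db)
    windows = defaultdict(deque)        # (signature id, source) -> recent match timestamps
    alerts = []
    for ev in events:
        for sig, rx in compiled:
            m = rx.search(ev["msg"])
            if not m:
                continue
            src = m.groupdict().get("src")
            alert = {"id": sig["id"], "name": sig["name"], "ts": ev["ts"], "src": src,
                     "db_version": db["version"]}
            thr = sig.get("threshold")
            if thr is None:
                alerts.append(alert)
                continue
            q = windows[(sig["id"], src)]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > thr["seconds"]:
                q.popleft()             # drop matches that have aged out of the window
            if len(q) >= thr["count"]:
                alerts.append(alert)
                q.clear()
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS, SIGNATURE_DB):
        print(f"[{a['id']}] {a['name']} src={a['src']} at t={a['ts']} (db {a['db_version']})")
```

Recording the database version in each alert is what lets an analyst later tell whether a missed event was a detection gap or simply a signature that had not yet been installed. Because the database is code that the product executes on trust, an update downloaded from a web site or received by e-mail should have its integrity and origin checked before it is loaded, in the same way the file integrity tools above protect their baselines.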