
ICSA, Inc., An Introduction to Intrusion Detection and Assessment. For more information, call 888-396-8348.

They CAN make sense of often obtuse system information sources, telling you what's really happening on your systems.

Operating system audit trails and other system logs are a treasure trove of information about what is going on inside your systems. They are also often incomprehensible, even to expert system administrators and security officers. Intrusion-detection systems allow administrators and managers to tune, organize, and comprehend what these information sources tell them, often revealing problems before loss occurs.

They CAN trace user activity from the point of entry to the point of exit or impact.

Intrusion-detection systems offer improvements over perimeter protections such as firewalls. Expert attackers can often penetrate firewalls; therefore, the ability to correlate activity corresponding to a particular user is critical to improving security.

They CAN recognize and report alterations to data files.

Planting Trojan horses in critical system files is a standard attack technique. Similarly, the alteration of critical information files to mask illegal activity, damage reputations, or commit fraud is common. File integrity assessment tools use strong cryptographic checksums to render these files tamper-evident and, when a problem is found, to quickly ascertain the extent of the damage.

They CAN spot errors in your system configuration that have security implications, sometimes correcting them if the user wishes.

Vulnerability assessment products allow consistent auditing and diagnosis of system configuration settings that might cause security problems. These products offer extensive vendor support and turnkey design, so that even novice security personnel can check for hundreds of problems by pushing a button. Some of these products even offer automated fixes for the problems uncovered.
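The file integrity assessment described above, as an added example (not code from the ICSA paper or from any product it describes): build a baseline of cryptographic digests for a directory tree, then compare the tree against that baseline and report what was modified, added or removed. The paper says only "strong cryptographic checksums"; SHA-256 is assumed here, and the directory tree, file names and contents are constructed for the demonstration.

```python
"""File-integrity baseline and check: an added example, not code from the
ICSA paper or any product it describes.

The white paper says only "strong cryptographic checksums"; SHA-256 is
assumed here.  The directory tree, file names and contents are constructed
for the demonstration.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

HASH_ALGORITHM = "sha256"  # assumption: any collision-resistant hash will do
CHUNK_SIZE = 64 * 1024


def file_digest(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(HASH_ALGORITHM)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so a planted link cannot pull an attacker-controlled
    file from outside the tree into the baseline.
    """
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under root against a stored baseline.

    Returns sorted lists of files whose digest changed ('modified'), files
    not in the baseline ('added') and baseline files now missing ('removed').
    Together these are the 'extent of damage' an investigator wants first.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Baseline a constructed tree, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /sbin/real_login \"$@\"\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("Authorized use only.\n")

        baseline = build_baseline(root)

        # Simulated intrusion (constructed): a trojaned login script, a
        # backdoor root account, a dropped tool, and a deleted file.
        (root / "bin" / "login").write_bytes(
            b"#!/bin/sh\nnc -l -p 31337 -e /bin/sh &\nexec /sbin/real_login \"$@\"\n"
        )
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n"
        )
        (root / "bin" / "rootkit").write_bytes(b"\x7fELF")
        (root / "etc" / "motd").unlink()

        return verify(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The baseline itself is the weak point: an intruder who gains root can simply recompute it after tampering. Keep the baseline (or at least a signed digest of it) where the monitored host cannot write, such as read-only media or a separate host, and run the comparison from there. This check also only sees content changes; a production tool records ownership and permission bits as well, since a mode change to a setuid binary is as serious as a content change.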
They CAN recognize when your system appears to be subject to a particular attack.

Vulnerability assessment products also allow the user of a system to quickly determine which attacks should be of concern to that system. Again, strong vendor support allows novice security personnel to re-enact scores of hacker attacks against their own system, automatically recording the results of these attack attempts. These products also provide a valuable sanity check for those installing and setting up new security infrastructures. It is far better for a system manager to determine immediately that the firewall is incorrectly configured than to discover this after an attacker has successfully penetrated it.

They CAN relieve your system management staff of the task of monitoring the Internet for the latest hacker attacks.

Many intrusion detection and assessment tools come with extensive attack signature databases against which they match information from your system. The firms developing these products have expert staffs that monitor the Internet and other sources for reports and other information about new hacker attack tools and techniques. They then use this information to develop new signatures, which are provided to customers for download from web sites, sent to customers in encrypted e-mail messages, or both.
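The signature-database matching described above, as an added example (not code from the ICSA paper or from any product it describes): a small signature feed is loaded, each pattern is matched against host log lines, and a correlation rule is layered on top of the single-line hits. The feed format, the signature names, the threshold rule and the log lines are all constructed for this demonstration.

```python
"""Signature matching over host log lines: an added example, not code from
the ICSA paper or any product it describes.

The signature database format, the signature names, the threshold rule and
the log lines below are all constructed for this demonstration.
"""
from __future__ import annotations

import json
import re
from collections import Counter
from dataclasses import dataclass

# Constructed signature database in the shape a vendor feed might deliver:
# a name, a regular expression and a severity per entry.  Named groups
# capture the fields that later rules correlate on.
SIGNATURE_DB_JSON = r"""
[
  {"name": "ssh-failed-login",
   "pattern": "Failed password for (?:invalid user )?(?P<user>\\S+) from (?P<src>[0-9.]+)",
   "severity": "low"},
  {"name": "ftp-site-exec",
   "pattern": "ftpd\\[\\d+\\]: .*SITE EXEC",
   "severity": "high"},
  {"name": "cgi-phf-probe",
   "pattern": "GET /cgi-bin/phf\\?",
   "severity": "high"}
]
"""

# Constructed log lines: syslog-style entries plus one web-server access line.
LOG_LINES = [
    "Mar  3 10:01:02 host sshd[123]: Failed password for root from 10.0.0.5 port 4001 ssh2",
    "Mar  3 10:01:03 host sshd[123]: Failed password for root from 10.0.0.5 port 4002 ssh2",
    "Mar  3 10:01:04 host sshd[123]: Failed password for invalid user admin from 10.0.0.5 port 4003 ssh2",
    "Mar  3 10:01:05 host sshd[123]: Accepted password for alice from 10.0.0.9 port 5000 ssh2",
    "Mar  3 10:02:00 host ftpd[200]: command: SITE EXEC /bin/sh -c id",
    '10.0.0.7 - - [03/Mar/1999:10:03:00 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 -',
]


@dataclass(frozen=True)
class Alert:
    signature: str
    severity: str
    line_no: int    # 1-based index into the scanned lines
    fields: tuple   # sorted (name, value) pairs captured by the pattern


def load_signatures(db_json: str) -> list[dict]:
    """Parse a signature feed and precompile its patterns."""
    signatures = json.loads(db_json)
    for sig in signatures:
        sig["regex"] = re.compile(sig["pattern"])
    return signatures


def match_lines(lines, signatures) -> list[Alert]:
    """Single-line matching: one alert per (line, signature) hit, in line order."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        for sig in signatures:
            m = sig["regex"].search(line)
            if m:
                alerts.append(Alert(sig["name"], sig["severity"], n,
                                    tuple(sorted(m.groupdict().items()))))
    return alerts


def brute_force_sources(alerts: list[Alert], threshold: int = 3) -> dict[str, int]:
    """Correlation on top of single-line hits: sources with >= threshold failed logins.

    A lone failed login is noise; the same source failing repeatedly is the
    pattern worth escalating.  The threshold value is an assumption.
    """
    counts = Counter(dict(a.fields)["src"] for a in alerts if a.signature == "ssh-failed-login")
    return {src: n for src, n in sorted(counts.items()) if n >= threshold}


if __name__ == "__main__":
    sigs = load_signatures(SIGNATURE_DB_JSON)
    hits = match_lines(LOG_LINES, sigs)
    for a in hits:
        print(f"line {a.line_no}: {a.signature} ({a.severity}) {dict(a.fields)}")
    print("brute force:", brute_force_sources(hits))
```

Two caveats follow from the design. A signature can only describe an attack that is already known, so the value of the database is bounded by how promptly the vendor feed is applied. And a regular expression over the raw line is only as good as its normalization: the phf request above is caught because the path is written plainly, but the same request with the path URL-encoded differently would slip past, which is why real engines decode fields before matching.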