ICSA, Inc.
For more information, call 888-396-8348 18
An Introduction to Intrusion Detection and Assessment
They CAN make the security management of your systems by non-expert staff possible.

Some intrusion detection and assessment tools offer those with no security expertise the ability to manage security-relevant features of your systems from a user-friendly interface. These are window-based, point-and-click screens that step users through setup and configuration in a logical, readily understood fashion.
They CAN provide guidelines that assist you in the vital step of establishing a security policy for your computing assets.

Many intrusion detection and assessment products are part of comprehensive security suites that include security policy building tools. These provide you easy-to-understand guidance in building your security policy, prompting you for information and answers that allow you to articulate goals and guidelines for the use of your computer systems.
Unrealistic expectations

They are not silver bullets

Security is a complex area with myriad possibilities and difficulties. In networks, it is also a weakest-link phenomenon, i.e., it only takes one vulnerability on one machine to allow an adversary to gain entry and potentially wreak havoc on the entire network. The time it takes for this to occur is also minuscule. There are no magic solutions to network security problems, and intrusion detection products are no exception to this rule. However, as part of comprehensive security management they can play a vital role in protecting your systems.
They CANNOT compensate for weak identification and authentication mechanisms

Although leading-edge research in intrusion detection asserts that sophisticated statistical analysis of user behavior can assist in identification of a particular person by observing their system activity, this fact is far from demonstrated. Therefore, we must still rely on other means of identification and authentication of users. This is best accomplished by strong authentication mechanisms (including token-based or biometric schemes and one-time passwords). A security infrastructure that includes strong I&A and intrusion detection is stronger than one containing only one or the other.
They CANNOT conduct investigations of attacks without human intervention

Even in very secure environments, incidents happen. In order to minimize the occurrence of incidents (and the possibility of resulting damage) one must perform incident handling. One must investigate the attacks, determine, where possible, the responsible party, then diagnose and correct the vulnerability that allowed the problem to occur, reporting the attack and particulars to authorities where required. In some cases, especially those involving a dedicated attacker, finding the attacker, then pursuing criminal charges against the attacker, is the only way to make the attacks cease. However, the intrusion-detection system is not capable of identifying the person at the other end of the connection without human intervention. The best that it can do is identify the IP address of the system that served as the attacker's point of entry; the rest is up to a human incident handler.