ICSA, Inc. For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment    18

They CAN make the security management of your systems by non-expert staff possible.
Some intrusion detection and assessment tools offer those with no security expertise the ability to manage security-relevant features of your systems from a user-friendly interface. These are window-based, point-and-click screens that step users through setup and configuration in a logical, readily understood fashion.

They CAN provide guidelines that assist you in the vital step of establishing a security policy for your computing assets.
Many intrusion detection and assessment products are part of comprehensive security suites that include security policy building tools. These provide easy-to-understand guidance in building your security policy, prompting you for information and answers that allow you to articulate goals and guidelines for the use of your computer systems.

Unrealistic expectations

They are not silver bullets.
Security is a complex area with myriad possibilities and difficulties. In networks, it is also a “weakest link” phenomenon—i.e., it only takes one vulnerability on one machine to allow an adversary to gain entry and potentially wreak havoc on the entire network. The time it takes for this to occur is also minuscule. There are no magic solutions to network security problems, and intrusion detection products are no exception to this rule. However, as part of a comprehensive security management program, they can play a vital role in protecting your systems.

They CANNOT compensate for weak identification and authentication mechanisms.
Although leading-edge research in intrusion detection asserts that sophisticated statistical analysis of user behavior can assist in identifying a particular person by observing their system activity, this claim is far from demonstrated. Therefore, we must still rely on other means of identification and authentication (I&A) of users. This is best accomplished by strong authentication mechanisms (including token-based or biometric schemes and one-time passwords). A security infrastructure that includes both strong I&A and intrusion detection is stronger than one containing only one or the other.

They CANNOT conduct investigations of attacks without human intervention.
Even in very secure environments, incidents happen. To minimize the occurrence of incidents (and the possibility of resulting damage), one must perform incident handling: investigate the attacks; determine, where possible, the responsible party; then diagnose and correct the vulnerability that allowed the problem to occur, reporting the attack and its particulars to the authorities where required. In some cases, especially those involving a dedicated attacker, finding the attacker and then pursuing criminal charges is the only way to make the attacks cease. However, an intrusion detection system is not capable of identifying the person at the other end of the connection without human intervention. The best that it can do is identify the IP address of the system that served as the attacker’s point of entry—the rest is up to a human incident handler.