We live in an era where technology is advancing rapidly. We now see self-driving vehicles, refrigerators that connect to the Internet and heart pacemakers with wireless capability. All of these interconnected devices are what we call the Internet of Things. With the benefits of this technology we also pay a price, and that price is security. Companies today focus their efforts on protecting their networks and data; they constantly look for ways to improve network security against attackers, and they implement defense in depth. According to Richard Kemmerer and Giovanni Vigna, computer systems and networks are never 100 percent secure, even with advanced protection. As a result, companies must deploy intrusion detection and prevention systems to discover and react to computer attacks. In this paper I discuss Intrusion Detection and Prevention Systems in depth, to build a better understanding of what an IDPS actually is and how it can increase network security for an organization. I take the Equifax data breach as an example. According to Amanda O’Keefe, more than half of the U.S. population was affected by the Equifax breach. How did it happen? Attackers exploited a vulnerability in Apache Struts, the web application framework Equifax was running, and that foothold let them into the network. One particularly interesting part of this attack is that, according to the investigation by Mandiant, the attackers had time to customize their tools to exploit Equifax’s software more efficiently. They also had enough time to query and analyze dozens of databases and decide which ones held the most valuable information. There is one question we should be asking: did Equifax have any intrusion detection and prevention systems protecting its network? Apparently it did not, or if it did, they were not properly configured.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, that is, violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices (NIST). According to NIST SP 800-94, an incident can have many causes and is not necessarily an attacker trying to break into a network or computer. Causes include malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users who misuse their privileges or attempt to gain additional privileges they are not entitled to. Not every incident is malicious: for example, a user might mistype the name of a computer and accidentally attempt to connect to a device he or she is not authorized to use. Although the attempt was an accident, it is still treated as an intrusion.
Intrusion Detection and Prevention Systems
What is an Intrusion Detection System? It is software (or a dedicated appliance) that monitors network traffic or host activity for suspicious events and sends alerts when it discovers them (NIST). The primary function of an IDS is to detect attacks and alert system administrators so they can react appropriately to stop the attack. According to Teodoro Garcia and Marcia Fernandez, company networks are exposed to a number of security threats that grows every day; they note that new attacks emerge continuously and that developing a flexible and adaptive defensive approach is becoming challenging.
What is an Intrusion Prevention System? An IPS has two functions: detecting threats or attacks, and preventing them from proceeding. An IPS has all the IDS capabilities described above but is more robust, because it sits inline in the traffic path and can take action to block attacks, threats or malware trying to break into the network. The trade-off is that a false positive on an IPS blocks legitimate traffic, whereas a false positive on an IDS only costs analyst time, so IPS rules must be tuned more conservatively. For more complete protection it is better to have intrusion detection and prevention systems working together, with the IPS blocking the high-confidence cases and the IDS alerting on the rest.
Intrusion Detection/Prevention Methodologies
Signature-Based Detection Systems- As the name suggests, this approach compares signatures of known attacks against observed events on the network to identify possible attacks, incidents or malware. Bazara Barry and Anthony Chan argue that signature-based detection systems try to match computer activity to stored signatures of known exploits or attacks; in other words, they use prior knowledge of attacks to look for attack traces. NIST gives the following examples of signature-based detections: a telnet attempt with a username of “root”, which violates an organization’s security policy; an e-mail with a subject of “Free pictures!” and an attachment named “freepics.exe”, which are characteristics of a known form of malware; and an operating system log entry with a status code value of 645, which indicates that the host’s auditing has been disabled. When such an event is detected, the system sends an alert to the appropriate personnel for investigation or containment. The limitation is that a signature can only match what it was written for: a new attack, or a known one with its strings slightly altered, produces no match at all.
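To make the three NIST examples concrete, here is a minimal signature-based detector written for this paper as an added illustration; it is not code from NIST or from any IDS product. Each signature is a predicate over a parsed event record, and the event lines, the key=value record format and the host names are all constructed sample data, not a real capture.

```python
"""Added example: a minimal signature-based intrusion detector.

Each Signature is a predicate over a normalised event dict. The three
signatures mirror the NIST SP 800-94 examples: telnet login as root,
the "Free pictures!" / freepics.exe mail lure, and OS status code 645
(host auditing disabled). All sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


@dataclass(frozen=True)
class Signature:
    sid: str                      # hypothetical rule identifier
    description: str
    match: Callable[[Event], bool]


SIGNATURES: List[Signature] = [
    Signature("SIG-TELNET-ROOT",
              "telnet login attempt as root (policy violation)",
              lambda e: e.get("proto") == "telnet" and e.get("user") == "root"),
    Signature("SIG-FREEPICS-MAIL",
              "known malware lure: subject 'Free pictures!' with freepics.exe",
              lambda e: e.get("type") == "email"
              and e.get("subject", "").strip().lower() == "free pictures!"
              and e.get("attachment", "").lower() == "freepics.exe"),
    Signature("SIG-AUDIT-DISABLED",
              "host auditing disabled (status code 645)",
              lambda e: e.get("type") == "oslog" and e.get("status") == "645"),
]


def parse_event(line: str) -> Event:
    """Parse a constructed 'key=value key="quoted value"' record into a dict."""
    event: Event = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        event[key] = value.strip('"')
    return event


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every signature over every event; return (sid, source, description)."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for sig in SIGNATURES:
            if sig.match(event):
                alerts.append((sig.sid, event.get("src", "?"), sig.description))
    return alerts


# Constructed sample events: three should fire, three should not.
SAMPLE_EVENTS = [
    'type=auth proto=telnet src=10.0.0.5 user=root',
    'type=auth proto=ssh src=10.0.0.5 user=alice',
    'type=email src=mail.example.test subject="Free pictures!" attachment=freepics.exe',
    'type=email src=mail.example.test subject="Quarterly report" attachment=q3.pdf',
    'type=oslog src=host7 status=645 msg="audit policy changed"',
    'type=oslog src=host7 status=4624 msg="logon"',
]

if __name__ == "__main__":
    for sid, src, desc in detect(SAMPLE_EVENTS):
        print(f"ALERT {sid} from {src}: {desc}")
```

The signatures are deliberately exact: renaming the attachment to `freepics2.exe` or using a different mail subject slips past the second rule, which is the weakness the paragraph above describes and the reason anomaly-based detection is discussed next.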
Anomaly-Based Detection/Prevention Systems- According to Symantec, anomaly-based systems are a promising way to combat insider threats. An anomaly-based IDS establishes a baseline of normal network activity, that is, the type and volume of traffic that normally moves across the network. Then
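The baseline step described above can be shown with a small statistical detector, added here as an illustration for this paper rather than code from Symantec or any product. It learns a per-host mean and standard deviation of outbound connections per minute from a constructed "normal" window, then flags later observations that sit more than k standard deviations above the host's mean; the host names and counts are made-up sample data.

```python
"""Added example: anomaly-based detection with a learned per-host baseline.

Phase 1 learns (mean, stdev) of connections-per-minute for each host from a
baseline window. Phase 2 scores new observations with a z-score and flags
anything more than k standard deviations above normal. A host that was never
seen during the baseline is flagged too: there is nothing to compare it with.
All numbers below are constructed sample data.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed baseline: connections per minute during a "normal" period.
BASELINE: Dict[str, List[int]] = {
    "ws-12": [8, 11, 9, 10, 12, 9, 10, 8, 11, 10],
    "db-01": [2, 3, 2, 2, 3, 2, 3, 2, 2, 3],
}

Model = Dict[str, Tuple[float, float]]


def learn_baseline(history: Dict[str, List[int]], stdev_floor: float = 1.0) -> Model:
    """Return per-host (mean, stdev). The floor stops a nearly constant baseline
    (db-01 above) from flagging a one-connection wobble as a 6-sigma event."""
    return {host: (mean(vals), max(pstdev(vals), stdev_floor))
            for host, vals in history.items()}


def score(model: Model, host: str, observed: int, k: float = 3.0) -> Tuple[bool, float]:
    """Return (is_anomalous, z_score) for one observation."""
    if host not in model:
        return True, float("inf")          # unknown host: anomalous by definition
    mu, sigma = model[host]
    z = (observed - mu) / sigma
    return z > k, z


def detect(model: Model, observations: List[Tuple[str, int]],
           k: float = 3.0) -> List[Tuple[str, int, float]]:
    """Return (host, observed, z) for every observation the model flags."""
    flagged = []
    for host, count in observations:
        is_anomalous, z = score(model, host, count, k)
        if is_anomalous:
            flagged.append((host, count, z))
    return flagged


# Constructed live observations: a normal minute, a burst, a quiet DB host,
# a DB host suddenly busy, and a host never seen in the baseline.
NEW_OBSERVATIONS = [("ws-12", 10), ("ws-12", 240), ("db-01", 3), ("db-01", 9), ("ws-99", 5)]

if __name__ == "__main__":
    model = learn_baseline(BASELINE)
    for host, count, z in detect(model, NEW_OBSERVATIONS):
        print(f"ANOMALY {host}: {count} conn/min (z={z:.1f})")
```

Two practitioner caveats follow directly from the code. First, the baseline is only as clean as the window it was learned from: if an insider was already exfiltrating while the baseline was collected, that traffic becomes "normal". Second, an attacker who raises activity slowly can drag a continuously updated baseline upward, so production systems re-learn carefully rather than on every observation.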