Incidents


An incident represents a higher level of description of security policy violations. An incident is a group of attacks related to each other by several parameters, such as the attack target, the attack purpose and so on. It is at this level that the concept of an "attack source" appears, which is missing from the other models (Fig. 2.11).

Fig. 2.11. The "Incident" model

An incident can be implemented using a single attack, as well as by using several sequential or parallel attacks. The success of an intrusion is determined by whether the intruder has achieved the desired result. The attack fails if the intruder has not achieved any of his goals. However, the victim remains a victim, and some consequences and losses are possible even in this case.
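As an added illustration of this model (example code, not from the book), the following Python groups individually detected attacks into incidents by shared attack source and target and classifies each incident as a single, sequential or parallel set of attacks; the event fields, the one-hour correlation gap and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Attack:
    source: str     # attack source: the concept that appears at the incident level
    target: str     # attacked host
    purpose: str    # e.g. "recon", "exploit", "dos" (values are assumptions)
    start: datetime
    end: datetime

@dataclass
class Incident:
    """Attacks that share a source and a target and fall within a time window."""
    source: str
    target: str
    attacks: list

    def shape(self):
        """'single', 'parallel' (attacks overlap in time) or 'sequential'."""
        if len(self.attacks) == 1:
            return "single"
        ordered = sorted(self.attacks, key=lambda a: a.start)
        if any(cur.start < prev.end for prev, cur in zip(ordered, ordered[1:])):
            return "parallel"
        return "sequential"

def group_incidents(attacks, gap=timedelta(hours=1)):
    """Correlate attacks sharing source and target that start within `gap` of the incident's last attack."""
    incidents = []
    for a in sorted(attacks, key=lambda a: a.start):
        for inc in incidents:
            last_end = max(x.end for x in inc.attacks)
            if (inc.source, inc.target) == (a.source, a.target) and a.start - last_end <= gap:
                inc.attacks.append(a)
                break
        else:  # no open incident matched: this attack opens a new one
            incidents.append(Incident(a.source, a.target, [a]))
    return incidents

# Constructed sample (not real data): .5 probes then fires two overlapping exploits at www, .9 floods mail, .5 returns 3 h later.
T = datetime(2002, 6, 1, 10, 0)
def M(n): return T + timedelta(minutes=n)
SAMPLE = [
    Attack("10.0.0.5", "www", "recon", M(0), M(5)),
    Attack("10.0.0.5", "www", "exploit", M(10), M(12)),
    Attack("10.0.0.5", "www", "exploit", M(11), M(13)),
    Attack("10.0.0.9", "mail", "dos", M(30), M(45)),
    Attack("10.0.0.5", "www", "recon", M(180), M(185)),
]
```

Running `group_incidents(SAMPLE)` yields three incidents: the three attacks on "www" (parallel, since the two exploits overlap), the single DoS against "mail", and the later probe from the same source, which starts a new incident because it falls outside the gap.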

As statistics show, the number of security incidents grows in proportion to the growth of the Internet. Table 2.6, compiled from CERT/CC data, illustrates this growth. Notice that the number of processed e-mail messages exceeds the number of incidents several times over.

Table 2.6. Number of CERT-Registered Security Incidents and Processed E-Mail Messages (from 1988 to the Second Quarter of 2002)

Year           Number of incidents    Number of e-mail messages
1988                             6                          539
1989                           132                        2,869
1990                           252                        4,448
1991                           406                        9,629
1992                           773                       14,463
1993                         1,334                       21,267
1994                         2,340                       29,580
1995                         2,412                       32,084
1996                         2,573                       31,268
1997                         2,134                       39,626
1998                         3,734                       41,871
1999                         9,859                       34,612
2000                        21,756                       56,365
2001                        52,658                      118,907
2002 (to Q2)                43,136                       95,163

Interest in e-commerce will only intensify this growth. Furthermore, another trend has been noticed. During the 80s and early 90s, external intruders attacked Internet hosts merely to demonstrate their skills or out of curiosity. Currently, most attackers pursue financial or political goals.

The skills and level of knowledge of intruders have also changed. In the 80s, they were IT experts (Fig. 2.12) with a sound knowledge of the UNIX operating system and the C or Perl programming languages, who wrote the source code of their exploits themselves. Modern intruders, on the contrary, mainly employ ready-to-use GUI tools. According to the latest data, the share of such "hackers," or script kiddies, has reached 95%. Only a limited number of real hackers write exploits themselves. Currently, any user with an Internet-connected computer can attack a victim via the Internet and cause significant damage to that person's hard drive.

Fig. 2.12. Complexity of attacks and intruder's skills

In the past, an intruder entered commands manually and could not access more than a dozen or a hundred remote systems simultaneously. Now, thousands of remote hosts can be attacked simply by pressing a key. In contrast to the past, it is now rather difficult to detect an intruder who has penetrated your system. An intruder can penetrate a network, carry out an attack and hide the traces of his or her activity within a few seconds. Denial of Service attacks were not popular in the past, and no one could have predicted that they would become a matter of any importance. Now the situation has changed (for example, the DDoS attacks on the Amazon, eBay, CNN and other servers).




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152
