Chapter 7: Anticipating Attacks, or Creating an Intrusion Detection Infrastructure


Overview

"Now the general who wins a battle makes many calculations in his temple ere the battle is fought. The general who loses a battle makes but few calculations beforehand. Thus do many calculations lead to victory, and few calculations to defeat: how much more no calculation at all! It is by attention to this point that I can foresee who is likely to win or lose."

Sun Tzu, "The Art of War."

So far, we have briefly considered all of the basic aspects of intrusion detection technologies and know what to look for and where, as well as how and using which tools. You might ask: "What else do we need?" This information alone, however, is not sufficient in order to create a truly efficient intrusion detection infrastructure. You need to know not only which intrusion detection systems are available and how they work, but also how to make the correct choice when evaluating the broad range of intrusion detection systems currently available on the market. By the most conservative estimate, the number of these systems currently available exceeds a hundred, and continues to grow. As well as this, it is necessary to have an idea of where to install these systems, how to customize them according to your information processing technology, and so on. These, however, are only the organizational issues; you will also need to put the system into operation, and then maintain and support it. Finally, just detecting an attack is not enough, since you will also need to know how to react to this information by initiating investigative procedures within the proper time frame. The remaining chapters of this book are dedicated to the consideration of these issues. In addition, I would like to emphasize that you should not believe vendors' advertising slogans that state that all you need to do is install the product, and then forget about it completely. Maybe the system itself works like that, but do not forget that you still need to deploy and customize it, and then maintain its knowledge base, keeping it in the most current state. To achieve this, you will need human resources, time and, naturally, money. In other words, you will need to build the intrusion detection infrastructure.

To detect security policy violations efficiently, special preparation is required. These preparations must not only be related to the network environment itself (servers, workstations, routers, security tools and so on), but also to the personnel who are responsible for providing information security. In this case, it is necessary to remember that information security depends not only on the employees working in the information-security department (or in a department responsible for performing similar functions), but also on other specialists, including employees in the IT, communications and other functional departments, including the financial department. All employees must understand the organization's security policy, its role, and the basic procedures for ensuring information security (particularly within the range of their own duties).

In general, organizations that do not pay sufficient attention to preliminary tasks, and do not have an appropriate intrusion detection infrastructure, encounter the following problems:

  • They are unable to notice traces of attacks because of the lack or incorrect configuration of appropriate intrusion detection tools and information on the standard functioning of the controlled system. Due to this, it is impossible to determine if an event is anomalous, as there is nothing with which to compare it.

  • They are unable to identify attacks due to the insufficient theoretical knowledge, skills and practical experience of their security personnel.

  • They are unable to evaluate the duration of attacks or the damage caused by them. This significantly increases the time required to recover from attacks.

  • In most cases, they are unable to restore the system after a failure using only their own resources.

  • These organizations are likely to suffer serious damage, which might not be limited only to direct financial losses. For example, if your customers know that their confidential information or money is exposed to risk, they might go to your competitors, which will result in a loss of expected profit, and so on. You might even land yourself in court for inadequate protection of your resources and the interests of your clients. Quite often, intruders are able to use the vulnerable systems in these organizations as a basis for attacking other networks or hosts.

  • Finally, the business reputation of such a company might suffer serious damage.

In any case, adequate preparation can either entirely prevent an attack on your organization, or at least minimize the losses and damage due to the attack, and protect your system from similar intrusions in the future. This preparation involves the analysis of several basic components:

  • The existing security policy and methods of ensuring that security procedures and security guidelines are being followed. If your organization currently has no such policy, it is high time to design one.

  • Information processed within the information system.

  • The components of the information system (workstations, servers, communications equipment, software, etc.).

  • The corporate network and the segments that comprise it.

  • The users of your information system. When considering users, you must take into account both internal users (company employees) and external users that have access to corporate resources (partners, clients, suppliers, etc.).

  • Specialized tools used to ensure information security, including intrusion detection.

This chapter describes all of the preliminary actions that must be performed in the course of implementing an intrusion detection infrastructure. Simply following the recommendations provided here will help you prepare for creating an efficient information-security system, even if you are not planning to install the intrusion detection system right away. In practice, all of the preliminary actions described here are common procedures ahead of deploying practically any information-security infrastructure.

The list of actions to implement before creating the intrusion detection infrastructure includes the following:

  • Educating and training your personnel. Note that it is necessary to provide education and training not only for employees working in an information-security department, but also for employees from departments in any way related to information security.

  • Determining security policies and procedures that will prepare your organization for the detection of intrusions.

  • The selection of mechanisms for system and network logging, which are the basis of intrusion detection technologies.

  • Generating information that is required for the control of the integrity of information resources and for building an efficient intrusion detection infrastructure.
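As an added illustration of the last item (this is example code, not code from the book), the following Python script records an integrity baseline of every file under a directory and later diffs a fresh scan against it, so that a change has something to be compared with, which is exactly what the organizations described earlier lack. The directory tree, file names and contents in `demo()` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Hash the file content and record the metadata an unauthorized change would alter."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o777}


def build_baseline(root: str) -> dict:
    """Walk `root` and return {relative_path: fingerprint} for every regular file (symlinks skipped)."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root_path).as_posix()] = _fingerprint(p)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Classify differences since the baseline: files added, removed, or modified."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel] != new[rel]:
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter the tree and diff it against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(tmp)
        (root / "etc" / "passwd").write_text("root:x:0:0\nextra:x:1001:1001\n")  # modified
        (root / "etc" / "hosts").unlink()                                         # removed
        (root / "etc" / "rc.local").write_text("#!/bin/sh\n")                     # added
        return compare_baselines(baseline, build_baseline(tmp))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where an intruder cannot rewrite it (read-only media or a separate host), or the comparison proves nothing.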

It is vital to note that, during the creation of a complex security system that includes intrusion detection, it is also necessary to perform a number of other actions, including activating access control systems and authentication servers, antivirus systems and firewalls, eliminating unnecessary services, using "strong" passwords, and limiting modem usage.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152
