In the past, several frameworks, models,
Unfortunately, the performance of a formal risk analysis has turned out to be difficult in practice. There are
A formal risk analysis process requires the establishment of an inventory for all assets (e.g., to decide whether they are
A formal risk analysis always requires the quantification of loss exposures based on estimated frequencies and costs of occurrence. Either value—the estimated frequencies and the costs of occurrence—is hard to quantify. How do you, for example, quantify the estimated frequency for a system being hacked? Does this value depend on the operating system in use? Does it depend on the actual configuration? Does it depend on software patches being installed or not installed? Similarly, how do you quantify the costs of occurrence? Note that no system or network resource need be damaged during the system hack. Nevertheless, the loss of reputation and customer confidence may still be large and worrisome. It turns out that probability theory is an inappropriate approach to quantify loss exposures in the IT world. Unfortunately, we do not have an alternative approach so far.
Because of these difficulties, it is common today to perform only qualitative risk analyses. A qualitative risk analysis, in
In many companies and organizations it is not even possible to perform a qualitative risk analysis, and some simpler risk management approaches and technologies must be used instead. Some alternative approaches and technologies are addressed
[2] http://www.logica.com
[3] http://www.clusif.asso.fr/
Team-Fly
Given the difficulties of performing formal risk analyses, IT security professionals are looking into alternative approaches and technologies to manage the relevant risks. The two most
The
Security scanning tools and security scanners can be partitioned into host-based scanners and network-based
A host-based scanner runs on a system and looks into the configuration of the system from the inside. For example, a host-based scanner can check whether files that contain user authentication information (e.g.,
Contrary to that, a network-based scanner runs on a system and looks into the configurations of systems from the outside. For example, a network-based scanner can check what systems are accessible and what services are running on the ports of these systems.
Ideally, a scanner is host-based and network-based, meaning that it can investigate on and take into account information that is available on either side. As of this writing, there are many security scanners commercially or
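The following is an added example (not code from the book or from any scanner product) of the kind of check a host-based scanner performs from the inside: it verifies that files holding authentication data are owner-only accessible and are not symbolic links. The file names, the policy bits and the demo scenario are constructed for illustration; a real scanner would carry a platform-specific policy database.

```python
"""Minimal host-based configuration check (added example, not from the book).

Models one test of a host-based scanner: files that hold credentials must not
be readable or writable by group or other, and must not be symbolic links.
The policy and the demo files below are constructed for the example.
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    mode: str      # observed permission bits, e.g. "0644"
    problem: str   # human-readable description of the deviation


# Policy (constructed): bits that must NOT be set on a credential file.
FORBIDDEN_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def check_auth_file(path: str) -> list[Finding]:
    """Return findings for one credential file; an empty list means compliant."""
    findings: list[Finding] = []
    try:
        st = os.lstat(path)          # lstat: do not follow links, report them instead
    except FileNotFoundError:
        return [Finding(path, "----", "file missing")]
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISLNK(st.st_mode):
        findings.append(Finding(path, f"{mode:04o}", "is a symbolic link"))
    if mode & FORBIDDEN_BITS:
        who = []
        if mode & (stat.S_IRGRP | stat.S_IWGRP):
            who.append("group")
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            who.append("other")
        findings.append(Finding(path, f"{mode:04o}",
                                "accessible by " + " and ".join(who)))
    return findings


def scan_host(paths: list[str]) -> list[Finding]:
    """Run the check over every configured path and collect all findings."""
    results: list[Finding] = []
    for p in paths:
        results.extend(check_auth_file(p))
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: two credential files, one with a loose mode, one missing.

    Returns {basename: problem} so the outcome can be inspected programmatically.
    """
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "shadow")     # constructed stand-in, not /etc/shadow
    bad = os.path.join(tmp, "htpasswd")    # constructed stand-in
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("constructed:$placeholder$\n")
    os.chmod(good, 0o600)   # owner-only: compliant
    os.chmod(bad, 0o644)    # group/other readable: finding
    findings = scan_host([good, bad, os.path.join(tmp, "missing")])
    return {os.path.basename(f.path): f.problem for f in findings}


if __name__ == "__main__":
    for name, problem in demo().items():
        print(f"{name}: {problem}")
```

Because the check runs with local file-system access it can see ownership and mode bits that no network-based scanner can observe; that is precisely the inside view the text attributes to host-based scanning.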
According to [5], an intrusion refers to "a sequence of related actions by a malicious adversary that results in the occurrence of unauthorized security threats to a target computing or networking domain," and the term intrusion detection refers to the process of identifying and responding to intrusions.
There are many tools that can be used to automate intrusion detection. These tools are commonly referred to as intrusion detection systems (IDSs). Although the research community has been actively designing, developing, and testing IDSs for more than a
There are basically two technologies that can be used to implement an IDS: attack signature recognition and anomaly detection.
Using attack signature recognition, an IDS uses a database with known attack patterns (or attack signatures) and an engine that uses this database to detect and recognize attacks. The database can either be local or remote. In either case, the quality of the IDS is only as good as the database with its attack patterns and the engine that makes use of this database. The situation is comparable to that of antivirus software (i.e., the database must be updated on a regular basis).
Using anomaly detection, an IDS uses a database with a formal representation of "normal" (or "normal-looking") user activities and an engine that makes use of this database to detect and recognize attacks. For example, if a user almost always starts up his or her e-mail user agent after having successfully logged onto a system, the IDS's engine may get suspicious if he or she starts a Telnet session to a trusted host first. The reason for this activity may be an attacker misusing the account to gain illegitimate access to a remote system. Again, the database can either be local or remote, and the quality of the IDS is as good as the database and its statistical material.
Again, it is possible to combine both technologies in an IDS. More information about intrusion detection technologies and IDSs that
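To make the two technologies concrete, here is an added example (not code from the book) of a toy IDS that runs both engines over the same audit trail: a signature engine that matches a small constructed database of attack patterns against each raw event, and an anomaly engine that implements the text's own illustration, i.e. it flags a user whose first program after login is one that almost never appears in that user's behaviour profile. The event format, the signatures, the "normal" profile and the sample log are all constructed for the example; the 5% threshold is an assumption.

```python
"""Toy IDS combining attack-signature recognition and anomaly detection.

Added example, not from the book. Event format, signature database, user
profile, threshold and sample log are all constructed for illustration.
"""
import re

# --- Signature engine: constructed database of (name, pattern over the raw event).
SIGNATURES = [
    ("root-login-failure", re.compile(r"user=root action=login result=fail")),
    ("path-traversal-argument", re.compile(r"arg=\S*(\.\./){2,}")),
]

# --- Anomaly engine: constructed profile of "normal" behaviour. For each user,
# how often each program was the first one started after a successful login.
NORMAL_PROFILE = {
    "alice": {"mail": 47, "editor": 3},
    "bob": {"telnet": 20, "mail": 10},
}
ANOMALY_THRESHOLD = 0.05   # assumption: below 5% of past sessions is suspicious


def parse(line):
    """Turn a 'k=v k=v ...' audit line into a dict; malformed lines yield None."""
    fields = {}
    for tok in line.split():
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        fields[key] = value
    return fields if "user" in fields and "action" in fields else None


def signature_engine(line):
    """Return the names of all signatures that match the raw event text."""
    return [name for name, rx in SIGNATURES if rx.search(line)]


class AnomalyEngine:
    """Flags an unusual first program after login, per user, against a profile."""

    def __init__(self, profile, threshold):
        self.profile = profile
        self.threshold = threshold
        self.awaiting_first_cmd = set()   # users who just logged in

    def observe(self, ev):
        user = ev["user"]
        if ev["action"] == "login" and ev.get("result") == "ok":
            self.awaiting_first_cmd.add(user)
            return None
        if ev["action"] == "exec" and user in self.awaiting_first_cmd:
            self.awaiting_first_cmd.discard(user)
            history = self.profile.get(user)
            if not history:
                return None          # no baseline for this user: cannot judge
            prog = ev.get("cmd", "")
            freq = history.get(prog, 0) / sum(history.values())
            if freq < self.threshold:
                return (f"{user} started {prog} first after login "
                        f"(seen in {freq:.0%} of past sessions)")
        return None


def run_ids(lines):
    """Feed every line to both engines; return (kind, detail, line) alerts in order."""
    anomaly = AnomalyEngine(NORMAL_PROFILE, ANOMALY_THRESHOLD)
    alerts = []
    for line in lines:
        for sig in signature_engine(line):
            alerts.append(("signature", sig, line))
        ev = parse(line)
        if ev is None:
            continue                 # unparsable line: signatures still ran above
        msg = anomaly.observe(ev)
        if msg:
            alerts.append(("anomaly", msg, line))
    return alerts


# Constructed sample audit trail.
SAMPLE_LOG = [
    "t=1 user=alice action=login result=ok",
    "t=2 user=alice action=exec cmd=mail",
    "t=3 user=root action=login result=fail",
    "t=4 user=bob action=login result=ok",
    "t=5 user=bob action=exec cmd=telnet",
    "t=6 user=alice action=login result=ok",
    "t=7 user=alice action=exec cmd=telnet",
    "t=8 user=bob action=exec cmd=cat arg=../../../etc/passwd",
]

if __name__ == "__main__":
    for kind, detail, line in run_ids(SAMPLE_LOG):
        print(f"[{kind}] {detail}  <- {line}")
```

Note how the two engines fail differently: the signature engine misses anything absent from its database (it says nothing about alice's unusual Telnet session), while the anomaly engine says nothing about bob's Telnet session because Telnet is normal for bob, and cannot judge a user it has no profile for. That asymmetry is why the text observes that the two can be combined.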
[4] http://www.iss.net/
[5] http://www.nessus.org/
[6] http://www.ietf.org/html.