Training Personnel


The mechanisms employed in intrusion detection infrastructures, regardless of how powerful and efficient they are, are useless if your personnel are not able to use them correctly. Employees must know how to choose the appropriate security tool, evaluate it, install it, and put it into operation. The majority of attacks implemented by intruders with computer skill of the same level as should be easy to detect. However, if you are dealing with an expert hacker, the situation is a lot more difficult. Fig. 7.1 shows the chances you have of tracing the intruder depending on his or her skills, and on the skill level of the security personnel. If the security specialists are more skilled and knowledgeable than the intruder is, then you have a good chance of detecting the intruder. Otherwise, this task becomes rather complicated, if it is possible at all. If the security administrator and the intruder have equal qualifications, everything depends on chance: the one who makes a mistake first usually loses.

Fig. 7.1. Chances of tracing an intruder based on the qualifications of the security personnel

An efficient intrusion detection system will most likely be able to detect an attack implemented by expert hackers. However, only trained and qualified security specialists will be able to understand system messages and take efficient measures to counteract the intruder. Therefore, it is rather important to ensure that employees responsible for intrusion detection are well trained and adequately prepared to detect intrusions, gather proof, investigate incidents, and react to them appropriately. According to the latest data, there are currently about 50,000 vacancies for security specialists in the U.S., and this number is constantly growing. One of the reasons for this is the rapid growth of the number of hacker attacks. John Gunn, the director of the Regional Computer Forensic Laboratory, gives an even more pessimistic forecast: "The need for specialists in the field of computer crime is growing exponentially" [Chen1-00]. This problem is especially important for the various governmental structures responsible for the safety of citizens and upholding the law. Most such organizations have special departments responsible for investigating computer security incidents but, even so, the lack of qualified specialists is catastrophic. Most universities and training centers have already reacted to this growing need. By the way, highly qualified IS professionals receive quite generous salaries (at least according to the data provided by the SANS Institute (http://www.sans.org) [SANS2-00]).

As was mentioned earlier, the process of completely automating intrusion detection systems is currently still in the realm of dreams rather than reality. In nearly all cases where an intruder is traced, security administrators use manual methods of intrusion detection, or customized programs that extend the capabilities of the security system. Because of this, manual methods of intrusion detection are still very important and were covered in detail in Chapters 4 and 5. According to the mass media, the U.S. Navy has assigned several experts to control network activities and detect intrusions not only based on data collected by security tools, but also on their own practical experience and intuition.

It is vital to educate and train your system's users (everyone who accesses your data, systems and networks). This training can be organized in-house by your own organization, by third-party consultants, or through services provided by specialized training centers. The training can take any form, including lectures, seminars (including online seminars on the Internet), role-playing and others. In the course of the training, normal users (those not specializing in information) have to master, in addition to aspects such as correct password selection and the general concepts of the security policy adopted by your organization, the following topics:

  • What to expect when an external or internal intruder implements an attack

  • How to identify suspicious activity, and whom to inform of it

  • What to do to decrease the potential damage to the information, systems and networks caused by an attack

Before you start the training process, which can involve significant expense, you should perform your own evaluation of the level of skills and qualifications of the personnel that will operate your intrusion detection infrastructure. If your employees lack the required qualifications, it is important to interview the candidates for training and ask them what they need and expect to get from the training. Although this advice might seem absurd at first glance, it makes sense and provides an opportunity to achieve the best results with minimum expense, as it allows you to evaluate the level of knowledge of your employees correctly. Analyze the information that you have collected and develop a training program on aspects of information security, including intrusion detection strategies and procedures. Such a program should be divided into at least two parts, the first of which is oriented toward general users, while the second is intended for security specialists. After the program has been developed, apply it in practice and train your employees. Among other things, the training should be mandatory for all newly hired employees and encompass all aspects of the employee's functions and duties.

The CSC Will Train the Pentagon's Personnel 

By the end of 2001, the Pentagon had signed an $86.7-million contract with the Computer Science Corporation (CSC) to train its personnel in the field of working with cyber-security tools. The CSC training course will cover a wide range of topics, including intrusion detection and the investigation of cyber crime. 35 CSC trainers will teach the course over a period of eight years.

It is also important to check the level of efficiency and preparedness of your personnel in performing actions required to ensure the security of your information. For this reason, it is necessary to organize regular training courses to improve the qualifications of your employees by modeling situations that are likely to arise in reality. This will help you to ensure that your employees know their duties and will be able to take adequate measures in critical situations.




Protect Your Information with Intrusion Detection
Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
Year: 2001
Pages: 152
