Preliminary Analysis


What Needs Protection?

Before purchasing expensive intrusion detection tools, you should determine which resources need protection. After performing such an analysis, you will probably realize that it does not make any sense to spend money on a system that you like but that offers functions you can handle easily enough using organizational measures and built-in security mechanisms. Each organization has its own specific resources that need protecting. However, you can generally divide these resources into the following categories:

  • File servers

  • Database servers

  • Telecommunication servers

  • Routers

  • Firewalls and other perimeter protection tools

  • Web, FTP, and mail servers

  • Workstations that process critically important information (for example, in banking systems)

Even a simple listing of critically important resources is very helpful when you need to choose the right technology for intrusion detection for their optimal protection. For example, when it comes to securing file servers, integrity control tools are of primary importance, since they allow you to trace unauthorized file changes. For routers, network-level intrusion detection systems are of the highest priority. Table 9.1 lists the most common categories of important resources, along with the corresponding optimal intrusion detection technologies to be used to protect them.

Table 9.1. The Most Common Intrusion Detection Technologies and Their Areas of Application

Resources                                        | Intrusion detection technologies
-------------------------------------------------|----------------------------------------------
File servers                                     | Integrity control systems
                                                 | OS-level intrusion detection systems
Database servers                                 | DBMS-level intrusion detection systems
                                                 | OS-level intrusion detection systems
                                                 | DBMS-level security scanners
Telecommunication servers                        | Network-level intrusion detection systems
                                                 | OS-level intrusion detection systems
                                                 | Network-level security scanners
Routers                                          | Network-level intrusion detection systems
Firewalls and other perimeter protection tools   | Network-level intrusion detection systems
                                                 | OS-level intrusion detection systems
                                                 | Network-level security scanners
                                                 | OS-level security scanners
Web, FTP, and mail servers                       | Application-level intrusion detection systems
                                                 | Network-level intrusion detection systems
                                                 | OS-level intrusion detection systems
                                                 | Integrity control systems
                                                 | Network-level security scanners
                                                 | OS-level security scanners
Workstations                                     | OS-level intrusion detection systems

Protection against What?

Simply put, from attacks and misuse. However, as we showed in Chapter 2, there are too many types of unauthorized actions. Purchasing a system that offers protection against all types of attack is not very reasonable - even if such systems existed. Because of this, you need first and foremost to analyze the attacks most likely to be directed at your resources. For example, suppose that you need to secure an application server running Windows NT/2000. In this case, you delegate the detection of network intrusions to a network-level intrusion detection system installed in the same network segment. This immediately narrows the range of possible attacks on your server. Thus, you need to select an OS-level intrusion detection system that analyzes log files or user activities. You must make sure, in this case, that the system you choose supports Windows NT-based systems. By performing this type of brief assessment, you will be able to reduce the number of possible systems to two or three products, thus simplifying the selection process and reducing the expenses that you would otherwise incur by purchasing a system that performs functions or supports operating systems that are not applicable in your environment.

Protection against Whom?

Ask a layman this question, and the most common answer will be "hackers." Without delving into terminological details, the vast majority are of the opinion that the main threat to system security comes in the form of external intruders, who penetrate the computer networks of banks or military organizations, intercept control of satellites, etc. This somewhat paranoid attitude is generated by the mass media, which has recently published a large number of reports about hackers and the threats associated with them. There is no question that this danger is real, so it should not be underestimated. However, it must not be overestimated either. Let us consider the statistical data that were provided in Chapter 2. These figures show that 70-80% of all registered cases of computer crime are internal security policy violations, meaning that they involve current or former company employees.

If someone on the outside has managed to find a security breach in the information system of some company or organization, they can penetrate the corporate network via this security hole and access financial data or information on the company's development plans. Generally, such intruders do not know what to do next, due to the fact that they are not professionals in the company's field of activities or research area. Thus, it is simply impossible to make any use of these megabytes and gigabytes of information. An intruder exploiting access vulnerabilities often just gets confused, not knowing what information is of real value and what is useless garbage.

The situation is different for a company's employees, who understand the situation and are able to assess the value of specific information realistically. Often, these are employees who have been granted privileges that are not necessary for them to do their jobs.

"Why would my employees want to steal from me?" is a question that arises for many managers in this situation, and the answers to the question can vary. The most common causes arise from disappointment with their position or salary, hidden dissatisfaction, envy, etc. Employees who feel that they are under-appreciated or underpaid have committed computer crimes resulting in tremendous losses for their companies. One example is an internal intruder involved in the well-known case of an attack on the Citibank network. Such cases, however, are often ignored in published reports of the incident, or are considered to be unimportant. Another common scenario involves an employee who is fired from a company and develops a plan to get revenge. If the employee had significant access rights and privileges, he or she is able to inflict significant damage on the company after leaving. If the employee's user account is not deleted, he or she will be able to access company resources for his or her own purposes. In the least harmful cases, the employee will use the company's resources without carrying out any destructive actions. For example, dismissed employees using company accounts to access the Internet are a common occurrence. This is generally the result of the administrator neglecting to change the password for the account used by the employee to perform his or her duties. Often, no one even notices that the former employee is continuing to use the company's Internet account, which is simply a minor financial loss for the firm. In one case, however, the company went bankrupt and could not pay the bills from its ISP. The ISP began to investigate the traffic and thus detected the security policy violation.

The most dangerous departed employees are those who were granted administrative privileges while still working for the company and had access to a wide range of information. Generally, these are technical personnel who worked in the IT or network communications departments. These people usually know all of the passwords to the systems used within the organization. If these people decide to use their knowledge and technical skills for negative purposes, the company can experience some very serious problems. These intruders are very knowledgeable and skilled, and therefore hard to detect. Because of the factors listed above, when designing your security infrastructure, it is necessary to consider protection against both internal and external intruders. You should always keep in mind that traditional security mechanisms (such as firewalls or authentication servers) are oriented toward the detection of external, not internal, intruders.
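As an added example (not from the book), the following Python script shows the kind of OS-level log analysis the chapter recommends, applied to the departed-employee problem just described: it cross-checks successful logins in an authentication log against a list of last working days and reports every login that happens after the person left. The log line format, usernames, hosts, addresses and dates are all constructed for this example; a real deployment would feed it the log format of the system being monitored and the departure list from HR.

```python
"""Flag logins by accounts whose owners have already left the company.

Added example (not from the book): a minimal OS-level log analysis of the kind
the chapter recommends. It cross-checks successful logins in an authentication
log against an HR list of last working days. The log line format, usernames,
hosts, addresses and dates are all constructed for this example.
"""
import re
from datetime import date

# Constructed HR departure list: username -> last working day.
DEPARTED = {
    "jsmith": date(2001, 3, 15),
    "admin_kb": date(2001, 2, 1),
}

# Constructed sample authentication log (syslog-like, one event per line).
SAMPLE_LOG = """\
2001-03-10 08:02:11 host1 login: ACCEPTED user=jsmith from=10.0.0.5
2001-03-20 22:41:03 host1 login: ACCEPTED user=jsmith from=203.0.113.7
2001-03-21 09:00:00 host1 login: ACCEPTED user=mlee from=10.0.0.9
2001-03-22 01:15:44 proxy1 login: FAILED user=admin_kb from=198.51.100.2
2001-03-22 01:16:02 proxy1 login: ACCEPTED user=admin_kb from=198.51.100.2
this line is not in the expected format and is skipped
"""

# Pattern for the constructed log format above.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"login: (?P<result>ACCEPTED|FAILED) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["date"] = date.fromisoformat(rec["date"])
    return rec


def find_departed_logins(log_text, departed):
    """Return successful logins by a departed user after their last working day."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "ACCEPTED":
            continue
        last_day = departed.get(rec["user"])
        if last_day is not None and rec["date"] > last_day:
            rec["days_after_departure"] = (rec["date"] - last_day).days
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in find_departed_logins(SAMPLE_LOG, DEPARTED):
        print(f"{a['date']} {a['host']}: departed user {a['user']} logged in "
              f"from {a['src']} ({a['days_after_departure']} days after leaving)")
```

Only ACCEPTED events are reported, because a failed attempt against a departed account is a different (and weaker) signal; the two alerts the sample produces are exactly the "account never deleted, password never changed" situation the chapter describes, and the same departure list can be used to verify that every listed account has actually been disabled.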

The answer to this question will enable you to determine appropriate priorities in detecting external and internal attacks. By the way, the answer to the question formulated at the beginning of this chapter as to the tasks to be solved will also enable you to determine the most important direction in which to apply your efforts. For example, if your company's main activity is e-commerce (such as Internet shopping), you should concentrate on external attacks.

How to Protect?

Although this question appears to be simple, it is much harder to answer than it seems. You can, if you like, simply rely on the claims made by developers of security systems and just purchase a system, install it, and then go on working without giving the subject any more thought. If you feel your company can afford it, then why not? However, the proper usage of the tools at hand is just as important as your choice of tools in the first place. Worldwide organizations now deploy complex protection systems, which are organized in several stages. The first stage - information system investigation - is the most important. At this stage, it is necessary to figure out the most likely threats from which you need to protect the company. Here you should build a so-called "intruder model," which describes the characteristics of the most probable intruder, including skill level, tools utilized for implementing specific attacks, the typical time his or her activities will take, etc. From this profile, you can determine the answers to the questions posed earlier in this chapter: "Why do you need protection, and from whom?"

At this stage, you can also identify and analyze possible ways of implementing attacks, and evaluate the probability of these attacks and the potential damage that might be caused by them. Based on the results of this analysis, you will be able to develop recommendations for the elimination of detected threats, providing the opportunity to select and use the most effective protection tools. Before proceeding to the next stage, it makes more sense to use tools already at your disposal than to purchase expensive security systems. For example, if you have a powerful router as part of your network, it might make more sense to use its built-in security functions than to purchase a firewall.

Alongside analyzing existing technologies, you must also develop organizational documentation, which will provide a legal basis for security services and information security departments when performing a whole range of security and protection measures, including interacting and cooperating with external organizations in order to bring intruders to court. The result of the measures taken at this stage should be the development of your organization's security policy. Upper management must then approve this security policy, including aspects related to intrusion detection.

The next step in building a complex information security system is the purchase, installation, and customization of the security tools and mechanisms chosen during the previous stage. These include tools for protecting information against unauthorized access, cryptographic systems, firewalls, security scanners, and so on.

To ensure the correct and efficient use of the security tools that you install, your staff must be properly trained. To ensure this, you must train all employees working in your security service and information security departments, and make sure that they possess all of the practical skills required to detect and prevent security threats using the security tools you have purchased. Determining who will operate the intrusion detection system also narrows the range of available alternatives. If you cannot assign an operator for tracking alerts in real-time mode, you should choose a system that allows you to perform an autonomous analysis.

However, even when this has been done, the process of ensuring your security is not yet over. Both hardware and software become outdated as new versions of security products appear, the list of known vulnerabilities and attacks is growing constantly, technologies used for information processing continue to evolve, and both software and hardware are becoming more and more advanced. At the same time, normal staff turnover means that some employees leave, and are replaced by new ones.

Because of this, it is necessary to revise your organizational documents on a regular basis. From time to time, it is necessary to investigate the information system and/or its subsystems to train new employees and to update security tools. By following the sequence of actions for building a complex information security system described above, you will be better able to ensure the necessary level of protection for your automated system.

What Tools Should Be Used for Protection?

The answers to the first four questions (what, from what, from whom, and how to protect) will enable us to narrow the range of available products that will meet our purposes. The appropriate options will generally consist of two or three systems, which will significantly simplify the process of making a decision, as well as speed up the testing process. Table 9.1 lists technologies that can be used to secure vital resources in the corporate network. Although you are free to choose any of these technologies, be aware that what appears to be the most obvious choice is not always the best. For example, suppose that you need to protect a file server. Here, an integrity control system would seem to be the most appropriate for your needs. However, imagine that stored files are changing every second. Any time such an event takes place, the integrity control system will check to determine whether the change is authorized. This will result in a significant degradation of the file server's performance. In the most extreme case, the integrity control system will end up consuming 100 percent of the server's resources, preventing users from accessing the server. In this event, it makes more sense to use an OS-level intrusion detection system, or to reduce the number of files whose integrity is to be checked by the integrity control system. Similar examples can be provided for other technologies.
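The file-server trade-off above is easy to see in code. The following Python integrity checker is an added example (not from the book): it records a SHA-256 baseline of a directory tree and later reports added, removed and modified files, and it takes a list of volatile subpaths that are left out of the monitored set, which is the "reduce the number of files whose integrity is to be checked" option the chapter suggests for shares whose contents change every second. The directory layout in demo() is constructed in a temporary directory for this example.

```python
"""Integrity control over a bounded set of files.

Added example (not from the book): a small integrity checker that records a
SHA-256 baseline of a directory tree and later reports added, removed and
modified files. To address the file-server case discussed above, where some
files change every second, it accepts a list of volatile subpaths to leave out
of the baseline. The directory layout in demo() is constructed in a temporary
directory for this example.
"""
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def is_excluded(rel_path, exclude):
    """True if rel_path is an excluded path or lies under an excluded directory."""
    return any(rel_path == ex or rel_path.startswith(ex.rstrip("/") + "/") for ex in exclude)


def build_baseline(root, exclude=()):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_excluded(rel, exclude):
            continue
        baseline[rel] = file_sha256(p)
    return baseline


def compare(old, new):
    """Report differences between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: a share with a volatile tmp/ area and a docs/ area."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "tmp").mkdir()
        (root / "docs").mkdir()
        (root / "docs" / "policy.txt").write_text("policy v1")
        (root / "docs" / "old.txt").write_text("to be removed")
        (root / "tmp" / "scratch.dat").write_text("churn 1")

        # tmp/ changes constantly, so it is excluded from the monitored set.
        baseline = build_baseline(root, exclude=("tmp",))

        # Simulated activity between two checks.
        (root / "tmp" / "scratch.dat").write_text("churn 2")   # ignored
        (root / "docs" / "policy.txt").write_text("policy v2")  # modified
        (root / "docs" / "old.txt").unlink()                    # removed
        (root / "docs" / "new.txt").write_text("new file")      # added

        current = build_baseline(root, exclude=("tmp",))
        return {"monitored": sorted(baseline), "changes": compare(baseline, current)}


if __name__ == "__main__":
    print(demo())
```

The cost of each check is proportional to the total size of the monitored set, so the exclusion list is what keeps the checker from becoming the performance problem the chapter warns about; the volatile area is then left to an OS-level intrusion detection system, as the chapter suggests, rather than to integrity control.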




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152