To effectively implement any intrusion detection, the system being used to control access to data must be able to identify and authenticate users. This also implements the simplest form of intrusion prevention (users must log on), and is the foundation of auditing. Both NIDS (Network Intrusion Detections systems) and HIDS (Host Intrusion Detections systems) can be implemented.
The initial step in implementing a successful IDS is to create a baseline of normal traffic. This reduces the likelihood of false positives. An IDS that is designed to detect anomalous behavior is known as a behavior‐based IDS. An IDS that works by using a library of signatures (similar to how the majority of anti‐virus software functions) is categorized as a knowledge‐based IDS.
The design and architecture of the network is critical to the successful implementation of an IDS due to the effects of collision domains across the network. The optimum placement of network‐based IDSs remains in more than a science.
Incident Handling
The term incident is defined as any irregular or adverse event that occurs to any part of the organization. Some examples of possible incidents include:
▪ Compromise of system integrity
▪ Denial of system resources
▪ Illegal access to a system (either a penetration or an intrusion)
▪ Malicious use of system resources,
▪ Any kind of damage to a system.
Some possible scenarios for security incidents are:
1 Any strange process running and accumulating a lot of CPU time.
2 Discovering an intruder logged into a system.
3 Discovering malware has infected the system.
4 Being alerted to a remote site as it is attempting to penetrate the system.
The steps involved in handling a security incident are categorized into six stages:
1 Protection of the system
2 Identification of the problem
3 Containment of the problem
4 Eradication of the problem
5 Recovering from the incident
The actions taken in some of these stages are common to all types of security incidents.
Attackers are not terribly considerate and attacks may occur at any time of the day or night in our permanently connected Internet world. In the case of targeted attacks, an attacker is more likely to attack the site during the organizations off hours (including weekends and public holidays).
It is important to know how long it will take the staff to respond. Earlier in the book we covered time based security. It takes a system administrator 24 hours to respond on a weekend it is unlikely that they will stop an attack. It is also likely that the attacker will have sufficient time to be able to destroy evidence or cover‐up their attack.
Both time and distance are important considerations when considering incident response. Where it is unlikely that the primary contact will be able to respond within a reasonable time frame, a secondary contact must be called in addition to the initial person. It is the responsibility of the employees on the incident call list to establish whether they are able to respond to the incident within an acceptable time frame.
Another important consideration is the press. If a member of the press obtains information concerning a security incident, it is likely that an attempt to gather further information concerning
the incident will be made. Worse, they will attempt to obtain this information from personnel on site. These personnel are likely to be involved in responding to the incident when the press calls. Not only does this interrupt the incident process, but providing information to the wrong individuals can have detrimental side effects.
Keep a Log Book
Logging of information is critical in any situation that could end up in court. Any incident has the potential to end up in a criminal trial. At the beginning of an incident the implications remain unknown and the only discovered during the course of the investigation (if at all). A written log should be maintained for all security incidents that are being investigated. This notebook should be kept in a location that is not generally accessible to others and in a format that is not easily altered (i.e. do not take notes using a pencil). Log book should be maintained at least for the minimum statutory period.
Manually written logs are preferable since on‐line logs can be altered or deleted. The types of information that should be logged are:
▪ Dates and times of incident‐related phone calls.
▪ Dates and times when incident‐related events were discovered or occurred.
▪ Amount of time spent working on incident‐related tasks.
▪ People you have contacted or have contacted you.
▪ Names of systems, programs or networks that have been affected.
Inform the Appropriate People
It is important that the appropriate people are informed as soon as an incident is determined. What is more important though is to have a list of these people prior to the incident. Preparation is important.
It is also important to be able to contact people quickly. This means keeping the phone numbers and contact details of key contacts and ensuring that alternate contacts are defined.
Follow‐up Analysis
Post‐incident response is just as important as the procedures used to determine and respond to the incident. Once the incident has been dealt with and systems have been restored to a satisfactory condition (ideally being in a normal mode of operation) a post‐mortem analysis can occur in order to discover what went wrong.
All involved parties (or a delegate from each group) should be present at a meeting to discuss the actions that were taken during the incident. This should culminate in the creation of a lessons learnt document. Where necessary, existing procedures should be evaluated and modified.
The outcome of this process should include a set of recommendations that should be presented to the suitable management representatives. The security incident report needs to be written and distributed to the appropriate parties.