Information resources are deployed in an asymmetric threat environment. Your information assets are at risk whether they are being transmitted or are at rest. How can an individual or organization protect its electronic information?
One way is to make "intrusion detection" part of a comprehensive information security plan. Intrusion detection systems (IDS) also assist in discovering and documenting attacks on an information infrastructure. The role of an intrusion detection system is to sound an alert when an "incident" or intrusion occurs; an intrusion prevention system (IPS) goes one step further and blocks the offending traffic inline. A well-instrumented IDS also gives the asset owner the evidence needed to decide which threats to mitigate and which vulnerabilities to close, but it does not close them by itself.
Intrusion detection systems are automated hardware or software applications designed to monitor network communications, hosts, or both, and to detect attempts to gain unauthorized access to information infrastructure resources. A network-based IDS does its work by analyzing the raw packets that move over a computer network, while a host-based IDS examines system logs, file integrity and process activity; in either case the system looks for anomalous or unauthorized activity and raises an alert. Deciding what to block on the basis of that alert is the job of an IPS, a firewall, or an operator.
Unauthorized intrusions may come from external or internal sources. Outsiders can turn to the Internet where the number of tools that are available to malicious users continues to expand. Insiders who wish to gain unauthorized access already have proximity to your assets.
Top-of-the-line intrusion detection systems should also be capable of documenting an attack while it is in progress. Ideally, an intrusion detection system would be active and adaptive. An implementation that not only discovers unauthorized access but also blocks or redirects it while the attack is happening is an intrusion prevention system, and it must sit inline with the traffic rather than on a passive tap. Larger deployments use distributed "sensors", one per monitored network segment, reporting to a central console. In many products the sensors also expose an SNMP (Simple Network Management Protocol) "managed agent" and send alerts as SNMP traps, which lets the network management station maintain situational awareness of the "state" of each monitored segment.
Intrusion detection systems are important because “perfect intrusion” would occur without your knowledge. An intruder could get into your system, steal “confidential information” and the asset owner could be totally unaware that the data had been compromised. The likelihood that an organization would be unprepared to cope with the effects of an intrusion is very high if a comprehensive intrusion detection plan or program is lacking.
Typically, an IDS sensor is placed at the perimeter of a network or at the entry point to a network segment, where it receives a copy of the traffic from a switch mirror (SPAN) port or a network tap. The sensors are normally managed through a central console, and the detection engine applies two kinds of logic: signature rules that match known attack patterns, and anomaly rules that flag "out-of-place" behavior relative to a baseline. When either fires, the IDS notifies the responsible parties that a possible security breach has been detected.
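The two paragraphs above describe a sensor that reads traffic and applies both signature and anomaly rules. The following is an added example of that logic and is not code from the original article. It works over constructed connection records rather than live packets (a real sensor would receive those from a mirror port or tap); the record format, the two signatures, the sample log lines and the port-scan threshold are all assumptions chosen for illustration:

```python
"""
Minimal IDS sensor: signature matching plus a rate-based anomaly rule.
Added illustration only; record format, signatures and thresholds are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str    # "signature" or "anomaly"
    src: str     # source address that triggered the alert
    detail: str  # human-readable explanation for the responsible party


# Constructed sample flow log: "<unix-ts> <src> <dst> <dport> <payload-snippet>".
# Line 2 carries a SQL-injection tautology; 203.0.113.7 touches 11 ports in 4 s.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.168.1.10 80 GET /index.html
1700000001 10.0.0.5 192.168.1.10 80 GET /login.php?user=admin' OR '1'='1
1700000002 203.0.113.7 192.168.1.10 21 -
1700000002 203.0.113.7 192.168.1.10 22 -
1700000002 203.0.113.7 192.168.1.10 23 -
1700000003 203.0.113.7 192.168.1.10 25 -
1700000003 203.0.113.7 192.168.1.10 80 -
1700000003 203.0.113.7 192.168.1.10 110 -
1700000004 203.0.113.7 192.168.1.10 143 -
1700000004 203.0.113.7 192.168.1.10 443 -
1700000004 203.0.113.7 192.168.1.10 445 -
1700000005 203.0.113.7 192.168.1.10 3389 -
1700000005 203.0.113.7 192.168.1.10 8080 -
1700000006 10.0.0.9 192.168.1.10 80 GET /about.html
"""

# Signature rules (assumed for illustration): a name and the pattern it matches.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]

# Anomaly rule: one source contacting at least PORT_SCAN_THRESHOLD distinct
# destination ports within PORT_SCAN_WINDOW seconds is treated as a port scan.
PORT_SCAN_THRESHOLD = 10
PORT_SCAN_WINDOW = 5


def parse_line(line):
    """Split one flow record into (ts, src, dst, dport, payload)."""
    ts, src, dst, dport, payload = line.split(" ", 4)
    return int(ts), src, dst, int(dport), payload


def detect(log_text):
    """Run signature and anomaly detection over the records; return alerts in order."""
    alerts = []
    recent = defaultdict(list)   # src -> [(ts, dport), ...] inside the window
    scan_reported = set()        # sources already reported, to avoid alert storms

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = parse_line(line)

        # Signature detection: known attack pattern in the payload.
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append(Alert("signature", src, f"{name} to {dst}:{dport}"))

        # Anomaly detection: sliding window of distinct ports per source.
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= PORT_SCAN_WINDOW]
        recent[src].append((ts, dport))
        ports = {p for _, p in recent[src]}
        if len(ports) >= PORT_SCAN_THRESHOLD and src not in scan_reported:
            scan_reported.add(src)
            alerts.append(Alert("anomaly", src,
                                f"{len(ports)} distinct ports on {dst} within {PORT_SCAN_WINDOW}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        # A real sensor would forward this to the console, syslog, or an SNMP trap.
        print(f"[{alert.kind}] src={alert.src} {alert.detail}")
```

The signature rule catches an attack it has seen before; the anomaly rule catches behavior that no signature describes, at the cost of a threshold that must be tuned to the segment's normal traffic. Both produce an alert record, not a block, which is the line between an IDS and an IPS drawn above.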
An intrusion detection plan should also have an "incident response" component in place: the processes and procedures to be followed when an intrusion is discovered are specified in advance, not improvised during an incident. The IDS should also supply the infrastructure owner with the information needed to document the specific details of the intrusion, such as timestamps, source and destination addresses, and the captured packets or log entries that triggered the alert.
The International Organization for Standardization (ISO) publishes standards that specify controls for a wide variety of processes. Intrusion detection is addressed in ISO/IEC 17799, since renumbered as ISO/IEC 27002 within the ISO/IEC 27000 series of information security standards. Intrusion detection practices and controls should be adopted in the organization's official information security plan.
An excellent intrusion detection system can assist information infrastructure owners in maintaining the confidentiality, integrity and availability of their digital assets and help to avoid future attacks.