Executive Perspectives

Intrusion Detection:
Reducing Network Security Risk
—continued

by Recourse Technologies
[December 24, 2001]

The Cost of Compromise
  • Businesses spent $300 billion fighting hackers and computer viruses in 2000

  • 5.7 percent to 7 percent of a company's annual revenue lost in "Economic Leakage"

  • 90 percent of Fortune 500 companies detected breaches

  • 70 percent serious, average loss $2 million

  • Incidents up 300 percent in 2 years
In 2001, computer crime and security reports indicated that companies recognized an increase in financial loss as a result of Internet-based attacks.

In some cases, it can take an intruder less than a minute to break into a company Intranet via the Internet. Yet, finding out what the attacker actually did can take an average of more than 34 hours of in-depth systems analysis. With the right security tools implemented within the network infrastructure, this time could be considerably reduced and corrective action taken before any serious damage is inflicted.

Firewalls: Essential, But Not Impervious
Firewalls are the first line of defense for your network, but they should not be considered a "silver bullet" by any means. No single product is. Firewalls provide a basic level of security when deployed on the network perimeter and throughout the infrastructure. Almost all companies that are serious about their businesses have invested in and deployed firewall technology. But still, over 90 percent of Fortune 500 companies have detected breaches even with firewalls deployed. The fact is that all firewalls are open to compromise and can be externally attacked or bypassed in a number of ways. For example, an attacker can exploit firewall misconfigurations, circumvent the firewall by dialing through the PBX, launch Denial of Service (DoS) attacks on specific services, use Trojan horses and tunneling, and even launch buffer overflow attacks to gain root access on the firewall. Because internal attacks account for over 70 percent of incidents on a network, firewalls must also be deployed internally around critical networked assets to lower the risk associated with intrusion. Again, these internal firewalls can be circumvented or exploited by internal attackers.

Firewalls can be considered the gatekeepers of the network, but they are limited in the protection they deliver. Their biggest downfall is the fact that most firewalls do not inspect the content of the packets they pass. To inspect the contents of these packets, your company must add an intrusion detection layer to your security implementation. Intrusion detection systems help identify an attack at an early stage, giving organizations faster incident analysis and more time to respond to the incident and deploy mechanisms to prevent further occurrences.

A Case For Intrusion Detection
Intrusion Detection Systems (IDS) are a complementary solution to firewall technology. An IDS that has sensors both inside and outside the firewall can help determine whether the firewall is configured and operating properly. An IDS also recognizes attacks against the network that firewalls are unable to see.

IDSes fall into four main categories:
  • Traditional Network-Based IDS (NIDS)
  • Traditional Host-Based IDS (HIDS)
  • Hybrid IDS
  • Deception systems

Traditional Network-Based IDS (NIDS) use network cards in promiscuous mode, looking at every packet that passes on the network. A typical network IDS consists of one or more sensors and a console to aggregate and analyze data from the sensors. Deployment is easier and more manageable than a host-based IDS solution, but once installed, some network IDSes miss attacks because they cannot keep up with high volumes of network traffic and/or they generate an unmanageable number of alerts due to false positives, making a real attack difficult to identify. False positives are alerts generated by legitimate activity, when in fact no attack is taking place. When a company is repeatedly hit with false positives, it begins to ignore its alerting system and the data it collects, rendering the system potentially useless. False positives are a constant challenge for most organizations.

Traditional Host-Based IDS (HIDS) watch the processes running inside the host and monitor log files and data for suspicious activity. Some host-based IDSes operate independently. In other systems, each host-based IDS may report to a master system that centralizes the evaluation and response mechanisms, which is helpful in large enterprise deployments. As with most host-based solutions, platform availability and coverage make this a difficult solution to manage, and the lack of packet inspection capabilities leaves systems open to network attack.
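The log-monitoring half of a host-based IDS is simple enough to show end to end. The following is an added example, not code from the article or from Recourse Technologies: it parses a handful of constructed Linux-style authentication log lines (the hostnames, addresses and timestamps are made up) and applies three host-level rules: a burst of failed logins from one address, a successful login from an address that had just been failing, and a privileged read of a sensitive file via sudo. The single failed login by "alice" followed by a success is deliberately left unalerted, the kind of everyday mistyped password that a looser rule would turn into a false positive.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article); format mimics a Linux auth.log.
SAMPLE_AUTH_LOG = """\
Dec 24 09:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Dec 24 09:00:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 40123 ssh2
Dec 24 09:00:05 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 40124 ssh2
Dec 24 09:00:07 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 40125 ssh2
Dec 24 09:00:09 web01 sshd[2101]: Accepted password for root from 203.0.113.9 port 40126 ssh2
Dec 24 09:15:00 web01 sshd[2200]: Failed password for alice from 192.0.2.44 port 51000 ssh2
Dec 24 09:15:20 web01 sshd[2200]: Accepted password for alice from 192.0.2.44 port 51001 ssh2
Dec 24 09:30:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# syslog prefix: "<Mon> <day> <HH:MM:SS> <host> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w/-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

SENSITIVE_FILES = ("/etc/shadow",)  # constructed watch list; extend to taste


def analyze_auth_log(text, fail_threshold=3, window_seconds=60, success_lookback=300):
    """Return a list of (rule, subject, detail) alerts for the given log text."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failed logins
    flagged = set()               # ips already reported for brute force (report once)
    alerts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a syslog-shaped line; a real HIDS would count these too
        # Year is absent from the syslog prefix; only differences between timestamps matter here.
        ts = datetime.strptime(f"{m['month']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        msg = m["msg"]

        f = FAILED_RE.search(msg)
        if f:
            ip = f["ip"]
            # Sliding window: keep only failures that fall inside the last window_seconds.
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            failures[ip].append(ts)
            if len(failures[ip]) >= fail_threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip,
                               f"{len(failures[ip])} failed logins within {window_seconds}s"))
            continue

        a = ACCEPT_RE.search(msg)
        if a:
            ip = a["ip"]
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= success_lookback]
            # A success preceded by a burst of failures is the interesting case;
            # one failure then a success is an ordinary typo and stays silent.
            if len(recent) >= fail_threshold:
                alerts.append(("login_after_brute_force", ip,
                               f"user {a['user']} accepted after {len(recent)} failures"))
            continue

        s = SUDO_RE.search(msg)
        if s and any(path in s["cmd"] for path in SENSITIVE_FILES):
            alerts.append(("sensitive_file_access", s["user"], s["cmd"].strip()))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in analyze_auth_log(SAMPLE_AUTH_LOG):
        print(f"{rule:24} {subject:16} {detail}")
```

Running the block on the sample prints one brute-force alert and one login-after-brute-force alert for 203.0.113.9, plus the sudo read of /etc/shadow, and nothing for alice's single mistyped password. The thresholds and window are the tuning knobs the article warns about: lowering `fail_threshold` to 1 would turn alice's line into exactly the kind of false positive that trains operators to ignore the console.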

Hybrid IDS combines host-based IDS with network IDS technologies. Hybrid IDSes are system based and provide attack recognition on the network packets flowing to or from a single host. Hybrid systems do not inspect every packet that goes by (unlike a network-based IDS), so they do alleviate some of the performance degradation issues of traffic analysis. Hybrid IDSes provide additional protection by monitoring a system's events, data, directory, and registry for attack. Again, platform availability and deployment problems are an issue. Hybrid IDSes are traditionally system resource intensive, but are less susceptible to false positives than network-based IDS.

Deception Systems, or "honeypots" as they are more commonly known, provide an additional level of security within the network infrastructure. Deception system data is usually more valuable because both false positives and false negatives are reduced. Deception systems can be considered a "set and forget" IDS sensor composed of a single system or network of devices whose sole purpose is to capture unauthorized activity. This means any packet entering or leaving a deception system is suspect by nature. This simplifies the data capture and analysis process and provides valuable information on the motives of an attacker.
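The contrast between the NIDS false-positive problem described earlier and the "any packet to a decoy is suspect" rule of a deception system can be made concrete by scoring both against the same traffic. The following is an added example, not code from the article or from Recourse Technologies. All addresses, payloads and the signature list are constructed: two production servers, one decoy address, a handful of flows with a ground-truth label that only the scorer sees, and a deliberately naive content-signature sensor. It goes slightly beyond the text by also scoring the union of the two sensors, since the article presents them as complementary.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: str
    legitimate: bool  # ground truth used only for scoring; a sensor never sees this field


# Constructed addresses (not from the article): two production servers and one decoy.
PRODUCTION_ADDRS = {"10.0.0.10", "10.0.0.11"}
HONEYPOT_ADDRS = {"10.0.0.250"}

# Constructed traffic sample: normal traffic, one attack on a production web server,
# a documentation request that merely mentions a sensitive path, and a scan that
# also touches the decoy.
SAMPLE_FLOWS = [
    Flow("203.0.113.9", "10.0.0.10", 80, "GET /cgi-bin/../../etc/passwd HTTP/1.0", False),
    Flow("192.0.2.44", "10.0.0.10", 80, "GET /docs/unix-files.html?q=/etc/passwd HTTP/1.0", True),
    Flow("192.0.2.44", "10.0.0.11", 25, "MAIL FROM:<alice@example.com>", True),
    Flow("203.0.113.9", "10.0.0.250", 22, "SSH-2.0-scanner", False),
    Flow("203.0.113.9", "10.0.0.250", 80, "GET / HTTP/1.0", False),
    Flow("192.0.2.80", "10.0.0.11", 80, "GET /index.html HTTP/1.0", True),
    Flow("198.51.100.7", "10.0.0.10", 80, "GET /index.html HTTP/1.0", True),
]

# Content strings a signature-based NIDS might match on (constructed and deliberately naive).
SIGNATURES = ("/etc/passwd", "cmd.exe", "../..")


def nids_alerts(flows):
    """Signature NIDS: alert on any packet whose content matches a known attack string."""
    return [f for f in flows if any(sig in f.payload for sig in SIGNATURES)]


def honeypot_alerts(flows):
    """Deception sensor: every packet to or from a decoy address is suspect by definition."""
    return [f for f in flows if f.src in HONEYPOT_ADDRS or f.dst in HONEYPOT_ADDRS]


def combined_alerts(flows):
    """Union of both sensors, preserving flow order and avoiding duplicates."""
    seen = set(nids_alerts(flows)) | set(honeypot_alerts(flows))
    return [f for f in flows if f in seen]


def score(alerts, flows):
    """Count true positives, false positives and missed attacks for one sensor's output."""
    alerted = set(alerts)
    tp = sum(1 for f in alerted if not f.legitimate)
    fp = sum(1 for f in alerted if f.legitimate)
    fn = sum(1 for f in flows if not f.legitimate and f not in alerted)
    return {"true_positives": tp, "false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    sensors = (("nids", nids_alerts), ("honeypot", honeypot_alerts), ("combined", combined_alerts))
    for name, sensor in sensors:
        print(f"{name:9}", score(sensor(SAMPLE_FLOWS), SAMPLE_FLOWS))
```

On this sample the signature sensor catches the real traversal attempt but also fires on the harmless documentation request (a false positive) and never sees the scan of the decoy because nothing in those payloads matches a signature. The deception sensor produces no false positives, since nothing legitimate ever talks to the decoy, but it also cannot see the attack against the production server, which is why the article positions honeypots as an additional layer rather than a replacement. The union catches every attack in the sample at the cost of the one false positive inherited from the NIDS.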

A common misconception surrounding deception systems is that, because they lure attackers in, the evidence collected may not be able to be used to prosecute the attacker. The reality is that deception systems are not active lures and they do not advertise themselves. A hacker can only find a deception host by running specific reconnaissance tools used to compromise systems on a network.
