(Page 5 of 10)
Intrusion Detection and Honey Pots
You explored the topic of Intrusion Detection, learning that the two types of IDS are network-based (NIDS) and host-based (HIDS):
Most IDS work by pattern-matching traffic against known attack signatures and taking action when a match is found. Network-based IDS (NIDS) watches all packets it has access to on the network, which excludes packets that may be isolated from the NIDS location by switches or routers, so you may have to deploy NIDS on multiple subnets to cover all segments of interest on your network.
Disadvantages include that a cracker can avoid detection by a NIDS by communicating over a VPN or SSL, since the NIDS cannot decrypt the traffic and analyze it, and that some NIDS can be forced into ignoring traffic through flooding. A NIDS can use either Active Detection (reconfiguring a router, breaking suspicious network connections, shutting down services) or Passive Detection (logging the event, notifying the administrator, sending an SMTP alert, displaying an on-screen message) when an intrusion is detected.
Host-based IDS (HIDS) watches for events on the hosts on which it is installed, including network traffic in and out of the host, changes to system files, etc.
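The following is an added example (not from CertiGuide) of the signature-matching model described above: a toy NIDS sensor that checks constructed packet records against a small illustrative signature set, skips traffic it cannot read (the VPN/SSL limitation), and shows the difference between passive (log-only) and active (block the source) responses. The signatures, packet contents and addresses are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative signatures: (name, pattern over raw payload, severity).
# A real sensor would load a maintained rule set instead of these three.
SIGNATURES = [
    ("http-path-traversal", re.compile(rb"\.\./\.\./"), "medium"),
    ("sql-tautology", re.compile(rb"(?i)'\s*or\s*'1'\s*=\s*'1"), "high"),
    ("shell-probe", re.compile(rb"/bin/sh"), "high"),
]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    encrypted: bool = False  # True for TLS/VPN traffic the sensor cannot inspect


@dataclass
class Alert:
    signature: str
    severity: str
    src: str
    dst: str
    dport: int


def inspect(packet):
    """Return the alerts raised for one packet.

    Encrypted payloads are passed through untouched: the sensor has no key,
    so (as the text notes) a NIDS is blind to VPN/SSL traffic.
    """
    if packet.encrypted:
        return []
    alerts = []
    for name, pattern, severity in SIGNATURES:
        if pattern.search(packet.payload):
            alerts.append(Alert(name, severity, packet.src, packet.dst, packet.dport))
    return alerts


def run_sensor(packets, mode="passive"):
    """Inspect every packet and return (alerts, actions).

    passive: every match is only logged.
    active:  high-severity matches additionally produce a 'block <src>'
             action, standing in for breaking the connection or
             reconfiguring a router.
    """
    alerts, actions, blocked = [], [], set()
    for pkt in packets:
        for alert in inspect(pkt):
            alerts.append(alert)
            actions.append(
                f"log {alert.signature} {alert.src}->{alert.dst}:{alert.dport}"
            )
            if mode == "active" and alert.severity == "high" and alert.src not in blocked:
                blocked.add(alert.src)
                actions.append(f"block {alert.src}")
    return alerts, actions


# Constructed sample traffic (addresses and payloads are made up).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.7", "10.0.0.80", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.81", 8080, b"user=' OR '1'='1"),
    # TLS record header followed by ciphertext: unreadable to the sensor.
    Packet("10.0.0.9", "10.0.0.80", 443, b"\x16\x03\x01\x00\x2f\x8a\x11", encrypted=True),
]

if __name__ == "__main__":
    for mode in ("passive", "active"):
        _, actions = run_sensor(SAMPLE_PACKETS, mode)
        print(f"--- {mode} ---")
        for line in actions:
            print(line)
```

Note that the fourth packet comes from the same source as the SQL probe but produces nothing: once the traffic is wrapped in TLS, only a host-based sensor on the endpoint (next paragraph) has a chance of seeing the plaintext.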
Host-based IDS can also use Active Detection or Passive Detection. An advantage of host-based IDS is that unlike NIDS, it can potentially see the contents of SSL and VPN conversations involving that host, because the traffic is decrypted at some point on the host.
You discovered that honey pots are decoy systems (or networks) set up to look interesting to crackers, typically mimicking a real system that would interest them; honey pots may be used purely as a research tool or an active defense against intrusions into systems that your organization really cares about.
You explored incident response, the group of activities performed in response to a perceived computer security incident; activities may be defensive (such as securing the network) or offensive (such as investigating the incident and alerting law enforcement). The six key steps in incident response are:
When a threat is detected, the first thing to do is to secure the area; DO NOT power down any computers involved, but do make sure that they are not touched by random system administrators by unplugging network connections, locking keyboards, terminals, etc. Be careful not to change any evidence as that can affect a legal case. After securing the area, report the incident to upper management; they need to know when intrusions have occurred, particularly if financial aspects of the business may have been affected.
You next explored security baselines, which are minimum standards that set appropriate security controls, suitable for most organizations in normal circumstances. (You may use pre-established baselines such as the SANS Gold Standard, or define your own, specific to your organization, if its needs are unique.) Baselines may include both technical and operational standards, with the idea that application of these guidelines will substantially decrease the risk of the organization being attacked. When establishing baselines, consider vendor-provided standards, what others in the industry are doing to harden their networks, and specific issues related to your organization. Test before deploying, since tightening security often breaks applications that expect looser security settings, and you want to know about, and address, those situations in advance.
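A baseline only helps if you can measure hosts against it. The following is an added example (not from CertiGuide, and not the SANS Gold Standard) of a small compliance checker: it parses a constructed sshd_config-style excerpt and reports every setting that deviates from a baseline of required values. The baseline values here are illustrative choices for the demonstration, not a recommendation taken from the page.

```python
# Baseline: directive -> (check, required value).
#   "eq"  : value must equal the required string
#   "max" : numeric value must not exceed the required number
# These directive names exist in OpenSSH's sshd_config; the chosen
# values are constructed for this example.
BASELINE = {
    "PermitRootLogin": ("eq", "no"),
    "PasswordAuthentication": ("eq", "no"),
    "MaxAuthTries": ("max", 4),
    "X11Forwarding": ("eq", "no"),
}


def parse_config(text):
    """Turn 'Key value' lines into a dict; comments and blanks are ignored,
    and the first occurrence of a key wins, as sshd itself does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_baseline(settings, baseline=BASELINE):
    """Return a list of (directive, required, actual) for every deviation.
    A directive absent from the config is reported too, because the
    effective default is then whatever the vendor chose, not the baseline."""
    findings = []
    for key, (kind, required) in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, required, None))
        elif kind == "eq" and actual.lower() != str(required).lower():
            findings.append((key, required, actual))
        elif kind == "max":
            try:
                if int(actual) > required:
                    findings.append((key, required, actual))
            except ValueError:
                findings.append((key, required, actual))
    return findings


# Constructed sample: a host that has drifted from the baseline.
SAMPLE_CONFIG = """
# constructed excerpt, not a real host's configuration
Port 22
PermitRootLogin yes          # should be no
PasswordAuthentication no
MaxAuthTries 6               # baseline allows at most 4
"""

if __name__ == "__main__":
    for key, required, actual in check_baseline(parse_config(SAMPLE_CONFIG)):
        print(f"{key}: required {required!r}, found {actual!r}")
```

Running such a check in report-only mode before pushing a hardened configuration is the "test before deploying" step the text describes: you learn which hosts and applications will be affected before any setting is tightened.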
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.