Ids Unit-3

The document outlines the importance of intrusion detection systems (IDS) and their alignment with business and security strategies, emphasizing compliance with regulatory bodies. It discusses the costs associated with IDS deployment, including infrastructure, residual, and support costs, and the methods for justifying these costs through return on investment calculations. Additionally, it details the process for acquiring and managing IDS, including vendor selection, testing, and deployment in distributed environments.

Uploaded by

Sharanya Avudari

JUSTIFYING INTRUSION DETECTION
UNIT-3
INTRUSION DETECTION IN SECURITY
• If the company deals with personal health information, it may need to
comply with HIPAA privacy requirements; if it is a financial institution,
it will need to deal with its regulator, for example the Office of Thrift
Supervision (OTS) at the time this material was written (the OTS was
abolished in 2011 and its functions transferred to the Office of the
Comptroller of the Currency, so check which regulator currently applies).
These regulatory bodies are likely to be part of the organization's
strategy and will have an impact on your intrusion detection and
prevention strategy.
• After gaining a solid understanding of business strategy, the
organization must determine whether this strategy fits with its
security strategy.
• Attack type It is important that you are able to collect data on the
number and type of attacks that threaten your organization. Although
this number changes over time, at any given moment it helps determine
which areas of your security program need bolstering and which areas
already have sufficient controls in place.
• Probability of detection This lets the organization create a metric for
the fraction of real attacks that were correctly detected during a specific
time frame (attacks detected divided by attacks known to have occurred).
It is a direct measurement of your IDS capabilities and of the fine tuning
that may be needed.
• Correlation abilities This helps you determine your ability to correlate
information from other systems, such as firewalls, with the current IDS
and IPS data to detect attacks. Correlation is very effective, especially
for detecting "low-and-slow" attacks, where each system on its own sees
only activity that looks like noise.
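Correlation of the kind described in the last bullet, as an added example that is not part of the original slides: firewall deny lines and IDS alert lines (both constructed, in an assumed syslog-like format) are parsed, sources that probe many ports too slowly for an ordinary per-minute scan threshold are flagged, and a source that also appears in the IDS alerts is escalated. The thresholds are illustrative assumptions.

```python
"""Correlate firewall deny logs with IDS alerts to surface a low-and-slow scan.

Added example, not from the original slides or any vendor.  The log formats,
IP addresses and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data: one source probes six ports over six hours (too slow
# for a burst threshold), another hits one port twice within a second.
FIREWALL_LOG = """\
2024-03-01T00:05:12 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-01T01:17:44 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2024-03-01T02:33:09 DENY src=203.0.113.7 dst=192.0.2.10 dport=80
2024-03-01T04:01:58 DENY src=203.0.113.7 dst=192.0.2.10 dport=443
2024-03-01T05:40:21 DENY src=203.0.113.7 dst=192.0.2.10 dport=3306
2024-03-01T06:12:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=8080
2024-03-01T03:10:00 DENY src=198.51.100.9 dst=192.0.2.10 dport=445
2024-03-01T03:10:01 DENY src=198.51.100.9 dst=192.0.2.10 dport=445
"""

IDS_ALERTS = """\
2024-03-01T06:30:15 ALERT sid=2001 msg="WEB-MISC probe" src=203.0.113.7 dst=192.0.2.10
2024-03-01T03:10:02 ALERT sid=2002 msg="SMB brute force" src=198.51.100.9 dst=192.0.2.10
"""

FW_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+) ALERT sid=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+)$')


def parse_firewall(text):
    """Return (timestamp, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def parse_ids(text):
    """Return (timestamp, sid, msg, src, dst) tuples for IDS alert lines."""
    alerts = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, sid, msg, src, dst = m.groups()
            alerts.append((datetime.fromisoformat(ts), int(sid), msg, src, dst))
    return alerts


def detect_low_and_slow(events, min_ports=5, min_span_hours=3.0, max_per_hour=2.0):
    """Flag sources that touched many distinct ports over a long window at a
    rate low enough (<= max_per_hour) that a per-minute burst threshold, the
    usual portscan rule, would never fire."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in events:
        by_src[src].append((ts, dport))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        ports = {p for _, p in hits}
        span_h = (hits[-1][0] - hits[0][0]).total_seconds() / 3600
        if len(ports) < min_ports or span_h < min_span_hours:
            continue
        rate = len(hits) / span_h
        if rate > max_per_hour:
            continue  # fast enough that ordinary rate-based rules catch it
        findings[src] = {"distinct_ports": len(ports),
                         "span_hours": round(span_h, 2),
                         "rate_per_hour": round(rate, 2)}
    return findings


def correlate(findings, alerts):
    """Join firewall findings with IDS alerts on source address.  A source
    seen by both systems is escalated: each alone looks like noise."""
    report = []
    for src, detail in findings.items():
        related = [a for a in alerts if a[3] == src]
        report.append({"src": src, **detail,
                       "ids_alerts": len(related),
                       "severity": "high" if related else "medium"})
    return report


def analyse(fw_text=FIREWALL_LOG, ids_text=IDS_ALERTS):
    return correlate(detect_low_and_slow(parse_firewall(fw_text)), parse_ids(ids_text))


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

Running it reports only 203.0.113.7: six distinct ports over about six hours at under one deny per hour, plus one IDS alert from the same source, so it is rated high. The second source trips nothing here because it hit a single port; it is the kind of burst an ordinary rate rule already handles.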
IDS Deployment Costs
• When considering costs, it is important that you evaluate three areas:
the infrastructure cost, the residual costs, and the support costs
• Infrastructure costs are the costs in setting up the actual IDS/IPS
system. You will need to determine what hardware and software you
will need, what consulting services you may need, and the number of
hours needed to install the hardware and software and deal with
network connectivity issues. Another important factor to consider is
the cost of educating the technical staff on the proper use of the
product. Even if staff members educate themselves, a non-trivial cost still
falls on the company, because some other project is not getting done
while the staff learn to use the product.
• Residual costs include extra cabling, more bandwidth,
and new networking hardware. Finally, you must
consider the support costs related to keeping the IDS/IPS
up and running. This will include hardware and software
upgrades and time spent on analysis and responding to
events, upgrading and tuning the systems, and basic
administration. In determining these costs, you may find
it helpful to talk with organizations of similar size and
with similar security needs.
RETURN ON INVESTMENT
Justifying the Cost
• Soft return on investment (SROI) Bases the decision on
fear, uncertainty, and doubt (FUD); unfortunately, a
surprising number of security decisions are made this
way.
• Hard return on investment (HROI) Bases the decision
on quantifiable data that will help determine the real
business value of the product.
• Determination of the HROI can be accomplished by finding
the annual loss expectancy (ALE). Start with the single loss
expectancy (SLE): the expected impact of a specific one-time
event on the organization, usually expressed in monetary terms.
The SLE is the asset value (AV) multiplied by the exposure factor
(EF), the fraction of the asset's value lost in one occurrence. It is
usually derived from formal documentation on business impact or
a business impact analysis (BIA), and it is an estimate, not a
precise number.
• Once the SLE has been determined, the annual rate of
occurrence (ARO) of the event should be determined: how often
the event is expected to occur, expressed per year. This data can
be derived from industry research or from your own attack
metrics. For example, a threat that occurs once every three years
has an ARO of 1/3 or 0.33, while a threat happening five times in
a year has an ARO of 5/1 or 5.0. To arrive at the ALE, use the
following formula: Single Loss Expectancy (SLE) X Annual
Rate of Occurrence (ARO) = ALE
• The ALE can be used to justify the need for intrusion detection and
prevention. For example, let's say you want to protect a mission-
critical server that holds customer data. If damaged or destroyed,
the server itself is valued at $5,000, but the loss of information and
reputation could be valued at $10,000,000. You have determined
that the exposure factor for this asset is 70 percent, so the SLE is
about $10,000,000 X 0.70 = $7,000,000 (the $5,000 hardware value
disappears in the rounding), and the ARO is once every three years,
or 0.33. Using the formula, ALE = SLE X ARO = $7,000,000 X 0.33 =
$2,310,000 per year. From this information, management can
determine whether it is justifiable to implement a $500,000 IDS or
IPS system to protect this asset.
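The SLE/ARO/ALE chain above, carried through to the cost side the earlier cost slides describe, as an added example that is not part of the original slides. The risk figures repeat the worked example; the split of the $500,000 system into infrastructure, residual and yearly support costs, the three-year lifetime and the 90 percent control effectiveness are assumptions made for illustration. An IDS does not reduce the ALE to zero, so the comparison is between the loss it avoids per year and its annualized cost.

```python
"""Annualized loss expectancy (ALE) and the cost side of an IDS decision.

Added example, not from the original slides.  The risk figures repeat the
worked example on the slides; the cost breakdown, lifetime and control
effectiveness are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass
class RiskScenario:
    asset_value: float       # AV: dollar value at risk if the event occurs
    exposure_factor: float   # EF: fraction of AV lost in one occurrence
    aro: float               # ARO: expected occurrences per year

    def sle(self):
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annual loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class ControlCost:
    infrastructure: float    # one-time: hardware, software, consulting, install
    residual: float          # one-time: cabling, bandwidth, network gear
    annual_support: float    # per year: upgrades, tuning, analyst time
    lifetime_years: int

    def annualized(self):
        """Spread one-time costs over the lifetime and add yearly support."""
        return (self.infrastructure + self.residual) / self.lifetime_years + self.annual_support


def ale_avoided(scenario, effectiveness):
    """Loss avoided per year if the control stops this fraction of events."""
    return scenario.ale() * effectiveness


def rosi(scenario, cost, effectiveness):
    """Return on security investment: (ALE avoided - annual cost) / annual cost."""
    annual = cost.annualized()
    return (ale_avoided(scenario, effectiveness) - annual) / annual


def breakeven_effectiveness(scenario, cost):
    """Fraction of events the control must stop just to pay for itself."""
    return cost.annualized() / scenario.ale()


# Numbers from the slides: $10M information/reputation value, EF 70 percent,
# one event every three years.  The $5,000 hardware is dropped as on the slides.
SERVER = RiskScenario(asset_value=10_000_000, exposure_factor=0.70, aro=0.33)
# Assumed breakdown of the $500,000 system quoted on the slides.
IDS = ControlCost(infrastructure=350_000, residual=150_000,
                  annual_support=100_000, lifetime_years=3)

if __name__ == "__main__":
    print(f"SLE ${SERVER.sle():,.0f}  ALE ${SERVER.ale():,.0f}/yr")
    print(f"Annualized IDS cost ${IDS.annualized():,.0f}/yr")
    print(f"ROSI at 90% effectiveness: {rosi(SERVER, IDS, 0.9):.2f}")
    print(f"Break-even effectiveness: {breakeven_effectiveness(SERVER, IDS):.1%}")
```

With these assumptions the system costs about $267,000 a year once support is included, and it only needs to stop about 12 percent of the expected events to break even; the break-even figure is the number to argue about with management, since the effectiveness estimate is the least certain input.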
Acquisition
• 1. Define your organization’s requirements.
• 2. Research the IDS/IPS products.
• 3. Select a vendor’s product to test.
• 4. Test the product.
• 5. Select the product.
Requirements
• Detect denial-of-service (DoS) attacks
• Detect attacks against your web server
• Detect attacks against routers or firewalls
• Increase forensic capabilities
• Be able to handle evasion techniques
Research
• High sensor stability and integrity
• Counteract attack evasion
• Attack recognition with maximum real traffic stress
• Comprehensive detection without discarding traffic or missing attacks
• Inline mode detection
Vendor Selection
• Financial stability If a company is not financially secure enough to be
around for the next few years, you may want to look somewhere else.
• Service What services does the vendor offer? How is the service you
have received so far? How willing are they to help you with your
unique needs?
• Reputation A company’s reputation is important. Ask colleagues in the
industry about how they have been treated by the company.
Testing
• Verify the vendor's claims
• Provide insight into the implementation
• Test performance
• At the beginning of this process, you should determine what you want to
measure. The following is a common list of measurable attributes, which may
vary depending on your organization’s circumstances:
• The number of false positives
• The number of positive detections
• Packets per second
• Attack variety
• Attack diagnosis
• Network impact
Selection
• The final step is to make a selection based on the
requirements, research, and testing that has occurred. This
information can be put into a matrix similar to the
requirements matrix discussed earlier
Managing Intrusion Detection
• This section will cover some other important issues in managing a
successful intrusion detection and prevention program: deployment
and managing in a distributed environment.
Deployment
• Once an intrusion detection or prevention technology has been
selected, it is time for implementation of the technology. The basic
steps to a successful implementation are
• 1. Having a well-planned policy
• 2. Installing the software
• 3. Planning for and hiring staff resources
Managing in a Distributed
Environment
• Managing a decentralized environment has the advantage of
a less complicated setup that can be managed locally, and
information can be communicated with the other locations
as needed. However, in a decentralized environment, the
cost of more equipment, difficulties in data correlation,
inconsistent management across the enterprise, and
operational inefficiencies may prove to be disadvantages.
Managing on a centralized basis, in most cases, is a better
solution in a distributed environment.
• Another issue to consider is communication across a
distributed environment. With one location in Lisbon, Portugal,
and another in Chicago, how do you send large amounts of
highly sensitive data, such as agent activity with IP addresses
and server names, across securely and efficiently? One way
to do this is to use the native communications built into the
IDS. It may be possible to transmit this information over a
private line, such as a T1 line, depending on your company's
capabilities. When a private line is not available, you can use
a virtual private network (VPN). Note that a leased line isolates
the traffic but does not encrypt it, so the IDS's own encrypted
transport or a VPN is still worth using over it.
Threat Briefing
– Threat agents---criminals, terrorists, subversive or secret groups, state sponsored,
disgruntled employees, hackers, pressure groups, commercial groups
– Capability---software, technology, facilities, education and training, methods,
books and manuals
– Threat inhibitors---fear of capture, fear of failure, level of technical difficulty, cost
of participation, sensitivity to public perception, law enforcement activity, target
vulnerability, target profile, public perception, peer perception
– Threat amplifiers---peer pressure, fame, access to information, changing high
technology, deskilling through scripting, skills and education levels, law enforcement
activity, target vulnerability, target profile, public perception, peer perception
– Threat catalysts---events, technology changes, personal circumstances
– Threat agent motivators---political, secular, personal gain, religion, power, terrorism,
curiosity
Top ten Database Security
Threats
• 1. Excessive Privilege Abuse---users are granted database access privileges that exceed the
requirements of their job function; e.g., a university administrator whose job requires only the
ability to change student contact information may take advantage of excessive database update
privileges to change grades
• 2. Legitimate Privilege Abuse ---- Users may abuse legitimate database privileges for unauthorized
purposes; e.g. a rogue health worker who is willing to trade patient records for money
• 3. Privilege Elevation---Attackers may take advantage of database platform software vulnerabilities
to convert access privileges from those of an ordinary user to those of an administrator.
Vulnerabilities may be found in stored procedures, built-in functions, protocol implementations, and
even SQL statements
• 4. Database Platform Vulnerabilities--- Vulnerabilities in underlying operating systems (Windows
2000, UNIX, etc.) and additional services installed on a database server may lead to unauthorized
access, data corruption, or denial of service.
• 5. SQL Injection--- a perpetrator typically inserts (or “injects”) unauthorized database statements
into a vulnerable SQL data channel. Using SQL injection, attackers may gain unrestricted access to an
entire database
• 6. Weak Audit Trail--- A weak database audit policy represents a serious
organizational risk on many levels: regulatory risk, loss of deterrence, and
weakened detection and recovery
• 7. Denial of Service (DoS)--- access to network applications or data is denied
to intended users
• 8. Database Communication Protocol Vulnerabilities--- e.g., Four out of seven
security fixes in the two most recent IBM DB2 FixPacks address protocol
vulnerabilities; similarly, 11 out of 23 database vulnerabilities fixed in the
most recent Oracle quarterly patch relate to protocols
• 9. Weak Authentication--- allowing attackers to assume the identity of
legitimate database users by stealing or otherwise obtaining login credentials
• 10. Backup Data Exposure--- Backup database storage media is often
completely unprotected from attack. As a result, several high profile security
breaches have involved theft of database backup tapes and hard disks
Ten web threats
• 1. Bigger, Subtler DDoS Attacks---Distributed Denial of Service Attacks
• 2. Old Browsers, Vulnerable Plug-Ins---e.g., browser vulnerabilities and,
more frequently, the browser plug-ins that handle Oracle's Java and
Adobe's Flash and Reader.
• 3. Good Sites Hosting Bad Content---in VOHO watering hole attack, attackers
infected legitimate financial and tech industry websites in Massachusetts
and Washington, D.C., commonly accessed by their intended victims
• 4. Mobile Apps And The Unsecured Web--- bring-your-own-device
movement has led to a surge in consumer-owned devices inside corporate
firewalls
• 5. Failing To Clean Up Bad Input---e.g., since 2010, SQL injection has held
the top spot on the Open Web Application Security Project's list of top 10
security vulnerabilities (injection stayed first in the 2013 and 2017 lists
and moved to third in the 2021 list)
• 6. The Hazards Of Digital Certificates--- a series of hacks against certificate
authorities gave attackers the tools they needed to issue fraudulent SSL
certificates that could disguise a malicious website as a legitimate one
• 7. The Cross-Site Scripting Problem--- An attacker going after a banking site
with a cross-site scripting vulnerability could run a script for a login box on the
bank's page and steal users' credentials.
• 8. The Insecure 'Internet Of Things'--- Routers and printers, videoconferencing
systems, door locks and other devices are now networked via Internet
protocols and even have embedded Web servers. In many cases, the software
on these devices is an older version of an open source library that's difficult
• 9. Getting In The Front Door--- Automated Web bots scrape from Web pages
information that can give a competitor better intelligence on your business.
• 10. New Technology, Same Problems--- People click links all day long -- people
are pretty trained to think that clicking a link on the Web is safe.
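SQL injection, named as database threat 5 above and again as web threat 5, as an added example that is not part of the original slides: a lookup built by string formatting beside the parameterized form, both run against a constructed in-memory SQLite table so the difference is observable. The table, rows and payloads are all constructed.

```python
"""SQL injection: a query built by string formatting beside the parameterized
form.  Added example, not from the original slides; the table, rows and
payloads are constructed for illustration.
"""
import sqlite3


def make_db():
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """User-supplied text is pasted into the SQL data channel, so quotes in
    it become part of the statement.  This is the defect, kept on purpose."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The driver sends the value separately from the statement; whatever the
    user types is compared as data and never parsed as SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


# Constructed payloads: the first defeats the WHERE clause, the second uses
# UNION to pull a column the query never exposed (the SQL comment marker --
# discards the trailing quote the template appends).
BYPASS = "' OR '1'='1"
DUMP = "x' UNION SELECT username, password_hash FROM users --"


def demo():
    """Run both lookups with a normal name and with the two payloads."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "alice"),
        "bypass_vulnerable": lookup_vulnerable(conn, BYPASS),
        "bypass_parameterized": lookup_parameterized(conn, BYPASS),
        "dump_vulnerable": sorted(lookup_vulnerable(conn, DUMP)),
        "dump_parameterized": lookup_parameterized(conn, DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The first payload turns a one-row lookup into every row in the table; the second returns password hashes through a query that only ever selected username and role, which is the "unrestricted access to an entire database" the database-threat list warns about. The parameterized version returns nothing for either payload, because the whole string is compared as a username.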
Major Security Threats on Information
Systems
• 1. Intrusion or Hacking---gaining access to a computer system without the
knowledge of its owner---Methods: poor implementation of shopping carts,
hidden fields in HTML forms, client-side validation scripts, direct SQL
attacks, session hijacking, buffer overflows via form input, port scans
• 2. Viruses and Worms--- programs that stop computer systems from working
properly--- polymorphic viruses, stealth viruses, tunneling viruses, virus
droppers, cavity viruses
• 3. Trojan Horse--- These programs have two components: one runs as a
server on the victim and the other as a client used by the attacker. Uses
include data integrity attacks, stealing private information from the target
system, logging keystrokes and making them viewable to the attacker, and
sending private local files as an email attachment.
• 4. Spoofing---fooling other computer users into thinking that the source of
their information is a legitimate user---IP spoofing, DNS spoofing
• 5. Sniffing---used by attackers to capture login IDs
and passwords off the wire. tcpdump and snoop are
well-known examples of sniffing tools.
• 6. Denial of Service---The main aim of this attack is
to bring down the targeted network and make it
deny service to legitimate users. To carry out a DoS
attack, people do not need to be experts; a flood
from the simple ping command is enough.
