MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Intrusion Detection and Prevention Systems
Management of Information Security, 5th Edition, © Cengage Learning

Intrusion Detection and Prevention Systems
IDPSs combine tried-and-true detection methods from intrusion detection systems (IDSs) with the capability to react to changes in the environment, which comes from intrusion prevention technology.
Because most modern products in this category can both detect and prevent, the term IDPS is generally used to describe these devices or applications.

Intrusion Detection and Prevention Systems (IDPS)
When an IDPS detects a violation it activates an alarm, which can be audible and visible (noise and lights) or silent (a message sent to a monitoring entity).
Systems that include intrusion prevention technology attempt to stop the attack from succeeding by one of the following means:
Stopping the attack by terminating the network connection or the attacker's user session
Changing the security environment by reconfiguring network devices (firewalls, routers, and switches) to block access to the targeted system
Changing the attack's content to make it benign, for example by removing an infected file attachment from an e-mail before it reaches the recipient
Because prevention acts on traffic in line, a false positive here does not merely generate noise: it blocks legitimate connections or sessions, so prevention rules need a lower false-positive rate than detection-only rules.

IDPSs
All IDPSs require complex configuration to provide the appropriate level of detection and response.
These systems are either network based, to protect network information assets, or host based, to protect server or host information assets.
IDPSs use one (or, in many products, both) of two detection methods: signature based or statistical anomaly based.

IDPS (figure)

Host-Based IDPS
A host-based IDPS runs on the protected system and is configured with the categories of system and data files it should watch (for example, which files must never change) and which events matter for each category.
Unless the IDPS is very precisely configured, benign actions such as patching, log rotation, and routine administration can generate a large volume of false alarms.
During routine operation the system alerts on only a few urgent conditions and records only exceptions.
A host-based IDPS deployment can monitor multiple computers simultaneously by placing an agent on each host and collecting their reports centrally.

Network-Based IDPS
Network-based IDPSs monitor network traffic and, when a predefined condition occurs, notify the appropriate administrator.
The network-based IDPS looks for patterns in network traffic.
Network IDPSs must match known and unknown attack strategies against their knowledge base to determine whether an attack has occurred.
These systems yield many more false-positive readings than host-based IDPSs do, because they try to infer from the traffic pattern alone what is normal and what is not, without visibility into what actually happened on the end system.
A network sensor also sees only what it can decode: traffic inside TLS is opaque to it unless the sensor sits behind the point where the encryption is terminated.

Signature-Based IDPS
A signature-based (knowledge-based) IDPS examines data traffic for anything that matches its signatures, which are preconfigured, predetermined attack patterns.
The problem with this approach is that the signatures must be continually updated as new attack strategies emerge; an attack for which no signature exists is invisible to it.
Another weakness of this method is the time frame over which attacks occur.
If attackers are slow and methodical, they may slip through undetected, because their actions will not match a signature that includes a duration factor (for example, "N failed logins within T seconds").

Anomaly-Based IDPS
An anomaly-based (behavior-based) IDPS first collects data from normal traffic and establishes a baseline.
It then periodically samples network activity and compares the samples to the baseline.
When activity falls outside the baseline parameters (the clipping level), the IDPS notifies the administrator.
The advantage of this approach is that it can detect new types of attack, because it looks for any abnormal activity rather than for known patterns.
Unfortunately, these IDPSs require significant processing capacity, because they must constantly compare activity to the baseline.
They may also miss small changes to system variables, and they can generate many false-positive warnings; a baseline recorded while an attacker was already active will treat that activity as normal.
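The two detection methods described above, as an added example that is not from the textbook: a signature rule with a duration factor and a statistical baseline with a clipping level, both run over the same constructed stream of login events. The event stream, the baseline counts, the IP addresses, the thresholds and the window sizes are all made up for the demonstration; the point is the trade-off, not the numbers.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed login events: (seconds since start, source IP, outcome). Not real data.
EVENTS = []
EVENTS += [(t, "10.0.0.5", "FAIL") for t in range(0, 12, 2)]        # fast attacker: 6 failures in 10 s
EVENTS += [(t, "10.0.0.9", "FAIL") for t in range(0, 900, 90)]      # slow attacker: 1 failure every 90 s
EVENTS += [(30, "10.0.0.20", "FAIL"), (45, "10.0.0.20", "FAIL"),
           (60, "10.0.0.20", "OK")]                                 # benign user: two typos, then success
EVENTS += [(t, "10.0.0.31", "FAIL") for t in (100, 130, 170, 200)]  # benign user after a password change
EVENTS += [(230, "10.0.0.31", "OK")]
EVENTS.sort()

# Constructed baseline: failed logins per source per 15-minute window during normal operation.
BASELINE = [0, 0, 1, 0, 2, 0, 1, 0, 0, 1, 0, 3, 0, 1, 0, 0]


def signature_detect(events, threshold=5, window=60):
    """Knowledge-based rule: alert on >= threshold failures from one source within `window` seconds.

    The window is the 'duration factor' of the signature: an attacker who spaces
    attempts further apart than the window never accumulates enough hits to match.
    """
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    alerts = set()
    for t, src, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(src)
    return alerts


def clipping_level(baseline, k=3.0):
    """Baseline parameter: mean plus k standard deviations of the normal per-window counts."""
    return mean(baseline) + k * pstdev(baseline)


def anomaly_detect(events, baseline, bucket=900, k=3.0):
    """Behavior-based rule: alert on any (source, window) whose failure count exceeds the clipping level.

    Catches the slow attacker that the signature misses, but also flags the benign burst.
    """
    level = clipping_level(baseline, k)
    counts = defaultdict(int)
    for t, src, outcome in events:
        if outcome == "FAIL":
            counts[(src, t // bucket)] += 1
    return {src for (src, _), n in counts.items() if n > level}


if __name__ == "__main__":
    print("signature :", sorted(signature_detect(EVENTS)))          # ['10.0.0.5']
    print("clip level:", round(clipping_level(BASELINE), 2))        # 3.15
    print("anomaly   :", sorted(anomaly_detect(EVENTS, BASELINE)))  # ['10.0.0.31', '10.0.0.5', '10.0.0.9']
```

Widening the signature's window (for example `signature_detect(EVENTS, window=400)`) does catch the slow attacker, but every widening also raises the chance that unrelated benign failures accumulate into a match, which is the same tuning problem the anomaly detector has with its clipping level.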

Managing IDPSs
Just as with any alarm system, if there is no response to an alert, the alarm does no good.
IDPSs must be configured with technical knowledge and adequate business and security knowledge to differentiate between routine circumstances and low, moderate, or severe threats.
A properly configured IDPS can translate a security alert into different types of notification.
A poorly configured IDPS yields only noise.

Managing IDPSs
Most IDPSs monitor systems by means of agents: software that resides on a system and reports back to a management server.
A valuable tool in managing an IDPS is the consolidated enterprise manager, software that lets the security professional collect data from multiple host- and network-based IDPSs and look for patterns across systems and sub-networks, correlating the responses of all the IDPSs to identify cross-system probes and intrusions.

Remote Access Protection
An attacker who suspects that an organization has dial-up lines can use a device called a war-dialer to locate the connection points.
Dial-up connections are usually much simpler and less sophisticated than Internet connections.
For the most part, simple user name and password schemes are the only means of authentication.

RADIUS and TACACS
RADIUS and TACACS are systems that authenticate the credentials of users who are trying to access an organization's network via a dial-up connection.
Typical dial-up systems place the authentication of users on the system connected to the modems.
A Remote Authentication Dial-In User Service (RADIUS) system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server; the modem-connected system then holds no copy of the user database, only a shared secret with the RADIUS server.

RADIUS and TACACS
When a remote access server (RAS) receives a request for a network connection from a dial-up client, it passes the request along with the user's credentials to the RADIUS server; RADIUS validates the credentials and returns an accept or reject decision, which the RAS enforces.
The Terminal Access Controller Access Control System (TACACS) works similarly and is based on a client/server configuration; its current version, TACACS+, runs over TCP, encrypts the entire packet body rather than only the password, and separates authentication, authorization, and accounting into distinct exchanges.
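The RADIUS exchange described above, as an added example that is not part of the textbook: the remote access server hides the user's password with the shared secret, the central server checks the credentials and stamps its verdict with a Response Authenticator, and the remote access server accepts the verdict only if that authenticator verifies. Packet layout, password hiding and the authenticators follow RFC 2865; the user database, the shared secret and the packet identifier are constructed for the demonstration, and the "network" is a direct function call rather than UDP.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    """Type-Length-Value encoding of RADIUS attributes (length includes the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    authenticator = pkt[4:20]
    attrs, i = {}, 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, authenticator, attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret || previous ciphertext block)."""
    p = password.encode() or b"\x00" * 16
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(p[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chaining value is the previous *ciphertext* block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def nas_build_request(ident, username, password, secret):
    """Remote access server side: wrap the dial-up user's credentials in an Access-Request."""
    request_auth = os.urandom(16)   # fresh per request; it is also the IV for password hiding
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt, request_auth


def radius_server_handle(pkt, secret, userdb):
    """Central RADIUS server: validate the credentials and answer Access-Accept or Access-Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return None
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in userdb and hmac.compare_digest(userdb[user], pw)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(resp_code, ident, request_auth, b"", secret)
    return struct.pack("!BBH", resp_code, ident, 20) + auth


def nas_check_response(resp, request_auth, secret):
    """The NAS trusts the verdict only if the Response Authenticator proves the sender knows the secret."""
    code, ident, auth, _ = parse_packet(resp)
    expected = response_authenticator(code, ident, request_auth, resp[20:], secret)
    return hmac.compare_digest(auth, expected), code


def dial_in(username, password, nas_secret, server_secret, userdb):
    """Whole exchange; passing different secrets models a misconfigured NAS."""
    req, request_auth = nas_build_request(7, username, password, nas_secret)
    resp = radius_server_handle(req, server_secret, userdb)
    return nas_check_response(resp, request_auth, nas_secret)


USERDB = {b"alice": b"correct horse battery"}   # constructed, illustration only
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    print(dial_in("alice", "correct horse battery", SECRET, SECRET, USERDB))    # (True, 2)
    print(dial_in("alice", "wrong", SECRET, SECRET, USERDB))                    # (True, 3)
    print(dial_in("alice", "correct horse battery", SECRET, b"other", USERDB))  # (False, 3)
```

The third call shows why the shared secret matters twice over: a server with the wrong secret cannot recover the password (so it rejects), and its reply fails the NAS's authenticator check (so the NAS cannot even trust the rejection). The hiding only covers the password, the rest of the request travels in the clear, and MD5 is the whole basis of the scheme, so RADIUS should run on a dedicated management network or inside TLS (RadSec, RFC 6614), with a long random secret per NAS.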

RADIUS Configuration (figure)

Managing Dial-Up Connections
Organizations that continue to offer dial-up remote access must deal with a number of thorny issues:
Determine how many dial-up connections the organization has
Control access to authorized modem numbers
Use call-back whenever possible
Use token-based authentication if at all possible

Wireless Networking Protection
Most organizations that use wireless networks run an implementation based on the IEEE 802.11 protocol.
The size of a wireless network's footprint depends on the power the transmitter/receiver wireless access points (WAPs) emit.
Sufficient power must exist to ensure quality connections within the intended area, but not so much that those outside the footprint can receive them; note that an attacker with a directional antenna can receive the signal well beyond the range at which ordinary clients can, so power control limits casual exposure rather than eliminating it.

Wireless Networking Protection
War driving is moving through a geographic area or building, actively scanning for open or unsecured WAPs.
The two encryption protocols most commonly used to secure wireless networks have been Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA); in current deployments both have been superseded by WPA2 and WPA3.

Wired Equivalent Privacy (WEP)
Provides a basic level of security intended to prevent unauthorized access or eavesdropping.
Like a traditional wired network, it does not protect users from observing each other's data: every station shares the same key, so any of them can decrypt the others' traffic.
Has several fundamental cryptographic flaws (static keys, a 24-bit initialization vector that repeats quickly, and weak RC4 key scheduling) that allow the key to be recovered from captured traffic, which led to its replacement by WPA.

Wi-Fi Protected Access (WPA)
WPA is an industry standard created by the Wi-Fi Alliance.
IEEE 802.11i has been implemented in products as WPA2, which introduced newer, more robust security protocols based on the Advanced Encryption Standard.
WPA and WPA2 provide increased capabilities for authentication, encryption, and throughput.
WPA and WPA2 have some compatibility issues with older WAPs and network cards.
Both WPA and WPA2 can authenticate against an IEEE 802.1X authentication server (typically a RADIUS server) in enterprise mode, or use a single pre-shared key (PSK) in personal mode; with a PSK, the passphrase is the only secret protecting the network.

WiMAX
The next generation of wireless networking is WiMAX, or WirelessMAN, essentially an improvement on the technology developed for cellular telephones and modems.
WiMAX, developed as part of the IEEE 802.16 standard, is a certification mark or stamp of approval that stands for "Worldwide Interoperability for Microwave Access".

Bluetooth
Bluetooth is a de facto industry standard for short-range (approximately 30 ft, or 10 m) wireless communications between devices.
The Bluetooth communications link can be exploited by anyone within range unless suitable security controls are implemented.
In discoverable mode, devices can easily be accessed.
Even in nondiscoverable mode, a device remains accessible to other devices that have paired with it in the past.

Bluetooth
By default Bluetooth does not authenticate connections, but it does implement some degree of security when devices access certain services, such as dial-up accounts and local area file transfers.
The practical ways to secure Bluetooth-enabled devices are to 1) turn off Bluetooth when you do not intend to use it and 2) not accept an incoming pairing request unless you know who the requestor is; periodically removing old pairings also closes the access that previously paired devices retain.

Managing Wireless Connections
It is possible to restrict access to the network to a preapproved set of wireless network card MAC addresses; this raises the attacker's effort only slightly, because MAC addresses are transmitted in the clear and an attacker can change theirs to match one already on the list.
One of the first management requirements is to regulate the size of the wireless network footprint by adjusting the placement and strength of the WAPs.
Select WPA or WPA2 over WEP, and WPA2 or WPA3 over WPA where the hardware supports it.
Protect pre-shared keys: a PSK derived from a short or dictionary passphrase can be recovered offline by anyone who captures a client's initial handshake.
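Why "protect pre-shared keys" matters, as an added example that is not from the textbook and also illustrates the personal-mode PSK mentioned under WPA: the WPA/WPA2-Personal key is derived from the passphrase and the SSID alone, so anyone who knows the SSID can test passphrase guesses offline. The derivation is the IEEE 802.11i mapping (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output) and the first known-answer vector from that standard is used as a check; the wordlist, the SSID "corpnet" and the passphrase length are constructed for the demonstration.

```python
import hashlib
import secrets
import string


def wpa_psk(passphrase, ssid):
    """IEEE 802.11i passphrase-to-PSK mapping for WPA/WPA2-Personal.

    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    The result is the Pairwise Master Key from which all session keys are derived.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def recover_passphrase(ssid, target_pmk, wordlist):
    """Offline dictionary attack against a PSK network.

    A real attacker checks each candidate PMK against the MIC of a captured
    4-way handshake rather than against the PMK itself, but the work per guess
    (one PBKDF2 run) is exactly what is shown here, and no further contact with
    the network is needed once the handshake is captured.
    """
    for candidate in wordlist:
        if secrets.compare_digest(wpa_psk(candidate, ssid), target_pmk):
            return candidate
    return None


def random_passphrase(length=20):
    """A PSK that no wordlist contains: letters and digits from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed wordlist for the demonstration; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "qwerty", "password", "letmein", "wifi1234"]

if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    # A weak passphrase falls to the wordlist; a random one does not.
    print(recover_passphrase("IEEE", wpa_psk("password", "IEEE"), WORDLIST))                 # password
    print(recover_passphrase("corpnet", wpa_psk(random_passphrase(), "corpnet"), WORDLIST))  # None
```

The 4096 SHA-1 iterations were cheap when 802.11i was written and are cheaper now; a GPU rig tests on the order of a million passphrases per second, so only length and randomness of the passphrase protect a personal-mode network. Enterprise mode (802.1X against a RADIUS server) gives each user a distinct credential, and WPA3-Personal replaces the PSK handshake with SAE, which does not hand an eavesdropper anything to guess against offline.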