HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide: HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 > Chapter 1 Introduction > Importance of Intrusion Detection
This section describes some of the threats that almost all businesses face today and the circumstances that lead to common security problems.

Perpetrators of security attacks are most often not outsiders roaming the Internet but your own employees, whom you trust with your critical data and systems. Unreliable employees with intimate knowledge of your systems and network can abuse their positions of trust. Nevertheless, most effort has been spent defending against the perceived threat from outside; as a result, most security solutions have focused on firewalls and web servers and largely ignored the serious problem that comes from within. Industrial espionage is also a significant threat. Trust is misplaced in each of the following situations.

Computer viruses are the single biggest cause of lost productivity in business environments. The real cost of a virus is not the damage it causes but the total cost of the cleanup needed to ensure that the infection has not spread throughout the company network. Moreover, Java™ and ActiveX permit executable code to be downloaded from the Internet without any assurance of its real purpose; there are many examples of websites whose ActiveX controls or Java applets steal files from your hard drive.

The security of a system depends on its weakest link. For example, a router vendor shipped its products with a default password that was easy to guess, and most administrators never changed it. Despite the many hours invested in configuring those routers correctly for secure operation, their security could be defeated in seconds by an attacker who knew the password.

As more business is done over the Internet, more trust is placed in critical infrastructure elements: the routers, hubs, and web servers that move data around the Internet. This infrastructure also includes the DNS name servers that let users reach URLs from their browsers; a DNS server maps a name such as www.company.com to an Internet Protocol (IP) address such as 10.2.3.4. By targeting these infrastructure services, an attacker can bring down a whole organization.

Sometimes attackers do not have to steal your information to hurt you. Simply by making your systems unavailable, they can cause losses in both revenue and credibility in your industry.

If you do not configure a critical piece of software or hardware properly, your network becomes vulnerable to attack. This is a particular problem with firewalls, where configuration rules are complex: one missing rule can leave your whole internal network open.

Code that runs with privileges (such as root on UNIX® systems or Administrator on Windows NT® systems) is particularly dangerous, because a simple bug can have a major impact. Most code is not designed to withstand security attacks, and most of it runs with more privileges than it needs to accomplish its task. A site often installs its web server to run as root, granting it far greater privileges than it needs to serve web pages and CGI scripts. Web servers that run as root are easy targets: CGI scripts are reachable by anyone on the network, and a flaw in any one of them can hand an attacker complete root privileges on the system.

A number of technologies have emerged as potential solutions to the security problems companies face. Firewalls, encryption, and security auditing tools are all useful, and HP-UX HIDS integrates with these existing technologies to enhance system and network security.

A firewall is a system placed between two networks to control what traffic can pass between them, usually between the Internet and your company intranet. It can be viewed as a point of policy enforcement at which you decide what network traffic is and is not permitted to pass in and out of your organization. When deployed correctly, which is a difficult task in a complex business environment, a firewall is an efficient tool for preventing attacks on critical systems and data. However, a firewall at the Internet boundary cannot protect against an attack launched from inside the organization, and it often cannot stop an attacker inside your organization from attacking systems on the Internet; that is, your systems can be used as a springboard to attack another victim. A further complication is that it is difficult to establish clearly where the boundary between inside and outside lies. At one time it was obvious that the Internet was outside and the intranet was inside. However, more and more corporations are joining their intranets in multiple-partner arrangements, often termed extranets. When internal and external systems share an extranet, there is no single location at which a firewall can be placed. In such an environment, some form of continuous security monitoring is needed to ensure that critical systems are not attacked and that valuable data is not being pilfered by partners.

Encryption is a mathematical technique that prevents unauthorized reading and modification of data. With encryption, the intended recipients of the data can read it, but no intermediate party can; combined with message authentication or digital signatures, it also lets recipients detect alteration and verify the sender, ensuring that the claimed sender really did send the message. In any well-designed cryptographic system, the heart of the security is the key: even if the inner workings of the encryption software are public, an attacker without the key cannot read or alter messages, whereas an attacker who obtains the key can decrypt any message, alter it, and retransmit it to the recipient. The problem with relying on encryption alone is that the weakest link is usually not the encryption technology but the system on which the key is stored. How can you be sure that the program you use to encrypt data has not saved your key to a temporary file on disk, from which an attacker can later retrieve it? Attackers who obtain your key can not only decrypt your data but impersonate you, sending messages that appear to be signed by you alone. Encryption also does not protect data while it is in the clear (not encrypted) as you process it, for example while preparing a document for printing, and it cannot protect your systems against denial-of-service attacks. Despite all its advantages, encryption is only part of an overall security solution.

A security auditing tool probes systems and networks for vulnerabilities that attackers could exploit, generates a report identifying the holes, and recommends fixes. Once the system administrator knows about the holes, he or she must patch them quickly, before they are exploited. Run regularly, an auditing tool is valuable for handling security threats. But attacks can occur at any time of day: an attacker can penetrate a system, cover the tracks, and install a variety of ways to re-enter the system easily and quickly. Even running an auditing tool every hour leaves attackers ample opportunity to exploit your system before you detect them. Clearly, a security audit that runs continuously makes systems easier to monitor and more secure. An intrusion detection system provides this type of security.

Intrusion detection can be summarized quite simply: after you have erected the barbed-wire fence, an intrusion detection system is like adding closed-circuit TV cameras so that security guards can monitor the facilities and forestall an attack. Intrusion detection identifies illegal and improper use of computing resources by unauthorized people before such misuse results in excessive damage, by constantly monitoring critical systems and data. An intrusion detection system (IDS) monitors user and system activity to detect patterns of misuse that can correspond to security violations. Monitoring is automatic and constant on every system on which the IDS is deployed, and it imposes a low overhead on systems and network so as not to disrupt your business activities. An IDS can monitor a single server, a whole network, or even an application (such as a database or web server).

Before attacking your systems, an attacker needs to identify vulnerabilities that can be exploited to subvert your system's security. A vulnerability is a feature of the design, implementation, or operation of a computer system or network that leaves it open to subversion by an unauthorized (or authorized) user. Having identified a vulnerability, the attacker creates an attack script, often just a shell script or simple program that performs a fixed series of steps to exploit it. Often the needed script has already been written and is available on a website, which makes the attacker's job much easier. Although a multitude of attacks are known and reported, most are small variations on a theme, and attackers frequently reuse the scripts from previous attacks. The result is usually a flood of attacks that exhibit common patterns and follow similar steps. Given a specific attack, you can codify it in terms that an IDS can use. HP-UX HIDS uses the concept of a detection template to express the fundamental aspect of an attack that distinguishes it from legitimate behavior and so permits detection.

The amount of information that flows through a typical corporate intranet and the level of activity on most corporate servers make it impossible for any one person to monitor them manually. Traditional network management and system monitoring tools do not help ensure that systems are not misused and abused, nor do they help detect theft of a company's critical data from important servers. The potential impact of computer-based crime is significant to most corporations, whose entire intellectual property often resides on servers. A tool that detects security-related threats and attacks as they occur significantly eases the burden that most network and system administrators face.
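The following Python sketch is an added example, not HP-UX HIDS code and not the syntax of its detection templates; it shows what "codifying an attack in terms an IDS can use" means for two of the situations discussed above: a web server installed to run as root whose CGI script is made to spawn a root shell, and a planted setuid-root shell left behind so the attacker can re-enter the system. The audit-record format, the web server path (/opt/hpws/apache/bin/httpd), the list of expected setuid-root binaries and all of the audit records are constructed for the illustration. The same CGI-spawns-a-shell sequence is also replayed under a least-privilege deployment of the web server to show that the template distinguishes the attack from the benign case rather than firing on CGI activity as such.

```python
"""Codifying two attack patterns as detection templates over process-execution
audit records.  Added example; not HP-UX HIDS code or its template format.
All paths and audit records below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ExecEvent:
    """One process-execution audit record (constructed format, not HP-UX audit)."""
    pid: int
    ppid: int
    uid: int    # real user ID of the new process
    euid: int   # effective user ID after the exec
    exe: str    # path of the executable that was run


# Assumed for this host: programs that may legitimately exec with euid 0
# while the real uid is not 0 (i.e. the expected setuid-root binaries).
KNOWN_SETUID_ROOT = frozenset({"/usr/bin/passwd", "/usr/bin/su"})
SHELLS = frozenset({"/bin/sh", "/usr/bin/sh", "/bin/ksh", "/usr/bin/ksh"})
WEB_SERVER_EXE = "/opt/hpws/apache/bin/httpd"   # assumed path of the web server


def ancestry(ev: ExecEvent, procs: Dict[int, ExecEvent], max_depth: int = 64) -> List[str]:
    """Executable paths of ev's known ancestors, nearest parent first.
    max_depth bounds the walk in case pids were reused and the table loops."""
    chain: List[str] = []
    cur = procs.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.exe)
        cur = procs.get(cur.ppid)
    return chain


def detect(events: Iterable[ExecEvent]) -> List[dict]:
    """Run both templates over an event stream and return the alerts raised.

    Template A ("root-shell-under-webserver"): a shell executing with euid 0
    whose ancestry includes the web server.  Legitimate CGI handling never
    needs a root shell, so this distinguishes the attack from normal traffic.

    Template B ("unexpected-setuid-root"): a process gains euid 0 while its
    real uid is not 0 via a program that is not a known setuid-root binary,
    the signature of a planted setuid shell used to re-enter a system.
    """
    procs: Dict[int, ExecEvent] = {}
    alerts: List[dict] = []
    for ev in events:
        chain = ancestry(ev, procs)
        if ev.euid == 0 and ev.exe in SHELLS and WEB_SERVER_EXE in chain:
            alerts.append({"template": "root-shell-under-webserver",
                           "pid": ev.pid, "exe": ev.exe, "ancestry": chain})
        if ev.euid == 0 and ev.uid != 0 and ev.exe not in KNOWN_SETUID_ROOT:
            alerts.append({"template": "unexpected-setuid-root",
                           "pid": ev.pid, "exe": ev.exe, "ancestry": chain})
        procs[ev.pid] = ev          # record it so later children can be traced
    return alerts


# Constructed audit stream: a web server installed to run as root, a CGI
# script it serves, and a shell that CGI spawns (an attacker's foothold),
# followed by an ordinary user session that runs passwd and then a
# setuid shell planted in /tmp.
ROOT_WEBSERVER_EVENTS = [
    ExecEvent(100, 1, 0, 0, WEB_SERVER_EXE),
    ExecEvent(200, 100, 0, 0, "/opt/hpws/apache/cgi-bin/report.cgi"),
    ExecEvent(201, 200, 0, 0, "/bin/sh"),             # root shell via CGI
    ExecEvent(300, 1, 1001, 1001, "/usr/bin/ksh"),    # normal user login shell
    ExecEvent(301, 300, 1001, 0, "/usr/bin/passwd"),  # legitimate setuid-root
    ExecEvent(302, 300, 1001, 0, "/tmp/.x/sh"),       # planted setuid backdoor
]

# The same web server deployed with least privilege (unprivileged uid 30):
# the identical CGI-spawns-a-shell sequence is now benign and raises nothing.
HARDENED_WEBSERVER_EVENTS = [
    ExecEvent(400, 1, 30, 30, WEB_SERVER_EXE),
    ExecEvent(401, 400, 30, 30, "/opt/hpws/apache/cgi-bin/report.cgi"),
    ExecEvent(402, 401, 30, 30, "/bin/sh"),
]


if __name__ == "__main__":
    for alert in detect(ROOT_WEBSERVER_EVENTS):
        print(alert)
    print("hardened deployment alerts:", detect(HARDENED_WEBSERVER_EVENTS))
```

Each template expresses one fact that separates the attack from legitimate behavior (a root shell has no business under a web server; a non-root user should only reach euid 0 through the binaries the administrator knows are setuid), which is exactly the kind of statement a detection template exists to capture. Both run on every record as it arrives, so the alert is raised when the shell is spawned rather than at the next scheduled audit.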