Would you know if a hacker launched a stealth attack? How about if a rogue employee ravages your personnel files? Are you sure you’d know about it? Willing to bet your job on that?
Whatever your poison — hackers, viruses, e-mail worms, corporate espionage, saboteurs, disgruntled employees —
intruders are out there.
According to a recent study by the FBI and the Computer Security Institute, 21 per cent of 503 corporations surveyed said they had no idea if there had been unauthorized access or misuse of their systems over the past 12 months.
Those who are aware of such incidents say the problem is getting worse.
The number of security breaches in the first quarter of 2003 jumped nearly 84 per cent compared to the preceding three months, according to Internet Security Systems Inc. (ISS), a key manufacturer of intrusion detection systems based in Atlanta.
Perhaps most alarmingly, the increase in attacks can be attributed to the use of automated attack software exploiting known flaws in widely used commercial software.
Take SQL Slammer, for instance. Late last year, the virulent e-mail worm weaseled its way into millions of computer systems worldwide because IT managers had failed to apply a six-month-old patch to Microsoft’s popular SQL Server. The worm infected some 200,000 vulnerable computers within 10 minutes of being unleashed, shutting down North American telephone systems, automated banking machines and even some airports. A London-based market research firm said the worm caused between $950 million and $1.2 billion (US) in lost productivity in the first five days of its attack, ranking it among the most damaging worms and viruses ever.
There are other threats to lose sleep over. It’s estimated that hackers spent more time and effort exploiting existing security holes than finding new ones.
“”The large increase in security events means that this year will be challenging for security officers and administrators around the world,”” says Chris Rouland, who leads research and development for ISS.
It’s for that reason that intrusion detection software and hardware are beginning to command a much bigger piece of the IT market.
Market research firm International Data Corp. estimates that the market for intrusion detection and vulnerability assessment software and hardware is growing by 18 per year and will reach $1.45 billion (US) in 2006.
That impressive growth rate also takes into account the fact that IT spending remains lax and few major corporations are set to boost budgets significantly. In short, intrusion detection is becoming mission-critical.
Intrusion detection has its roots in the financial audits dating back to the 1960s and 1970s, when mainframe computers were in vogue. Because mainframes were scarce and expensive, access had to be strictly controlled. Audits were eventually put into place, enabling administrators to review logs for anomalies that might indicate misuse. This was the earliest form of intrusion detection.
According to Richard Heady, a recognized expert on intrusion detection and an author of a white paper on the subject, the term intrusion has since evolved to mean “”any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.””
“”A good intrusion detection system tries to detect abuse and to contain the effects of any attack in the early stages, preferably in real time,”” Heady says.
Implementing an intrusion-detection strategy isn’t as easy as writing a cheque. An effective plan means addressing your company’s own unique needs.
There are two types of intrusion detection systems: host- and network-based. IDC predicts a third category will emerge sometime this year to encompass “”vulnerability management.””
Host-based agents monitor individual systems. For instance, a host-based system might guard a database and monitor audit trails, system logs and file permissions.
Network intrusion detection systems monitor packets on the network wire and try to discover if a hacker or cracker is attempting to break down your front door. And no, an expensive firewall won’t cut it.
“”The firewall protects the perimeter. Intrusion detection is monitoring the traffic at all times,”” says Chris Bazinet, manager of product and technology marketing with Cisco Systems Canada Inc.
Bazinet compares an intrusion detection system to an “”electronic bloodhound.””
“”The IDS is loaded with attack scenarios. It will look at something fishy and raise an alarm.””
Host- or network-based, an intrusion detection system should have certain characteristics, according to Internet Security Systems. The system should:
* run continually without human supervision.
* be fault-tolerant and difficult to fool.
* resist subversion and be able to monitor itself to ensure that it has not been subverted.
* not consume too much of a system’s resources.
* observe deviations from normal behaviour.
* be easily tailored to the system it’s monitoring — every system has a different usage pattern, and the defense mechanism should adapt easily to these patterns.
* Be able to cope with changing system behaviour overtime as new applications are added.
Ryon Packer, vice-president of product management with Intrusion Detection Inc., based in Richardson, Texas, believes that network security is not a deliverable and can be achieved only through a combination of control and visibility — that is, understanding the nature of the network and its traffic.
Network intrusion detection systems are a primary provider of security visibility and the resulting network intelligence required to make the enterprise network secure. Because you never know when the next attack is coming.