Intrusion Detection Presentation


Audit issues and points in auditing Intrusion Detection Systems.

Published in: Technology

  1. 1. IT AUDIT
       • INTRUSION DETECTION SYSTEMS
       • MUSTAFA SHAH
  2. 2. INTRODUCTION
       • INTRUSION DETECTION
           • Process of monitoring events occurring in a computer system or network and analyzing them for signs of intrusions
           • Intrusions are attempts to compromise the Confidentiality, Integrity, Availability, and Control of a computer network
  3. 3. OVERVIEW
       • Intrusion detection allows organizations to protect their systems from threats that come from increasing network connectivity and information systems
       • ID is an important part of the Security Infrastructure:
           • Firewalls
           • Password Authentication
           • Encryption
           • Anti-virus software
           • Incident response plan
  4. 4. TYPES
       • Network-Based Intrusion Detection:
           • Monitors traffic on the network
           • Examines packets as they pass by a sensor
           • Packets are examined for a match against a signature
               • String signature
               • Port signature
               • Header signature

       Port       State   Service
       104/tcp    open    acr-nema
       655/tcp    open    unknown
       658/tcp    open    unknown
       670/tcp    open    unknown
       723/tcp    open    unknown
       725/tcp    open    unknown
       727/tcp    open    unknown
       728/tcp    open    unknown
  5. 5. TYPES
       • Host-Based IDS:
           • Works by intercepting operating system and application calls on an individual host
           • Checks the integrity of system files
           • Watches for suspicious processes
  6. 6. METHODS
       • Knowledge-Based:
           • Applies knowledge about specific attacks and system vulnerabilities
           • Contains information about these vulnerabilities
           • An alarm is triggered when an attempt is detected
           • Completeness depends on regular update of knowledge about attack methods
  7. 7. METHODS
       • Behavior-Based:
           • Intrusion can be detected by observing a deviation from normal behavior
           • Maintain a model of expected behavior and compare activities against this model
           • An alarm is generated when a deviation is observed
  8. 8. DEPLOYMENT
       • Behind each external Firewall in the network DMZ
       • Outside an external Firewall
       • On major backbones
       • On critical subnets
  9. 9. RISK
       • Network Security is a crucial component of every company
           • Loss of business
           • Loss of intellectual property
           • Loss of Reputation
           • Stock price
           • Loss of third-party confidence
           • Legal implications
               • HIPAA 1996
               • Gramm-Leach-Bliley Act 1999
               • Homeland Security Act 2002
               • State Laws
  10. 10. Homeland Security Secretary Michael Chertoff speaks about computer security at the RSA Conference on information security in San Francisco, Tuesday, April 8, 2008. (AP Photo/Paul Sakuma)
        Headline: Zombie Computers Decried As Imminent National Threat
  11. 11. ATTACK TYPES
        • Scanning attacks
        • Denial of Service
        • Penetration attacks
            • User to Root
            • Remote to User
        • Authorized User
        • Public User
  12. 12. MALWARE
        • Infectious:
            • Viruses
            • Worms
        • For Profit:
            • Spyware
            • Adware
            • Botnets
            • Keystroke loggers
  13. 13. AUDIT CHECKLIST
        • Proactive Auditing and monitoring are essential
  14. 14. STEPS
        • Examine Log Files
        • Look for Unauthorized User Rights
        • Look for Unusual or Hidden Files
        • Check for Changes in Computer or User Policies
        • Check for Odd User Accounts
        • Check for Altered Permissions on Files or Registry Keys
        • Audit for Intrusion Detection
  15. 15. AREAS
        • Security policies, guidelines, and procedures
        • Security awareness programs
        • Software-based (Logical) Access controls including:
            • Change control
            • Data and program access
            • Audit trails
            • Access control software
            • Authentication procedures
        • Hiring Policy for Network Administrators
  16. 16. SURVEY
  17. 20. CONCLUSION
        • IDS is an important tool in the Security Hierarchy
        • It is mostly outsourced to third-parties
        • IDS will be replaced with Intrusion Prevention Systems in the future
        • IP systems prevent attacks in real-time
        • Able to decode layer 7 protocols like HTTP, FTP, and SMTP
        • An Incident Response Plan is a must
  18. 21. SOURCES
  19. 22. SOURCES 114E0DE67DE6965385257341005AED7B/$FILE/PwC_GISS2007.pdf
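
Slide 4 names three signature types for network-based detection (string, port, header), and slide 6 describes the knowledge-based method that raises an alarm on a match. The sketch below is an added example, not part of the original presentation, showing one check of each type. The `Packet` record, the signature names, the allowed-port list and the sample packets are all constructed assumptions; port 104 is taken from the port listing on slide 4.

```python
from dataclasses import dataclass

# Assumption: the only services this (hypothetical) site offers to the network.
ALLOWED_PORTS = {25, 80, 443}

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    flags: frozenset          # TCP flags set in the header
    payload: bytes = b""

def string_sig(p):
    # String signature: a byte pattern searched for in the payload.
    return b"/etc/passwd" in p.payload

def port_sig(p):
    # Port signature: a connection opening (SYN without ACK) to a port
    # that no service on this network should be listening on.
    opening = "SYN" in p.flags and "ACK" not in p.flags
    return opening and p.dst_port not in ALLOWED_PORTS

def header_sig(p):
    # Header signature: an illogical flag combination, SYN and FIN together.
    return {"SYN", "FIN"} <= p.flags

SIGNATURES = [
    ("string", "passwd-in-request", string_sig),
    ("port", "unexpected-port", port_sig),
    ("header", "syn-fin", header_sig),
]

def inspect(packets):
    """Return (packet index, signature type, signature name, source) per match."""
    alerts = []
    for i, p in enumerate(packets):
        for kind, name, match in SIGNATURES:
            if match(p):
                alerts.append((i, kind, name, p.src))
    return alerts

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet("192.0.2.10", 80, frozenset({"PSH", "ACK"}), b"GET /index.html HTTP/1.0\r\n"),
    Packet("198.51.100.7", 80, frozenset({"PSH", "ACK"}), b"GET /view?f=../../etc/passwd HTTP/1.0\r\n"),
    Packet("203.0.113.9", 104, frozenset({"SYN"})),
    Packet("203.0.113.9", 80, frozenset({"SYN", "FIN"})),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

As slide 6 notes, coverage is only as good as the signature list: traffic that matches none of the three checks passes without an alert.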
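
Slide 5 says a host-based IDS checks the integrity of system files, and the audit steps on slide 14 include looking for unusual or hidden files and for altered permissions. The following added example, which is not from the original presentation, covers both with a baseline-and-compare check. The function names, finding labels and the temporary directory standing in for a system tree are assumptions made for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map each regular file under root to (SHA-256 digest, permission bits)."""
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode))
    return state

def compare(baseline, current):
    """Return (finding, path) pairs for every difference from the baseline."""
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            hidden = os.path.basename(path).startswith(".")
            findings.append(("hidden-file-added" if hidden else "file-added", path))
        elif new is None:
            findings.append(("file-removed", path))
        else:
            if old[0] != new[0]:
                findings.append(("content-changed", path))
            if old[1] != new[1]:
                findings.append(("permissions-changed", path))
    return findings

def demo():
    """Constructed scenario: a temp directory stands in for a system tree."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text, mode=0o644):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        for name in ("hosts", "motd", "sshd_config"):
            write(name, "original\n")
        baseline = snapshot(root)
        write("hosts", "tampered\n")                          # content change
        os.remove(os.path.join(root, "motd"))                 # removal
        os.chmod(os.path.join(root, "sshd_config"), 0o666)    # loosened permissions
        write(".cache", "dropped\n")                          # new hidden file
        return compare(baseline, snapshot(root))
```

The baseline itself has to be stored where the monitored host cannot rewrite it, otherwise a change to the files can be hidden by a matching change to the baseline.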
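
Slide 7 describes the behavior-based method: keep a model of expected behavior, compare activity against it, and alarm on deviation. The added example below, which is not from the original presentation, does this for one metric. The metric (failed logins per account per day), the account names, the counts and the threshold are constructed assumptions.

```python
from statistics import mean, pstdev

def build_model(history):
    """history: {account: [daily counts]} -> {account: (mean, std deviation)}."""
    return {acct: (mean(counts), pstdev(counts))
            for acct, counts in history.items() if counts}

def check(model, observed, threshold=3.0, min_sigma=1.0):
    """Compare today's counts with the model and return the alarms raised.

    min_sigma floors the standard deviation so an account whose history is
    perfectly flat does not alarm on a change of one event, and so the
    division is always defined.
    """
    alarms = []
    for acct, count in sorted(observed.items()):
        if acct not in model:
            # No expected behavior recorded: report it rather than ignore it.
            alarms.append((acct, "no-baseline", count))
            continue
        mu, sigma = model[acct]
        score = (count - mu) / max(sigma, min_sigma)
        if abs(score) > threshold:
            alarms.append((acct, "deviation", round(score, 1)))
    return alarms

# Constructed data: one week of failed-login counts per account.
HISTORY = {
    "alice": [2, 3, 1, 2, 2, 3, 1],    # occasional mistyped passwords
    "backup": [0, 0, 0, 0, 0, 0, 0],   # service account, never fails
}
# Constructed observation for the day being checked.
TODAY = {"alice": 3, "backup": 9, "svc_new": 1}

if __name__ == "__main__":
    for alarm in check(build_model(HISTORY), TODAY):
        print(alarm)
```

Unlike the signature approach, nothing here knows what an attack looks like, so the model must be rebuilt as normal usage changes or it will alarm on legitimate activity.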