IT AUDIT INTRUSION DETECTION SYSTEMS MUSTAFA SHAH
INTRODUCTION
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions. Intrusions are attempts to compromise the confidentiality, integrity, availability or control of a computer system or network.
OVERVIEW
Intrusion detection lets an organization detect the threats that arrive through its growing network connectivity and information systems, and respond before they do damage. ID is one layer of the security infrastructure; it complements, rather than replaces, the other layers:
- Firewalls
- Password authentication
- Encryption
- Anti-virus software
- Incident response plan
TYPES
Network-based intrusion detection (NIDS):
- Monitors traffic on the network
- Examines packets as they pass a sensor (a tap or mirror port, so the sensor sees the traffic without sitting in its path)
- Each packet is compared against signatures:
  - String signature: a byte pattern in the payload (for example a known exploit string inside an HTTP request)
  - Port signature: a connection attempt to a port that should not be in use on that host (for example telnet on a server that only offers SSH)
  - Header signature: an illegal or suspicious combination of header fields (for example a TCP segment with both SYN and FIN set)
The slide shows a port-scan result of the kind a NIDS should pick up: one source probing many ports on one host in quick succession.
  Port     State   Service
  104/tcp  open    acr-nema
  655/tcp  open    unknown
  658/tcp  open    unknown
  670/tcp  open    unknown
  723/tcp  open    unknown
  725/tcp  open    unknown
  727/tcp  open    unknown
  728/tcp  open    unknown
TYPES
Host-based IDS (HIDS):
- Works by intercepting operating system and application calls on an individual host
- Checks the integrity of system files against a known-good baseline (if the baseline lives on the monitored host, an attacker who gains root can alter it along with the files; keep it off-host or on read-only media)
- Watches for suspicious processes
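The file-integrity part of a host-based IDS, as an added example that is not code from the presentation: record a SHA-256 digest and the permission bits of every file under a directory, then compare the tree against that baseline and report files that were modified, added, removed or had their mode changed. The sample tree, the "tampering" and the directory layout are constructed inside a temporary directory so the script runs offline.

```python
"""Host-based check: file-integrity baseline and verification.

Added example, not code from the original presentation. It builds a
baseline of SHA-256 digests and permission bits for a directory, then
reports files that were modified, added, removed or had their mode
changed. The sample tree and the tampering are constructed here.
"""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Digest plus mode bits for one file; both belong in the baseline."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return h.hexdigest(), mode


def build_baseline(root):
    """Map relative path -> (sha256, mode) for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def verify(root, baseline):
    """Compare the current tree against the baseline and return findings."""
    current = build_baseline(root)
    findings = []
    for rel, (digest, mode) in baseline.items():
        if rel not in current:
            findings.append(("removed", rel))
            continue
        cur_digest, cur_mode = current[rel]
        if cur_digest != digest:
            findings.append(("modified", rel))
        if cur_mode != mode:
            findings.append(("mode changed", rel))
    for rel in current:
        if rel not in baseline:
            findings.append(("added", rel))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        os.chmod(os.path.join(etc, "hosts"), 0o644)
        baseline = build_baseline(root)

        # Tampering typical of a compromised host (all constructed):
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")       # extra uid-0 account
        os.chmod(os.path.join(etc, "hosts"), 0o666)          # made world-writable
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")                        # dropped file
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:<13} {path}")
```

The baseline is returned to the caller rather than written next to the files it describes; in a real deployment it would be signed or stored off-host, for the reason given on the slide.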
METHODS
Knowledge-based (signature-based) detection:
- Applies knowledge about specific attacks and system vulnerabilities
- The knowledge base holds a signature for each known attack; an alarm is triggered when traffic or activity matches one
- Few false positives, but it cannot detect an attack for which it has no signature
- Completeness depends on regular updates of the knowledge base as new attack methods appear
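The signature matching described on the network-based slide and on this knowledge-based slide, as one added example that is not code from the presentation. Three signature kinds (string, port, header) are checked against a list of constructed packet records, and a per-source count of distinct probed ports turns a sweep like the slide's port listing into a single "port scan" alert. Packet fields, signatures, addresses and the alert threshold are all assumptions made for the example.

```python
"""Signature-based (knowledge-based) detection over constructed packets.

Added example, not code from the original presentation. Packet records,
signatures and the attack traffic are constructed here; a real sensor
would read them from a capture interface or a pcap file.
"""
from collections import defaultdict

# Constructed packet records with just the fields the three signature kinds need.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 80,
     "flags": "PA", "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 80,
     "flags": "PA", "payload": b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"},
    {"src": "10.0.0.9", "dst": "192.168.1.10", "proto": "tcp", "dport": 23,
     "flags": "S", "payload": b""},
    # SYN and FIN set together never occurs in legitimate TCP: a header signature.
    {"src": "10.0.0.9", "dst": "192.168.1.10", "proto": "tcp", "dport": 22,
     "flags": "SF", "payload": b""},
] + [
    # Constructed sweep: one source probing the ports from the slide's listing.
    {"src": "10.0.0.7", "dst": "192.168.1.10", "proto": "tcp", "dport": p,
     "flags": "S", "payload": b""}
    for p in (104, 655, 658, 670, 723, 725, 727, 728)
]

# The "knowledge base": one entry per known attack or policy violation.
SIGNATURES = [
    {"name": "phf CGI probe", "kind": "string", "pattern": b"/cgi-bin/phf", "dport": 80},
    {"name": "telnet to server", "kind": "port", "proto": "tcp", "dport": 23},
    {"name": "SYN/FIN scan", "kind": "header", "proto": "tcp", "flags": "SF"},
]


def match_signature(pkt, sig):
    """Return True if the packet matches one signature of the given kind."""
    kind = sig["kind"]
    if kind == "string":
        return pkt["dport"] == sig["dport"] and sig["pattern"] in pkt["payload"]
    if kind == "port":
        return pkt["proto"] == sig["proto"] and pkt["dport"] == sig["dport"]
    if kind == "header":
        return pkt["proto"] == sig["proto"] and pkt["flags"] == sig["flags"]
    raise ValueError(f"unknown signature kind: {kind}")


def run_sensor(packets, signatures, scan_threshold=5):
    """Examine each packet against every signature and return the alerts.

    Also keeps the set of ports each source has sent a SYN to, so a sweep
    is reported once as a 'port scan' instead of once per probed port.
    """
    alerts = []
    ports_by_src = defaultdict(set)
    scan_reported = set()
    for pkt in packets:
        for sig in signatures:
            if match_signature(pkt, sig):
                alerts.append((sig["name"], pkt["src"], pkt["dport"]))
        if pkt["proto"] == "tcp" and pkt["flags"] == "S":
            ports_by_src[pkt["src"]].add(pkt["dport"])
            if (len(ports_by_src[pkt["src"]]) >= scan_threshold
                    and pkt["src"] not in scan_reported):
                scan_reported.add(pkt["src"])
                alerts.append(("port scan", pkt["src"], None))
    return alerts


if __name__ == "__main__":
    for name, src, dport in run_sensor(SAMPLE_PACKETS, SIGNATURES):
        where = f" to port {dport}" if dport else ""
        print(f"ALERT {name:<18} from {src}{where}")
```

The phf probe in the second packet is caught only because a signature for it exists; a request for a different vulnerable CGI would pass silently until the knowledge base is updated, which is the completeness limitation the slide names.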
METHODS
Behavior-based (anomaly-based) detection:
- Intrusions are detected by observing a deviation from normal behavior
- Maintain a model of expected behavior, built from a training period, and compare current activity against it
- An alarm is generated when a deviation exceeds a threshold
- Can detect previously unknown attacks, at the cost of more false positives; the model is only as clean as the activity it was trained on and must be retrained as legitimate behavior changes
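A minimal behavior model of the kind the slide describes, as an added example that is not code from the presentation. A per-user profile is built from a constructed two-week training window (the hours at which the user logs in, and the daily count of outbound connections); a new day's activity is then scored against it, and a login at an hour never seen in the profile or a volume more than three standard deviations above the mean raises an alarm. The user, the training values and the threshold are assumptions made for the example.

```python
"""Behavior-based (anomaly) detection: profile normal activity, flag deviations.

Added example, not code from the original presentation. The training
observations are constructed; a real deployment would derive them from
authentication and flow logs over a quiet period.
"""
from statistics import mean, pstdev

# Constructed two-week profile for one user: (login_hour, outbound_connections per day)
TRAINING = [
    (8, 42), (9, 55), (8, 47), (10, 51), (9, 60), (8, 38), (9, 49),
    (8, 44), (9, 52), (10, 46), (8, 58), (9, 50), (8, 41), (9, 53),
]


class BehaviorProfile:
    """Model of expected behavior: allowed login hours plus a volume baseline."""

    def __init__(self, observations, z_threshold=3.0):
        self.hours = {h for h, _ in observations}
        volumes = [v for _, v in observations]
        self.mu = mean(volumes)
        self.sigma = pstdev(volumes)
        self.z_threshold = z_threshold

    def score(self, login_hour, outbound_connections):
        """Return the deviations for one day's activity (empty list = normal)."""
        deviations = []
        if login_hour not in self.hours:
            deviations.append(f"login at hour {login_hour:02d} never seen in profile")
        if self.sigma == 0:
            # Degenerate baseline (constant volume): anything above it is a deviation.
            z = float("inf") if outbound_connections > self.mu else 0.0
        else:
            z = (outbound_connections - self.mu) / self.sigma
        if z > self.z_threshold:
            deviations.append(
                f"outbound volume {outbound_connections} is {z:.1f} sigma above normal")
        return deviations


def evaluate(profile, days):
    """Score a list of (label, hour, volume) observations; return only the alarms."""
    alarms = []
    for label, hour, volume in days:
        deviations = profile.score(hour, volume)
        if deviations:
            alarms.append((label, deviations))
    return alarms


if __name__ == "__main__":
    profile = BehaviorProfile(TRAINING)
    print(f"baseline: mean={profile.mu:.1f} connections/day, sigma={profile.sigma:.2f}")
    # Constructed test days: a normal one, an odd-hours login, a data-exfiltration-sized burst.
    observed = [("Mon", 9, 50), ("Tue", 3, 48), ("Wed", 9, 400)]
    for label, deviations in evaluate(profile, observed):
        for d in deviations:
            print(f"ALARM {label}: {d}")
```

The model is deliberately simple; the trade-off the slide names still shows: a user who legitimately starts working nights will trip the hour check until the profile is retrained, and an attacker who raises a user's volume slowly over weeks can drag the baseline up with it.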
DEPLOYMENT
Typical sensor placements:
- Behind each external firewall (sees the attacks that got through the firewall)
- In the network DMZ
- Outside an external firewall (sees every attempt against the perimeter, including what the firewall blocks, so it is noisier)
- On major backbones
- On critical subnets
RISK
Network security is a crucial component of every company. What an intrusion can cost:
- Loss of business
- Loss of intellectual property
- Loss of reputation
- Stock price
- Loss of third-party confidence
- Legal implications: HIPAA (1996), Gramm-Leach-Bliley Act (1999), Homeland Security Act (2002), state laws
[Photo] Homeland Security Secretary Michael Chertoff speaks about computer security at the RSA Conference on information security in San Francisco, Tuesday, April 8, 2008. AP Photo/Paul Sakuma. Headline: "Zombie Computers Decried As Imminent National Threat"
ATTACK TYPES
- Scanning attacks
- Denial of service
- Penetration attacks, classified by the access the attacker starts with and gains: User to Root, Remote to User
- By source: authorized (inside) user, public (outside) user
MALWARE
- Infectious: viruses, worms
- For profit: spyware, adware, botnets, keystroke loggers
AUDIT CHECKLIST
Proactive auditing and monitoring are essential.
STEPS
- Examine log files
- Look for unauthorized user rights
- Look for unusual or hidden files
- Check for changes in computer or user policies
- Check for odd user accounts
- Check for altered permissions on files or registry keys
- Audit for intrusion detection
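Three of the audit steps above (examine log files, look for unauthorized user rights, check for odd user accounts) run over constructed host data, as one added example that is not code from the presentation. The syslog-style auth lines, the passwd entries, the sudoers lines and the list of who is allowed to hold sudo rights are all constructed sample input.

```python
"""Audit steps over constructed host data.

Added example, not code from the original presentation. AUTH_LOG, PASSWD,
SUDOERS and AUTHORIZED_ADMINS are constructed sample input; on a real host
they would be read from /var/log/auth.log, /etc/passwd and /etc/sudoers.
"""
import re
from collections import Counter

AUTH_LOG = """\
Apr  8 02:14:01 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr  8 02:14:03 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr  8 02:14:05 web1 sshd[4103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr  8 02:14:07 web1 sshd[4103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr  8 02:14:09 web1 sshd[4105]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Apr  8 09:01:12 web1 sshd[4210]: Accepted publickey for alice from 192.168.1.20 port 40022 ssh2
Apr  8 09:02:44 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0::/:/bin/bash
svc_backup::1002:1002::/home/svc_backup:/bin/sh
"""

SUDOERS = """\
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
"""

AUTHORIZED_ADMINS = {"root", "%admin"}   # assumed: who may legitimately hold sudo rights

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")


def examine_auth_log(text, fail_threshold=3):
    """Step 1: failed-login bursts, direct root logins, success after failures."""
    findings = []
    fails = Counter()
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            fails[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if not m:
            continue
        method, user, src = m.groups()
        if user == "root":
            findings.append(f"direct root login via {method} from {src}")
        if fails[src]:
            findings.append(f"login for {user} from {src} after {fails[src]} failures")
    for src, n in fails.items():
        if n >= fail_threshold:
            findings.append(f"{n} failed logins from {src}")
    return findings


def check_passwd(text):
    """Step 2: odd accounts, here extra uid-0 users and empty password fields."""
    findings = []
    for line in text.splitlines():
        name, pw, uid, _gid, _gecos, _home, _shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(f"account {name} has uid 0")
        if pw == "":
            findings.append(f"account {name} has an empty password field")
    return findings


def check_sudoers(text, authorized):
    """Step 3: sudo grants to anyone not on the authorized list, or without a password."""
    findings = []
    for line in text.splitlines():
        who = line.split()[0]
        if who not in authorized:
            findings.append(f"unexpected sudo grant: {line}")
        if "NOPASSWD" in line:
            findings.append(f"passwordless sudo: {line}")
    return findings


def run_audit():
    """Run the three checks over the constructed data and return the findings."""
    return {
        "log": examine_auth_log(AUTH_LOG),
        "accounts": check_passwd(PASSWD),
        "rights": check_sudoers(SUDOERS, AUTHORIZED_ADMINS),
    }


if __name__ == "__main__":
    for area, findings in run_audit().items():
        for f in findings:
            print(f"[{area}] {f}")
```

The log check reports the successful root login both because it is root and because it followed a burst of failures from the same source; the two conditions are kept separate so that either one alone still produces a finding.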
AREAS
- Security policies, guidelines and procedures
- Security awareness programs
- Software-based (logical) access controls, including:
  - Change control
  - Data and program access
  - Audit trails
  - Access control software
  - Authentication procedures
- Hiring policy for network administrators
SURVEY
CONCLUSION
- IDS is an important tool in the security hierarchy
- Monitoring is often outsourced to third parties
- IDS will be replaced with intrusion prevention systems (IPS) in the future
- An IPS sits inline and blocks attacks in real time; because a false positive then drops legitimate traffic, signature quality matters more than for a passive IDS
- Able to decode layer 7 protocols such as HTTP, FTP and SMTP
- An incident response plan is a must
SOURCES
http://en.wikipedia.org/wiki/Intrusion-prevention_system
http://en.wikipedia.org/wiki/Zombie_computer
http://en.wikipedia.org/wiki/Botnet
http://en.wikipedia.org/wiki/Cyber-security_regulation
http://blog.wired.com/27bstroke6/2008/04/zombie-computer.html?nup=1&mbid=yhp
http://en.wikipedia.org/wiki/Intrusion_detection_system
http://en.wikipedia.org/wiki/Malware
http://www.cert.org/tech_tips/WIDC.html#C16
http://www.sans.org/top20/#z1
http://www.nist.org/news.php
http://www.snort.org/
http://www.sans.org/resources/idfaq/
http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
http://www.pwc.com/extweb/pwcpublications.nsf/docid/114E0DE67DE6965385257341005AED7B/$FILE/PwC_GISS2007.pdf