Technology Evaluation: Bank Solutions
Intrusion Detection System (IDS)
An intrusion detection system (IDS), as introduced in Parts 1 and 2 of this technology case study, helps an information system prepare for and respond to network attacks. It collects information from a range of network and host sources and analyzes that information for signs of attack (SANS Institute, 2001). In terms of capabilities, an IDS provides:
- Monitoring and analysis of user and system activity
- Auditing of system configurations and vulnerabilities
- Statistical analysis of activity patterns, matched against patterns known to constitute attacks
- Auditing of operating systems
- Analysis of anomalous activity in the system
- Integrity assessment of critical system and data files
IDS deployments are commonly described in terms of three major types. The first is the network intrusion detection system (NIDS), which analyzes the traffic of an entire subnet and matches it against known attack patterns; when an abnormal pattern is detected, it notifies the administrator so that preventive action can be taken. The second is the network node intrusion detection system (NNIDS), which performs the same function as a NIDS but analyzes only the traffic going in and out of a specific host or network segment. The third is the host intrusion detection system (HIDS), which takes snapshots of the existing system state and compares them with previous snapshots. If the HIDS finds differences between snapshots, such as a missing file or deleted information, it notifies the administrator for investigation.
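The snapshot comparison that the HIDS description above relies on, written out as an added example (this is illustrative code for this page, not code from any IDS product or from the cited sources). It assumes a snapshot is simply a map from relative file path to SHA-256 digest, and the directory tree, file contents and tampering steps in demo() are constructed for the example:

```python
"""Host-based integrity check: take a snapshot of a directory tree, then diff a
later snapshot against it, as the HIDS described above does."""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        snap[path.relative_to(root).as_posix()] = digest.hexdigest()
    return snap


def diff_snapshots(baseline, current):
    """Classify every difference between a stored baseline and a fresh snapshot."""
    return {
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, report the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "var" / "auth.log").write_text("accepted password for alice\n")

        # The baseline would be written to storage the monitored host cannot alter.
        stored_baseline = json.dumps(snapshot(root))

        # Simulated tampering: config weakened, log removed, new script dropped.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "var" / "auth.log").unlink()
        (root / "etc" / "cron.sh").write_text("#!/bin/sh\n")

        return diff_snapshots(json.loads(stored_baseline), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical caveats follow from the code: the comparison is only as trustworthy as the stored baseline, which must live somewhere an attacker who controls the host cannot rewrite it, and a content hash alone says nothing about permission or ownership changes, so a production HIDS records those attributes in the snapshot as well.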
Using an IDS has both advantages and disadvantages. An IDS automates the monitoring process, including keeping up with the latest attacks reported on the Internet, and it can trace a user's activities, including point of entry, exit and impact. Because of this automation, an IDS can readily recognize alterations made to the system and detect configuration errors, which lets the administrator determine much faster whether an attack is taking place. Administrators no longer have to inspect each area of system activity by hand, so both monitoring and taking action during an attack become easier. An IDS also has drawbacks. It cannot compensate for weak identification and authentication mechanisms (SANS Institute, 2001). It can only notify the administrator; it has no built-in mechanism to intercept an attack, so human intervention is still needed to take preventive action. An IDS can also miss events, particularly on busy networks, with the risk that traffic leading to a firewall intrusion is overlooked. Finally, an IDS cannot deal with packet-level attacks or resolve the problems that occur at that level.
Setting up an IDS entails cost considerations for equipment, hardware, software, services, supplies, personnel and other resources. A company without an intrusion detection system experiences an average loss of $200,000 in lost data and recovery (Wei et al., 2001). Such losses may occur roughly once every two years, and a large part of them can be avoided by installing a capable IDS, which costs on average about $40,000 depending on the provider's quoted price and the size of the network. Annualized, the comparison works out as follows. Without an IDS, the loss exposure is $100,000 per year (equivalently, two incidents a year at $50,000 each, or $200,000 every two years). With an IDS that is 85% effective, the residual loss is $100,000 - $85,000 = $15,000; adding the $40,000 cost of the IDS gives a total annual cost of $55,000. The annual loss expectancy (ALE) with the control, $55,000, is therefore $45,000 less than the $100,000 ALE without it ($100,000 - $55,000 = $45,000), so the company can expect to save about $45,000 annually after installing the IDS.
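The calculation above, restated as a small reusable function so the same comparison can be rerun with a vendor's actual quote. This is an added example for this page, not code from Wei et al.; the ALE = SLE x ARO framing and the break-even figure are the standard risk-analysis reading of the paragraph's numbers, and the figures passed in are the ones the paragraph uses:

```python
"""Annualized cost-benefit of an IDS, using the figures from the paragraph above."""


def annual_loss_expectancy(single_loss, occurrences_per_year):
    """ALE = single loss expectancy x annual rate of occurrence."""
    return single_loss * occurrences_per_year


def ids_cost_benefit(single_loss, occurrences_per_year, effectiveness, ids_annual_cost):
    """Compare the uncontrolled ALE with residual loss plus the cost of the IDS."""
    ale = annual_loss_expectancy(single_loss, occurrences_per_year)
    prevented = ale * effectiveness
    residual = ale - prevented
    cost_with_ids = residual + ids_annual_cost
    return {
        "ale_without_ids": round(ale, 2),
        "residual_loss": round(residual, 2),
        "cost_with_ids": round(cost_with_ids, 2),
        "net_annual_benefit": round(ale - cost_with_ids, 2),
        # Effectiveness below which the IDS costs more per year than it prevents.
        "break_even_effectiveness": round(ids_annual_cost / ale, 2) if ale else None,
    }


if __name__ == "__main__":
    # Page figures: two $50,000 incidents a year, an 85% effective IDS costing $40,000.
    for key, value in ids_cost_benefit(50_000, 2, 0.85, 40_000).items():
        print(f"{key}: {value}")
```

With the page's figures the IDS pays for itself at 40% effectiveness; the two ways the paragraph states the loss rate (two $50,000 incidents a year, or $200,000 every two years) give the same ALE and therefore the same result.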
Apart from cost, companies should also keep in mind the maintenance an IDS requires. Threats and the surrounding technology are always changing, and so are the signatures, patches and configuration an IDS depends on (Wu, 2009). Ongoing maintenance is therefore needed to keep the IDS configuration accurate in detecting malicious traffic. Maintenance is usually performed through a graphical user interface (GUI) application, or through a secure web interface from a console. The administrator maintains the IDS by monitoring all of its components to identify operational problems and to confirm that the system is working as intended (Wu, 2009). Vulnerability assessment, tuning, checking detection accuracy and applying updates are also part of maintenance.
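An added example (not code from the page or from any IDS product) of what "tuning" and "checking detection accuracy" look like in practice: a minimal signature and threshold matcher run over constructed log lines, scored against analyst labels so that an overly broad ruleset can be compared with a tuned one. The log format ("src_ip proto payload"), the rule names, the regexes and the failed-login threshold are all assumptions made for the example:

```python
"""Signature and threshold matching over constructed traffic log lines, plus the
precision/recall measurement used when checking detection accuracy and tuning."""
import re
from collections import Counter, defaultdict

# Constructed log in the form "src_ip proto payload". The boolean is the
# analyst's ground-truth label (True = malicious) used to score the rules.
TRAFFIC = [
    ("10.0.0.5 http GET /login?user=admin' UNION SELECT password FROM users--", True),
    ("10.0.0.7 http GET /img/../../../../etc/passwd", True),
    ("10.0.0.9 http GET /search?q=union+of+states", False),
    ("10.0.0.9 http GET /files/../docs/a.pdf", False),
]
TRAFFIC += [("10.0.0.11 ssh failed password for root", True)] * 6   # brute force
TRAFFIC += [("10.0.0.12 ssh failed password for bob", False)] * 2   # ordinary typos

# Hypothetical pattern signatures (not taken from any real ruleset), before and
# after tuning. Each maps a rule name to a regex applied to the payload.
NAIVE_RULES = {
    "SQLI": re.compile(r"(?i)union"),          # fires on any 'union' in a URL
    "TRAVERSAL": re.compile(r"\.\./"),          # a single ../ is ordinary
}
TUNED_RULES = {
    "SQLI": re.compile(r"(?i)union\s+(?:all\s+)?select"),
    "TRAVERSAL": re.compile(r"(?:\.\./){2,}"),
}
SSH_FAIL_THRESHOLD = 5  # threshold rule: this many failed logins from one source


def detect(lines, rules, ssh_threshold=SSH_FAIL_THRESHOLD):
    """Return {line_index: [rule names]} for every line that raised an alert."""
    alerts = defaultdict(list)
    ssh_failures = Counter()
    ssh_lines = defaultdict(list)
    for i, line in enumerate(lines):
        src, proto, payload = line.split(" ", 2)
        if proto == "ssh" and "failed password" in payload:
            ssh_failures[src] += 1
            ssh_lines[src].append(i)
            if ssh_failures[src] == ssh_threshold:
                # Threshold crossed: every attempt from this source is part of it.
                for j in ssh_lines[src]:
                    alerts[j].append("SSH-BRUTE")
            elif ssh_failures[src] > ssh_threshold:
                alerts[i].append("SSH-BRUTE")
            continue
        for name, pattern in rules.items():
            if pattern.search(payload):
                alerts[i].append(name)
    return dict(alerts)


def accuracy(traffic, rules):
    """Precision and recall of a ruleset against labelled traffic."""
    lines = [line for line, _ in traffic]
    truth = {i for i, (_, malicious) in enumerate(traffic) if malicious}
    flagged = set(detect(lines, rules))
    tp, fp, fn = len(flagged & truth), len(flagged - truth), len(truth - flagged)
    return {
        "tp": tp, "fp": fp, "fn": fn,
        "precision": round(tp / (tp + fp), 2) if tp + fp else 0.0,
        "recall": round(tp / (tp + fn), 2) if tp + fn else 0.0,
    }


if __name__ == "__main__":
    print("naive:", accuracy(TRAFFIC, NAIVE_RULES))
    print("tuned:", accuracy(TRAFFIC, TUNED_RULES))
```

The naive rules catch every labelled attack but also raise two false positives on benign requests; the tuned rules keep the recall and remove the noise, which is the trade-off an administrator is measuring during tuning. The per-source counters and the regex scan of every payload are also where such a matcher falls behind on a busy link, which is the "lapses in analysis" limitation noted earlier.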
Regarding IDS flexibility, an automated incremental design integrated into the system makes an IDS more flexible (Baker and Prasanna, n.d.). FPGAs, for instance, provide a strong platform for hardware implementation because the ruleset changes dynamically (Baker and Prasanna, n.d.). A new ruleset for the hardware implementation must be added to the library of detected attacks, which calls for regenerating the device configuration. The advantage of using an FPGA for IDS flexibility is that the system can exploit massive parallelism for what is a highly computation-intensive task (Baker and Prasanna, n.d.).
Given the cost-effectiveness, capabilities and maintenance requirements of an IDS, using the security system is feasible. According to the quantitative feasibility study by Otey et al. (2002), the larger the computational cost of detection, the better the host-based approach performs. The study also finds that a NIC-based IDS works better from several network security standpoints. Incremental techniques, and the use of real intrusion data such as the DARPA and KDD Cup datasets to evaluate detection algorithms, lead to more effective intrusion detection, which is crucial for large organizations. Furthermore, using an IDS to protect network systems from external threats is highly beneficial in limiting successful attacks and therefore in reducing occurrences of data loss.
References
Baker, Z. K., & Prasanna, V. K. (n.d.). Automated incremental design of flexible intrusion detection systems on FPGAs. Retrieved from http://gridsec.usc.edu/files/TR/TR11_zbakerHPEC04.pdf
Otey, M., Noronha, R., Li, G., Parthasarathy, S., & Panda, D. K. (2002). NIC-based intrusion detection: A feasibility study. Workshop paper, IEEE ICDM 2002. Retrieved from http://www.cse.ohio-state.edu/dmrl/papers/ICDM02-ws.pdf
SANS Institute (2001). Understanding intrusion detection systems. SANS Institute InfoSec Reading Room. Retrieved from http://www.sans.org/reading_room/whitepapers/detection/understanding-intrusion-detection-systems_337
Wei, H., Frincke, D., Carter, O., & Ritter, C. (2001). Cost-benefit analysis for network intrusion detection systems. CSI 28th Annual Computer Security Conference. CiteSeerX 10.1.1.20.5607
Wu, T. (2009). Intrusion detection systems (Information Assurance Tools Report). Retrieved from http://iac.dtic.mil/csiac/download/intrusion_detection.pdf