An Effective Technologies in Providing Effective Defense to Businesses - Research Paper Example

Introduction Organizations in the modern world deal with a lot of information and keeping pace with existing needs of businesses in this modern age has forced virtually every big and medium corporation to use the services of an IT infrastructure in the workplace in order to store, retrieve and process data as required. In order to provide the required IT solutions, it is necessary to connect people and resources across a broad domain that spans across physical and geographical frontiers. Networks are a standard component of any IT solutions within a business environment and the size, speed, scale and efficiency of the network depends on the demand and the range of responsibilities that the network needs to provide. Additionally, most of this IT infrastructure is dependent on the efficiency of an underlying corporate network that ultimately delivers the requisite services to professionals within the organization (Northcutt & Novak, 2002). Data Concerns Data used and stored in a company is often very sensitive and is considered to be a valuable asset by any company, whose secrecy and integrity is essential for the business to succeed and carry on its operations. With the rise in the size and extent of networks combined with the huge popularity of the Internet, the security of the data of an organization has never faced a more sever risk of bring accessed and compromised (Northcutt, Frederick, Edmead, & Winters, 2002). In fact, a major chunk of the work of today’s software and network specialists is aimed at identifying and mitigating all such possible risks and attacks that a network is capable of being attacked with in a proactive manner. In fact, the rise in the use of the Internet has spurned a rather huge increase in the spread of viruses and other harmful content across networks that have crippled several systems of some of the major corporations in the world, whose networks were earlier believed to be impenetrable. Intrusions by several unscrupulous elements into corporate and government networks has led to the stealing of critical information, many of which assume national importance owing to their sensitivity. Defining Intrusion With the rise in the speed of today’s networks and with faster speeds promised in the near future, network intrusions are taking place at an even more rapid pace than imagined earlier. Earlier efforts at patching entry points to a network and preventing anonymous accesses by outsides has encourage intruders to develop sophisticated techniques to penetrate networks and cause harm in several forms that includes anything from corrupting data, destroying networks and IT infrastructure to preventing users from accessing their files and terminals. Earlier attempts at mitigating intrusions have simply been thwarted leaving critical systems vulnerable to any form of attack. According to Garay, Peralta, & Mambo (2007), governments and other agencies have recognized the modern influence of networks and have enacted several regulations aimed at ensuring the protection, privacy and integrity of data. However, current skills with intruders leave very little at the hands of lawmakers to identify and nab potential culprits. Intrusion Risk Owing to all these pitfalls that exists in an unsecured network, corporations make heavy investments in providing security to their networks and plugging all potential gaps that may exist. Enterprise security threats are tackled by solutions that use a multitude of complimentary technologies to provide the maximum possible protection to the network against vulnerabilities and attacks. Risk management in real time comprises the use of techniques to block, prevent and clean intrusions and other unauthorized attempts. Intrusion prevention systems (IPS) are components that are made up by a combination of relevant hardware and software that allow the creation of trusted systems and networks. By the combination of some of the best and proven technologies available in the market, organizations strive to achieve a robust and secure infrastructure that is robust in nature (Strebe, 2002). This means that any attacks and attempts at intrusion will be met with very little probability of success and the networks will make a more efficient use of scarce resources. Despite investing heavily in building security around networks, businesses are on the constant lookout to minimize their operating costs and deploy technology in a very limited way. By doing so, companies seem to reassure themselves in a convincing manner that the system will protect the organization from unauthorized attacks, which of course is a fallacy that many corporations possess even today. Intrusion’s Infrastructure Nystrom & Fry (2009) claim that had the nature of attacks and malicious viruses had remained predictable and in a sense static in terms of semaphoring, it would certainly have been easy to provide a basic level of security to systems and be assured that there was no need for a redundant rationalization of the implementation. However, the field of intrusion remains a highly active and dynamic arena that is popular with several individuals and groups who openly share information and new tricks and tactics across the web. As such, owing to the thriving and growing nature of intrusion techniques, it is true that no amount of security whatsoever will proactively identify all possible exploits that may attack the system. Successful attacks result in a number of impacts on the organization such as the loss of data, reputation, business, credibility and most importantly valuable revenue. Intrusion’s Costs As such, the costs associated with deficiencies in intrusion detection system have a rather profound impact on the financial performance of the organization. In the present scenario where business rely heavily on the use of electronic data and information of processes to conduct everyday operations and control the various workflows in the company, it is quite evident that the potential implications of a critical system being compromised due to a security vulnerability are manifold and could seriously impact the future of the company. One of the most common impacts of successful attacks has been the denial of services to end users and lack of productivity owing to disruption of access to systems and networks. Any such vulnerability also strains the time and resources of an IT department owing to the exorbitant times that is usually required to first identify the attack, its extent of impact, the manner in which can be removed and ultimately the process to implement by which the network would not be attacked again in a similar or likely manner (Yang, 2007). Any corruption or delay in protecting client sensitive data especially in the case of the health, insurance and financial sectors has dealt a severe blow to several companies, which has resulted in loss of customer satisfaction and belief thereby turning the market favor against the company. Ultimately, such an impact has directly affected the profitability and turnover of the company. Intrusion Process and Protective Measures Intrusion is usually carried out in a series of stages. Beginning with initial reconnaissance and scanning of the network neighborhood, the attack progresses to identifying deficiencies in the access credentials of the network and thereafter carries out the intrusion depending on the outcome of these fact finding initiatives. Network and host intrusion prevention systems are therefore aimed at preventing sophisticated threats from accessing critical assets of the organization. The Computer Security Institute is an organization that is actively involved in monitoring the standards and practices that are adopted in the market towards host and network security as well as intrusion prevention and detection. The institute also releases surveys and reports on several issues associated with computer security in an effort to educate the public on the general and current issues associated with network security. the aim of organizations such as the CSI and the governmental agencies such as the Computer intrusion squad of the FBI (Federal Bureau of Investigation) is to enhance the level of awareness on security and ensure that the scope of computer and information theft is adequately defined (Bejtlich, 2005). According to Bejtlich (2005) most recent surveys, it has been found that the level of breaches into computer installations has grown unabated despite the affirmation from companies that they have installed the latest intrusion prevention systems. The analysis has further reflected that such threats have increasingly eaten into the monetary resources of organizations. For instance, the computer crime and security survey released in 2001 has claimed that 85% of the respondents that included several prominent businesses and federal security agencies had detected intrusions into their systems that had broken into several layers of security and access levels. Almost a similar number have acknowledged financial losses due to such breaches amounting to nearly $400 million. This was an increase of more than $150 million in comparison to the previous year. A bulk of the crime has been committed through theft of proprietary and personal information in addition to financial fraud (Bejtlich, 2005). Example of Intrusion A major proportion of these attacks have been identified as being directed from across their internet connections that expose corporate networks to the outside world. This suggests that organizations have not been doing enough to plug all loopholes that exist with their internet connections and equipment or that the technologies implemented to protect such interfaces have not been upgraded to be able to ward of any modern and sophisticated attacks. In comparison, only 3 out of every 10 respondents who had reported of intrusion cited internal systems as the origins of the identified attacks. However, the rise in internet based attacks has risen by an alarming 6% every year, which shows that the computer security industry is increasingly finding itself in a position where it is not able to keep up with the dynamic nature of newer computer attacks and techniques. False Protections It has been recognized that some of the companies were falsely convinced that the equipment that they had had in place was adequate for their security needs. Many of them were in favor of just a basic level of security as they had a false apprehension that no one would be really interested in gaining access to their corporate systems, especially from outside. As such, many companies chose to buy cheaper and inferior security systems that had not been upgraded over time. Crothers (2002) further believes that the real threat to corporate security lie from within and that prompted them to require their staff to be able to access systems with several user credentials so that they had access to information only to the extent they were supposed to. Therefore, even through the network was immune to attack from a novice internal user; the lack of proper equipment (sometimes due to lesser budgetary allocations) was the primary source of some of the major and widespread attacks reported during the past decade. Apart from over two-fifths of known attacks that are known to penetrate networks from outside, an increasing number of such attacks are known to cause several damages. Apart from access to information and resources, almost 35% of the attacks have inflicted denial of service attacks. These attacks render systems useless and therefore do not intend to retrieve any valuable information. Of the most widespread form of such attacks is SQL injection, where a user uses a badly programmed corporate website’s URLs (Uniform resource locator) and inserts SQL (Structure query language used for databases) queries that corrupt the database. Subsequent users were presented with sites that were defaced, or had their information distorted or some of the application variables were modified to such an extent that the application could not even start. Other attacks are known to cause the application to run at such a pace that the system is rendered at maximum utilization thereby rendering it incapable of handling any process. In case of an environment that consisted of several servers, modern attacks prompt several copies of the processes to run on these systems thereby rendering the entire cluster incapable (Kruegel, Lippmann, & Clark, 2007). The above points suggest that in the present scenario, it is not just enough for businesses to emphasize on keeping their networks secure. Apart from standard security policies that govern network operations, it is also essential to guard system resources and software against such attacks. If the code that makes up applications is not developed in a proper way, then no amount of network security will be useful as the attacker can simply manipulate the program to carry out an attack, thereby providing him entry into the network. Developers have often cited lack of consideration of required development times by management as one of the most profound reasons for such bad programming. In an effort to deploy the software at the earliest possible times, corporations have allocated very little budget than what would have been required to provide adequate design, analysis, development, testing and maintenance of the software (Yang, 2007). With pressures on time and budget, development teams were stretched to great extents and had to use shortcuts to deliver the product on time. The resulting implications of such deficient systems are there for everyone to see. Employee Malpractice Ioannidis, Keromytis & Yung (2005) note that employees have often used deficient applications to gain unauthorized access to network resources that has resulted in the abuse of network. Downloading illegal content and gaining access into the resources of competitors and management such as files and email has become a common form of attack these days. Studies have shown that employees are able to enhance the proficiency with which they access software systems and a constant use allows them be familiarized with the system that over time, they are good enough to highlight several vulnerabilities in the system. The organization is benefited if these get reported and acted upon promptly. However, if the employee sees this as a means to make a profit or cut corners, then the entire organization is put at risk. Lack of proper systems was one of the reasons why there have been cases where employees of some of the major banks have been able to access credit card details of customers and used them for personal benefit. Storage Time Bombs Another area that is often overlooked by corporate networks is the use of storage medium. Almost 40% of viruses that have been reported have known to originate from storage devices ranging from corrupt disks in network servers to simple USB flash memory. Computer viruses come in several forms that are capable of doing virtually anything if not acted upon. A whopping 95% of businesses that generate revenue through e-commerce have accepted that their networks have been the target of viruses, Trojans and worms that have aimed to perform varied things such as crediting money into unofficial accounts, trying to get products for free as well as attempting to modify information (Rehman, 2003). Another interesting point that has surfaced through these surveys is that more than a quarter of the respondents have acknowledged that they do not even know if their networks have been attacked. Given the widespread nature of attacks that e-commerce solutions are subjected to, such a high incidence of lack of knowledge only indicates that companies are not allocating enough resources to monitor these attacks. They do not spend enough to ensure that their networks are secured and updated as the complexity of viruses increases. Corporate Intrusion Awareness One of the most important things that companies refrain from understanding is that corporate network security is not just about trying to mitigate all possible security systems and intrusion prevention systems and convince oneself that they are secure from attacks and can go about their usual business. In this context, companies that allot a serious thought to network security reach out to prevent any lapses, but do not provide the same emphasis on creating plans to counter any vulnerability that has been successfully exploited. This is one of the primary reasons why companies find it hard to restore normalcy in operations whenever a successful network intrusion and attack is carried out. In the event of any attack, companies are forced to halt major operations and devote crucial resources to initially identify the nature and origin of attack. In large corporate IT infrastructures, this is as difficult as searching for a needle within a haystack. Additionally, companies have to make tremendous efforts at detecting the extent of damage that has been caused by the attack and spend additional time on reinforcing that adequate measures have been taken to eliminate the error from occurring again. All this is absolutely necessary for the company to get back on track and infuse confidence amongst its customer, which of course comes at a heavy price. had the organization looked into its intrusion prevention infrastructure with more seriousness and concern and had it allocated more time, money and resources to mitigating risks, the outcome would have been quite different and allowed the company to cut down costs to the maximum level. All this explains that companies need to encourage their developers and software providers to develop applications that have the capability to identify all possible vulnerabilities in the code and logic and mitigate them. Additionally, resources that are part of the IT set up such as servers and workstations need to be placed in proper de-militarized zones that are secured against any possible attacks and not visible to outsiders in any case (Vacca, 2005). Bayesian influence on network intrusion Intrusion detection systems have been developed by using the Bayesian networks, as an example displayed in the diagram Figure 1, which allows for the classification of events thereby helping in reduction of the amount of false alarms. As such, the Bayesian approach is used to enhance the aggregation of the outputs of several network models thereby allowing their integration into a common approach. The Bayesian influence on network intrusion detection has proven to enhance the accuracy with which intrusions are detected in comparison to earlier methods which were based on thresholds. According to Amor (2004), who has studied a comparison of Bayesian networks with decision tree based approaches a similarity in the structure and performance has however led to an attractive influence on the use of Bayesian networks for network intrusion. The Bayesian approach has been used by other studies to categorize intrusion events on the basis of several parameters (Jensen, 1996). Bayesian networks allow for the modeling of networks through attack procedures and detection alerts. Using this approach, one can identify unobserved attacks that have been carried out based on the detectors alerts that have been previously observed. By definition, a Bayesian network is a probalistic model that is based on ‘n’ random variables (v1, v2, …..vn) which are based on a directed acyclic graph G=(N, E). here ‘N’ represents the set of nodes associated with the variable set explained above. E N X N is the set of directed edges that joins some of the nodes in an acyclic manner. the graph edge are weighted by the probabilities of nodes on the basis that their parents are a part of the joint distribution P(V). Bayesian networks aim to satisfy three primary requirements. The first is associated with inferring the variables associated with nodes that are unobservable given that the values for observable nodes are known. This is synonymous with predicting whether the attack has been carried out based on the alerts from the detector. The second requirement is that the learning of the conditional probabilities within the model are dependent on the availability of data which is estimated from detectors’ reliability and probabilistic dependencies of the steps of the attack. The third requirement is to learn the architecture constantly based on existing data and improve upon it. The second requirement with estimating probabilities is performed through risk assessment and quality estimation of detectors. The third requirement is achieved through extensive graph generation and mapping between an attack graph and Bayesian network. In Bayesian network studies, the nodes are of two varieties represented by V = Va U Vb. The first set Va is the set of binary variables that specify whether an attack step occurred or not. The second set Vb also represents binary variables that identify whether the associated detector has issued an alert (Jensen, 2001). The first set that denote the steps of attack are unobserved while the other set represents alerts that have been observed and make up the path for analysis. The Bayesian network is therefore a joint distribution P (V) = P (Va, Vb), which is used to calculate the probabilities of the unobserved set using the observed values. This is denoted by P (Va | Vb) = P (Va, Vb) / P (Vb). This conditional probability reflects that progress in estimating successful steps of attack using the set of detectors. Figure 1. The Bayesian influence diagram shown in Figure 1 above represents two types of nodes, an unobserved node (v) and an observed node (u). The detector alert corresponds to the observed node and its conditional probabilities are available for the true and false types, denoted by α and β respectively. The analysis is based on simulation and is studied by the introduction of attacks through special software tools that analyze the vulnerability of the network (Cowell, 2007). In the event of disruption to normal work and corruption of data that is important to an organization as a result of successful intrusion, the task of assessing the extent to which the attack has succeeded in reaching the inner levels of the network and the amount of data and IT resources that have been damaged as a result is a specialized task that requires the company to shell out more money. This is necessary and inevitable in the event of an attack as the company needs to reassure itself on the quality of the measures taken to identify and eliminate the attack along with the accompanying errors (Kros, Foltz & Metcalf, 2004). As displayed by this paper, there are many quantifying options available to manage the costs of network intrusion, which clearly outlines the importance of using the most effective tools available. The ability to implement the most effective tool will provide accurate remedies in issuing a solution for quantifying the cost of network intrusions. Kros et al. (2004) continues to suggest that using the Bayesian influence diagram as shown previously should also be used in parallel with a decision tree method. Kros et al. (2004) states, The Bayesian networks constitute a hybrid representation for tools, which show the set of decision variables and problems structures in regard to network intrusion. The influence diagram shows dependencies among the variables while the decision tree allows for sequential analysis of probable loss. Implementing and combining the Bayesian influence diagram with the decision tree in order to quantify the cost of network intrusion, provides an effective and reliable decision process. By using the Bayesian influence diagram and decision tree process, removes ineffective decisions and offers a decision maker the opportunity to analysis the importance and reaction of an attack. According to Kros et al. (2004), “corporations can look at various security measures to determine the influence such measures have upon the final outcome of potential loss” (pg. 38). Examining an example of a decision tree is as follows: The decision tree diagram Figure 2 shown above displays the intrusion detected by the down arrow and under the determined response and risk block is followed by sub-units such as intrusion type, potential loss, and counter measures. These sub-units assist in determining the outcome of the response based on the intrusion risk. Using the Bayesian influence diagram and the decision tree diagram allows a decision maker to examine the various details of the network intrusion can be categorized and the procedures in response can then be implemented regarding time, occurrences, complexity, risk, loss and the determination of the situation. The problem of identifying the ideal location for detectors is another area that has not been studied properly by researchers involved in intrusion detection although related areas have been subjected to extensive research especially in the areas of sensor fields and physical network security. Conclusion Industry experts cite that it is increasingly difficult for IT departments in organizations to get the attention of their CEOs and other senior management to the seriousness of the problem. Government agencies have been striving to get businesses involved in an effort to stimulate general awareness and cooperation among corporations to stave off cyber attacks. Girdardin (1999) states, “Current intrusion detection systems are targeted toward unattended operations. The primary weakness of such systems is their inability to cope with new, sophisticated, and structured attacks. And such attacks represent the greatest threat to security” (pg. 1). The primary position of this problem is that effective communications of the basic network security principles and the understanding of the importance of implementing significant tools and techniques should be commonplace with senior management (Wagner & Phillip, 2006). However, analysis of the industry during the past decade has revealed that neither corporations nor technologies are effective in providing effective defense to businesses. The policies in place do not give enough powers to law enforcement agencies to act upon potential threats. Standard and highly regarded practices such as data encryption and secure connections are broken at will by anonymous attackers, who are succeeding at maintaining their anonymity. As such, organizations that wish to succeed against network intrusion in the near future must have requisite procedures in places to prevent intrusion and provide detection. A comprehensive solution that embraces the human and technological perspectives associated with network security needs to be adopted if future attacks are to be thwarted. For an example, Langer (2001) concludes that technological infrastructure should be implemented into the core functionality of business operations and that action science can promote the formulation of reflection thinking. Additionally, companies need to understand that they need to devote sufficient resources and budgets to security so that they do not have to end up spending a lot more towards correcting disruptions and deficiencies. The staff needs to be trained, empowered and provided required flexibility to be able to deliver information security across the business enterprise. References 1. Stephen Northcutt, Judy Novak (2002), Network intrusion detection. New York: Sams Publishing. 2. Juan Garay, Rene Peralta, Masahiro Mambo (2007), Information Security: 10th International Conference, ISC 2007, Valparaíso, Chile, October 9-12, 2007 : Proceedings. Boston: Springer. 3. Stephen Northcutt, Karen Frederick, Mark T Edmead, Scott Winters (2002), Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems. New York: New Riders. 4. Matthew Strebe (2002), Network Security Jumpstart: Computer and Network Security Basics. New York: John Wiley. 5. Martin Nystrom, Chris Fry (2009), Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks. London: O'Reilly. 6. Christopher C. Yang (2007), Intelligence and Security Informatics: Pacific Asia Workshop, PAISI 2007, Chengdu, China, April 11-12, 2007 : Proceedings. New York: Springer. 7. Richard Bejtlich (2005), The Tao of Network Security Monitoring: Beyond Intrusion Detection. London: Addison Wesley. 8. Tim Crothers (2002), Implementing Intrusion Detection Systems. New York: Wiley. 9. Christopher Kruegel, Richard Lippmann, Andrew Clark (2007), Recent Advances in Intrusion Detection: 10th International Symposium, RAID 2007, Gold Goast [i.e. Coast], Australia, September 5-7, 2007 : Proceedings. New York: Springer. 10. Finn V. Jensen (1996), An Introduction to Bayesian Networks. London: Springer. 11. Finn V. Jensen (2001), Bayesian Networks and Decision Graphs. London: Springer. 12. Robert G. Cowell (2007), Probabilistic Networks and Expert Systems: Exact Computational Methods for Bayesian Networks. London: Routledge. 13. John Ioannidis, Angelos Keromytis, Moti Yung (2005), Applied Cryptography and Network Security: Third International Conference, ACNS 2005, New York, NY, USA, June 7-10, 2005 : Proceedings. New York: Springer. 14. Rafeeq Ur Rehman (2003), Intrusion detection systems with Snort: advanced IDS techniques using Snort, Apache, MySQL, PHP, and ACID. London: Prentice. 15. John R. Vacca (2005), Computer forensics: computer crime scene investigation. Michigan: Cengage. 16. Debra Littlejohn Shinder, Ed Tittel (2002), Scene of the Cybercrime: Computer Forensics Handbook. London: Syngress. 17. Kros, Foltz & Metcalf (2004), Assessing and Quantifying the loss of network intrusion. Journal of Computer Information Systems. 18. Langer, A. M. (2001). Fixing bad habits: integrating technology personnel in the workplace using reflective practice. Reflective Practice, Vol. 2, pp. 99-111. Retrieved February 10, 2009, from Business Source Complete database. 19. Wagner, P., & Phillips, A. (2006, December). A portable computer security workshop. Journal on Educational Resources in Computing, ACM Computing Surveys (JERIC), 6, 4, 3. Retrieved February 10, 2009, from http://doi.acm.org/10.1145/1248453.1248456 20. Girardin, Luc. (1999). An eye on network intruder-administrator shootouts. USENIX Association Paper. Retrieved February 10, 2009, from http://www.usenix.org/events/detection99/full_papers/girardin/girardin.pdf Read More