
The Adoption of Intrusion Detection System - Essay Example


Information security is a major concern of organizations today. Firms rely on information systems to facilitate essential business processes and are at risk due to a variety of factors. The 2003 survey on information security experiences and practices conducted by the Computer Security Institute (CSI) and the U.S. Federal Bureau of Investigation (FBI) explained, "the risk of cyber attacks continues to be high." The survey showed that an astonishing 74% of the 530 "security practitioners" in the survey sample reported they had experienced at least one information security incident in the prior twelve months, while 36% had experienced anywhere from six to thirty incidents over the same period. Of the participants in the study, 75% indicated they had experienced financial losses as a result of information security incidents (Richardson, 2003). Healthcare organizations are in an especially vulnerable position because of the sensitivity of the information stored on their systems. Accordingly, it is imperative that Healthcare Organization A adopt and implement an intrusion detection system (IDS). Following a definition of IDS, this essay will argue that it is imperative for our organization to adopt such a system.

IDSs are similar to home burglar alarm systems, alerting neighbors, homeowners, and law enforcement that someone or something has broken through the security measures. Intrusion detection (ID) techniques attempt to identify and isolate computer and network attacks by observing traffic logs or audit data. IDSs are based on the idea that an intruder can be detected through the examination of various elements, such as network traffic, packet elements, central processing unit use, input/output use, and file activities (Proctor, 2001). IDSs are powerful tools used to reduce and monitor computer attacks. The goal of ID is to positively identify all true attacks and negatively identify all non-attacks (Proctor, 2001).

The motivation for using ID technology may vary for different sites. Some may be interested in law enforcement, including the tracking, tracing, and prosecution of intruders. Some may use ID as a mechanism for protecting computing resources. Others may be more interested in identifying and correcting vulnerabilities. Not only is it important to put access-control measures in place, but it is also important to verify whether or not an intruder has breached the access controls (Proctor, 2001). To fully protect an organization, it is necessary to audit the network on a regular basis for intrusion attempts. An intrusion is any set of actions that attempts to compromise the availability, integrity, or confidentiality of the system. To make an audit easier, a new category of software has emerged: the IDS (Proctor, 2001).

ID is needed because firewalls cannot provide complete protection against intrusion. Experience teaches us never to rely on a single defensive line or technique. A firewall serves as an effective noise filter, stopping many attacks before they can enter an organization's networks. However, firewalls are vulnerable to errors in configuration and to ambiguous or undefined security policies. They are also generally unable to protect against malicious mobile code, insider attacks, and unsecured modems. Firewalls rely on the existence of a central point through which traffic flows. With a growing trend toward geographically distributed networks with internal and external users, there is a greater chance for compromise. Therefore, the absence of central points for firewall monitoring purposes is a relevant concern.

A computer system should provide confidentiality, integrity, availability, and assurance against denial of service (DoS). However, due to increased connectivity (especially on the Internet) and the vast spectrum of financial possibilities that are opening up, more and more systems are subject to attack by intruders. These subversion attempts try to exploit flaws in the operating system as well as in application programs and have resulted in spectacular incidents like the Internet Worm incident of 1988 (Bandy, Money, Worstell, & Saita, 2001).

There are two ways to handle subversion attempts. One way is to prevent subversion itself by building a completely secure system. Networks, for example, could require all users to identify and authenticate themselves. Such networks would protect data by various cryptographic methods and very tight access-control mechanisms. However, this is not really feasible, for the following reasons. In practice, it is not possible to build a completely secure system. Bandy et al. (2001) gave a compelling report on bugs in popular programs and operating systems that seems to indicate that (a) bug-free software is still a dream and (b) no one seems to want to make the effort to try to develop such software. Apart from the fact that we do not seem to be getting our money's worth when we buy software, there are also security implications when our e-mail software, for example, can be attacked. Designing and implementing a totally secure system is thus an extremely difficult task. The vast installed base of systems worldwide guarantees that any transition to a secure system (if it is ever developed) will be long in coming. Cryptographic methods have their own problems. Passwords can be cracked, users can lose their passwords, and entire crypto-systems can be broken. Even a truly secure system is vulnerable to abuse by insiders who abuse their privileges. The level of access control is inversely related to user efficiency: the stricter the mechanisms, the lower the efficiency becomes.

That leaves the second way: if there are attacks on a system, network administrators would like to detect them as soon as possible and take appropriate action. This is essentially what an IDS does. According to Bandy et al. (2001), an IDS does not usually take preventive measures when an attack is detected. It is a reactive rather than proactive agent; it plays the role of an informant rather than a police officer.

The most popular way to detect intrusions has been by using the audit data generated by the operating system. An audit trail is a record of activities on a system that are logged to a file in chronologically sorted order. Because almost all activities are logged on a system, it is possible that a manual inspection of these logs would detect intrusions. However, the incredible amount of audit data generated (on the order of 100 Megabytes a day) makes manual analysis impossible. IDSs automate the drudgery of wading through the audit data jungle. According to Bandy et al. (2001), audit trails are particularly useful because they can be used to establish the guilt of attackers. Audit trails are often the only way to detect unauthorized but subversive user activity. Often, even after an attack has occurred, it is important to analyze the audit data so that the extent of damage can be determined. Additionally, the analysis facilitates tracking down the attackers and may reveal steps to be taken to prevent such attacks in the future.

In conclusion, the adoption of IDS can enhance information security and, importantly, ensure that databases containing highly sensitive patient information are not accessed by unauthorized personnel. The adoption of such a system is an imperative imposed upon us, as a healthcare organization, by the very nature of the information we store on our systems and the phenomenon of Internet connectivity.

Bibliography

Proctor, P. E. (2001). The practical intrusion detection handbook. Upper Saddle River, NJ: Prentice Hall.

Bandy, Money, Worstell, & Saita. (2001). The Need for IDS. Retrieved August 2003, from http://www1.acm.org/crossroads/xrds2-4/intrus.html#ref12

Richardson, R. (2003). Eighth Annual CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.
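The automated audit-trail analysis the essay describes, as an added example that is not part of the original essay: one assumed rule (repeated failed logins within a minute, then everything that account does next) runs over a constructed, chronologically ordered audit trail and is scored against the stated goal of flagging all true attacks and no non-attacks. The log format, account names, thresholds and ground-truth labels are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail (chronological); the last field is a ground-truth
# label used only to score the detector, as a real trail would not carry it.
TRAIL = """\
2003-08-01T09:00:05 alice login_ok workstation7 benign
2003-08-01T09:02:11 alice read patient_db benign
2003-08-01T23:14:01 bob login_fail vpn attack
2003-08-01T23:14:03 bob login_fail vpn attack
2003-08-01T23:14:06 bob login_fail vpn attack
2003-08-01T23:14:09 bob login_ok vpn attack
2003-08-01T23:15:40 bob read patient_db attack
2003-08-02T08:30:00 carol login_fail workstation2 benign
2003-08-02T08:30:20 carol login_ok workstation2 benign
2003-08-02T08:31:00 carol read billing_db benign
"""

def parse(trail):
    for line in trail.splitlines():
        ts, user, event, obj, label = line.split()
        yield datetime.fromisoformat(ts), user, event, obj, label

def detect(records, max_fails=3, window=timedelta(minutes=1)):
    """Return indexes of flagged records. Assumed rule: max_fails failed logins
    inside `window` mark the burst, and all that user does afterwards, as suspect."""
    fails = defaultdict(deque)      # user -> (index, time) of recent failures
    suspects, flagged = set(), set()
    for i, (ts, user, event, _obj, _label) in enumerate(records):
        if event == "login_fail":
            q = fails[user]
            q.append((i, ts))
            while ts - q[0][1] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= max_fails:
                suspects.add(user)
                flagged.update(idx for idx, _ in q)
        if user in suspects:                # report only; nothing is blocked
            flagged.add(i)
    return flagged

def score(records, flagged):
    """Confusion counts: the ID goal is fn == 0 and fp == 0."""
    truth = {i for i, r in enumerate(records) if r[4] == "attack"}
    return {"tp": len(flagged & truth), "fp": len(flagged - truth),
            "fn": len(truth - flagged)}

RECORDS = list(parse(TRAIL))
print(score(RECORDS, detect(RECORDS)))
```

Lowering `max_fails` to 1 flags carol's single mistyped password as an attack, and raising it to 4 misses bob's session entirely, which is the tuning trade-off behind identifying all true attacks while rejecting all non-attacks.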