Dynamic Vulnerability Analysis, Intrusion
Detection, and Incident Response
Kevin M. Smith
CSEC662 – University of Maryland, University College
31 May 15
TABLE OF CONTENTS
Overview
Greiblock Credit Union Policy Regarding Dynamic Vulnerability Analysis, Intrusion Detection, and Incident Response
  Purpose
  Scope
  Policy
    Dynamic Vulnerability Analysis
    Intrusion Detection
    Incident Response
  Enforcement
    Dynamic Vulnerability Analysis
    Intrusion Detection
    Incident Response
  Metrics
    Dynamic Vulnerability Analysis
    Intrusion Detection
    Incident Response
References
OVERVIEW
With the increase in threats over the past few years, it is no longer acceptable for an organization to feel data is protected
• Determining what hardware underlies applications and data – to identify servers (both physical and virtual), web based applications, and data storage devices that hold critical and sensitive data.
• Mapping of network infrastructure – to understand the network devices that applications and hardware depend on for secure performance.
• Identification of controls already in place – including policies, firewalls, applications, intrusion detection and prevention systems, virtual private networks, data loss prevention and encryption.
• Running vulnerability scans – to identify known vulnerabilities within an organizational system.
• Application of context to scan results – to determine which infrastructure vulnerabilities should be targeted first and most aggressively.
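The last step, applying context to raw scan results, is easiest to see in code. The following is an added example, not part of the original paper or of any GCU system: it takes a constructed asset inventory (the output of the hardware and network-mapping steps), constructed scanner findings, and assumed weighting factors for Internet exposure, data sensitivity and exploit availability, and ranks the findings so that a lower-scored flaw on a sensitive database can outrank a higher-scored one on an isolated workstation.

```python
"""Ranking vulnerability scan findings by asset context.

Added example with constructed data: the asset inventory, the scanner
findings and the weighting factors are assumptions for illustration,
not Greiblock Credit Union data or any scanner's real output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    role: str                 # e.g. "web", "db", "workstation"
    internet_facing: bool     # reachable from the Internet?
    holds_sensitive_data: bool


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str               # scanner check name (constructed)
    cvss: float               # base score as reported by the scanner
    exploit_available: bool   # public exploit known for this flaw?


# Constructed asset inventory (from the hardware and network-mapping steps).
ASSETS = {
    "web01": Asset("web01", "web", True, False),
    "db01": Asset("db01", "db", False, True),
    "ws17": Asset("ws17", "workstation", False, False),
}

# Constructed scanner output (from the vulnerability-scan step).
FINDINGS = [
    Finding("ws17", "outdated-browser-plugin", 9.8, True),
    Finding("db01", "weak-tls-cipher", 5.3, False),
    Finding("web01", "unpatched-web-server", 7.5, True),
    Finding("db01", "default-admin-account", 8.8, True),
]

# Assumed weighting factors; an organization would tune these to its risk appetite.
EXPOSURE_WEIGHT = 1.5
SENSITIVITY_WEIGHT = 1.4
EXPLOIT_WEIGHT = 1.2


def contextual_score(finding: Finding, assets: dict) -> float:
    """Start from the scanner's CVSS score and weight it by the asset's
    exposure, the sensitivity of the data it holds and exploit availability.
    A host missing from the inventory keeps its bare CVSS score."""
    asset = assets.get(finding.host)
    score = finding.cvss
    if asset is None:
        return score
    if asset.internet_facing:
        score *= EXPOSURE_WEIGHT
    if asset.holds_sensitive_data:
        score *= SENSITIVITY_WEIGHT
    if finding.exploit_available:
        score *= EXPLOIT_WEIGHT
    return round(score, 2)


def prioritize(findings, assets):
    """Return findings ordered so the first one should be remediated first."""
    return sorted(findings, key=lambda f: contextual_score(f, assets), reverse=True)


if __name__ == "__main__":
    for f in prioritize(FINDINGS, ASSETS):
        print(f"{contextual_score(f, ASSETS):6.2f}  {f.host:6}  {f.plugin}")
```

With these weights the default administrative account on the database ranks first even though the workstation plugin has the higher raw CVSS score; that reordering is exactly what the "application of context" step is meant to produce.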
The goal of intrusion detection is to monitor network assets, detect anomalous behavior, and identify misuse within a network (Ashoor, Gore, 2011). An intrusion detection system (IDS) is a device or software application that monitors network system activities for malicious activity or policy violations and produces reports to a management station (Kashyap, Agrawal, Pandey, Keshri, 2013). There are three types of IDS:
• Host based IDS – monitors the computer system on which it is installed in order to detect intrusion or misuse by analyzing several types of log files, including kernel, system, server, network and firewall logs, and compares the logs with signatures of known attacks.
• Network based
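A host-based IDS of the kind described above is essentially a loop that reads log lines and compares them with attack signatures. The following is an added example written for this page, not code from the paper or from any IDS product: the signatures are regular expressions over constructed syslog-style lines (SSH, sudo and kernel firewall messages), and a threshold rule raises a separate alert when one source address exceeds an assumed number of invalid-user login attempts.

```python
"""Minimal signature-based host IDS over log lines.

Added example with constructed signatures and constructed log lines; the
patterns are illustrative and do not come from any real signature set.
"""
import re
from collections import Counter

# Constructed signatures: name -> compiled regex applied to one log line.
SIGNATURES = {
    "ssh-invalid-user": re.compile(
        r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"),
    "sudo-failure": re.compile(r"sudo: .*incorrect password attempts"),
    "firewall-drop-inbound": re.compile(
        r"kernel: .*DROP.*SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*DPT=(?P<dport>\d+)"),
}

# Assumed threshold: this many invalid-user attempts from one source is a brute force.
BRUTE_FORCE_THRESHOLD = 3

# Constructed log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    "May 31 10:01:02 host1 sshd[2211]: Invalid user admin from 198.51.100.7",
    "May 31 10:01:04 host1 sshd[2213]: Invalid user test from 198.51.100.7",
    "May 31 10:01:06 host1 sshd[2215]: Invalid user oracle from 198.51.100.7",
    "May 31 10:02:00 host1 sshd[2220]: Accepted publickey for alice from 203.0.113.5",
    "May 31 10:03:11 host1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 "
    "DST=10.0.0.5 PROTO=TCP SPT=44321 DPT=3306",
    "May 31 10:04:30 host1 sudo: bob : 3 incorrect password attempts ; TTY=pts/0",
]


def match_signatures(line):
    """Return (signature name, match object) for every signature the line matches."""
    hits = []
    for name, regex in SIGNATURES.items():
        m = regex.search(line)
        if m:
            hits.append((name, m))
    return hits


def analyze(lines):
    """Scan log lines and return alerts as (signature, detail) pairs.

    Each matching line yields one alert; additionally the invalid-user
    attempts are counted per source address and a brute-force alert is
    raised for any source reaching BRUTE_FORCE_THRESHOLD."""
    alerts = []
    attempts_per_source = Counter()
    for line in lines:
        for name, m in match_signatures(line):
            alerts.append((name, line))
            if name == "ssh-invalid-user":
                attempts_per_source[m.group("src")] += 1
    for src, count in attempts_per_source.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("ssh-brute-force",
                           f"{count} invalid-user attempts from {src}"))
    return alerts


if __name__ == "__main__":
    for name, detail in analyze(SAMPLE_LOG):
        print(f"[{name}] {detail}")
```

The threshold rule is what turns three individually low-value signature hits into one actionable alert; a real deployment would also bound the counting to a time window so that a slow trickle of failures over days does not accumulate forever.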
When the GCU gathers evidence for later use in court, sources of evidence can be monitored to detect threatened incidents in a timely manner. GCU employees need to be aware of suspicious transactions related to any activity in a customer account. Securing intrusion detection system (IDS) components is important because IDS are often targeted by attackers who want to prevent the IDS from detecting attacks or want to gain access to sensitive information on the IDS, such as host configurations and known vulnerabilities. In monitoring and auditing, the types of activities recognized as suspicious will differ according to business needs. For example, a forensic accountant may look for specific patterns of financial data to trigger suspicion of fraud or theft. A suspicious event might be multiple emails on a sensitive subject from a person who is not involved in the subject. Recommend resources that can be used
Finally, gathering all this information would enable the network administrator to adjust the IDS to the attacks specific to the network.
Intrusion detection systems (IDS) take either a network-based or a host-based approach to recognizing and deflecting attacks. In either case, these products look for attack signatures (specific patterns) that generally indicate malicious or suspicious intent. When an IDS looks for these patterns in network traffic, it is network based (figure 1). When an IDS looks for attack signatures in log files, it is host based.
Monitor all network traffic and alert personnel to suspected compromises using network intrusion-detection systems, host-based intrusion detection systems, and intrusion-prevention systems.
With reports from the CIO that malicious activity is on the rise, analyzing the system is essential to guarantee that the data critical to the organization's success is secured. Since attacks must be executed on a system with vulnerabilities, I should analyze the system to address concerns such as backdoors, patches and updates, physical security of server rooms, appropriate controls on access to data, and so forth.
Firewalls prevent unauthorized users from accessing a private network when it is linked to the Internet. Intrusion detection systems monitor private networks for suspicious network traffic and attempts to access corporate systems. Passwords, tokens, smart cards, and biometric authentication are used to authenticate system users. Antivirus software checks computer systems for infections by viruses and worms and often eliminates the malicious software, while antispyware software combats intrusive and harmful spyware programs (Laudon and Laudon, 2009, p.260).
As CIO, the goal is to keep the network safe from rapidly evolving malicious intent, and this can be accomplished by an effective vulnerability assessment. The first thing on the agenda is to perform a risk assessment. Corporate assessments are risk-based and measurable, with the intent of isolating the corporate assets that generate the highest value to the corporation and present the highest potential threats and vulnerabilities related to those assets (Bayan, 2004). Further, risk assessments will help to isolate the areas where security investigation is needed and where it is likely to be loaded with consequences, as well as point out whether a business continuity or disaster recovery plan is required.
We also described various Vulnerability Assessment (VA) tools that allow customization of security policy, automated analysis of vulnerabilities, and creation of reports that effectively communicate security vulnerability discoveries and detailed corrective actions to all levels of an organization. Vulnerability Assessment tools identify known network, operating system, web application, and web server exploits/vulnerabilities with the use of automated scanning
The purpose of this report is to explain the process of conducting vulnerability assessments and modeling threats. Vulnerability assessments are conducted to keep organizations safe from device and network vulnerabilities. There is a process that should be followed in order to perform a proper vulnerability assessment; if it is followed properly, the organization will eliminate most if not all vulnerabilities from its network. Modeling threats is also an important step in creating a safe computing environment. It is a way for organizations to classify threats to their network, applications, and devices. Classifying the threats allows an organization to act accordingly when it comes to the threats present on its networks. All organizations should adopt some form of vulnerability assessment and threat modeling; this will help protect the organization's reputation as well as the data that resides on and travels through the network.
Two factors increase the stakes of the cyber struggle. Tactically and operationally, the increasing dependence of modern technologically advanced forces (especially U.S. forces) on networks and information systems creates new kinds of exploitable vulnerabilities. Second, as modern societies, including the militaries that mirror them, have continued to evolve, they have become ever more dependent on a series of interconnected, increasingly vulnerable “critical infrastructures” for their effective functioning. These infrastructures not only have significantly increased the day-to-day efficiency of almost every part of our
Intrusion Detection Systems – an IDS should be installed that has the capability to monitor the network and send alerts if odd or unusual behavior is observed.
Technology can also be used to be a security guard on the company’s network. “In every network today, we have the ability to capture detailed performance and event log data on just about every network device, system, or application that, in turn, provides us vital information about what is happening on our network” (Hale, n.d.). Intrusion Detection Systems (IDS) and Log Monitoring are used to identify potential unauthorized use of the network, systems or devices.
Security is one of the most difficult and complex issues in Information Technology (IT) today. Security failures cost organizations millions of dollars every year. Even if 99% of all attacks result from known vulnerabilities and misconfigurations, the answer is certainly not straightforward. With a multitude of network, operating system and application vulnerabilities, security specialists are becoming increasingly aware of the need to review and manage potential security threats on their networks and systems. This requires a more effective and insightful approach to sustaining the effort. Vulnerability Assessment (VA) is the process of identifying, quantifying, measuring and prioritizing the risks associated with network- and host-based systems in order to reduce the risk to those systems. Vulnerability Assessment (VA) tools permit customization of security policy, automated examination of vulnerabilities, and creation of reports that help to discover security vulnerabilities.
Navigating vulnerable unpatched client-side workstations through the Internet super highway can lead to computer security
IDS use different methods, since each kind of threat needs a specific detection method. IDS can identify threats but cannot deter them [4]. The National Institute of Standards and Technology (NIST) provides a guidance document on intrusion detection systems [5]. We can classify intrusion detection systems into three different categories