Because an IDS must deal with a wide range of potential attacks, its attack signatures must be kept current with the release levels provided by the vendor as new attacks are developed. Use of an IDS requires that a response capability be established and maintained so that qualified technicians can be notified and will be able to react quickly to detected attacks. Response levels must be based upon business rules specifically developed for this kind of exposure. An IDS must also be able to separate actual attacks from false or mistakenly identified attacks.
A newer technology in this genre is intrusion prevention, which takes a more active role in monitoring network traffic. This kind of sensor will actively prevent suspicious packets from continuing across the network. Global DataGuard (www.globaldataguard.com) is one company that specializes in IPS. According to Bage Anderson, Media Relations for Global DataGuard, "Detecting an intruder after he enters the house and reacting to an attack is what most (IDS) security companies do. Global DataGuard monitors the street outside of the house, looking for intruders who are casing the joint, identifying them and stopping the attack before it occurs."
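As an added illustration of the response capability described above (not code from the article or from any vendor named in it), the following Python triage routine applies assumed business rules to a batch of constructed IDS alerts: it suppresses a known benign source to avoid reacting to mistakenly identified attacks, and assigns each remaining alert a response level based on severity and asset criticality. The alert format, asset lists and rule thresholds are all assumptions for the example.

```python
import re

# Constructed sample alerts in a hypothetical "severity|signature|src|dst" format.
SAMPLE_ALERTS = [
    "high|SQL injection attempt|203.0.113.7|10.0.1.20",
    "high|SQL injection attempt|10.0.9.5|10.0.1.20",   # src is our own scanner
    "low|ICMP echo sweep|198.51.100.9|10.0.3.44",
    "medium|Brute-force login|203.0.113.7|10.0.1.21",
    "high|Port scan|192.0.2.33|10.0.5.5",
]

# Assumed business rules: assets whose compromise would halt the business ...
CRITICAL_ASSETS = {"10.0.1.20", "10.0.1.21"}
# ... and hosts known to generate benign "attacks" (an authorised vulnerability scanner).
KNOWN_BENIGN_SOURCES = {"10.0.9.5"}

ALERT_RE = re.compile(
    r"^(?P<sev>high|medium|low)\|(?P<sig>[^|]+)\|(?P<src>[^|]+)\|(?P<dst>[^|]+)$"
)


def parse_alert(line):
    """Parse one raw alert line into a dict; reject anything malformed."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    return m.groupdict()


def response_level(alert):
    """Map a parsed alert to a response level using the business rules above."""
    if alert["src"] in KNOWN_BENIGN_SOURCES:
        return "suppress"   # mistaken identification: authorised scanner traffic
    critical = alert["dst"] in CRITICAL_ASSETS
    if alert["sev"] == "high" and critical:
        return "page"       # notify the on-call technician immediately
    if alert["sev"] == "high" or (alert["sev"] == "medium" and critical):
        return "ticket"     # respond within the business day
    return "log"            # record only; review during routine audit


def triage(lines):
    """Group a batch of raw alert lines by response level."""
    grouped = {}
    for line in lines:
        alert = parse_alert(line)
        grouped.setdefault(response_level(alert), []).append(alert)
    return grouped


if __name__ == "__main__":
    for level, alerts in triage(SAMPLE_ALERTS).items():
        print(level, [a["sig"] for a in alerts])
```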
Penetration Testing - Proactively evaluates and tests your network defenses to ensure that they are current, well maintained, and support established network security policies. A variety of tools are available to simulate known exposures and detect whether your network components are vulnerable to them. An example of this kind of technology is StillSecure VAM(tm) (www.stillsecure.com). This product identifies, manages and repairs network security vulnerabilities.
Penetration testing also ensures that none of your critical network components are improperly configured. It makes sure all default accounts and passwords have been eliminated or renamed. The most common cause of network penetration is improper or faulty configuration of these devices. Penetration testing must be conducted regularly and carefully.
Anti-Virus Program - Keeps you safe from viruses and malicious code. These programs require frequent and timely updates to their signature files. You should use an industry-standard and well accepted set of software tools. Your network group should also regularly review CERT alerts, homeland security alerts and vendor alerts to stay current and keep your levels of protection as proactive as possible.
If appropriate, behavior-based controls can be used, and e-mail filtering should be enabled.
Auditability - Allows you to track key records and actions on your information systems. You want to have a principle in place to ensure individual accountability for user actions on your systems. You must be able to demonstrate that all configurations, settings, access controls and rules have been properly requested and authorized by appropriate levels of management. Access must be permitted by the owner of the information or their delegate. You must also be capable of automatically dispatching or alerting key staff for items of a critical nature detected by the audit trail or monitoring systems.
Network security risks can significantly impact your operation. If you are thinking this is a lot of technical stuff, you are correct. In fact, there are more challenges and risks than can be effectively covered in an article of this length. The above set includes many of the basics and is used to illustrate the nature of the risks associated with today's networks. It requires a dedicated and qualified group of information security professionals to provide you with proper assurances that the network will indeed be ready, willing, and able to meet your needs. Get to know these folks as they become key players in the success of your program.
Eduard Telders has been security manager for PEMCO Financial Services for 16 years. His responsibilities include physical security, information security, corporate contingency planning and safety programs. Mr. Telders has been providing security management in the banking, insurance and financial industries since 1981.