Intrusion Detection Systems (IDS)

 

Recent cyber-attacks have turned the World Wide Web into a virtual war zone. Cyber-criminals are constantly looking for a way into home, office, government, and even military networks to steal or destroy personal and private information, and once that information is compromised there is little limit to what can be done with it. This is why it is so important not only to have an intrusion detection system (IDS), but to make sure it is turned on, properly configured, monitored, and kept up to date. An IDS is security software (or an appliance) that monitors for unusual or suspicious activity and alerts the administrator when it detects something out of the norm (Software Testing Help, 2022). Note that an IDS is a detective control, not a preventive one: by itself it does not block traffic or protect data in transit. Blocking is the job of a firewall or an intrusion prevention system (IPS), and confidentiality in transit is the job of encryption; what the IDS adds is the visibility needed to notice when those controls have been bypassed.

There are two main types of intrusion detection: network-based and host-based (Software Testing Help, 2022). A network intrusion detection system (NIDS) watches traffic passing through the network, inbound and outbound, typically from a tap or mirror (SPAN) port at a chokepoint, so it sees every device behind that point without software on any of them. A host intrusion detection system (HIDS) runs on the host itself. Its classic function is file-integrity monitoring: it takes an electronic "picture" of the system's file set (a set of cryptographic hashes) and compares it against the previous picture, notifying the administrator of any file that was added, removed, or changed; modern HIDS agents also watch logs, processes, and user activity on the host. Additionally, there are two main detection methods, and most products use both: signature-based intrusion detection (SBIDS) and anomaly-based intrusion detection (ABIDS) (Software Testing Help, 2022). SBIDS, also referred to as knowledge-based detection, inspects the packets or events it sees and compares them to a database of known malicious patterns (Gross, 2020); it is precise for known threats but blind to anything not yet in the database. ABIDS, also known as behavior-based detection, compares observed activity to a learned baseline of normal behavior and alerts the administrator on significant deviations; it can catch novel attacks, but the baseline must be tuned or it produces many false positives.
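The HIDS "picture" comparison described above, as an added example that is not part of the original post or of any particular IDS product: it hashes every regular file under a root, keeps the result as a baseline, and diffs a later snapshot against it. The directory tree, the file contents and the simulated tampering are all constructed inline in a temporary directory so the script runs offline.

```python
"""Host-based file-integrity check: hash a file tree, keep the result as a
baseline, and diff a later snapshot against it.  Added illustration, not the
code of any named IDS product; the sample tree is constructed in a temp dir."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Return {relative path: SHA-256 hex digest} for every regular file under root.
    Symlinks are skipped so a link pointing outside the tree cannot make the
    snapshot read (and later "verify") files the tree does not own."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[str(path.relative_to(root))] = digest
    return result


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots: files added, removed, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake /etc, then tamper with it the way
    an intruder might (weaken sshd, plant a cron job, delete a file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "motd").write_text("Authorized use only.\n")
        baseline = snapshot(root)  # in practice: store off-host or signed

        # Simulated intrusion: one modified, one added, one removed file.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        (root / "motd").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A production HIDS keeps the baseline where the monitored host cannot rewrite it (an attacker with root would otherwise simply re-baseline after tampering), records ownership, permissions and inode metadata as well as content, and excludes paths that change legitimately such as logs and caches, or those become the first source of false positives.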

It is best practice to employ both NIDS and HIDS in any business or organization, because neither is fool-proof on its own and attackers keep getting better at evading whichever control stands in their way. A NIDS sees attacks in transit but is blind to encrypted payloads (unless traffic is decrypted for it) and to anything that happens only on a host; a HIDS sees what happens on the host but nothing about traffic that never reaches it. NIDS sensors should be placed where they see all relevant traffic, configured, kept up to date, and monitored, with alerts acted on promptly. HIDS agents should likewise be deployed to all hosts, configured, kept up to date, and monitored in the same way. Intruders attack both the network path and the connected systems, so covering both layers gives a more complete and better-rounded defense.

Lastly, these systems should not be configured to alert on everything they come across, as that results in many false positives; they should be tuned so that alerts correspond to real threats and each one is worth an analyst's time. I have seen environments that had big, expensive IDSs deployed but misconfigured to the point where they sent out so many alerts (false positives) that the administrators started ignoring the alerts and missed actual intrusions. The administrator also needs to actively update the IDS. Updates contain signatures for newly discovered threats, and an IDS without them will miss attacks that are already well known to everyone else. I have also seen systems that were compromised by a newly discovered cyber threat because their definitions were out of date. Cyber security is a continual, full-time job; the hackers don't take a day off, and neither can we.
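The signature-based and anomaly-based methods distinguished earlier, together with the tuning point made in this paragraph, as one added Python example that is not from the original post or from any IDS product. The log lines, the two signatures and the learned baseline are constructed for the example; a signature detector is run over the lines beside a rate-based anomaly detector, and the anomaly threshold is varied to show where the false positives come from.

```python
"""Signature-based vs anomaly-based detection over constructed web-server log
lines, and the effect of the anomaly threshold on false positives.  Added
illustration; log lines, signatures and the baseline are made up for it."""
import re
import statistics
from collections import Counter

# Constructed access-log lines, format "<client-ip> <method> <path> <status>".
LOG_LINES = (
    [
        "10.0.0.5 GET /index.html 200",
        "10.0.0.5 GET /about 200",
        "10.0.0.7 GET /index.html 200",
        "10.0.0.7 GET /login 200",
        "10.0.0.7 POST /login 302",
        # Known attack pattern, but only two requests: invisible to a rate baseline.
        "10.0.0.9 GET /download?file=../../etc/passwd 200",
        "10.0.0.9 GET /index.html 200",
    ]
    # Unknown scanner: 40 probes, none of which matches a known signature.
    + [f"10.0.0.42 GET /page{i} 404" for i in range(40)]
    # Busy but legitimate client fetching an image gallery.
    + [f"10.0.0.8 GET /img/{i}.png 200" for i in range(12)]
)

# SBIDS knowledge base: known-bad patterns (a real ruleset has thousands).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}

# ABIDS baseline: requests per client learned in an earlier, clean window (constructed).
BASELINE = {"10.0.0.5": 2, "10.0.0.7": 3, "10.0.0.8": 10,
            "10.0.0.9": 2, "10.0.0.11": 4, "10.0.0.12": 3}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse(line):
    """Split one log line into fields; return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def signature_alerts(lines):
    """SBIDS: flag every request whose path matches a known-bad pattern."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name))
    return alerts


def anomaly_alerts(lines, baseline, k):
    """ABIDS: flag clients whose request count exceeds mean + k * stdev of the
    baseline.  k is the tuning knob: lower catches more, at the cost of false positives."""
    counts = list(baseline.values())
    threshold = statistics.mean(counts) + k * statistics.pstdev(counts)
    seen = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
    return sorted(ip for ip, n in seen.items() if n > threshold)


if __name__ == "__main__":
    print("signature:", signature_alerts(LOG_LINES))               # traversal only
    print("anomaly k=1:", anomaly_alerts(LOG_LINES, BASELINE, k=1))  # scanner + a false positive
    print("anomaly k=3:", anomaly_alerts(LOG_LINES, BASELINE, k=3))  # scanner only
```

The two methods are complementary: the traversal attempt is invisible to the rate baseline because the attacker sent only two requests, and the scanner is invisible to the signatures because none of its probes contains a known pattern. The threshold shows the tuning trade-off from the paragraph: at k=1 the legitimate gallery client is flagged alongside the scanner, at k=3 only the scanner is. The right k depends on what normal traffic actually looks like in the environment, and a baseline learned while an attacker was already active will treat the attack as normal.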

References

Gross, G. (2020, February 3). Intrusion Detection Techniques, Methods & Best Practices. AT&T Cybersecurity. Retrieved January 25, 2022, from https://cybersecurity.att.com/blogs/security-essentials/intrusion-detection-techniques-methods-best-practices

Top 10 best intrusion detection systems (IDS) [2022 rankings]. Software Testing Help. (2022, January 5). Retrieved January 25, 2022, from https://www.softwaretestinghelp.com/intrusion-detection-systems/
