Intrusion and Incident Detection Basics

CIS 3351 Intrusion and Detection Basics 9/9/2011

Slide 1: Intrusion and Incident Detection Basics
Wm. Arthur Conklin, PhD
Assistant Professor
Department of Information & Logistics Technology
College of Technology

Slide 2: Agenda
o Detection of Incidents
o Basic IDS Theory
o Types of IDSes

2007 Wm. Arthur Conklin, PhD
Slide 3: Definitions
o Incident
  » An event of interest in an information system.
o Interest
  » Something that is suspect or outside expected bounds.
o Not all incidents are "hacks"
  » An incident is a suspect event only.
o Attribution / Determination
  » The determination that activity was unauthorized, and the attribution of that activity, occur as part of the incident response process.
o It all begins with the report of an incident.

Slide 4: Time-based security
o The amount of time that a secure solution is actually secure is related to several functions.
o Protection Time > Detection Time + Reaction Time
  » This is Schwartau's time-based security relation: the protection only has to hold longer than it takes to detect the attack and react to it. If detection plus reaction takes longer than the protection lasts, the attacker is through before anyone responds.
o A lock doesn't have to last forever, just long enough to let the police answer the alarm.
Slide 5: Detection of Incidents
o Sources
  » IDS
  » Firewall logs
  » End users
  » Help desk
  » System administrators
  » Security
  » Human Resources

Slide 6: Indications
o IDS detection of a remote attack
o Numerous failed logons
o Logins into dormant or default accounts
o Activity during non-working hours
o New accounts not created by sysadmins
o Unfamiliar files or executable programs
o Unexplained escalation of privileges
o Altered web pages
o Gaps in log files or erasure of log files
o Slower system performance
o System crash
o Receipt of extortion email
o Notification by upstream/downstream sites
o Pornography / music files / movies
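Several of the indications on slide 6 can be pulled straight out of authentication and account-management logs. The following Python script is an added example, not part of the slides or the instructor's material: it scans sshd/useradd-style syslog lines for four of the listed indicators (numerous failed logons, logins into dormant or default accounts, activity outside working hours, and new accounts that did not come through the sysadmin provisioning process). The log lines, the threshold of five failures, the working-hours window, the list of dormant/default account names and the list of approved new accounts are all constructed assumptions standing in for site policy.

```python
"""Flag incident indicators from slide 6 in sshd/useradd-style syslog lines.

Added example; the sample log, thresholds and account lists below are
constructed assumptions, not data or policy from the slides.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed site policy (hypothetical values).
FAILED_LOGON_THRESHOLD = 5                  # failures from one source IP
DORMANT_OR_DEFAULT = {"guest", "admin", "test", "oracle"}
WORK_HOURS = range(7, 19)                   # 07:00-18:59 counts as working hours
APPROVED_NEW_ACCOUNTS = {"jsmith"}          # accounts provisioned by the sysadmins

# Syslog prefix: "Mon dd HH:MM:SS host proc[pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\w+)\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

# Constructed sample log: a password-guessing burst, a login to the
# default "guest" account at 02:15, a normal daytime login, an approved
# new account and an unapproved one created at night.
SAMPLE_LOG = """\
Sep  9 02:14:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sep  9 02:14:03 host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Sep  9 02:14:05 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Sep  9 02:14:07 host1 sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Sep  9 02:14:09 host1 sshd[1205]: Failed password for guest from 203.0.113.5 port 51238 ssh2
Sep  9 02:15:00 host1 sshd[1210]: Accepted password for guest from 203.0.113.5 port 51240 ssh2
Sep  9 09:30:12 host1 sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
Sep  9 09:31:00 host1 useradd[1310]: new user: name=jsmith, UID=1005, GID=1005, home=/home/jsmith, shell=/bin/bash
Sep  9 02:20:00 host1 useradd[1211]: new user: name=svc_backup, UID=1006, GID=1006, home=/home/svc_backup, shell=/bin/bash
"""


def parse_line(line, year=2011):
    """Split one syslog line into timestamp, host, process and message.

    Syslog timestamps carry no year, so the caller supplies one.
    Returns None for lines that do not match the expected prefix.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def find_indicators(lines):
    """Return (indicator, detail) pairs for the indications found in lines."""
    failed_by_ip = Counter()
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        msg = ev["msg"]
        if m := FAILED_RE.search(msg):
            failed_by_ip[m["ip"]] += 1          # counted, reported after the pass
        elif m := ACCEPTED_RE.search(msg):
            user, ip = m["user"], m["ip"]
            if user in DORMANT_OR_DEFAULT:
                findings.append(("dormant_or_default_account", f"{user} from {ip}"))
            if ev["ts"].hour not in WORK_HOURS:
                findings.append(("off_hours_activity", f"{user} at {ev['ts']:%H:%M} from {ip}"))
        elif m := NEWUSER_RE.search(msg):
            if m["user"] not in APPROVED_NEW_ACCOUNTS:
                findings.append(("unapproved_new_account", m["user"]))
    for ip, n in failed_by_ip.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("numerous_failed_logons", f"{n} failures from {ip}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"{kind:28s} {detail}")
```

Each finding is only an indication in the sense of slide 3: the guest login at 02:15 is a suspect event that justifies starting the incident process, and whether it was actually unauthorized is decided during response, not by the script. Real deployments would replace the inline lists with the site's account inventory and change records and would count failures within a sliding time window rather than over the whole file.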
Slide 7: Detection of Incident Process
(Flow diagram) Inputs: System Admin, IDS Logs, Suspicious user, Firewall Logs, etc. -> Detection -> Activate CIRT -> Begin IR Checklist

Slide 8: Are Firewalls Enough?
o You have the world's best firewall, your Windows computers update their antivirus software regularly, and your Information Security staffers enforce your policies with an iron fist. Does this mean you're safe?
This note was uploaded on 10/21/2011 for the course CIS 3351 taught by Professor Conklin during the Spring '11 term at University of Houston.
