P. 166

Logical Security: The Network Layer

The primary function of an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) is to monitor network activity for malicious activity, log it, and attempt to block or stop it. Important concepts include:
•  Event logs are usually transferred to a SIEM for evaluation.
•  IDS/IPS may be forward-facing, toward the Internet, to keep malicious activity from infiltrating the network, or backward-facing, detecting malicious network activity originating internally from authorized network users. Prevention normally works by dropping the malicious communication upon detection or by completely blocking the traffic.
•  Detection is based on pre-defined and customized policies. The vendor provides periodic updates, and the organization should ensure all customized policies are fine-tuned and periodically evaluated.
•  Systems can be passive, active, or both. A passive system detects and alerts only (a straight IDS). A reactive system is geared toward the prevention mechanism (IPS).
•  IDS/IPS differs from a firewall, which looks outward for intrusions; firewalls usually do not signal an attack occurring internally.
•  IDS/IPS may run on a server with its own OS or may share a server with other network appliances.
•  A limitation is that encrypted communications cannot be evaluated.

Security Risks

Security risks include:
•  Unusual network traffic ("noise") that limits detection effectiveness.
•  Noise caused by unusual communication originating from corrupt Domain Name System (DNS) data or software bugs.
•  Numerous false positives.
•  Policies that are not fine-tuned, causing detection of events that are not an issue.
•  Sporadic updates.
•  Vendor-supplied updates that focus on specific versions of malware; if updates are not applied, new malware variants may not be detected.
•  Unauthorized access to the network appliance.
•  Vendor-supplied default account passwords that have not been changed.
•  Network appliance hacking.
•  An operating system that is not security hardened, increasing the risk of a potential intrusion.

Controls

Controls include:
•  Logged events are monitored, with timely follow-up.
•  Vendor-supplied updates are applied in a timely manner.
•  Customized policies are fine-tuned to limit false positives. All changes and updates comply with the organization's change management policy.
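The concepts above (policy-based detection, passive alerting versus reactive dropping, the encrypted-traffic blind spot, and the false-positive risk that fine-tuning addresses) can be made concrete with a small simulation. The following is an added example, not part of the course material and not any vendor's product: a toy signature-based IDS/IPS run over five constructed connection records. The record fields, the `malicious` ground-truth flag, and the two policy patterns are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed connection records standing in for what a network sensor sees.
# The "malicious" flag is the analyst's ground truth, used here only to count
# false positives; a real sensor never has it.
@dataclass(frozen=True)
class Record:
    src: str
    dst: str
    dport: int
    encrypted: bool      # TLS session: payload is opaque to the sensor
    payload: str         # cleartext application data ("" when encrypted)
    malicious: bool

@dataclass(frozen=True)
class Policy:
    name: str
    pattern: str                       # regex applied to cleartext payload
    ports: Optional[frozenset] = None  # None = any destination port

RECORDS = [
    # External host probing the login form (forward-facing case)
    Record("203.0.113.7", "10.0.0.5", 80, False,
           "GET /login?user=admin' OR 1=1-- HTTP/1.1", True),
    # Internal user searching a catalogue; benign, but contains "select"
    Record("10.0.0.21", "10.0.0.5", 80, False,
           "GET /search?q=select+a+product HTTP/1.1", False),
    # Internal mail containing "select" and "union" as ordinary words
    Record("10.0.0.21", "10.0.0.5", 25, False,
           "Subject: please select the union representative", False),
    # TLS session from outside: the sensor cannot inspect the payload
    Record("203.0.113.9", "10.0.0.5", 443, True, "", True),
    # Authorized internal host misusing its access (backward-facing case)
    Record("10.0.0.33", "10.0.0.5", 80, False,
           "GET /admin?id=1 UNION SELECT password FROM users HTTP/1.1", True),
]

# An untuned, overly broad policy and a fine-tuned customized one (assumed).
BROAD = Policy("sqli-broad", r"select|union|' or ")
TUNED = Policy("sqli-tuned", r"union\s+select|'\s*or\s+1=1",
               frozenset({80, 8080}))

def run_policy(policy, records, mode="passive"):
    """Evaluate one policy over the records.

    mode="passive"  -> detect and alert only (IDS behaviour)
    mode="reactive" -> detect and drop the connection (IPS behaviour)
    'unevaluated' counts encrypted sessions passed through uninspected,
    which is the limitation the course text calls out.
    """
    action = "alert" if mode == "passive" else "drop"
    rx = re.compile(policy.pattern, re.IGNORECASE)
    events, false_positives, unevaluated = [], 0, 0
    for r in records:
        if r.encrypted:
            unevaluated += 1          # opaque payload: nothing to match
            continue
        if policy.ports is not None and r.dport not in policy.ports:
            continue                  # policy scoped to specific services
        if rx.search(r.payload):
            events.append({"policy": policy.name, "src": r.src,
                           "dst": r.dst, "dport": r.dport, "action": action})
            if not r.malicious:
                false_positives += 1
    return {"events": events, "false_positives": false_positives,
            "unevaluated": unevaluated, "mode": mode}

def compare_tuning(records=RECORDS):
    """Return (events, false positives) for the broad and the tuned policy."""
    broad = run_policy(BROAD, records)
    tuned = run_policy(TUNED, records)
    return {"broad": (len(broad["events"]), broad["false_positives"]),
            "tuned": (len(tuned["events"]), tuned["false_positives"])}

if __name__ == "__main__":
    print(compare_tuning())
    for e in run_policy(TUNED, RECORDS, mode="reactive")["events"]:
        print(e)
```

Running it shows the broad policy raising four events, two of them on harmless internal traffic, while the tuned policy (narrower pattern, scoped to the web ports) raises only the two genuine ones, one from the Internet and one from an authorized internal host. In both cases the TLS session is counted as unevaluated rather than cleared, which is the honest way for a sensor to report traffic it could not inspect. Switching `mode` to `"reactive"` changes the recorded action from `alert` to `drop` without altering what is detected, which mirrors the IDS/IPS distinction in the text.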



            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.