Digital forensic skills and electronic discovery provide proficiency for dealing with computer-related crimes. According to the Department of Homeland Security, such skills require corporate security personnel and law enforcement agents to understand how to legally obtain electronic evidence stored in computers. Essential evidence in criminal and civil cases can be retrieved from electronic records such as computer network logs, e-mails, word processing files, and even picture files. Most importantly, forensic skills provide the users and owners of a system with the ability to detect intrusion into their systems. Intrusion detection is an increasingly important segment of the security technology market, especially in addressing the complex and diverse threats to network security. Although any system has limits to its capabilities, intrusion detection techniques shield user networks from many threats and risks. (Beasley, 2008).
This paper will discuss reasonable expectations of Intrusion Detection Systems (IDSs) together with the use of digital forensic skills. Its aim is to enlighten potential users on the increasing importance of intrusion detection in companies through a threshold assessment of a security attack incident.
Systems and networks are subject to electronic attacks. The increasingly frequent attacks on Internet- and intranet-visible systems require vulnerability assessment tools that check systems and networks for problems and configuration errors that represent security vulnerabilities. Intrusion detection systems collect information from a variety of vantage points within systems and networks and analyze this information for symptoms of security breaches. In line with PacketDefence on network defense, these tools allow organizations to protect themselves from losses associated with network security problems.
Network security is the ability of a system to safeguard owners’ and users’ information by assuring confidentiality, control, integrity, authenticity, availability, and utility. The functions of intrusion detection systems entail, first, monitoring, analyzing, and auditing user and system activities, configurations and vulnerabilities; second, assessing the integrity of critical system and data files; third, recognizing and statistically analyzing abnormal activity patterns or system operations that may reflect known attacks; and last, audit trail management of the system with recognition of user activities that reflect policy violations. (Beasley, 2008)
Realistic benefits include the ability to tell what is really happening to the system and to trace user activity from the point of entry to the point of exit or impact, thereby analyzing for symptoms of security problems and reporting on alterations to data files. The goals of security counter-measures are to detect problems, to delay damage and to mitigate the effects of error and attack; vulnerability assessment and intrusion detection are therefore necessary parts of the security infrastructure but are not, by themselves, a complete security infrastructure. (Beasley, 2008)
Analysis of the firewall
With a system located behind a firewall that prevents access from the Internet, the intrusion most likely originates within the intranet. As Northrup notes on firewalls, not all threats originate outside the firewall; research indicates that the vast majority of losses due to security incidents is traced to insiders. Moreover, the firewall only sees traffic at the boundary between the internal network and the Internet. If the traffic reflecting a security breach never flows past the firewall, the firewall cannot see the problem.
Secondly, firewalls only act as a barrier between corporate (internal) networks and the outside world (the Internet), and filter incoming traffic according to a security policy. This is a valuable function and would be sufficient if all access to the Internet occurred through the firewall, but it does not. Users, for a variety of reasons ranging from naivety or malice to impatience, sometimes set up unauthorized modem connections between their systems on the internal network and outside Internet access providers or other avenues to the Internet. The firewall cannot mitigate the risk associated with connections it never sees.
Thirdly, firewalls themselves are subject to attack, for example through tunneling: the practice of encapsulating a message that would be blocked by the firewall filters inside a second message carried over a protocol the firewall permits, thereby bypassing its protection. As Northrup puts it, “No firewall whether a small, free host-based firewall or a multiple-thousand-dollar enterprise firewall array will make your computers impervious to attacks.”
Like firewalls, identification and authentication products, access control products, virtual private networks, encryption products, and virus scanners all perform functions essential to system security, but they are also prime targets of attack by adversaries; furthermore, the failure of any of these components of the security infrastructure jeopardizes the security of the systems they protect. (Sliwa, 2008).
The only way to deal with the issue at hand is to use vulnerability assessment products combined with a network management product to help uncover information about user rights, permissions, account access, account restrictions, and user passwords. They accomplish this goal by collecting information from a variety of system and network sources, analyzing it for symptoms of security problems and, in some cases, allowing the user to specify real-time responses to violations. (Beasley, 2008).
Passive and active, host- and network-based mechanisms should be used to inspect configuration files, re-enact common intrusion scripts, and record the responses to those scripts, producing a snapshot of security at a point in time. They can determine that an attack is possible, and sometimes determine that an attack has occurred. Operating system audit trails and other system logs are a treasure trove of information about what is going on inside a system. The information is often incomprehensible, even to users, expert system administrators and security officers. Intrusion detection systems allow administrators and managers to tune, organize, and comprehend what these information sources tell them, often revealing problems before loss occurs. (DHS, 2008).
Monitoring the event logs generated by a system, its decrypting routers, its key management servers and the files critical to other security mechanisms provides an additional layer of protection to a secured system. The strategy of an attacker will often include attacking or otherwise nullifying the security devices protecting the intended target. In line with Northrup, expert attackers can often penetrate firewalls; therefore, the ability to correlate activity corresponding to a particular user is critical to improving security.
A good security system recognizes and reports alterations of critical information files made to mask illegal activity, damage reputations, or commit fraud, for example the standard attack technique of placing Trojan horses in critical system files. This can be done using file integrity assessment tools that use strong cryptographic checksums to render these files tamper-evident and, in the case of a problem, quickly ascertain the extent of the damage. They automatically recognize when a system appears to be subject to a particular attack and quickly determine which attacks should be of concern to that system by automatically recording the results of attack attempts. According to PacketDefence, these products also provide a valuable sanity check for those installing and setting up new security infrastructures. It is far better for a system manager to determine immediately that his firewall is incorrectly configured than to discover this after an attacker has successfully penetrated it. (Northrup, 2008).
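As an added illustration, not code from this paper or from any of the cited vendors, the following Python script shows the core of a file integrity assessment tool of the kind described above: it records a SHA-256 digest of every file under a directory, seals that baseline with an HMAC so the baseline itself is tamper-evident, and later reports which files were modified, added or removed. The directory tree, file contents and the key are all constructed for the demonstration; a real deployment would keep the baseline and key off the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 64 * 1024


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_snapshot(root):
    """Map every file under root (relative path) to its digest."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = hash_file(full)
    return snap


def seal(snapshot, key):
    """Keyed MAC over the canonical baseline: a baseline edited without the key fails verification."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def is_sealed(snapshot, key, tag):
    return hmac.compare_digest(seal(snapshot, key), tag)


def compare(baseline, current):
    """Report the three kinds of change an integrity checker cares about."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo(key=b"assumed-key-kept-off-host"):
    """Constructed scenario: baseline a small tree, seal it, then alter the tree."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"original login program\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "lib/libc.so", b"library contents\n")
        baseline = build_snapshot(root)
        tag = seal(baseline, key)

        _write(root, "bin/login", b"original login program\n\x00extra")  # system file replaced
        _write(root, "bin/newtool", b"unexpected new file\n")             # file that was not there before
        os.remove(os.path.join(root, "etc/hosts"))                         # file that vanished

        report = compare(baseline, build_snapshot(root))
        report["baseline_intact"] = is_sealed(baseline, key, tag)
        # If the stored baseline were edited to match the replaced file, the seal exposes it.
        baseline["bin/login"] = build_snapshot(root)["bin/login"]
        report["baseline_after_edit_intact"] = is_sealed(baseline, key, tag)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report listing bin/login as modified, bin/newtool as added and etc/hosts as removed, with the sealed baseline verifying before the edit and failing after it. The seal is the point the paper makes about tamper-evidence: a plain list of checksums is only as trustworthy as the host it sits on.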
Identifying the intruder
An extensive attack signature database, against which information from a system is matched, is essential. However, no intrusion detection system is capable of identifying the person at the other end of the connection without human intervention unless personal information is available, which is a rare situation. The detection system ought to identify the IP address of the system that served as the attacker’s point of entry plus the time of the attack; the rest is up to a human incident handler. (DHS, 2008).
Cached system data provides information about alterations to the database, and assessment of this data reveals the reason for the intrusion.
Detection expert systems increase in value when they are allowed to function as both hacker/burglar alarms and policy-compliance engines. These functions can not only spot the amateur hacker executing the “teardrop” attack against a file server, but also spot the programmer accessing the payroll system after hours. However, this policy compliance checking can exist only if there is a security policy to serve as a template for constructing detection signatures.
Signatures are patterns corresponding to known attacks or misuses of systems. They may be simple or complex, and may concern either a process or an outcome. Patterns of system settings and user activities are matched against a database of known attacks. Most commercial intrusion detection products perform signature analysis against a vendor-supplied database of known attacks.
Good detection systems monitor a variety of information sources in networked systems and analyze the information in various ways, mostly by comparing it to large databases of attack signatures, each reflecting an attempt to bypass or nullify security protections. They also perform statistical analysis on the information, looking for patterns of abnormal activity such as accesses that occur at strange times, or an unusual number of failed logins. They are able to capture the intruder with ease without affecting the whole networked system at large.
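The three kinds of analysis described in the last few paragraphs (signature matching, statistical detection of abnormal activity such as bursts of failed logins, and policy-compliance checking such as after-hours payroll access) can be shown together in one small detector. The Python below is an added example, not code from this paper or from any IDS product it cites. The event log format, the IP addresses, the signature list and the business-hours policy are all constructed for the demonstration; the teardrop signature is expressed as an "overlapping fragments" event that a sensor is assumed to emit, since the script does not parse packets. The output is what the paper says an IDS should hand to the human handler: the source IP and the time of the first alert for each address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log: "<ISO time> <source> <ip> <event> <detail>".
SAMPLE_LOG = """\
2008-07-24T02:13:05 auth 10.0.0.77 LOGIN_FAILED alice
2008-07-24T02:13:07 auth 10.0.0.77 LOGIN_FAILED alice
2008-07-24T02:13:09 auth 10.0.0.77 LOGIN_FAILED root
2008-07-24T02:13:12 auth 10.0.0.77 LOGIN_FAILED root
2008-07-24T02:13:15 auth 10.0.0.77 LOGIN_FAILED root
2008-07-24T02:13:40 auth 10.0.0.77 LOGIN_OK root
2008-07-24T02:15:02 net 10.0.0.77 FRAG_OVERLAP dst=10.0.0.3
2008-07-24T09:00:12 auth 10.0.0.5 LOGIN_OK bob
2008-07-24T09:05:30 auth 10.0.0.5 LOGIN_FAILED bob
2008-07-24T14:20:00 app 10.0.0.9 ACCESS payroll carol
2008-07-24T23:41:00 app 10.0.0.9 ACCESS payroll carol
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+) (\S+) ?(.*)$")

# Assumed signature database: (name, source, event regex, detail regex).
SIGNATURES = [
    ("teardrop-style overlapping IP fragments", "net", r"^FRAG_OVERLAP$", r".*"),
    ("interactive root login over the network", "auth", r"^LOGIN_OK$", r"^root$"),
]
BUSINESS_HOURS = (8, 18)  # assumed policy: payroll access allowed 08:00-17:59 only


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, ip, event, detail = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "source": source,
                       "ip": ip, "event": event, "detail": detail})
    return events


def match_signatures(events):
    """Signature analysis: each event is compared against every known pattern."""
    alerts = []
    for ev in events:
        for name, source, ev_re, det_re in SIGNATURES:
            if ev["source"] == source and re.match(ev_re, ev["event"]) and re.match(det_re, ev["detail"]):
                alerts.append({"time": ev["time"], "ip": ev["ip"], "kind": "signature", "reason": name})
    return alerts


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Statistical analysis: at least `threshold` failures from one IP inside a sliding window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGIN_FAILED":
            by_ip[ev["ip"]].append(ev["time"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"time": times[end], "ip": ip, "kind": "anomaly",
                               "reason": f"{end - start + 1} failed logins within {window}"})
                break  # one alert per source address is enough for the handler
    return alerts


def policy_violations(events):
    """Policy compliance: sensitive payroll access outside business hours."""
    alerts = []
    for ev in events:
        if ev["event"] == "ACCESS" and ev["detail"].startswith("payroll"):
            if not (BUSINESS_HOURS[0] <= ev["time"].hour < BUSINESS_HOURS[1]):
                alerts.append({"time": ev["time"], "ip": ev["ip"], "kind": "policy",
                               "reason": "payroll accessed outside business hours"})
    return alerts


def analyze(text):
    events = parse_log(text)
    alerts = match_signatures(events) + failed_login_bursts(events) + policy_violations(events)
    alerts.sort(key=lambda a: a["time"])
    return alerts


def point_of_entry(alerts):
    """Per source IP, the earliest alert time: the hand-off to the human incident handler."""
    first = {}
    for a in alerts:
        if a["ip"] not in first or a["time"] < first[a["ip"]]:
            first[a["ip"]] = a["time"]
    return first


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["time"].isoformat(), a["ip"], a["kind"], a["reason"])
    print(point_of_entry(analyze(SAMPLE_LOG)))
```

On the constructed log this produces four alerts: the burst of failed logins from 10.0.0.77 at 02:13:15, the subsequent root login and the overlapping-fragment event from the same address, and the 23:41 payroll access from 10.0.0.9. The policy check exists only because a business-hours policy was written down first, which is exactly the dependency the paper notes between policy and signatures.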
Beasley, K. (2008). Configurations to Improve Security. Tripwire Inc., Portland. Retrieved July 24, 2008, from http://www.tripwire.com/press/press_release/pr.cfm?prid=371
Northrup, T. (2008). Firewalls. Microsoft Corporation. Retrieved July 25, 2008, from http://technet.microsoft.com/en-us/library/cc700820(TechNet.10).aspx
PacketDefence. (2003). Network Defense. Retrieved July 24, 2008, from
Sliwa, C. (2008, May 7). Audit and Improve Virtual Server Security. CIO. Retrieved July 25, 2008, from http://www.cio.com/article/print/351013
US Department of Homeland Security (DHS). (2008, May 1). Web Time and Attendance System. Retrieved July 24, 2008, from http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_webta.pdf