Should Companies Use Ids to Secure Their Networks?

Organisations are more concerned about computer security, as most information now is stored in databases, and most systems are connected to the Internet. Use of Intrusion Detection Systems (IDS) is one of the factors companies should consider when planning their information security policy. IDS is important to protect sensitive information, to meet laws and regulations and to prevent economic loss, although in some cases IDS implementation is no economically viable. To be able to determine if an implementation of an IDS is necessary some factors must be taken into consideration, such as advantages and disadvantages, economy, laws and regulations.

The basics of Intrusion Detection (IDS) and Intrusion Prevention (IPS) systems are essential to determine. A definition of an IDS is “the tools, methods, and resources to help identify, assess and report unauthorized or unapproved network activity” (Endorf, Schultz and Mellander, 2004, p. 4). There are three types of IDS, each of which functions differently, namely host-based IDS (HIDS), network-based IDS (NIDS) and hybrids. HIDS is software that scans all resources on a host for activity, and then compares against known threats. NIDS analyzes network packets on a network segment and either compare against known threats or analyze for patterns of malicious behaviour. A hybrid IDS combines these two methods (Endorf, Schultz and Mellander, 2004, p. 7). Two different analysis methods are used; rule-based detection analyses based on signatures, like virus scanning, and profile-based detection looks for abnormal data patterns (Endorf, Schultz and Mellander, 2004, pp. 16-17). Larger companies with sensitive information to protect should use hybrids to protect the network and those servers containing sensitive information. Ortega (2006, p. 6) states that signature-based solutions will not work for defending sensitive information, because hackers knows how to conduct new types of attacks.

Furthermore, according to Grimes (2004, p. 301) there are two generations of IDS. First-generation is based on accurate detection to give early warnings to security managers. Second-generation IDS uses more features to improve the accuracy and decrease the cost, and also implement some prevention mechanisms. Second generation gives the most protection, but for small organisations first generation will be sufficient and easier to implement and maintain.

Another consideration is a good management system. Grimes (2004, p. 317) says that instead of many management systems it is better to implement one system that can manage all security products in an effective way. Systems combining IDS and firewall technology should also be considered, especially for smaller organisations that have to save costs and manpower (Grimes. 2004, p. 322). Moreover, types of attacks, such as attacks against network protocols or applications, denial of service, buffer overflows, malcrafted requests, file corruption, malformed network packets, or unauthorized program execution all can give unauthorized users access to confidential data and slow down or halt applications or network traffic (Grimes, 2004, p. 297).

Another important factor is, according to Lunch (2006, p. 40), threats from inside sources, normally former employees with technical knowledge of the firms network, or currently employees or contractors. Mostly they use simple methods to damage data or get information, but also some sophisticated methods are utilized. More than 50 percent of the attacks are conducted by insiders, so focus must be on protecting servers, more then the network.

Having looked at the basics of IDS it is necessary to consider the benefits and disadvantages. Advantages, such as logging network and host activity, analysis to use in forensics or criminal prosecution and restricting malevolent activity (Endorf, Schultz and Mellander, 2004, p. 14), as well as detecting hackers and quantifying attacks (Endorf, Schultz and Mellander, 2004, p. 20), are immense. There are also some disadvantages. According to Grimes (2004, p. 301) IDS cannot stop misuse, when unauthorized users use legal usernames and passwords or human errors from legal users. Also, generation of false positives makes it difficult for security managers to analyse alarms. Additionally, IDS reacts to threats and normally do not prevent damage, and it require full time monitoring (Endorf, Schultz and Mellander, 2004, p. 20). The most important is to be able to log and analyse incidents that might be attacks, to prevent sensitive data from being enabled for misuse, and to avoid damage to the network and servers. Security managers must have enough skills to configure and maintain IDS software to minimise the disadvantages and to analyse alarms effectively.

Economic considerations are another important factor. An IDS is expensive to acquire, configure and maintain (Endorf, Schultz and Mellander, 2004, p. 20). Security experts are high-priced, and without proper expertise the system will give more problems then benefits. There are economical methods for determine if an IDS implementation gives economical benefits for an organisation. Grimes (2004, p. 303) focus on costs and return on investment’s (ROI) importance for justifying implementation of IDS. Since IDS implementation does not give any increase in profit, Brandel (2006, p. 39) says that when using ROI it is important to focus on avoiding cost, generating revenue ability, keeping market share and protecting its image.

Cavusoglu, Mishra and Raghunathan (2005, pp. 31-33) uses two terms, namely “Quality Profile” and “Receiver Operating Characteristics (ROC) Curves” to define quality of an IDS system. Quality profile measures by false positives and false negative rates, and is displayed in a ROC curve. By deriving the value of IDS a company can decide whether acquiring an IDS or not. It is important to configure the IDS properly to get a positive value. Poor defending of network and data systems can be fatal for the business. Moreover, Lunch (2006, p. 44) refers to a study by the Secret Service National Threat Assessment Center (NTAC) and the Carnegie Mellon University Computer Emergency Response Team (CERT) of “The Insider Threat Study (ITS): Computer System Sabotage in Critical Infrastructure Sectors” (May 2005), stating that financial loss, impaired reputation and reduced business because of sabotage are economic impacts if attacks are successful.

Avoidance is the real value of IDS; preventing hackers from attacking the network is the importance, since hackers less likely will try to attack a system they know is protected with IDS, this relate especially to internal threats (Cavusoglu, Mishra and Raghunathan 2005, p. 40). In addition, according

...