[Tfug] Lightweight IDS options/strategy/policy
vaca at grazeland.com
Wed Sep 25 01:17:39 MST 2013
IDS is a part of a comprehensive security program. I don't think anyone is suggesting it as a replacement for perimeter security, OS hardening, anti-malware software, strong policies, etc.
On Sep 24, 2013, at 11:27 PM, Kramer Lee <krameremark1 at gmail.com> wrote:
> "Think about it. Would you tolerate something on your
> "personal" internet if it *couldn't* "dial out" -- but
> *could* interfere with the operation or integrity of
> your stuff?"
>
> That sounds like a virus/malware. Is that part of intrusion detection?
>
> So, we can be intruded into directly, an event we might be able to see
> if an intrusion detection system worked and it wasn't a zero day
> exploit. If the hackers get past the IDS you are in trouble. That
> would be a bad event, especially if the critical internal computers
> with the valuable information are connected directly to the internet
> (not the best idea). But even if that happens, and it isn't good, it
> would be made much worse if the intrusion program can dial back out,
> so you now suffer even more competitive loss from IP being taken, or
> also financial information, internal passwords, etc. At least if the
> data can be kept inside the firewall, that part of the disaster can be
> mitigated. Many hackers are hacking for profit, less are hacking to
> damage.
>
> Anyway, more emphasis should be put on keeping the valuable
> information from getting out. The intrusion detection stuff is great,
> but not sufficient.
>
> On 9/24/13, vaca at grazeland.com <vaca at grazeland.com> wrote:
>> Tuning of an IDS can be very time consuming for some of the reasons
>> mentioned here. When is it innocent? When is it a virus or a hacker? That
>> doesn't mean, however, that in a secure environment you just omit it.
>>
>> IDS is a basic building block for secure networks. It is part of any
>> comprehensive defense-in-depth strategy...as would be a documented and
>> rehearsed security incident response plan.
>>
>> Tyler
>>
>> On Sep 24, 2013, at 10:12 PM, Bexley Hall <bexley401 at yahoo.com> wrote:
>>
>>> Hi Kramer,
>>>
>>> On 9/24/2013 3:08 PM, Kramer Lee wrote:
>>>> The best thing would be to be able to keep packets of your information
>>>> from going out of the computer. So what if there is an intrusion? it
>>>> only is a problem if there is an outflow of information as a result of
>>>> the intrusion.
>>>
>>> Think about it. Would you tolerate something on your
>>> "personal" internet if it *couldn't* "dial out" -- but
>>> *could* interfere with the operation or integrity of
>>> your stuff?
>>>
>>> I can contain attacks so they can't "do" anything (even
>>> for an adversary "on the inside" -- though I can't prevent
>>> certain types of DoS attacks ).
>>>
>>> But, how do I tell the user (internet owner/administrator) that
>>> something is (possibly) *trying* to "harm" (?) him -- even if
>>> I've neutralized the threat?
>>>
>>> And, what do I tell him to *do* in that event? "Worry"? :<
>>>
>>>
>>> _______________________________________________
>>> Tucson Free Unix Group - tfug at tfug.org
>>> Subscription Options:
>>> http://www.tfug.org/mailman/listinfo/tfug_tfug.org