An intrusion detection system (IDS) is software that works with your network to keep it secure from someone trying to break into your systems. There are many types of intrusion detection tools, and it can be challenging to figure out which one will work best for your needs. Regardless of which tool you choose, keeping your network safe from attackers is a top priority. Breaches of your network can cause massive losses, including downtime, data loss, and loss of customer trust.
How does it work?
Explaining how these systems work requires a basic understanding of the types of attacks that can occur on your network. There are many different ways an attacker can attempt to breach your systems, but we will highlight some of the most common methods. In most cases the attacker will first flood or overload your network in order to gather data about the weak points in your systems. With that information they will come back later to insert something into the network that spreads and lets them gain access from the inside. Therefore, it is always important to keep intrusion detection active, so that these footholds are caught before they are established in your network in the first place.
A scanning attack is one where an attacker sends packets to the network in an attempt to learn the network's permitted types of traffic, active hosts, versions of software running, open or closed ports, and the network topology itself. Basically, the attacker is scanning your network for weak points where they can insert malicious code. If the malicious code goes unnoticed, the attacker could be stealing confidential data for extended periods of time without the company even knowing. Depending on the type of business you own or manage, attackers could be accessing your customers' saved account or identity information.
We have all heard of different types of malware at some point in our careers: the dreaded email scam where an employee opens an infected attachment or a document that looks legitimate. No matter how many educational courses we run within our organizations, these threats are always present and always changing. There are several types of malware, which I will highlight below:
- Worms spread copies of themselves from computer to computer. They can replicate without any human interaction, and they do not need to be attached to software in order to cause damage (Norton). In general, worms are spread through spam email attachments or instant messages. All it takes is for someone to open one of these files, and the worm gets to work silently without the user knowing. They have a multitude of jobs to complete, depending on the attacker's goals.
- A Trojan, or Trojan horse, is a form of malicious code. Trojans often look legitimate but can take full control of your devices. Their main goal is to damage, disrupt, steal, or otherwise harm your data and network. There are many types of Trojans, and it is important to understand what they are in order to keep your employees' devices and your network secure.
- Viruses behave very much like the viruses we catch as humans. They are designed to spread from host to host and replicate, but they cannot replicate without a host, such as a document or file. Technically, a computer virus is malicious code designed to alter how a computer operates.
- Bots can be used in both positive and negative ways. They are created to obtain information, such as your email address when you subscribe to a blog. However, when bots are used maliciously, they can steal passwords, log keystrokes, obtain financial information, and open back doors on an infected computer. It is important to know which information you should be sharing with a bot. A "good" bot should never ask you for personal information such as your date of birth, bank information, or passwords. If you feel that a bot on a website is asking you for information that it shouldn't be, call the company and speak to a person about it. You could potentially be saving your own information, as well as notifying a company of a malicious attack on their network.
Buffer Overflow Attacks
This type of attack includes attempts to penetrate memory sections of a device on a network. The attacker overwrites or places new data in your memory locations with malicious data that lies dormant until later in the attack. Generally, the goal is for an attacker to overload a memory region so that it overflows into adjacent memory, causing the system to crash and creating confusion. This can hide the attacker in different parts of your system while the network is trying to organize and handle a sudden influx of data.
Asymmetric Routing
Simply put, this means information packets travel through one route to their destination but another route back. This is unwanted in a network because it makes it tougher to track the packets, and it creates a vulnerability within your firewalls: the data passes through a firewall on the way in but takes a different path out, in order to avoid passing by that firewall again with the data it obtained.
Both buffer overflow attacks and asymmetric routing are forms of traffic flooding. Traffic flooding is an attack on web servers that exploits the way a connection is managed.
Types of Intrusion Detection Systems
There are three main "parts" to an intrusion detection system, if you view them all as pieces of one system:
- Network Intrusion Detection System
- Network Node Intrusion Detection System
- Host Intrusion Detection System
A network intrusion detection system (1) is software that analyzes network traffic. This part casts a wide net but has low specificity. It passively watches network traffic passing through the specified points on the network where it is deployed. It is only as effective as its configuration, and it needs to be monitored by an administrator to ensure that it is always looking for the correct things.
A network node intrusion detection system (2) is very similar to the network intrusion detection system (1) described above, but it is applied to only one host at a time, whereas (1) is usually attached to an entire subnet.
A host intrusion detection system (3) is placed on and runs on the devices in the network that have access to the internet. This part of the system looks a little more closely at internal traffic and acts as a defense against malicious packets that the earlier intrusion detection systems (1 and 2) may have missed.
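The scanning attack described earlier and the passive network monitoring that a network intrusion detection system (1) performs come together in a detection rule like the one below. This is an added example, not code from the original post or from Matrix-NDI. It assumes a feed of connection attempts (timestamp, source address, destination address, destination port) of the kind a network sensor or firewall log would provide, and it flags a source that probes many distinct ports on one host (a "vertical" scan) or the same port across many hosts (a "horizontal" sweep) inside a short time window. The thresholds, window, and sample traffic are all constructed for illustration.

```python
"""Minimal port-scan detector in the style of a network IDS rule.

Added example; the Conn record, the thresholds and the sample traffic are
assumptions made for this illustration, not part of any real product.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed connection attempt, as a sensor or firewall log would report it."""
    ts: float    # seconds since epoch
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


class ScanDetector:
    """Passively watches connection attempts and raises scan alerts per source."""

    def __init__(self, window: float = 10.0, port_threshold: int = 15, host_threshold: int = 10):
        self.window = window                    # seconds of history kept per source
        self.port_threshold = port_threshold    # distinct ports on one host -> vertical scan
        self.host_threshold = host_threshold    # distinct hosts on one port -> horizontal sweep
        self._recent: dict[str, deque[Conn]] = defaultdict(deque)  # per-source sliding window
        self._raised: set[tuple[str, str, str]] = set()            # alerts already emitted

    def observe(self, c: Conn) -> list[str]:
        """Record one connection attempt and return any new alerts it triggers."""
        q = self._recent[c.src]
        q.append(c)
        # drop attempts that have aged out of the window (records arrive in time order)
        while q and c.ts - q[0].ts > self.window:
            q.popleft()

        alerts: list[str] = []

        # vertical scan: many distinct ports probed on the same destination host
        ports_on_dst = {x.dport for x in q if x.dst == c.dst}
        if len(ports_on_dst) >= self.port_threshold:
            key = ("vertical", c.src, c.dst)
            if key not in self._raised:
                self._raised.add(key)
                alerts.append(f"PORT SCAN: {c.src} probed {len(ports_on_dst)} ports on {c.dst} "
                              f"within {self.window:.0f}s")

        # horizontal sweep: the same port probed on many destination hosts
        hosts_on_port = {x.dst for x in q if x.dport == c.dport}
        if len(hosts_on_port) >= self.host_threshold:
            key = ("horizontal", c.src, str(c.dport))
            if key not in self._raised:
                self._raised.add(key)
                alerts.append(f"HOST SWEEP: {c.src} probed port {c.dport} on {len(hosts_on_port)} hosts "
                              f"within {self.window:.0f}s")
        return alerts


def analyze(conns: list[Conn]) -> list[str]:
    """Run the detector over a batch of records (sorted by time) and collect alerts."""
    det = ScanDetector()
    alerts: list[str] = []
    for c in sorted(conns, key=lambda x: x.ts):
        alerts.extend(det.observe(c))
    return alerts


def sample_traffic() -> list[Conn]:
    """Constructed sample traffic: benign sessions, then a vertical scan, then a host sweep."""
    conns: list[Conn] = []
    # benign: a workstation talking to one server on its mail and web ports
    for i in range(20):
        conns.append(Conn(1000 + i, "10.0.0.5", "10.0.0.80", 443 if i % 2 else 25))
    # vertical scan: one outside source walks ports 1..30 on one host in three seconds
    for p in range(1, 31):
        conns.append(Conn(2000 + p * 0.1, "203.0.113.9", "10.0.0.80", p))
    # horizontal sweep: the same source tries port 22 on twelve hosts in six seconds
    for h in range(12):
        conns.append(Conn(3000 + h * 0.5, "203.0.113.9", f"10.0.0.{100 + h}", 22))
    return conns


if __name__ == "__main__":
    for line in analyze(sample_traffic()):
        print(line)
```

The benign workstation never trips either rule because it touches only two ports on one host, while the outside source raises exactly one alert per behaviour (the detector suppresses repeats of the same alert for the same source and target). In a real deployment the window and thresholds are the administrator's tuning knobs mentioned above: set them too low and ordinary service discovery on the LAN becomes noise, too high and a slow scan spread over minutes slips under the window.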
As I mentioned at the beginning, there are a lot of threats to our networks out there, so it is very important to make deliberate decisions about protecting our data. While we have only scratched the surface of these threats and the tools available to mitigate them, we are always open to discussing your concerns with you. Whether you have an existing intrusion detection system in place and would like us to analyze it for you, or you are interested in implementing something brand new, we have you covered.
It's important to note that intrusion detection systems differ from intrusion prevention systems. When discussing cyber and network security, you will want to ensure that prevention, detection, and attack resolution are all covered.
If you would like to discuss your concerns about your existing intrusion detection system or about implementing a new one, reach out to us at ContactUs@Matrix-NDI.com or call 763.475.5500.