The most common threats to a company's information assets come from human error, inappropriate disclosures, and sheer carelessness on the part of the company's employees. Hackers who intentionally tamper with a company's network often do so because they are tempted by assets they know are poorly protected. Weak security policies project the image that a company does not truly value its assets, which in turn attracts the petty thief and the curiosity seeker. Therefore, the preventive element of any network security system should include a strong and enforceable security policy for employees to follow, reinforced by some form of technical protection (Control Data, 1999).
Firewalls, ...
Intrusion detection is an effort to catch a violation before any real damage can be done to the network, should a system violator manage to breach the network's security. The most common approach to intrusion detection is based on the belief that violations can be discovered by looking for abnormal system usage, or by scanning the system in search of known attack patterns or virus indicators (Denning, D., 1986). The two approaches used by LADWP are automated intrusion detection, and network traffic and vulnerability monitoring.
For automated intrusion detection, LADWP has deployed the Cisco Intrusion Detection System (IDS). This system has two major components: the sensors and the Director Platform. A sensor captures network packets, reassembles them, and compares the reassembled data against known intrusion signatures. Should the sensor detect an attack, it logs the attack and forwards an attack notification to the Director Platform. Once the Director Platform receives the notification, it displays an alarm and takes action to reduce the effect of the attack (Stiffler & Carter, Dec. 28, 2001). Because this is an automated system, it depends on a mechanical process for discerning what is good and what is bad. This can lead to false positives or false negatives: the blocking of a legitimate user, or the granting of access to a system violator. This weakness in the Cisco IDS requires that an additional form of violation detection be used.
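To make the sensor/director division of labour concrete, here is an added example (not code from the paper, from LADWP, or from Cisco) of a minimal signature-based sensor: it reassembles packet fragments into a per-flow stream, scans the stream against a signature list, logs each hit, and hands a notification to a "director" callback that raises the alarm and blocks the source. The packets, the two signatures, the flow identifiers and the director's blocking action are all constructed for the example. It also shows the weakness the text describes: a legitimate request that merely contains the signature bytes is blocked just like the real attempt (a false positive), while anything not in the signature list is never seen at all (a false negative).

```python
"""Added example: a toy signature-based IDS sensor with stream reassembly.
Constructed packets and signatures; not the Cisco IDS or LADWP's configuration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Flow = Tuple[str, str]  # (source address, destination address), constructed values


@dataclass(frozen=True)
class Packet:
    flow: Flow
    seq: int        # byte offset of this fragment within the stream
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # exact bytes the sensor looks for


@dataclass
class Sensor:
    signatures: List[Signature]
    notify: Callable[[dict], None]          # the Director Platform stand-in
    log: List[dict] = field(default_factory=list)

    def reassemble(self, packets: List[Packet]) -> Dict[Flow, bytes]:
        """Group fragments by flow and join them in sequence order, so a
        pattern split across two packets is still visible to the matcher."""
        streams: Dict[Flow, List[Packet]] = {}
        for p in packets:
            streams.setdefault(p.flow, []).append(p)
        return {flow: b"".join(p.payload for p in sorted(frags, key=lambda p: p.seq))
                for flow, frags in streams.items()}

    def inspect(self, packets: List[Packet]) -> List[dict]:
        """Compare each reassembled stream against every signature; on a hit,
        log it locally and forward the notification to the director."""
        alerts = []
        for flow, data in self.reassemble(packets).items():
            for sig in self.signatures:
                if sig.pattern in data:
                    event = {"flow": flow, "signature": sig.name}
                    self.log.append(event)
                    self.notify(event)
                    alerts.append(event)
        return alerts


def demo() -> Tuple[List[dict], List[str]]:
    """Run the sensor over constructed traffic; returns (alerts, blocked sources)."""
    blocked: List[str] = []

    def director(event: dict) -> None:
        # Director Platform stand-in: "display an alarm" and block the source.
        print(f"ALARM {event['signature']} from {event['flow'][0]}")
        blocked.append(event["flow"][0])

    sensor = Sensor(
        signatures=[Signature("dir-traversal", b"../../"),
                    Signature("script-tag", b"<script>")],
        notify=director,
    )
    packets = [
        # Flow 1: the pattern is split across two fragments; only reassembly catches it.
        Packet(("10.0.0.7", "10.0.0.2"), 0, b"GET /files/.."),
        Packet(("10.0.0.7", "10.0.0.2"), 13, b"/../etc HTTP/1.0\r\n"),
        # Flow 2: a harmless wiki post about relative paths -> false positive.
        Packet(("10.0.0.9", "10.0.0.2"), 0,
               b"POST /wiki HTTP/1.0\r\n\r\nUse ../../ to go up two levels"),
        # Flow 3: clean traffic, no alert.
        Packet(("10.0.0.11", "10.0.0.2"), 0, b"GET /index.html HTTP/1.0\r\n"),
    ]
    return sensor.inspect(packets), blocked


if __name__ == "__main__":
    print(demo())
```

The legitimate user at 10.0.0.9 ends up on the block list alongside 10.0.0.7, which is exactly why the text pairs the IDS with human monitoring: the director cannot tell the two apart from the signature hit alone.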
In addition to the IDS, LADWP has a staff of technicians who provide continuous network monitoring. Besides keeping track of the alarms raised by the IDS' Director Platform, these technicians use other tools to watch network traffic levels and to perform routine vulnerability probing. One key tool is Lucent's Vital Suite, which uses real-time event analysis to identify network resources that have exceeded acceptable levels.
To use Vital Suite properly, the technicians first establish what they believe to be normal network activity. This norm is then used as a baseline to help identify any abnormal network traffic. Once the baseline is established, levels of severity are set: minor, major and critical, with critical meaning that immediate action is required. The system only raises an alarm when a critical error is detected. During normal operations, the technicians watch Vital Suite's display for unusual events. These events can come as a series of major alarms that occur only at one specific time of day, or as a continuous string of minor alarms, and they can indicate subtle attempts at compromising the network. In the case of such events, the traffic is examined more closely and any needed corrective action is taken at that time.
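The baseline-and-severity workflow above is easy to show in code. The following is an added example, not Vital Suite's own logic or LADWP's configuration: it derives minor/major/critical thresholds from a constructed baseline of hourly traffic samples, raises the immediate alarm only for critical readings, and then looks for the two subtler patterns the text names (a series of major alarms that always fall at the same hour of the day, and a continuous run of minor alarms). The baseline values, the samples, the standard-deviation multipliers and the pattern cut-offs are all assumptions made for the example.

```python
"""Added example: baseline-driven traffic monitor with minor/major/critical levels.
Constructed data; not Lucent Vital Suite or LADWP's actual thresholds."""
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed baseline: hourly traffic (MB) recorded while the network was
# believed to be operating normally. Mean 110, population std-dev 10.
BASELINE: List[int] = [100] * 20 + [120] * 20

# Constructed samples to monitor: (day, hour_of_day, MB), in chronological order.
SAMPLES: List[Tuple[int, int, int]] = [
    (1, 2, 145), (1, 9, 104), (1, 14, 118),
    (2, 2, 146), (2, 9, 110), (2, 14, 121),
    (3, 2, 144), (3, 10, 133), (3, 11, 134), (3, 12, 135), (3, 13, 136), (3, 14, 137),
    (4, 2, 147), (4, 9, 108),
    (5, 9, 112), (5, 15, 300), (5, 16, 115),
]


def thresholds(baseline: List[int]) -> Dict[str, float]:
    """Severity levels as multiples of the baseline's standard deviation
    (the 2/3/5 sigma multipliers are an assumption for this example)."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return {"minor": mu + 2 * sigma, "major": mu + 3 * sigma, "critical": mu + 5 * sigma}


def classify(mb: float, thr: Dict[str, float]):
    """Map one reading to a severity level, or None if within normal range."""
    for level in ("critical", "major", "minor"):
        if mb >= thr[level]:
            return level
    return None


def monitor(samples, thr, min_recurrence: int = 3, min_run: int = 4) -> dict:
    """Return the immediate (critical) alarms, every threshold event, and the
    subtle patterns a technician would pick out of the display."""
    immediate, events, patterns = [], [], []
    major_hours: Counter = Counter()   # how often a major alarm hit each hour
    run = 0                            # current streak of consecutive minor alarms
    for day, hour, mb in sorted(samples):
        level = classify(mb, thr)
        if level:
            events.append((day, hour, mb, level))
        if level == "critical":        # the only level that raises the system alarm
            immediate.append((day, hour, mb))
        if level == "major":
            major_hours[hour] += 1
        if level == "minor":
            run += 1
            if run == min_run:         # report once, when the streak first qualifies
                patterns.append(f"continuous-minor: {min_run}+ consecutive minor "
                                f"alarms ending day {day} hour {hour:02d}")
        else:
            run = 0
    for hour, n in sorted(major_hours.items()):
        if n >= min_recurrence:
            patterns.append(f"recurring-major: {n} major alarms all at hour {hour:02d}")
    return {"immediate": immediate, "events": events, "patterns": patterns}


if __name__ == "__main__":
    result = monitor(SAMPLES, thresholds(BASELINE))
    for key, value in result.items():
        print(key, value)
```

Only the 300 MB reading on day 5 would make the system itself alarm; the four 14x MB readings at 02:00 and the five-hour run of minor alarms on day 3 never do, and are found only because the monitor keeps state across readings the way a technician watching the display would.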
Data collected by Vital Suite can also be used to expose points of vulnerability by looking for unused ports or poorly configured network devices. When a point of vulnerability is found, the technicians make...