Saturday, 10 March 2012

Why Use Intrusion Detection?

Web applications can be protected by something called Intrusion Detection (ID), which attempts to identify suspicious behaviour being carried out on the web site. It is not like a firewall, which blocks parts of the system that should never be used; it is more like watching the legitimate traffic channels and seeing whether someone is trying to brute force their way in.
Intrusion detection systems vary in cost and complexity but are really trying to stop brute forcing. If someone knows a way into the system without using brute force, then ID will probably not detect or stop it. The operators of a recently hacked site suggested that it had been hit 26000 times in 6 hours as part of an attack. You wouldn't allow someone to keep kicking your door until it eventually broke down, so why don't we use ID more often?
My first thought would be ignorance for the most part. Unless you have managed a web site, and even in some cases if you have, you might simply be unaware of how to check for intrusion and what it even means. A friend worked for a church, and even their site, which might be considered low-risk for attack, was sometimes hit by people who presumably simply wanted to deface it.
Secondly, there is the fear of cost. Unless you are comfortable using some open source software and setting it up, you are prey for companies that can sell solutions which can cost many thousands of pounds, something which many organisations are simply not prepared to spend (understandably).
Then there is a lack of expertise among IT technicians who might have the job of managing a web site but who have limited or no specific web site training. Without training, even if you know roughly what ID is supposed to do, you might not know how to configure it (or configure it correctly).
The simple conclusion is that, as in most cases, you need to risk assess whether you should have Intrusion Detection, even in a basic form. As previously mentioned, the likelihood of being attacked is actually quite high. Depending on how much faith you have in your web applications and/or web server, you should consider it a very high possibility. You should then decide what is at stake if your site is attacked, defaced or penetrated, and take advice on what Intrusion Detection is available from your service provider, from commercial outfits and from internet forums. Remember that the advice on most forums is of unprovable worth, but with enough opinions and input from people you should be able to form a valid opinion, one that means your company won't be mentioned in the news as the one that let someone hit its site thousands of times without doing anything about it!