Guard Your Critical Information Systems with IDS/IPS

In the latest May issue of Credit Union Magazine, the Credit Union National Association’s BITS Liaison Task Force detailed how cybercriminals are using malware, phishing, and social engineering to steal information from credit unions and their members. Intrusion Detection and Prevention Systems (IDS/IPS), especially if they are implemented in the proper way with 24/7 proactive management, can mitigate such risks and potential theft from criminals. However, since effective IDS/IPS can be very costly, a risk-based decision should be used to determine which system is best and where it should be located within the financial institution’s (FI) network in order to provide the most cost-effective benefits. There are typically two deployment scenarios that determine the appropriate system or systems to provide the best value. The institution either hosts Internet accessible servers or it does not. The distinction plays a key role in determining the appropriate deployment of IDS/IPS systems for the FI.

Internet Accessible Systems

If the FI hosts systems that are accessible from untrusted sources, such as a web server being accessed from the Internet, an in-line IDS/IPS system would be appropriate. This system should monitor traffic destined for the network area hosting the accessible systems. In a web server example, authorized traffic would pass through a firewall into a screened subnet (or DMZ). This public internet traffic would then pass through an IDS/IPS on its way to the web server. In this configuration, the firewall would filter most traffic, with the IDS/IPS evaluating the traffic destined for the web server. Should malicious external traffic pass through the firewall, the IDS/IPS should identify and stop the traffic before it enters the internal network. However, often times IDS/IPS systems are not totally effective unless there are a trained security engineers also analyzing anomalies around-the-clock as not all intrusions will be signature based, and may be missed without the visibility from 24/7 security personnel.

If the FI does not have externally accessible systems, an inline IDS/IPS may be overkill, as there would be no traffic allowed through the firewall that originated from untrusted networks, such as the Internet. The FFIEC recommends intrusion detection or prevention systems “…at any location where network traffic from external entities is allowed to enter controlled or private networks.” (FFIEC Information Security handbook pg. 84)

No Internet-Accessible Systems

If the institution does not maintain any Internet accessible servers, then a fully managed inline IDS/IPS may be both inefficient as it would be costly and provide little benefit over and above a properly configured firewall. Given that all traffic originating from external entities would be blocked at the firewall, it is unlikely that the internal systems would be attacked from the outside.

For example, if an FI does not have Internet accessible servers and employs an inline IDS/IPS configuration, the system would only be monitoring private internal traffic. In this case, an inline IDS/IPS would not detect an internal system from attacking another internal system. If malicious traffic from internal system A attacked internal system B without passing through the IDS/IPS, it would go undetected. You may wonder if this could actually happen. The answer is Yes! However, for that to happen, the attacker would have to first gain access to the internal corporate network. In many cases, this illicit access could be from a malicious employee, an insecure/unauthorized wireless access point, remote access software, directly connected device, unpatched systems, etc.

Given that an inline IDS/IPS would not mitigate the risk in the aforementioned scenario, a fully managed Intrusion Detection System that monitors an entire network segment would be more appropriate. Such a system would alert management to any suspicious traffic that is being monitored. With that said, it could be quite costly to monitor all network segments with an IDS, such as all branch locations. In order to provide a good value for the security dollars spent, an IDS could be limited to the network segments that host critical systems.

For instance, if an FI has twenty locations, but only two locations contain critical systems, the institution may warrant installing IDS only at the locations where critical systems reside.

According to the FFIEC, “Multiple nIDS [network-based intrusion detection systems] units can be used, with placement determined by the expected attack paths to sensitive data. Generally speaking, the closer the nIDS is to sensitive data, the more important the tuning, monitoring, and response to nIDS alerts.” (FFIEC Information Security handbook pg. 84) Should a non-critical system be compromised at a location without an IDS, the damage would be minimal, as the system should not have any critical and/or sensitive information. Should the compromised system then attempt to attack critical systems, the IDS framework monitoring the network segment with the critical systems would trigger appropriate alerts. Even with those controls in place, an Intrusion Detection System should be managed around the clock by a security expert in order to improve effectiveness given that not all suspicious activity will trigger an alert and often, analysis needs to be done on the behavior of the traffic to determine whether it may be harmful.

In Summary

Your FI’s Intrusion Detection and Prevention Systems need to be comprehensive, fully managed, and an integrated component of your company’s information security plan. The FFIEC further advises, “To use a nIDS [network-based intrusion detection system] effectively, an institution should have a sound understanding of the detection capability and the effect of placement, tuning, and other network defenses.” (FFIEC Information Security Booklet pg. 82) Therefore, FIs need to ensure that they have a well engineered and thought out IDS/IPS program not only to meet regulatory guidelines, but also to mitigate the very real vulnerabilities and threats that are present in the financial arena and increasingly targeting your critical information systems.

Bradley Fenster

Bradley Fenster

Bradley Fenster is a former regulatory examiner, having more than seven years’ experience with the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA). He is an ... Web: Details