We're going to move on into section eight, where we're going to talk about how we operate and maintain preventive measures. So here are our section topics, we're going to look at the various forms of preventative tools that we're going to have in place, which will include firewalls, IDSIPS, our intrusion response process, and the IDS management.

Now, operations can be impacted by a variety of threats, these threats may be caused by individuals or environmental factors. The security practitioner who is aware of common threats will be more prepared to propose or implement controls to mitigate or limit the potential for damage. Just as most security requirements can be summed up by the CIA triad, most threats are associated with their opposites. In the case of confidentiality, that would be disclosure, in the case of integrity, that would be corruption or contamination, and, when it comes to availability, that would be mostly destruction. So, let's go into these various preventative measures and see what contribution they make.

Firewalls are a very common preventative measure. Most organizations wouldn't dream of connecting themselves to the Internet, an example of an unknown, and un-trusted network, so they put these devices at the perimeter, where their corporate enterprise network connects to the rest of the world. This technology is designed to examine and filter traffic, both inbound and outbound, based on a set of rules designed to indicate what will or will not be allowed. They typically operate at either the network layer or at the application layer. Usually, alongside it will be something along the lines of an intrusion detection system.

Here we have a network intrusion system, this is usually incorporated into the network in a passive architecture. A network intrusion detection system has to examine every packet traversing the network so that it can see it and compare it to its rules or storage signatures. By inspecting these packets and monitoring sessions, it will be able to alert us when anything of an anomalous or an outright forbidden nature should happen to be traveling through the network, potentially going to impact systems or the applications available through it.

Now, IDS engine analysis methods include two basic families of techniques, these are going to be the ones that analyze the traffic, based on either a pattern match, such as might be the case against a storage signature, or anomaly detection, which can be an unknown, or unwanted pattern, or simply an unrecognized pattern, followed by an alert to say, "Hey, I've found this, this doesn't look normal to me, what do you think I should do?" The intrusion detection uses stateful matching, it scans for attack signatures in the context of a stream of traffic, or overall system behavior, rather than looking at individual packets, or discrete system activities.

We have the statistical anomaly-based intrusion detection, which attempts to identify suspicious behavior by analyzing event data and identifying patterns of entries that deviate from a predicted norm. Along with these, we have protocol anomaly-based, which identifies an unacceptable deviation from expected behavior, based on known network protocols. And then traffic anomaly-based, which identifies unacceptable deviation from expected behavior, based on actual traffic structure.

Now, the intrusion detection system and the intrusion prevention system are both given deterministic logic. When these are brought in and installed and implemented, from the moment they're activated on the network, they begin to learn. The deterministic logic in their programing looks at various patterns, it stores the patterns, or accepts custom programing by its operator. When it learns, and it learns from the moment it's turned on until the moment it's disconnected, it will get better and better at recognizing things that are anomalous, either based on protocol or traffic or statistical models. But over time, it gets to be more and more effective, reducing false positives and false negatives, and increasing the probability that what it will see are things that really do require your attention, rather than many false positives that lead you in wrong directions.

Tactics also include doing whitelisting and blacklisting, in other words, those things that are always okay, or, those things that are never okay. We have spam filtering, which may rest on the ability to recognize unwanted traffic, which we would call spam. It has the ability to put in place a sandbox, so that anything that it recognizes, it puts a virtual environment around it to isolate it from the systems that it may be attempting to assault. If we're looking for a person, an actual hack, we put up honeypots, or possibly a string of honeypots in a honeynet, simulating a real environment. We have anti-malware, of course, or we have third-party services that can provide this as a managed security service.