Survey shows that few organizations have an intrusion response policy

Our recent survey on intrusion detection and response shows that although most companies use an IDS to monitor for attacks, few actually have policies to guide responses to network intrusions. See how your company can learn from these findings.

Results of a recent TechRepublic survey indicate that although many organizations monitor their networks for attacks, a relatively small number have intrusion response policies in place to ensure consistency in the handling of attacks that are detected. Without a policy aimed at governing actions, chances that incidents will be mishandled are dramatically increased. Consistency in conducting investigations and gathering evidence can be critical, especially where legal action against the perpetrator becomes necessary. If investigations don't follow carefully outlined procedures, and if evidence is handled improperly, attempts to prosecute a dangerous hacker may fail.

Following procedures outlined in formal policies also ensures that the necessary steps are taken to prevent future attacks. That may mean installing new security measures or removing existing vulnerabilities, but it often means changing how members of an organization use their network and approach security.

Our survey indicates that organizations need to make more pointed efforts to develop network intrusion policies.

We're working on it
As Figure A shows, only 30 percent of those responding to our survey reported that they currently have policies in place for responding to network intrusions. Of the other 70 percent, half said they are in the process of developing policies, and half said they don't have an intrusion response policy and aren't working on one.

Figure A
Who's developing intrusion response policies?

Organizations are obviously concerned about intrusions, however, because most are monitoring their networks for signs of attack. Figure B shows that more than 80 percent of respondents said they're currently monitoring for attacks.

Figure B
Monitoring for intrusions

Comparing this data to the results in Figure A, it's clear that many of those who are monitoring for attacks don't have rules in place for how to handle them. Presumably, the 19 percent of respondents who don't monitor for intrusions don't have response policies either.

Are those who don't monitor for attacks lacking the resources to do so? Do they put so much faith in firewalls and other security measures that they don't feel monitoring is needed? Perhaps some organizations figure that if they haven't been attacked, there's no reason to expend resources on monitoring efforts. Whatever the case, these survey results show that a sizable number of organizations simply aren’t looking for intrusions.

Organizations react to attacks in a variety of ways. As you can see in Figure C, many try to discover who launched attacks on their networks and investigate the means by which the attack was carried out.

Figure C
Responding to attacks

Just 19 percent of those responding said they secured the vulnerability after an attack, and only 14 percent said they documented their actions in responding to the attack. Both data points seem to indicate a need to establish a policy to ensure that incidents are handled consistently and properly.

As Figure D indicates, however, intrusions have prompted a number of organizations to change their approach to security. In fact, more than 50 percent of respondents said they changed their security measures as a result of attacks.

Figure D
Changing practices after attacks

Figure E  shows that organizations have also  implemented new  security measures as a result of attacks. The most common step has been to close open ports, but many organizations have also implemented or upgraded firewall solutions to block attacks.

Figure E
Beefing up security after attacks

Figure F  shows the variety of intrusions that respondents have detected. As you would expect, the most common intrusion is port scanning. Unauthorized FTP or Telnet sessions, Trojan horses, and spyware were other common types of intrusions. A small number of those responding said they have suffered DoS attacks, and an even smaller number—only 1 percent—said they have had their data compromised or stolen.

Figure F
Types of detected intrusions

Intrusion detection systems
Our survey results indicate that organizations aren’t necessarily relying on a commercial IDS from a major vendor to monitor their networks. As you can see in Figure G, nearly 60 percent of respondents said they use an IDS for monitoring purposes. However, as Figure H shows, more than 60 percent said they are using a solution from a company other than the bigger vendors, such as TripWire, Cisco, Symantec, and RealSecure.

Figure G
Relying on an IDS

Figure H
Favored IDS solutions

Final thoughts
Organizations are obviously doing something to account for possible attacks on their networks. Most are monitoring for attacks by some means, and many are responding to attacks by taking steps to improve security.

It seems that few, however, are adopting formal policies to govern how they manage responses to intrusions. The result of this could be inconsistency in the gathering and handling of evidence. Both the SANS Institute and the CERT Coordination Center emphasize the importance of adopting policies to ensure that organizations manage network security in a uniform manner. For more information about why you should establish an intrusion response policy and what details you should consider in doing so, be sure to check out CERT’s article on intrusion policies.

Editor's Picks