Intrusion Detection Policy

Version: 1.00    Issue Date: 3/3/2015

This Intrusion Detection Policy specifies how intrusion detection shall be used on the organizational network.

1.0 Overview

This Intrusion Detection Policy defines how intrusion detection shall be used on the network. Together with the Incident Response Policy, it defines the proper response to an intrusion. It specifies where intrusion detection shall be placed on the network and which types of systems shall run host based intrusion detection.

2.0 Purpose

This Intrusion Detection Policy is intended to ensure the security of the organization and data by ensuring that intrusion detection systems are located in appropriate places and that intrusions are properly reported and dealt with in a timely manner.

3.0 Scope

This Intrusion Detection Policy applies to the organizational network, all servers, and all employees or contractors who monitor the network or servers for intrusions. It also applies to those who resolve intrusion issues. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Intrusion Detection Definitions

  • Network based intrusion detection - A network device that inspects network traffic for suspicious patterns. When a suspicious pattern is observed, an administrator is notified automatically.
  • Host based intrusion detection - Intrusion detection software that runs on a server or workstation, similar to anti-virus software. The software looks for suspicious activity that may indicate that someone has attempted to penetrate, or has penetrated, the security of the computer without authorization.

5.0 Intrusion Detection Requirements

  • Network based intrusion detection shall be placed behind every firewall at an entry point into any organizationally controlled network from an untrusted network.
  • Network based intrusion detection shall be placed behind every firewall where the security level of the organizationally controlled network changes. In particular, it shall be placed between the DMZ (semi-trusted network) and the trusted network.
  • Host based intrusion detection shall be placed on the following types of servers:
    • File servers containing any confidential or higher level sensitive data.
    • Database servers containing any confidential or higher level sensitive data.
    • All email servers.
    • All DNS servers.
    • All domain controller servers.

6.0 Intrusion Investigation

When the intrusion detection equipment detects a possible intrusion, the proper personnel must be notified quickly and the intrusion must be investigated in a timely manner so its effect can be minimized or prevented.

  • The intrusion detection software must be configured to contact at least three members of the incident response team when there is sufficient reason to believe a significant intrusion has been detected.
  • The member of the incident response team that investigates should inform other members that they are investigating the incident to prevent duplication of effort.
  • A manual or automated mechanism should be in place so if a member of the incident response team does not investigate within 15 minutes, at least two members of management should be informed.
  • When the intrusion is investigated, the investigator should post their conclusions as to whether the intrusion was significant or additional corrective action is recommended. If the intrusion was significant or additional corrective action is recommended, management must be informed and corrective action shall be taken with the knowledge and possibly under the direction of management.
  • If the intrusion was significant or additional corrective action is recommended, the incident must be posted in the central tracking system for incidents.
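The notification, claim, 15-minute escalation and tracking rules above are mechanical enough to encode in the alerting layer. The following is an added illustration, not code from this policy or from any particular IDS product: the team roster, the alert contents and the in-memory stand-ins for the pager and the central incident tracker are constructed sample data, and a real deployment would replace the `outbox` and `tracker` lists with calls to the organization's paging and ticketing systems.

```python
"""Alert notification and escalation for the intrusion-investigation procedure:
page at least three IR team members, let the first responder claim the alert and
tell the others, escalate to at least two managers if nobody has claimed it
within 15 minutes, and file significant findings in the incident tracker.

Added example; names, alerts and the tracker/outbox stand-ins are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds stated in section 6.0 of the policy.
ESCALATION_TIMEOUT = timedelta(minutes=15)
MIN_IR_NOTIFIED = 3
MIN_MANAGERS_ESCALATED = 2


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    summary: str
    notified: List[str] = field(default_factory=list)
    investigator: Optional[str] = None
    acknowledged_at: Optional[datetime] = None
    escalated_to: List[str] = field(default_factory=list)


class EscalationHandler:
    """Tracks open IDS alerts through notification, claim, escalation and close-out."""

    def __init__(self, ir_team: List[str], managers: List[str]) -> None:
        if len(ir_team) < MIN_IR_NOTIFIED:
            raise ValueError(f"policy requires at least {MIN_IR_NOTIFIED} IR team contacts")
        if len(managers) < MIN_MANAGERS_ESCALATED:
            raise ValueError(f"policy requires at least {MIN_MANAGERS_ESCALATED} managers")
        self.ir_team = list(ir_team)
        self.managers = list(managers)
        self.open: Dict[str, Alert] = {}
        self.tracker: List[dict] = []   # stand-in for the central incident tracking system
        self.outbox: List[str] = []     # stand-in for pager / email notifications

    def raise_alert(self, alert_id: str, summary: str, now: datetime) -> Alert:
        """IDS reports a significant detection: page the whole IR team (>= 3 people)."""
        alert = Alert(alert_id, now, summary, notified=list(self.ir_team))
        self.open[alert_id] = alert
        for member in alert.notified:
            self.outbox.append(f"{member}: ALERT {alert_id} {summary}")
        return alert

    def acknowledge(self, alert_id: str, member: str, now: datetime) -> bool:
        """First responder claims the alert; the rest of the team is told so that
        effort is not duplicated. Returns False if someone already owns it."""
        alert = self.open[alert_id]
        if member not in self.ir_team:
            raise ValueError(f"{member} is not on the IR team")
        if alert.investigator is not None:
            return False
        alert.investigator = member
        alert.acknowledged_at = now
        for other in self.ir_team:
            if other != member:
                self.outbox.append(f"{other}: {member} is investigating {alert_id}")
        return True

    def check_timeouts(self, now: datetime) -> List[str]:
        """Run periodically (e.g. once a minute). Unclaimed alerts at least 15 minutes
        old are escalated once to at least two managers. Returns IDs escalated now."""
        escalated = []
        for alert in self.open.values():
            unclaimed = alert.investigator is None and not alert.escalated_to
            if unclaimed and now - alert.raised_at >= ESCALATION_TIMEOUT:
                alert.escalated_to = self.managers[:MIN_MANAGERS_ESCALATED]
                for mgr in alert.escalated_to:
                    self.outbox.append(f"{mgr}: UNACKNOWLEDGED {alert.alert_id} after 15 min")
                escalated.append(alert.alert_id)
        return escalated

    def close(self, alert_id: str, conclusion: str, significant: bool,
              corrective_action: bool) -> bool:
        """Investigator posts conclusions. A significant intrusion, or one needing
        corrective action, is filed in the tracker and reported to management."""
        alert = self.open.pop(alert_id)
        if alert.investigator is None:
            raise RuntimeError("alert was never claimed; nobody has investigated it")
        if not (significant or corrective_action):
            return False
        self.tracker.append({"id": alert_id, "investigator": alert.investigator,
                             "conclusion": conclusion, "significant": significant,
                             "corrective_action": corrective_action})
        for mgr in self.managers:
            self.outbox.append(f"{mgr}: incident {alert_id} filed: {conclusion}")
        return True


def demo() -> EscalationHandler:
    """Constructed scenario: one alert is claimed promptly, one is ignored and escalates."""
    h = EscalationHandler(["alice", "bob", "carol"], ["mgr-dana", "mgr-eve"])
    t0 = datetime(2015, 3, 3, 9, 0)
    h.raise_alert("IDS-0001", "ssh brute force against dmz-mail01", t0)
    h.raise_alert("IDS-0002", "outbound beacon from file-srv", t0 + timedelta(minutes=1))
    assert h.acknowledge("IDS-0001", "alice", t0 + timedelta(minutes=2))
    assert not h.acknowledge("IDS-0001", "bob", t0 + timedelta(minutes=3))  # already owned
    h.check_timeouts(t0 + timedelta(minutes=10))   # nothing is 15 minutes old yet
    h.check_timeouts(t0 + timedelta(minutes=16))   # IDS-0002 unclaimed for 15 min: escalate
    h.close("IDS-0001", "password guessing blocked at firewall; no access gained",
            significant=False, corrective_action=True)
    return h


if __name__ == "__main__":
    handler = demo()
    print("\n".join(handler.outbox))
    print("tracker:", handler.tracker)
```

`check_timeouts` is meant to be driven by a scheduler, and it escalates each alert only once so that managers are not paged every minute; the claim is recorded with a timestamp so the 15-minute window can be audited afterwards.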

7.0 Incident Response Goals

To contain the intrusion and prevent additional intrusions, the applicable steps from the Incident Response Policy shall be followed which are:

  • Containment - Take action to prevent further intrusion or damage and remove the cause of the problem. May need to:
    1. Disconnect the affected system(s)
    2. Change passwords.
    3. Block some ports or connections from some IP addresses.
  • Prevention of re-infection
    1. Determine how the intrusion happened - Identify the source of the intrusion: email, inadequate training, an attack through an open port or an unneeded service, or an attack against an unpatched system or application.
    2. Take steps to prevent an immediate re-infection which may include one or more of:
      1. Close a port on a firewall
      2. Patch the affected system
      3. Shut down the infected system until it can be re-installed
      4. Re-install the infected system and restore data from backup. Be sure the backup was made before the infection.
      5. Change email settings to prevent a file attachment type from being allowed through the email system.
      6. Plan for some user training.
      7. Disable unused services on the affected system.
  • Restore Affected Systems - Restore affected systems to their original state. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system. Depending on the situation, restoring the system could include one or more of the following:
    1. Re-install the affected system(s) from scratch and restore data from backups if necessary. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system before re-installing.
    2. Make users change passwords if passwords may have been sniffed.
    3. Be sure the system has been hardened by turning off or uninstalling unused services.
    4. Be sure the system is fully patched.
    5. Be sure real time virus protection and intrusion detection is running.
    6. Be sure the system is logging the correct items.
  • Documentation - Document what was discovered about the incident including how it occurred, where the attack came from, the response, whether the response was effective.
  • Evidence Preservation - Make copies of logs, email, and other documentable communication. Keep lists of witnesses.
  • Notifying proper external agencies - Notify the police if prosecution of the intruder is possible.
  • Assess damage and cost - Assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.
  • Review response and update policies - Plan and take preventative steps so the intrusion can't happen again.
    1. Consider whether an additional policy could have prevented the intrusion.
    2. Consider whether a procedure or policy was not followed which allowed the intrusion, then consider what could be changed to be sure the procedure or policy is followed in the future.
    3. Was the incident response appropriate? How could it be improved?
    4. Was every appropriate party informed in a timely manner?
    5. Were the incident response procedures detailed enough to cover the entire situation? How can they be improved?
    6. Have changes been made to prevent re-infection by the current threat? Are all systems patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
    7. Have changes been made to prevent a new and similar infection?
    8. Should any security policies be updated?
    9. What lessons have been learned from this experience?

8.0 Enforcement

Since prompt intrusion detection and resolution is critical for protecting the security of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

9.0 Other Requirements

  • Incident Response Plan


Approved by:__________________________ Signature:_____________________ Date:_______________