ISO/IEC 27039
ISO/IEC 27039:2015 – Information technology — Security techniques — Selection, installation, and operation of intrusion detection and prevention systems (IDPS)
Introduction
Intrusion detection systems detect attacks by hackers and intrusions into networks and raise alarms when they occur. Identifying hacker traffic through a firewall and closing off specific network ports are just a few of the methods used by Intrusion Prevention Systems to automate the response to a certain type of attack. IDPS can refer to either type.
Scope and objectives
According to the scope, “This International Standard provides guidelines to assist organizations in preparing to deploy Intrusion Detection Prevention System (IDPS). In particular, it addresses the selection, deployment and operations of IDPS. It also provides background information from which these guidelines are derived.”
IDPS that are well designed, deployed, configured, managed, and operated are beneficial in several ways, for example:
– By automating security operations, security engineers don’t have to spend time monitoring, analyzing, and responding to network security incidents;
– Automation is useful for speeding up the detection and response to attacks, particularly common types of attacks that can be identified by their unique signatures;
– They provide additional assurance to management regarding the identification and mitigation of security threats on networked systems.
By construction, the standard is a guide for ISP’s implementation.
Structure
There are three main sections in the standard’s 50 pages:
– Selection of IDPS – the various types of IDPS, complementary tools, etc. to be considered (given some specifics and expanded upon in the annexe);
– Implementation of IDPS;
– Operating IDPS.
The standard’s status
2015 saw the publication of the standard, “revising and cancelling” (in other words, replacing) ISO/IEC 18043:2006.
It was only in 2016 that the title of the published standard was rewritten, with the omission of “and prevention” being reintroduced.
Commentary
It would be nice if the standard also cited information security risks and issues relating to the IDPS, as well as the network security risks they are designed to address, such as:
– They lack technical sophistication and complexity, so they are challenging to install, configure, and use effectively. Therefore, there is a risk that they could be incorrectly installed, configured, or used in practice, resulting in a variety of negative consequences for the organization. Further, they are likely to introduce additional vulnerabilities into the very systems and networks they are supposed to protect;
– They could harm network traffic, thereby restricting legitimate traffic and limiting normal use of the network and systems;
– They are not 100% effective, so certain forms of attacks (especially those that have just been developed) are not always identified and blocked, potentially making the user feel more protected than they are (unwarranted assurance);
– They can only detect and react to existing data, and are therefore unable to detect attacks that bypass the networks and operating systems monitored (such as social engineering or physical intrusion attacks);
– They typically require a lot of network bandwidth, processing work, and storage space to operate, requiring hooks into the networks and systems being monitored and/or controlled, impeding normal operation;
– For best effect, they have to be configured and managed by competent security engineers who, at the very least, may themselves be hackers;
– They could potentially be used as vectors or mechanisms for compromise because they have privileged access to network traffic, network devices, and/or systems.
Yet, it fails to…