- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
What about the Snort ruleset? It is open and can be examined and has been subjected to exhaustive public review—are these rules uncertain? To be sure, there are great advantages to public review (and you can bet that more than one or two of those rules finds its way into other IDS systems), but the fact that it is open means an attacker can be aware of it and modify the attack just enough to evade the rule.
Oh yeah, the scariest three words to an intrusion-detection analyst. They are when the gruff old decision-maker who has to make a hard call looks you in the eye and asks, "Are you sure?"
Risk
Risk happens. It is ridiculous to say I don't want any risk in a given situation. Rather, we manage risk. I heard on TV once that the space shuttle often has backup systems for its backup systems. A shuttle flight is an exercise in strapping yourself to a rocket and heading for space. Space is an environment where any number of things can kill you: radiation, heat, cold, vacuum, and finally the reentry. If you approach a reentry with too steep an angle, the mistake will crash you; and if your angle is too shallow, it will bounce you into space. That is a lot of risk, which is one of the reasons astronauts get all the free Tang they can drink.
If you really think it through, the whole process is nuts and no sane person would do it. NASA actually has go/no go criteria. If anything is wrong, they do not go ahead with the launch, even though there are backup systems. This is judged an unacceptable risk. Other risks are considered acceptable, like the bit about strapping yourself to a rocket. With any risk, we must decide how we will deal with risk. We have three options for dealing with risk:
●Accept the risk as is.
●Mitigate or reduce the risk.
●Transfer the risk (insurance model).
Accepting the Risk
If we don't install a firewall and we connect to the Internet, in some sense we are as daring as the men and women who bolt themselves onto rockets; what we are doing is risky and we've chosen to accept that risk. If we have information assets of high value and we don't do auditing on these hosts or use some form of intrusion detection, we are again choosing to accept the risk.
The concept of accepting risk is simple enough, but there is another aspect of this we need to consider. The elementary school bus driver who drinks a few too many beers before picking up the kids with his school bus is accepting risk all right, but he is accepting risk he does not have a right to accept. The firewall administrator who was just testing some service and mistakenly left it in the system might have caused the organization to accept a risk that it would not choose to accept. After all, why did it go through the trouble to buy and set up a firewall? One of the interesting problems of information security is that it is quite possible for an individual to accept a risk for an organization that he is not authorized to accept. I would like to illustrate this point with an intrusion-detection story.
Last week, we detected systems initiating file transfers from a site that we monitor. It was just odd enough that we decided to look into it a bit further. When we examined the payload of the ftps, it was clear each of these systems was sending a bit of information about itself. We weren't sure what the information was until we saw a couple instances of "Preferred Customer." It seemed like it had to be the registration field for Microsoft Office products. Our suspicions were quickly confirmed. A member of Human Resources had sent a memo as an attachment to
an email message to all the senior managers of the organization. It was the fact they were senior managers that alerted me to further investigate the ftp sessions; these folks didn't even read their own email! They had a secretary screen their mail, print it, and put the important messages in their inbox. The email message sent by Human Resources was infected with a macro virus that sent information out of the organization. It apparently didn't do any serious harm. From an information warfare perspective, however, I was appalled, because it gives a clear potential infection vector into this organization, which could be exploited at a later time. This support employee, by just failing to maintain current virus software, accepted a high degree of risk for the entire organization. As Jimmy Kuo, a research fellow at NAI would say, "You are only as good as your last update." How about one more example?
The same week we detected many more systems initiating file transfers than usual from the same site we monitor. We found five in one day. When we pulled the payload, we found they were all going to the same IP address, the same user ID, and the same password. They were downloading files to the desktop systems. In this case, it turned out to be a shareware program, PKZip. Now, this is no Trojan; this is no sneak attack. A paragraph on the shareware web site stated that when PKZip was installed it came with a bonus component that downloaded ads. None of the five users gave a second thought to what they were actually doing; they just wanted PKZip. So what's the problem? Well, so long as the software is just downloading ads, there isn't a problem. However, keep in mind that many sites configure their firewalls so that if a connection is initiated from the inside, it passes through the firewall without any problems. This means there are several potential attacks from such a behavior.
Trojan Version
We have seen several examples of Trojan versions of legitimate software, such as the Trojan ICQs and Internet Relay Chat (IRCs). The user would not be aware that the program was actually uploading sensitive data from the system, or downloading tools that could be used to attack his organization's network from the inside.
In the same vein, what if the advertisement company hired a malicious individual, or an expert in economic espionage? Think about what he could accomplish with robot code that downloaded arbitrary files every time a system was booted! If this seems like science fiction, consider the use of netbugs (www.bugnosis.org) and spyware that is so common today.
Malicious Connections
There are a number of DNS attacks, but the idea in DNS cache poisoning is to manipulate the DNS system so that the client system goes to a malicious server rather than to the actual server. This is often done when a client answers a question, within a query.
The problem is complex; users of desktop Windows systems do not generally know what connections their systems are making. I honestly didn't know that software programs on my Windows system could connect to the Internet without me clicking on them. Several years back, I bought a software package, McAfee Office, primarily to get the Pretty Good Privacy (PGP) that comes with it, but decided to play with most of the software. One of the programs was called GuardDog, which is a security program for Windows systems. I installed it, and imagine my surprise when I booted my computer and it barked at me, to warn me that one of the programs on my system was trying to connect to the Internet. It was Real Audio; I didn't have the time to set up monitors and traps in my home lab to track it, so I just uninstalled it. Later, it turned out they were collecting information on users. Today, I use application-aware personal firewalls such as ZoneAlarm and Norton Internet Security.
We have gone through some important information, so let's take a second to summarize some points. In the preceding two examples, macro virus and PKZip, users' desktops initiated connections to the Internet without the users knowing about the connections. Both cases have the potential for harm to the organization, although mercifully the only real damage in these examples was my blood pressure shooting through 200. In both cases, one by inaction, one by action, the users make a personal decision to accept a risk that affects the entire organization.
Expanding Our View of Intrusion Detection
Neil Johnson, a researcher and faculty member at George Mason University, presented a really wonderful paper on intrusion detection and recovery against watermarked images at the SANSFIRE 2000 conference. If you spend a lot of time and money creating graphics, you might want to put a copyright seal on these graphics in some way. There are tools to do this. Then, it is possible to use World Wide Web worm technology to search the Internet looking for graphics to see whether your seal turns up on some server that didn't license the graphic. Neil explained this and demonstrated both attacks and the recovery techniques. Now, you might be thinking, what do watermarks have to do with intrusion detection?
As we continue our study of risk and its application in the field of intrusion detection, keep in mind that the dangerous enemy is not the one aimlessly running three-year- old canned attacks! The dangerous enemy is the one who knows what he wants and uses a hard-to-detect technique to get it. USA Today ran a story in the wake of 9/11/2001 that Bin Laden used steganography to send messages related to the attack. There are more pragmatic examples. In the case of a graphics company, its images are its crown jewels. To the company, this is the nightmare scenario: an attacker who can remove the proof that it is the owner of the images and possibly even brand the images under another company's name.
Mitigating or Reducing the Risk
What if we decide that even though it is risky to strap ourselves to a rocket, the end result of doing so is worthwhile? Perhaps our objective is greater than just a free drink of Tang; perhaps we have an opportunity to be the first human to set foot on Mars. The enterprise is still very risky, but we are certain that this is something we want to do. In this case, if we aren't foolhardy, what we do is try to find ways to make the endeavor less risky; we reduce the risk. Have you ever thought about intrusion attacks against laptop computers? Most professionals carry them these days. They often have sensitive information about their organization on them. We have already mentioned information-gathering malicious code, but that can be directed against any system. How specifically are laptops vulnerable to attack? What can you do to mitigate their vulnerability?
Network Attack
If the organization uses Internet service providers (ISPs) to connect for email rather than secured dial-in, there is an opportunity to attack the organization's systems while they are on the net. They are outside the firewall and so the normal screening protections against NetBIOS and other Windows attacks that desktop systems enjoy inside the firewall are not available to them.
Snatch and Run
I really hate putting my laptop on the X-ray machine conveyor belt at airport security checks. If I don't make it through the metal detector, this is a golden opportunity for someone to steal it because I am physically separated from my briefcase in a dynamic, crowded environment. Worse, I only have one shoe on because thanks to the terrorist that tried to blow up the airplane with his shoes, mine are being inspected. Further, if someone does walk off with my laptop if I rush after them, I run the risk of getting shot by the National Guard with the M16s. There are also the situations when I get to my destination: Do I leave it in my hotel room when I go to dinner, or lug it?
I don't know whether you are worried about the information that professionals in your organization put on laptops. After all, it is just stuff such as your design and business plans, sales and marketing information, perhaps a bid work-up or two. I write this tongue and cheek, but if you interview the folks who lug these laptops around, you might find that they do not often perceive the information on them as sensitive and needing protection.
I do know my situation. In writing, teaching, and reviewing I often find myself working with proprietary information. I have signed several Non Disclosure Agreements and have always
tried to be careful with that information. If a large security and network company decides I have not protected its information properly, I have to face its army of lawyers (alone). So I am inspired to do the best job I can to protect my laptop; I look for tools to mitigate the risk. Because I know that connecting to the Internet is risky, what are some of the tools that help protect my system?
I have looked at several tools. ZoneAlarm is free for personal use and works well. A lot of my friends swear by BlackIce, and the traces it creates have nice fidelity; but, it has steadily dropped in quality since the company was acquired. I have found the Norton Internet Security tool actually runs on XP, which is a plus. PGP appears to have a personal firewall, but my boss installed it on his XP and lost his ability to connect to the Internet. I went through that with Windows ME when I installed PGP. In both cases the culprit was the PGPNet product. With the ME computer, I thought about it for a while, I knew I needed PGP, but was pretty sure I didn't need ME so I just wiped out that system and rebuilt it as a Windows 2000 system. PGP also comes with PGPdisk that protects sensitive files should the laptop ever be stolen or suffer an intrusion, or you can use the Microsoft Encrypting File System on Windows 2000 and XP. Although PGP has a disk overwrite, data-destruction routine, I find BC Wipe from http://www.jetico.sci.fi to be a better tool for my purposes. There, that is my personal example of
implementing countermeasures to mitigate risk.
Transferring the Risk
Last week, when I wasn't dealing with outbound ftps, I was dealing with flood damage. The toilet upstairs got stopped up (with a little help from my teenager). The chain that drops the stopper just happened to chink and not drop the stopper flush to seal the water. So, the water filled the toilet bowl and poured over onto the bathroom floor and began its journey in search of sea level. But wait, there's more! This happened to be the day the city decided to flush the fire hydrants, which stirs up all kinds of rust, so it wasn't clear water pouring through the house; it was blood red. When my wife got home, the water was pouring from the dining room chandelier like a fountain. The plaster ceiling had huge cracks and the wooden floor had already warped in two places. The water continued on, accumulating until the ceiling of my wife's sewing room collapsed, spewing rusty water and soggy ceiling tile on her machine and the projects below. My wife called me at work, asking where she should begin. "Turn off the water, move away from the dining room, I'm on my way," I answered.
I use the same incident-handling technique for everything. As I hung up the phone, it hit me that this had to be 20 to 30 thousand dollars worth of damage. I was very sad as I drove home and then busy as we tried to salvage what we could of my wife's sewing room. It wasn't until later at night that it hit me. I have insurance! In fact, I have insurance with a good company, one that has always treated me well. I always knew owning a home had risks that were beyond what I could financially accept. There just aren't good enough home firewalls to expect them to defend against toilets that get jammed and stuck on a day that the city is purging the fire hydrants. Like most homeowners, we had chosen to transfer the risk. So I called Travelers. They came over, were very sympathetic, and said they were going to take care of us. Sure enough, I was only out $100 for the deductible; and the job would have been done except that no one told my wife the five little words you never say to a contractor. Still, even after a "while you are at it," it only cost me an extra $2,500 and now I have crown moldings on the ceiling, something I am sure I always wanted.
So how does this notion of transferring risk apply to information assurance and intrusion detection? In the first place, there is a direct correspondence. Several agencies, including Lloyds and IBM, are now offering hacker insurance. They usually require the organization to do its part before insuring them, and their part is likely to include firewalls, vulnerability assessments, and intrusion detection, at least it would if I were offering such insurance.
We have discussed uncertainty and how it applies to risk. We have proposed that some risks we are willing to accept (whether or not we are authorized to do so), and other risks we are not willing to accept. In the last case, we need to either mitigate the risk or transfer it. Now, we need to deal with the issue of what agent is going to potentially do us harm; we call this the