ISO/IEC 27039 — Information technology — Security techniques — Selection, deployment and operations of Intrusion Detection [and Prevention] Systems (IDPS) (DRAFT)
Background
IDS (Intrusion Detection Systems) are largely automated systems for identifying attacks on and intrusions into a network or system by hackers and raising the alarm. IPS (Intrusion Prevention Systems) take the automation a step further by automatically responding to certain types of identified attack, for example by closing off specific network ports through a firewall to block hacker traffic. IDPS refers to either type.
Well designed, deployed, configured, managed and used IDPS are valuable in several respects, for example:
- Automation leverages scarce security engineers who would otherwise have to monitor, analyze and respond to incidents as best they could;
- Automation tends to speed up identification and response to most attacks, particularly common types of attack that can be identified unambiguously through specific attack signatures;
- They give additional assurance to management that security issues on the networks and systems are being identified and mitigated.
However, there are also information security risks associated with IDPS, for example:
- They are technologically advanced and complex, making them difficult to configure, deploy and use effectively, hence there is a risk that they may be incorrectly configured, deployed or used in practice, with various consequences on the organization and other systems;
- They may adversely affect network traffic, restricting legitimate traffic and hence normal use of the network and systems, as well as hacking traffic;
- They are not 100% capable, meaning that certain types or modes of attack (particularly novel ones) may not be reliably identified and hence blocked, potentially creating a false sense of security (inappropriate assurance);
- They can only detect and react to available information, making them blind and deaf to attacks that bypass the networks and systems being monitored (including, for one obvious example, social engineering attacks);
- They usually require network bandwidth, processing and storage capacity for their own operations and record-keeping, and require hooks into the networks and systems being monitored and/or controlled, impinging upon normal use;
- They are complicated to configure and manage for best effect, requiring the involvement of competent security engineers who, potentially at least, may themselves be hackers;
- They require privileged access to network traffic, network devices and/or systems, and could potentially be misused as a vector or mechanism to compromise them;
- Being complex technologies, they probably introduce additional technical security vulnerabilities into the very networks and/or systems they are supposed to protect.
The standard will help organizations consider, plan, implement/deploy, configure, use and manage IDPS, (hopefully!) taking all of the above into account.
This standard will revise and replace ISO/IEC 18043:2006.
Scope
The first Working Draft currently reproduces the scope text from ‘18043: “This International Standard provides guidelines to assist organizations in preparing to deploy Intrusion Detection System (IDPS). In particular, it addresses the selection, deployment and operations of IDPS. It also provides background information from which these guidelines are derived ...”
Status of the standard
The 3rd WD is available to SC27. Given that it is based on a sound, issued standard, it will hopefully not take too long to revise and republish - probably in 2013.