
DOCUMENT INFORMATION

Basic information

Title: Intrusion Detection The Big Picture – Part VI
Author: Stephen Northcutt
Institution: SANS Institute
Subject: Information Security
Type: Essay
Year published: 2001
Country: United States
Pages: 74
Size: 1.12 MB

Contents


Page 2

Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001

Intrusion Detection Roadmap

What are the pieces and how they play together

• Honeypots
• Firewalls
  – Proxy, State Aware, Filtering Routers
• Risk Assessment and Auditing
  – Introduction to Risk Management
  – Knowledge-Based Risk Assessment
  – Online Auditing Tools

This page intentionally left blank

Page 3

Seven Most Important Things to Do if Security Matters

• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement top priority countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response

You will notice that I have never read a slide to you in the entire time together, so please bear with me.

• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement top priority countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response

So here on this slide we have another big picture view of information security. Students that complete Information Security KickStart and Security Essentials certification are well on their way to accomplishing each of these. This is by no means the only way to approach building a security capability, but it is a comprehensive high level view.

Page 4

Theory of Risk Assessment

It is critical to have an understanding of risk management to properly choose and deploy intrusion detection and response assets. To manage risk, one must be able to assess it. In this section of the course we will cover the basic theory of risk assessment. We will also talk about three methods of risk assessment: qualitative, quantitative, and knowledge-based (also known as best practices).

Page 5

The Three Risk Choices

• Accept the risk as is
• Mitigate or reduce the risk
• Transfer the risk (insurance model)

Whether or not we explicitly choose, we have exactly three options and we do choose between: acceptance, mitigation, and transference.

When we accept the risk, this means we make no changes in policy or process. This decision means that we judge the risk of a given threat to be inconsequential in the greater scheme of things.

If we feel the threat is significant and could cause harm to our business or enterprise, then we have the option of taking action to protect operations by reducing the risk. A firewall or system patch are obvious examples of risk mitigation.

Transferring the risk is sometimes a workable technique. The classic example is to buy insurance. This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a fee you pass this risk to a risk broker that insures you up to some limit against the threat. A real world example of this is hacker insurance. The insurance company still expects you to have a firewall and patches, but insures you should these fail.

Page 6

Risk Management Questions

• What could happen? (what is the threat)
• If it happened, how bad could it be? (impact of threat)
• How often could it happen? (frequency of threat - annualized)
• How reliable are the answers to the above three questions? (recognition of uncertainty)

In order to decide between the choices (accept, mitigate, or transfer risk) we want to make, we analyze the risk to better understand it.

What exactly are we afraid of? What is it: can we name it specifically, or is it just a vague, uneasy feeling?

If the threat is successful, how badly will it hurt? What is the probable extent of the damage?

How often is this likely to occur? Is this more like a hundred year flood, or a hot day in Biloxi, Mississippi? We are more willing to accept the risk of a threat that is not likely to happen often. But, if something can damage us on a daily basis, this is a significant problem.

Finally, how do we know? In the cyberworld, how accurate are our risk calculations when new program or operating system vulnerabilities are discovered weekly?

Page 7

Have you ever wondered why Bond (James Bond) never gets shot, can jump off of an airplane without a parachute and live, and never loses at cards? It is simple! He read the script! In fact he may have had a hand in writing it. Since they follow the script, the stunts he does are closer to professional wrestling because he certainly knows he is going to get the bad guy – and the girl. He wouldn't look half so composed if he was uncertain as to what was going to happen.

Uncertainty, then, is the heart of risk management.

Page 8

Risk Requires Uncertainty

If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn't risky; it is suicide. For such an action there is a 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive.

Probability ranges between 0.0 and 1.0, though people often express it as a per cent.

Jumping out of an airplane with a parachute involves risk. If you were to try the James Bond stunt of jumping out of an airplane without a chute you are committing suicide, but you aren't doing anything risky. Risk involves uncertainty. Let's tie this back to the information assurance world.

If you run a DNS server that has known vulnerabilities and is neither patched nor shielded by the perimeter, it is certainly going to be compromised. It might not happen in a single day, but it will happen over the course of a year. In the same way that gravity is the compelling reason jumping from a plane sans chute is near-certain death, the continuous probing and poking of exposed systems on the Internet is the compelling reason the box will be compromised. So what? How bad can a compromise be? Well, once they compromise the box they have the ability to manipulate your organization's trust model. If you have valuable assets, that may be what happens. Or they may just create weird system domains and hit systems all over the Internet, giving your organization a bad name.

Page 9

What is an Unacceptable Risk?

• You can define the threat.
• If it happened, it would be bad (high impact)
• If one shot didn't kill you, and then it hit you again and again (frequent threat)
• There is high certainty the threat exists, it is high impact, and potentially could occur multiple times.

So, it would seem that running an unpatched, unshielded DNS server is not an acceptable risk. To be an unacceptable risk, it has to be a defined threat. They will compromise the DNS server, most likely via a buffer overflow. How bad would it be? If they chose to manipulate the trust model and had several days to work without being detected - such as over the Christmas holidays - they could make considerable headway at owning the entire organization's information assets. You might never get them dislodged. What if they chose simply to use your box to attack others?

People are usually forgiving if it only happens once, but there are domains that have been compromised a number of times. These are not usually respected and may even be blocked. One of the classics is the Brazilian Research Network. This loose group of addresses has been the source of hundreds and hundreds of attacks against Internet hosts. The price? Besides being a standing joke, legitimate users continue to find their access blocked.

Page 10

Single Loss Expectancy (SLE - one shot)

• Asset value x exposure factor = SLE

How much financial loss am I willing to accept in a single event? It all comes down to money in the end. When considering one shot, or Single Loss Expectancy (SLE), we consider the value of the information resource asset. Example: a company's top salesman accounts for 25% of their $40 million in revenue, or $10 million. His client contact list and fee schedule is stored on his laptop and is not encrypted. If it fell into the wrong hands it would be worth at least 10% of its value to the competition ($1 million) and possibly more if they can finesse the information. So we find we can calculate a minimum approximate SLE, but there is uncertainty as to a maximum value.

Another example: an author takes a royalty of $100,000 to write a book. He receives partial payments every 25% of the project. What is the SLE if his hard drive crashes at the 70% mark and the data is not recoverable? 25,000 x 80% or $20,000, unless he has been sending chapters in as they are done.

Page 11

Annualized Loss Expectancy (ALE - multi-hits)

• SLE x Annualized rate of occurrence = Annual Loss Expectancy (ALE)
• Annual loss is the frequency the threat is expected to occur
• Example, web surfing on the job
  – SLE: 1000 employees, 25% waste an hour per week surfing, $50/hr x 250 = $12,500
  – ALE: they do it every week except when on vacation: $12,500 x 50 = $62,500

If you are screaming "but what if??", relax - we understand. Again, a main point of the chapter is uncertainty; this is what drives the "what ifs". The key question, however, is how much continuing risk am I willing to accept?

Even if you can survive a given event (possibly sadder but wiser), can you survive it six times? This is the notion of annualized risk. It applies well to shoplifting - we expect to lose 9% of revenue over N occurrences.

The information about expected losses due to cyber attacks is much harder to come up with, as organizations do not tend to share this type of information, so it is only available in the micro-view of a given organization.

Page 12

When Faced with Unacceptable Risks

• What can be done to reduce/mitigate the risk?
• How much will it cost to reduce the risk (usually annualized)?
• Is it cost effective to apply these risk reduction measures (cost/benefit analysis)?

The problem is that reducing risk tends to have costs. We need to balance the cost of the cure (or risk reduction) against the benefits. The challenge is to determine the cost-effective fixes for the common attacks.

This is a reason the Top Ten vulnerabilities list (www.sans.org/topten.htm) is such an important document. This was a consolidated effort by the security community to implement the steps shown on this slide. By going through a consensus process to agree on the known primary vulnerabilities, we have something to target. It simply makes sense to make sure information resources are protected against these attacks.

Then, the community worked to define the threats in tutorial fashion and calculate defenses against them. Much of this work was done as student practicals as part of GIAC certifications. At the conclusion of this world-wide analysis, it was then possible to execute quantitative analysis of the risk of the Top Ten vulnerabilities with a reasonable degree of certainty.
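The SLE, ALE and cost/benefit arithmetic from the last three slides, worked as an added Python example (not course material). The salesman, author and web-surfing inputs are the slides' own; the two candidate safeguards and their costs are constructed for illustration, and the ALE is computed from the slide's inputs rather than copied from it.

```python
"""Single Loss Expectancy (SLE), Annualized Loss Expectancy (ALE) and the
cost/benefit question from "When Faced with Unacceptable Risks", worked with
the figures the course gives.  Added example, not course code."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor.

    The exposure factor is the fraction of the asset's value lost in one
    event, so like a probability it must lie between 0.0 and 1.0.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (expected events per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure: what it costs per year and the ALE left over."""
    name: str
    annual_cost: float
    ale_after: float


def net_annual_benefit(ale_before: float, safeguard: Safeguard) -> float:
    """Risk reduction bought per year minus the safeguard's annual cost.

    Positive means the cure is cheaper than the disease; negative means the
    safeguard costs more each year than the loss it prevents.
    """
    return (ale_before - safeguard.ale_after) - safeguard.annual_cost


def is_cost_effective(ale_before: float, safeguard: Safeguard) -> bool:
    return net_annual_benefit(ale_before, safeguard) > 0


# --- The slide examples --------------------------------------------------

def salesman_laptop_sle() -> float:
    # Top salesman is 25% of $40M revenue ($10M); the unencrypted contact list
    # on his laptop is worth at least 10% of that to a competitor.  This is the
    # minimum SLE; the slide notes the maximum is uncertain.
    asset_value = 40_000_000 * 0.25
    return single_loss_expectancy(asset_value, 0.10)


def author_hard_drive_sle() -> float:
    # $100,000 royalty paid in 25% tranches.  A crash at the 70% mark with no
    # chapters sent in puts 80% of the current $25,000 tranche at risk.
    return single_loss_expectancy(25_000, 0.80)


def web_surfing_weekly_sle(employees: int = 1000, fraction_wasting: float = 0.25,
                           hours_per_week: float = 1.0, hourly_rate: float = 50.0) -> float:
    # 1000 employees, 25% waste an hour per week at $50/hr: 250 x $50 = $12,500.
    return employees * fraction_wasting * hours_per_week * hourly_rate


def web_surfing_ale(weeks_not_on_vacation: float = 50) -> float:
    # Every week except vacation, so the ARO is 50 per year.
    # $12,500 x 50 = $625,000 (the slide prints $62,500 for this product).
    return annualized_loss_expectancy(web_surfing_weekly_sle(), weeks_not_on_vacation)


if __name__ == "__main__":
    ale = web_surfing_ale()
    # Constructed safeguards (not from the course): a web content filter that
    # removes 80% of the wasted hours, and an expensive monitoring service.
    candidates = (
        Safeguard("web content filter", annual_cost=30_000, ale_after=ale * 0.20),
        Safeguard("outsourced monitoring", annual_cost=900_000, ale_after=ale * 0.05),
    )
    print(f"SLE (salesman laptop): ${salesman_laptop_sle():,.0f}")
    print(f"SLE (author's drive):  ${author_hard_drive_sle():,.0f}")
    print(f"ALE (web surfing):     ${ale:,.0f}")
    for s in candidates:
        print(f"{s.name}: net benefit ${net_annual_benefit(ale, s):,.0f}, "
              f"cost effective: {is_cost_effective(ale, s)}")
```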

Page 13

Qualitative - Another Risk Assessment Approach

• Banded values: high, medium, low
• Asset value and safeguard cost can be tied to monetary value, but not the rest of the model
• Very commonly used

For most applications the best approach is the financial one, with the exceptions of critical systems (such as nuclear plant control) and weapon systems. However, it does take a lot more effort to quantify what the value of things are, and so the qualitative approach is far more popular.

The single biggest problem with the qualitative approach is in the implementation: people tend to mark "low risk" even if it is other than that. Or they mark "medium" or "high" for their pet peeves as opposed to actually calculating the risk.

Page 14

Economic vs Qualitative

• Qualitative is easier to calculate, but its results are more subjective
• Qualitative is much easier to accomplish
• Qualitative succeeds at identifying high risk areas
• Economic is far more valuable as a business decision tool

The main point between the two approaches is that qualitative is much easier and, when done well, can certainly identify the areas that need attention.

There is still another approach to risk assessment: the knowledge-based, or best practices, approach. There is much more up-front work required to implement this, but the results are more accurate and consistent.

Page 15

• Knowledge-Based (best practice) application of risk assessment
• Business case for intrusion detection - revisited

The steps to create knowledge-based risk assessment tools are fairly straightforward:

• Identify the problem domain (e.g. securing Windows NT)
• Identify the primary threats
• Identify potential countermeasures
• Select and test countermeasures
• Develop step by step instructions for implementing and auditing countermeasures

Ideally, each step should be made available for public review.

Page 16

For knowledge-based risk assessment to be effective the developer of the system must have the knowledge and mindset to think like an attacker!

One of the hardest things to keep in mind in building knowledge-based countermeasures is the threat step: what are the attackers likely to do, what are their goals? If we do not do this, we tend to have no focus in deciding what and how to protect our systems.

Once we can reduce the uncertainty over what the attacker is going to target, we can focus on protecting these assets. This is done by developing countermeasures or defenses. The goal is to select countermeasures that are effective, reasonable in cost (and free if possible), and measurable.

In most cases, we should be able to produce specific checklists. When we are able to produce checklists, we have reached the point where we are able to establish best practice as our security policy.

Page 17

Knowledge-Based Risk Assessment

• System administration is a high-turnover job for large organizations, which affects continuity
• System administrators tend to be focused on having the "trains run on time"
• Security configuration may not be understood or implemented

If a sufficiently developed checklist exists, this is a major benefit to organizations. This can help protect the organization against a number of problems, including turnover and training.

Page 18

Windows NT Example

• Checklist approach designed for two persons (check and double check) to configure an NT to at least minimal acceptable security
• Draws on SANS' Securing Windows NT Step-by-Step
• 80/20 rule applies

When I used to fly helicopters for the US Navy, I was struck by the effectiveness of checklists. A checklist is used to make sure the helicopter is ready to take off and also used before landing. One crew member reads the item, the other verifies it and states that it is correct. This is a powerful technique!

This check and double check technique is crucial for knowledge-based risk assessment. One person who knows security and risk in general and another that knows the specific technology make the ideal team to work with the system owner to evaluate the system.

Let's look at a specific example of a checklist. This is from a document series originally developed by Stephen Northcutt when he was employed at the Naval Surface Warfare Center. These have been developed for a number of operating systems, but we will examine part of one developed for Windows NT.

Page 19

NAVAL SURFACE WARFARE CENTER, DAHLGREN DIVISION
IS SECURITY OFFICE, CODE CD2S
WINDOWS NT COMPUTER RISK ASSESSMENT
JUNE 7, 1999 PART II (V3.1)

Risk Assessment/Countermeasure Analysis/Security Test and Evaluation (ST&E) for Microsoft Windows NT Computer Systems.

( ) Check here if this risk assessment is used for a version of Microsoft Windows NT prior to version 4.0 and in the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS", state when (within the next two months) the operating system will be upgraded to at least version 4.0.

This IS is: (Check only one)
( ) LOCATED AT NSWC DAHLGREN
( ) Complete site description is attached.

Threat and Countermeasure Check List

Mark each as True, False, or NA - not applicable.

For all items not marked as "T", indicate in the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS" how the risk is mitigated by other means. In the absence of indications to the contrary, the Information System is operating at an acceptable risk (accreditable) when all of the leftmost countermeasures are marked 'True'.

The person that knows security and risk in general (often an auditor or security officer) reads the items to the person more familiar with the specific technology. This person checks each item and fills in the checklist.

At the end of each section, the security officer makes the determination as to the overall risk posture of the system.

Page 20

a. Threat/Vulnerability: Unauthorized System Access

Operating Countermeasures:

File System Configuration
( ) System is configured as NTFS file system?
( ) System Administrator has a current Emergency Recovery Disk in a locked storage area

Accounts
( ) Guest account is not present (or is disabled)
    (Check Administrative Tools, User Manager, highlight guest and hit enter)
    If Guest access is allowed:
    ( ) Audit trails for all accesses are enabled. In the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS", describe (1) how the audit information is collected, (2) who reviews the audit logs, and (3) the frequency of said review. Include the signature(s) of those conducting the review.
( ) There are no Anonymous users
( ) All accounts are password protected

On this slide we see additional questions in the checklist.

Page 21

Passwords
( ) NT password policies comply with Best Practices for NT Passwords
( ) User passwords are known only by the user
( ) Users are required to maintain unique passwords for each AIS
( ) Passcrack for Windows NT or other password tester is run at least yearly
( ) Administrator password is protected to the same level as the data contained on the IS
( ) Password is enabled for screen saver (Control Panel, Desktop)

Access
( ) Automatic logon as Administrator is disabled
( ) RAS is NOT installed
    IF RAS IS INSTALLED, describe how it is configured in a secure manner in the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS"
( ) There are no modems connected to this Information System
    IF THIS BLOCK IS NOT MARKED, describe how it is configured in a secure manner in the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS". Provide the phone number used for modem connection, any security measures in place (i.e. callback, SecurID) and purpose for connection.
( ) Remote Registry access is limited to Administrators
( ) Scheduler service is disabled
( ) If Scheduler service is NOT disabled, access is limited to Administrators

This is by no means the end of the checklist. In the online version, you can click on these items for additional information about how to check.

These checklists are available at www.nswc.navy.mil/ISSEC
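An added example (not part of the NSWC form or the course) that applies the form's reading rule to the "Unauthorized System Access" items above: accreditable only when every leftmost countermeasure is marked T, and every item not marked T needs an entry in "ADDITIONAL COMMENTS AND EXPLANATIONS". The marks are constructed, and treating indented items as applying only when their parent item is not True is my reading of the form, not something the form states.

```python
"""Evaluate a two-person threat/countermeasure checklist in the style of the
NSWC Windows NT risk assessment form.  Added example, not the form's own
tooling; item wording follows the slides, the marks are constructed."""
from dataclasses import dataclass, field

VALID_MARKS = ("T", "F", "NA")


@dataclass
class Item:
    """One countermeasure line on the form.

    `if_not_true` holds the indented items that apply only when this one is
    not marked T (for example the audit-trail requirement that follows
    "If Guest access is allowed:").  That nesting is an assumption.
    """
    text: str
    mark: str = "NA"
    if_not_true: list["Item"] = field(default_factory=list)


@dataclass
class Assessment:
    accreditable: bool
    needs_explanation: list[str]  # every item not marked T (F and NA alike)
    compensating: list[str]       # alternatives marked T under a non-T item


def _check_mark(item: Item) -> None:
    if item.mark not in VALID_MARKS:
        raise ValueError(f"{item.text!r}: mark must be one of {VALID_MARKS}")


def _walk(item: Item, needs: list[str], comp: list[str]) -> None:
    """Record a non-T item, then apply the indented alternatives beneath it."""
    needs.append(item.text)
    for alt in item.if_not_true:
        _check_mark(alt)
        if alt.mark == "T":
            comp.append(alt.text)   # cite this in the explanation section
        else:
            _walk(alt, needs, comp)


def evaluate(items: list[Item]) -> Assessment:
    """Apply the form's rule: accreditable only when all leftmost (top-level)
    countermeasures are T; anything else must be explained in
    "ADDITIONAL COMMENTS AND EXPLANATIONS"."""
    needs: list[str] = []
    comp: list[str] = []
    for item in items:
        _check_mark(item)
        if item.mark != "T":
            _walk(item, needs, comp)
    return Assessment(accreditable=all(i.mark == "T" for i in items),
                      needs_explanation=needs, compensating=comp)


def nswc_nt_sample() -> list[Item]:
    """Items from the "Unauthorized System Access" section; marks are constructed."""
    return [
        Item("System is configured as NTFS file system", "T"),
        Item("System Administrator has a current Emergency Recovery Disk "
             "in a locked storage area", "T"),
        Item("Guest account is not present (or is disabled)", "F", if_not_true=[
            Item("Audit trails for all accesses are enabled", "T"),
        ]),
        Item("There are no Anonymous users", "T"),
        Item("All accounts are password protected", "T"),
        Item("Automatic logon as Administrator is disabled", "T"),
        Item("RAS is NOT installed", "T"),
        Item("There are no modems connected to this Information System", "F"),
        Item("Scheduler service is disabled", "F", if_not_true=[
            Item("Access to the Scheduler service is limited to Administrators", "T"),
        ]),
    ]


def render(assessment: Assessment) -> str:
    """Plain-text summary for the security officer's end-of-section determination."""
    lines = [f"Accreditable on leftmost items alone: {'yes' if assessment.accreditable else 'no'}"]
    if assessment.needs_explanation:
        lines.append("Items requiring an entry in ADDITIONAL COMMENTS AND EXPLANATIONS:")
        lines += [f"  - {t}" for t in assessment.needs_explanation]
    if assessment.compensating:
        lines.append("Compensating controls marked True:")
        lines += [f"  - {t}" for t in assessment.compensating]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(evaluate(nswc_nt_sample())))
```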

Page 22

SANS' Securing NT SBS

* Action 3.1.1 Disable the display of the last logged on username by setting the following registry value. If the value does not already exist, it must be created. With REGEDT32 this is done with the Edit menu, Add Value. Enter the Name "DontDisplayLastUsername" exactly as shown and then use the String Editor to enter a "1". Also, you can use the C2 Configuration Manager from the NT Resource Kit instead of using REGEDT32.

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DontDisplayLastUsername
Type: REG_SZ
Value: 1

Note: In some situations it might be preferable to allow the display of the last logged on user. Certain users may not be able to remember their user name, and this would keep the administrator from having to tell them each time they logged on. Another reason to display the last logged on username is because it will quickly let you know if someone else logged onto the machine. Not displaying the last logged on user name will only keep novice hackers from finding out which users exist on the machine. It is trivial for a determined hacker to get that information. Therefore, many administrators do not bother hiding the last logged on user name.

A similar project - also a community development effort - is the SANS Securing Windows NT Step by Step booklet. This is on its third revision, and the current editors are Jason Fossen and Stephen Northcutt. Both projects are related to one another. The main difference is that in the SBS booklet the detailed information is shown up front, whereas on the NSWC checklist it is in the help files.

Page 23

Windows NT Form Summary

• Benefits
  – Reasonably good tool for minimal OS security
  – Good form "layout"
• Limits
  – Needs a list of applicable patches
  – Where to get them
  – Tool to determine patch status

The NSWC checklist or the SANS Securing Windows NT Step by Step checklist are not the final answer. Teams are continually re-evaluating these, fixing problems, reacting to new threats. However, these can help an organization or individual get up to speed fast.

Page 24

• Business case for intrusion detection - revisited: "How to use Risk Assessment tools!"

This page intentionally left blank

Page 25

Intrusion Detection Roadmap

Using What We Have Learned

• Business Case for Intrusion Detection
  – How all these Capabilities Work Together
• Future Directions
  – Intrusion Detection in the Network
  – Program-Based Intrusion Detection

In this next-to-last major section, we are going to summarize and use everything we have studied to date. The goal of the business case section is to give you the process and procedure tools to supplement the technical capabilities you have learned.

Page 26

"We already spent $25K on a firewall and now you tell me we need Intrusion Detection?"

Why you care about being able to present a business case for Intrusion Detection

Imagine you are speaking to your boss and you are telling her the organization needs an intrusion detection system. What if she replies loudly as shown on the slide? How do you answer? Does this mean the manager doesn't understand?

There are a couple of things to consider. We have been talking about "the big picture". Management wants to know the big picture – and rightfully so. There is more than just the initial outlay for the hardware and software. There is maintenance, training, and the employees' time. Management knows the purchase is just the tip of the iceberg.

Their job is to manage risk - all kinds of risk, not just cyber intrusions. When you tell your management you need an IDS, they are wondering if they really need it. They are wondering if they have been remiss and the organization has been at risk all this time. Why didn't someone tell them before this? They are also wondering, what else? If they buy the IDS this month, what will they get hit with next month? Management does not like to be nickeled and dimed.

Page 27

Business Case for Intrusion Detection

• In order to present the business case we need to convey the "Big Picture"
• We are now familiar with these core technologies and how they play together:
  – Host- and Network-Based Intrusion Detection
  – Vulnerability Scanners and Honeypots
  – Firewalls

In a sense, this is the section that everything points to. Intrusion detection is expensive; it has a cost. It is wise to consider the cost and the benefits before embarking on this journey. You have spent the day learning about the big picture. The real question is, can you explain it to your management? Can you show them how the technologies we have talked about play together?

Page 28

Business Case For Intrusion Detection (2)

• We have been introduced to a basic risk assessment process; can we apply this process to the business case for intrusion detection?
  – If there is a 'big picture', can we apply what we have learned to our real world environment?

The real test of this course's value is whether you can apply what you have learned here in your organization. Every situation is different; a financial institution has different priorities than a military organization, for example. As we work through this next section, think about your organization and whether these concepts apply. If you have ideas that would help me balance or improve this, please send me e-mail at stephen@sans.org

Page 29

Business Case - Applications

• Organization has no intrusion detection and you are presenting the case for standing up a capability
• Organization has rudimentary capability and you want to upgrade
• Organization has central monitoring and you are presenting the case for a departmental capability

These are the primary situations that this section of the course has been tailored to meet. Often, to satisfy these conditions you will need a business case for the expenses and investment.

Page 30

Business Case - Application

• Many managers are uncomfortable when confronted with actual data about attacks and vulnerabilities.
• You can often use any existing source of data (firewall logs, system logs) to leverage additional intrusion detection financing by showing them a "smoking gun".

Since management is responsible for risk, if you can show them the organization was in a measurable degree of risk they will be uncomfortable with that information. The more specific and clear that information is, the more they squirm.

The idea is to take an inventory of the data sources that you have available and see if these already show a problem.

Page 31

RA/Getting Started

• Threat assessment and analysis
• Asset identification and valuation
• Vulnerability analysis
• Risk evaluation
• Interim report

This is not unlike the steps we go through to develop a knowledge-based risk assessment. As always, we want to identify the threats that are arrayed against our organization. We compare the effectiveness of the threat against the value of the assets it can affect. We do research to find out the known vulnerabilities and then evaluate the risk to determine whether we have a significant problem or not. This is the basis for an interim report to management.

Page 32

The Big Picture

[Slide figure: the cyberscape model, with P = Probability of: Indications and Warning; Host Late Detection; Host Very Late Negation]

When considering the future, we consider the entire model.

The cyberscape shown on the slide above is a tool that can be used to simplify information warfare scenarios. The key point for our purposes is to help us consider the entire world our systems exist in. Generally, unless we are playing at the information warfare level, the detection system outside the firewall is as far out into the battle space as we are able to go.

This model is called a Measure of Effectiveness, or MOE. The idea is to compute the probability of any given countermeasure being able to mitigate a given threat. Again, probabilities are values between 0 and 1, though most people express these as percents.

Page 33

Threat Assessment - Step 1

• Are you connected to the Internet (that you know of)? - if so:
  – Do you have a firewall? - if not:
    • Get one immediately
    • Get a different job

People connected to the internet without a firewall that think nothing bad has happened are sadly mistaken.

Let's illustrate this with a simple example. We do some research and determine there are a number of threats if our systems are exposed directly to the Internet. We quickly calculate the value of our information resource assets. We do research and find there are countermeasures available; one common one is a firewall, available at prices ranging from free for a Linux firewall to over $100K for high end solutions. So we issue a report to management advising them of the risk and potential loss and also that there are potential countermeasures, with a recommendation that the organization invest the time to further evaluate the solutions.

Page 34

Threat Assessment and Analysis

• Bad things happen to nice people; our goal is to identify the types of threats.
  – R/A purists would say we need a dictionary of all possible threats
  – We will focus on fairly general threats and choose to be as complete and specific as possible with our vulnerabilities.
• Look for evidence that these threats are actually in use

If everything is threat-driven, how do we find the threats? Successful information security professionals need to spend some of their time thinking about how to attack. Then it becomes a lot easier to enumerate the threats they might have to deal with. I once reviewed the information system security architecture plan for a major weapon system. It was a huge document, probably cost more to develop than I make in a decade, and it listed two threats: viruses and denial of service - yikes!

There are dictionaries of threats. They are often built into commercial risk assessment tools. This approach can bury the real problems in the noise. The best way to focus on the real threat is to focus on the threat vectors.

Page 35

Threat Vectors

• Outsider attack from network
• Outsider attack from telephone
• Insider attack from local network
• Insider attack from local system
• Attack from malicious code

This slide shows our old friends - how will they get to us? The threat vector approach is taken from the Center for Disease Control methodology. What are some of the sources of attacks? If we can identify the avenues the attack might come from, we can defend against it. As we consider the information resources that can be threatened by these vectors we are able to focus on the problem. This is also a valuable way to target effective countermeasures.

Page 36

Outsider Attack - Internet

• Newspaper, web articles on attacks at other places, if it happens to them…
• Hacking web sites: www.antionline.com
• Firewall/Intrusion Detection logs are an excellent source for specific threats
• System audit trail logs are as well
• Demo an intrusion detection system

OK, so where can we get threats? Start by using the world wide web to visit www.antionline.com or www.sabotage.org. Try a few word searches for "hacker" and "exploit".

But the real eye-opener may be to actually run an intrusion detection system on your DMZ for a few days. This can allow you to catalog the actual threats directed against your site. One of the interesting things I have never been able to figure out is why some sites don't ever seem to get attacked, while others are constantly under fire.

Can't talk an IDS vendor into a demo? Dig in to those firewall logs! Firewalls are still the number one intrusion sensor in use.

Page 37

How to manage your boss (Demo an intrusion detection system)

"There is no money in the budget for an IDS!"

"Fine, they are willing to come out here and loan us a demo for a week for free, OK?"

"Free? Sure."

"One thing though, boss, if it does detect an attack I won't be responsible for knowing we are under attack and not detecting them. If it finds something, we need to come up with the funds to pay them and keep the durned thing."

"Umm, yeah, we'll work something out."

Most IDS systems will let you try a loaner or download a demo copy. This is a great idea; it lets you determine if you like the system and the way things are on the Internet. If it doesn't detect anything on your DMZ during the evaluation phase, it is not the product you are looking for.

If it does detect attacks, this goes back to the "smoking gun" phenomenon. If you can show management understandable metrics that they are under attack and that the firewall is not guaranteed to stop all possible attacks (often because of the permissive firewall rules that have been added at management's direction for business needs), then they will likely support additional countermeasures.

Posted: 10/12/2013, 14:16