An internal intrusion prevention model for a distributed organisation

Abstract

Information security has never been a tougher challenge with the security attacks being both internal and external. Most organizations focus great amounts of attention and funds on securing the perimeter of their network while forgetting that their most valuable assets are actually inside. As a minimum they deploy a common set of network defenses to establish a security perimeter or multiple security zones. Generally this includes network firewalls, anti-virus software and network intrusion detection capabilities. Unfortunately due to the nature of modern network and sophistication of intruders/attackers, perimeter security defenses are often circumvented. Defense in-depth is the only viable strategy for data and system protection. It is for this reason that a host-based intrusion prevention system was designed which would focus on protecting applications by means of application data inspection and application behaviour control to provide comprehensive host protection. Questionnaires, interviews and observations laid out the existing security configuration deployed on the computing resources of Pride Microfinance Limited(PML). Analysis of the findings concerning the existing security configurations as well as the common security threats faced by information systems network were used as the basis for the design of the host based intrusion prevention tool. On analysis of the findings the researcher designed a tool which was based on Windows Active Directory and Kaspersky antivirus software version 6.0. This tool addressed the most frequent internal network attacks faced on the PML network. The end result was a host-based intrusion prevention tool (HIP) that bound closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or application programme interfaces in order to prevent attacks as well as log them.