Prevent -> Detect -> Survive
Intrusion Examples
remote root compromise
running a packet sniffer
web server defacement
distributing pirated software
guessing/cracking passwords
using an unsecured modem to access the internal network
copying databases containing credit card numbers
impersonating an executive to get information
viewing sensitive data without authorization
using an unattended workstation
Designed to Counter Threats:
known, less sophisticated attacks
sophisticated targeted attacks
new, zero-day exploits
Defense-in-depth strategies include:
encryption
detailed audit trails
strong authentication and authorization controls
active management of operating systems
application security
Intruder behavior
Primary assumptions of intrusion detection:
system activities are observable
normal and intrusive activities have distinct evidence
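The two assumptions above are what makes host-based detection possible in the first place: authentication attempts leave a trace (observable), and a burst of failures against many accounts from one source looks different from a legitimate user mistyping once (distinct evidence). The following is an added example, not part of these notes: a small detector run over constructed sshd-style log lines (the hostnames, usernames, addresses and timestamps are all made up) that flags the password-guessing pattern listed under the intrusion examples while leaving the single mistyped login alone.

```python
"""Added example (not from the original notes): flag password guessing
from constructed sshd-style authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One legitimate user (alice) mistypes once and then
# logs in; one source tries several accounts within a few seconds.
SAMPLE_LOG = """\
Mar 10 09:14:02 host1 sshd[2101]: Failed password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 09:14:09 host1 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 09:20:01 host1 sshd[2188]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 09:20:02 host1 sshd[2189]: Failed password for admin from 198.51.100.7 port 40002 ssh2
Mar 10 09:20:02 host1 sshd[2190]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Mar 10 09:20:03 host1 sshd[2191]: Failed password for oracle from 198.51.100.7 port 40004 ssh2
Mar 10 09:20:04 host1 sshd[2192]: Failed password for guest from 198.51.100.7 port 40005 ssh2
Mar 10 09:20:05 host1 sshd[2193]: Failed password for root from 198.51.100.7 port 40006 ssh2
"""

# syslog-style timestamp, host, sshd pid, result, optional "invalid user",
# account name and source address (the format assumed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Turn one log line into an event dict, or None if it is not an auth event.
    syslog lines carry no year, so one is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_password_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: (failures_in_window, distinct_accounts)} for every source
    that produced at least `threshold` failed logins inside any `window` span.
    A sliding window over the sorted failures per source does the counting."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            failures[ev["src"]].append(ev)

    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {e["user"] for e in evs[start:end + 1]}
                alerts[src] = (count, len(users))
    return alerts


if __name__ == "__main__":
    for src, (count, users) in detect_password_guessing(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed logins against {users} accounts")
```

The threshold and window are tuning knobs: too low and the mistyping user becomes a false positive, too high and a slow guesser stays below the radar, which is exactly the trade-off the "distinct evidence" assumption hides.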