IDS and IPS - CSU1899 - Shoolini U

FL17: IDS and IPS

1. Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS)

In the context of Ethical Hacking, understanding IDS and IPS is essential as they are critical components of network security. These systems monitor network traffic for malicious activity and provide different ways to respond to potential threats.

1.1 Intrusion Detection System (IDS)

1.1.1 Definition

An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity, policy violations, or unauthorized access. IDS analyzes network packets, system logs, or file changes and reports any suspicious behavior to the network administrator.

1.1.2 How It Works

IDS does not block or prevent attacks but alerts the security team or generates a log of the suspicious activity.

1.1.3 What It Does
1.1.4 Advantages
1.1.5 Disadvantages

1.2 Intrusion Prevention System (IPS)

1.2.1 Definition

An Intrusion Prevention System (IPS) is a network security system that actively monitors network traffic and takes immediate action to prevent attacks. IPS not only detects potential threats but also blocks or prevents them in real time.

1.2.2 How It Works
1.2.3 What It Does
1.2.4 Advantages
1.2.5 Disadvantages

1.3 IDS vs. IPS

Feature            | IDS                                         | IPS
-------------------+---------------------------------------------+----------------------------------------------
Position           | Monitors network traffic passively.         | Positioned inline to actively monitor.
Action             | Alerts and logs but does not block traffic. | Blocks or prevents malicious activity.
Response Time      | Requires manual response.                   | Takes automatic preventive actions.
Performance Impact | Minimal impact on network traffic.          | May impact performance due to inline nature.
Use Case           | Used for monitoring and logging.            | Used for real-time attack prevention.
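As an added illustration (not part of the original notes), the following Python sketch runs one detection engine in the two response modes the table contrasts: in IDS mode a hit is only logged and the packet still passes, while in IPS mode the same hit is dropped inline before it reaches the host. The traffic, the blocklisted address and the flood threshold are constructed sample values.

```python
"""Constructed mini IDS/IPS: the same detection engine, two response modes."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample traffic as (source_ip, dest_port, payload); not a real capture.
SAMPLE_PACKETS = [
    ("10.0.0.5", 80, "GET /index.html"),
    ("198.51.100.23", 22, "SSH-2.0-client"),            # source on the blocklist
    *[("203.0.113.9", 443, "SYN") for _ in range(12)],  # one source sending a burst
    ("10.0.0.5", 443, "GET /about"),
]

# Signature-style rule: known-bad source addresses (constructed example value).
BLOCKLIST = {"198.51.100.23"}
# Anomaly-style rule: more than this many packets from one source looks like a flood.
FLOOD_THRESHOLD = 10


@dataclass
class Sensor:
    mode: str                                   # "ids" (passive) or "ips" (inline)
    alerts: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def inspect(self, src, port, payload):
        """Return a verdict: 'forward', 'alert' (IDS hit) or 'drop' (IPS hit)."""
        self.counts[src] += 1
        reason = None
        if src in BLOCKLIST:
            reason = "blocklisted_ip"
        elif self.counts[src] > FLOOD_THRESHOLD:
            reason = "flood"
        if reason is None:
            self.forwarded.append((src, port, payload))
            return "forward"
        self.alerts.append((src, reason))       # both modes record the event
        if self.mode == "ips":
            return "drop"                       # inline: traffic never reaches the host
        self.forwarded.append((src, port, payload))
        return "alert"                          # passive: packet passes, admin is notified


def run(mode, packets=SAMPLE_PACKETS):
    """Run every sample packet through a sensor in the given mode."""
    sensor = Sensor(mode)
    verdicts = [sensor.inspect(*pkt) for pkt in packets]
    return sensor, verdicts
```

Comparing `run("ids")` with `run("ips")` shows the table's Action row concretely: the IDS forwards all 15 packets and raises 3 alerts, the IPS raises the same 3 alerts but forwards only 12.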

1.4 Examples and Case Studies from India

1.4.1 Example of IDS: Indian Government's CERT-In

The Indian Computer Emergency Response Team (CERT-In) employs various Intrusion Detection Systems to monitor critical infrastructure networks and government agencies. IDS is part of India’s strategy to monitor network traffic, detect anomalies, and alert teams about potential attacks, such as Distributed Denial of Service (DDoS) attacks.

1.4.2 Example of IPS: Indian Banking Sector

Many major Indian banks, such as State Bank of India (SBI), deploy IPS to prevent cyber attacks on their financial networks. With growing concerns over phishing, ransomware, and other online banking frauds, IPS solutions are used to stop malicious attempts before they can exploit vulnerabilities in financial systems. These systems block suspicious traffic and enforce strict firewall policies in real time.

1.4.3 Case Study: National Knowledge Network (NKN)

The National Knowledge Network (NKN), a high-speed, nationwide educational and research network in India, uses both IDS and IPS to safeguard academic data from cyber attacks. Because the network connects educational institutions and research bodies, it is an attractive target for attackers. By using IDS for monitoring and IPS for proactive defense, NKN maintains data security without sacrificing high-speed connectivity.

1.4.4 Case Study: Indian Railways

Indian Railways, one of the world’s largest rail networks, uses Intrusion Prevention Systems to prevent cyber attacks on its ticketing and passenger information systems. IPS solutions help secure online ticketing platforms and internal communication systems by blocking malicious IP addresses and unauthorized access attempts. By using a combination of IDS and IPS, Indian Railways mitigates risks to its critical infrastructure.

2. Vulnerability

2.1 Definition

A vulnerability in the context of cybersecurity is a weakness or flaw in a system, application, or network that can be exploited by attackers to gain unauthorized access, cause damage, or disrupt normal operations. Vulnerabilities can exist in software, hardware, or procedural controls, and they create opportunities for cybercriminals to launch attacks such as data breaches, malware infections, or denial of service (DoS) attacks.

2.2 Types of Vulnerabilities

Vulnerabilities can be categorized based on their source and nature. The main types include:

2.2.1 Software Vulnerabilities

These are caused by flaws in the code of software applications, operating systems, or firmware. Common examples include:

2.2.2 Network Vulnerabilities

These weaknesses can be found in network protocols, configurations, or devices like routers, switches, and firewalls. Examples include:

2.2.3 Hardware Vulnerabilities

These are flaws in physical devices that can be exploited. Examples include:

2.2.4 Human Vulnerabilities

Often referred to as the weakest link in security, human errors like poor password management, phishing susceptibility, or improper handling of sensitive data create entry points for attackers.

2.3 How Vulnerabilities Are Exploited

Vulnerabilities are typically exploited through attacks that use exploit code or techniques targeting the specific weakness. Common methods of exploitation include:

2.4 Vulnerability Management

Vulnerability management is the process of identifying, evaluating, and mitigating vulnerabilities within a system. The key steps involved are:

2.5 Examples & Case Studies from India

2.5.1 Aadhaar Data Leak (2018)

One of the most well-known vulnerabilities in India was related to the Aadhaar system, India's biometric identification system. In 2018, a security researcher discovered a vulnerability that allowed unauthorized access to Aadhaar data through third-party websites. Although the Aadhaar system itself was secure, the APIs used by some service providers were poorly configured, leading to potential data leaks. This highlighted the critical importance of securing all components of an ecosystem, including third-party integrations.

2.5.2 WannaCry Ransomware Attack (2017)

In May 2017, the WannaCry ransomware attack affected several organizations worldwide, including parts of India's critical infrastructure, such as banks and healthcare services. The ransomware exploited a vulnerability in the Microsoft Windows operating system (EternalBlue exploit). Even though Microsoft had issued patches for this vulnerability, many organizations failed to update their systems, resulting in widespread infections. This event demonstrated the importance of timely patch management.

2.5.3 RailYatri App Vulnerability (2020)

A vulnerability discovered in the popular Indian travel app RailYatri exposed sensitive user information, including travel data, personal identification, and payment details. The vulnerability existed due to weak security configurations in their Amazon Web Services (AWS) S3 bucket, which was left unsecured, making it accessible to anyone with the right tools. RailYatri patched the vulnerability once it was discovered, but the incident raised awareness about the security of cloud-based services.

2.5.4 Indian Banks’ ATM Vulnerabilities

In 2016, Indian banks were hit by one of the largest cyber breaches, which compromised over 3.2 million debit cards. This breach was traced back to vulnerabilities in ATMs operated by a third-party provider. The malware spread through these ATMs, allowing attackers to capture card data, leading to widespread fraud. The vulnerability was linked to unpatched ATM systems running on outdated software, showcasing the need for updating and securing legacy systems.

2.6 Preventing Vulnerabilities

To prevent vulnerabilities from being exploited, organizations can follow these best practices: