HIDS - FAQ | Office of Information Technology

Last Updated: 04/24/2017

General FAQ

Are there recommended ways to configure and use my HIDS?

Yes. The no-cost training will cover the recommended configurations for HIDS. If you have already attended the training session, please visit the recommended practices portion of this website for self-help information.

Can I customize my host-based intrusion detection software?

Yes.  Administrators have full control over the installation and configuration of HIDS on the systems for which they have responsibility.

Do I have to attend an IT Security training?

Because of the complexity of running the software, OIT recommends administrators attend the no-cost training.

Do I have to go through training every time I need to install HIDS on a new server?

No. You only need to attend the training once.

Does IT Security get notified when an intrusion has been detected?

It is recommended that administrators include IT Security in alerts that are sent from their HIDS so that the IT Security Office (ITSO) is aware of issues and can be better prepared to help in the event of an attack or compromise.  The no-cost training module will help you configure that option.

How does HIDS work?

Host-based Intrusion Detection monitors the system for unauthorized changes to files and alerts the administrator of suspicious activity.

I’m already running a flavor of host-based intrusion detection software. Am I exempt?

By running a host-based intrusion detection system, you satisfy the requirement and do not need to run a new HIDS. Please contact the IT Security Office (ITSO) to file an exception.

What are the benefits of running host-based intrusion detection software on my server?

HIDS examines a computer system for anomalous behavior as a means to identify an attack or compromise of the system. Identifying the source and method of an intrusion will help us to understand what data is at risk and whether other systems may be affected.

What constitutes Internet-facing?

Any computer that can be accessed from outside of the campus network without using the VPN.

What do I do if the software detects an intrusion?

Verify the alert and contact the IT Security Office (ITSO). Because of the complexity of HIDS software, there is potential for false positives. The no-cost training module will cover alert management.  If the alert appears to be an indication of a compromise, contact the ITSO immediately.

Why is host-based intrusion detection software (HIDS) recommended?

HIDS is required for systems hosting private data and recommended for all Internet-facing servers. Protecting highly confidential data is a top priority on the CU Boulder campus, and HIDS will provide administrators and the IT Security Office with immediate knowledge of a potential system compromise.

Will OIT install host-based intrusion detection software on my server for me?

No.  The IT Security Office provides no-cost training that will guide you through installation and configuration of HIDS.