5 Warning Signs Your Business Has Been Breached
4:00 PM EST Tue. Oct. 22, 2013
Cybercriminals choose the cheapest and easiest way to gain access to the corporate network. Fortunately, the path of least resistance also causes subtle changes in system resources and network behavior that an experienced network security professional can detect, said Barry Shteiman, director of security strategy at Imperva. Systems are constantly probed for configuration weaknesses and software vulnerabilities, but often all that is needed are stolen account credentials, obtained through a phishing attack against employees. Hackers are successful because systems are not being proactively monitored, Shteiman told CRN. These five signs should sound alarm bells that an intruder is already maintaining a presence on your systems.
Businesses are often caught failing to monitor the system administrators who have significant access to systems and ultimately the keys to the kingdom, Shteiman said. Database activity monitoring can help determine when data has been accessed without authorization. The technology is a best practice in protecting databases containing financial, HR or other business applications, Shteiman said. In addition to addressing compliance mandates, database activity monitoring can also detect if a user is reading or updating database files from the application layer. A system admin downloading a financial report should raise a red flag, Shteiman said.
Masking attacks are designed to throw off security staff and disguise the bigger danger taking place behind the corporate network. In recent months, the FBI has warned banks and credit unions that distributed denial-of-service attacks were believed to be disguising unauthorized wire transfers. The same tactic can be used against other businesses, Shteiman said. Hackers can infiltrate other areas of the network while teams handle support calls from the disruption prompted by a crippled application.
The Web server outbound page size is an interesting way to look for data exfiltration through SQL injection attacks, Shteiman told CRN. Using SQL injection, the attacker manipulates the application to deliver data from the database. This will result in huge HTML pages containing the content of the database, he said. SQL injection is one of the oldest and most frequently used Web attacks, often carried out in broad campaigns using automated attack tools. A successful compromise can result in customer data exposure, such as account credentials, credit card data or Social Security Numbers.
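The outbound-page-size check above can be scripted against ordinary web server access logs. The following is an added example (not from the article or from Imperva): it parses combined-format log lines, builds a per-path baseline of response sizes, and flags any response that is an order of magnitude larger than the median for that same path. The log lines are constructed for illustration; the `factor` and `min_samples` thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from statistics import median

# Apache/nginx "combined" access log format; we need the request target,
# the status code and the response byte count.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "query": query, "status": int(m.group("status")), "bytes": size}

def flag_oversized_responses(lines, factor=10, min_samples=3):
    """Return successful (200) responses whose size exceeds `factor` times
    the median size of all 200 responses for the same path. Baselining per
    path avoids flagging pages that are legitimately large; the median is
    robust against the outlier itself. Paths with fewer than `min_samples`
    observations are skipped because they have no usable baseline."""
    entries = [e for e in map(parse, lines) if e and e["status"] == 200]
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e["bytes"])
    alerts = []
    for e in entries:
        sizes = by_path[e["path"]]
        if len(sizes) >= min_samples and e["bytes"] > factor * median(sizes):
            alerts.append(e)
    return alerts

# Constructed sample: one product page suddenly returns ~840 KB instead of ~2 KB.
# Detection keys on size alone, not on what the query string contains.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Oct/2013:15:58:01 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/Oct/2013:15:58:03 -0400] "GET /product.php?id=7 HTTP/1.1" 200 2310',
    '198.51.100.9 - - [22/Oct/2013:15:59:10 -0400] "GET /product.php?id=12 HTTP/1.1" 200 2298',
    '198.51.100.9 - - [22/Oct/2013:15:59:12 -0400] "GET /product.php?id=13 HTTP/1.1" 200 2344',
    '203.0.113.77 - - [22/Oct/2013:16:00:40 -0400] "GET /product.php?id=99 HTTP/1.1" 404 512',
    '203.0.113.5 - - [22/Oct/2013:16:01:05 -0400] "GET /product.php?id=3 HTTP/1.1" 200 2301',
    '192.0.2.44 - - [22/Oct/2013:16:02:17 -0400] "GET /product.php?id=7%27 HTTP/1.1" 200 843120',
    '203.0.113.5 - - [22/Oct/2013:16:03:00 -0400] "GET /logo.png HTTP/1.1" 200 48211',
]
```

Running `flag_oversized_responses(SAMPLE_LOG)` reports only the 843120-byte `/product.php` response; in production the baseline should be computed over a longer window than the one being scored.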
A sudden spate of newly installed programs, automated processes starting and stopping, or system activity at abnormal times could all be signs of a serious problem on the network, Shteiman said. Once a dropper is placed on a system, a variety of programs can be installed to manipulate security software or make unauthorized changes to firewall configuration. A good attacker attempts to mimic valid network traffic and system processes, but every additional piece of malware running on a system increases the noise level, hopefully tripping an alarm on the suspicious activity.
Identifying suspicious access patterns is easier said than done, Shteiman said, but modern authentication platforms have built-in behavioral analytics to spot abnormal user activity. An employee accessing business data while on vacation could be a sign something is wrong, and a worker typically based in Utah who is observed logging into a system from a location in China should set off a big red flag, Shteiman said. Other signs of a potential problem include data being accessed after hours, files all getting copied at the same time, or an account sending a large number of emails with attachments over a short period of time, Shteiman said.