Detecting A Cyber-Attack
CYBERCRIME HAS BEEN ON THE RISE WITH MANY HIGH PROFILE ORGANISATIONS APPEARING IN THE MEDIA. LARGE MULTINATIONALS ARE INCREASINGLY THE VICTIMS OF ‘HACKTIVISM’ (THE ATTEMPT TO MAKE A POLITICAL STATEMENT THROUGH CYBER HACKING) AND CYBER ESPIONAGE ATTEMPTS.
According to a 2011 report by Verizon, 41-65% of breaches remain undetected for months; some unaware until notified by authorities (Verizon, 2011). The 2012 report found that:
98% of data breaches were caused by external agents – up 6% from 2011,
85% of breaches took weeks or more to discover – up 6% from 2011,
92% were discovered by a third-party – up 6% from 2011, and
97% could have been avoided – up 1% from 2011 (Verizon, 2012**).
So what steps can organisations take to ensure that any breaches or cyber-attack attempts are detected early?
“Prevention is always better than a cure. Stopping attacks from occurring in the first place is always preferable to having to clean up after one or facing a potentially expensive financial loss or loss of customer confidence,” commented Paul Moroney, Solentive Software’s Principal Solutions Consultant.
“Most data breach attacks occur through remote access entry points that allow staff to work remotely. Weak authentication and access controls are a commonly targeted vulnerability by cybercriminals looking to steal login credentials to gain access to the network. Steps should be taken to mitigate against such types of attacks, such as the implementation of strict user policies,” explained Moroney.
It is important that measures are in place to quickly detect a data breach if and when it occurs. Such measures include:
Training IT staff how to spot signs of a potential breach – signs include user access level being higher than expected, data transfer activity being unusually high or occurring at unusual times, company computers running slower than expected, or unidentified processes running on the machines
Ensure usage logs are turned on in your network and is capturing relevant data such as timestamps, network traffic and full access information
Regularly review logs for irregularities – review logs daily if possible and compare against previous logs.
“If anything unusual is detected, it should be escalated appropriately, investigated and acted upon. Some breaches only deliver small packets of data over a long period of time and are therefore harder to detect. This means that any unusual activity that is detected, no matter how small, should be investigated and not ignored in the hope that it will simply go away,” advised Moroney.
2011 Data Breach Investigation Report – 2011 (Verizon*)
2012 Data Breach Investigations Report – 2012 (Verizon**)