How do you know if you have been hacked? What you should know
We all spend a lot of time talking about security awareness, prevention, and how we are keeping people out of our servers and workstations. However, how would you know if you did have a security breach? What would be some of the signs that would indicate a breach? Most of us imagine that alarms will go off in the IT person's office or a warning will pop up on our screens, but in most security breach scenarios, nothing happens. A skilled hacker doesn't want you to know he is there. He takes precautions to keep the alarms from going off and avoids causing strange behavior on your network. There are going to be side effects from the activity the hacker is undertaking. Still, in most cases, especially if you have a more substantial infrastructure or system, the hacker is after the computing power available on your network more than anything.
Let's define what a data breach is: a data breach is when a cybercriminal, who could be external or internal, gains access to sensitive data or server resources. The most significant threat to your data is your employees, and that needs to be part of your preventative measures. There are many ways this could be done. According to Trend Micro, some of the most common methods and steps that cybercriminals go through are:
- Research: cybercriminals come in many forms, but they are all schooled in the art of research. They know where the weaknesses are, such as the people, and how to create human error to gain access. They also look for publicized system or network weaknesses, such as vulnerabilities published by manufacturers or other resources. Cybercriminals will take the time to research your company and get to know your ownership and your employees, so be cautious, and meter what information you put on the public face of your organization.
- An attack, which in today's technological world can mean a lot of things, including a denial of service, malware, virus, or ransomware attack. Most of these types of attacks require some kind of human intervention to be successful, so end-user training is critical. Cybercriminals know the weakest point is typically the human, so phishing and spear-phishing attacks are more and more common because it is merely a matter of time before the human makes a mistake. On top of that, many of the tools skilled hackers use are automated, so it is set-it-and-forget-it until it cracks the code or password.
- Network / social attack: this is where a cybercriminal takes advantage of system, network, or application weaknesses. System or network weaknesses could be the result of not having proper patching in place, old equipment, or misconfigured equipment. All applications have flaws, so it is essential to research applications to make sure you know how to set them up and configure them securely, especially if you are going to access them from outside your network. The social attack takes advantage of the human factor, exploiting the human to gain access through social media or data-sharing sites.
- Exfiltration: once cybercriminals have gained access to your system or network, skilled cybercriminals can use other techniques to navigate through your network undetected. Techniques such as pivoting and exploiting shares or mapped drives allow them to tunnel to additional resources and data shares on the system.
Signs of a breach: yes, there will be signs, as subtle as they may be, but if you are not watching for them or are not aware of what they mean, they can be easily overlooked. A skilled hacker is hoping you will ignore these subtle signs, so this is an end-user education and training area. According to InfoWorld Magazine, some of the more commonly overlooked signs that you may have been hacked are:
- You have new or unwanted browser bars on your desktop.
- Internet searches are routinely redirected to someplace you were not expecting.
- You have frequent pop-ups.
- Friends get social media requests that you did not send.
- Your online password is not working, or your password needs to be reset frequently.
- You discover unexpected software installs.
- Your mouse moves between programs and makes selections on its own.
- Your anti-virus, anti-malware, or other protections show as disabled.
- You get an unexpected notice or call from someone you don't know telling you that you were hacked.
- Confidential data has been leaked.
- You observe strange network activity.
- Network data is routinely moved or deleted.
Security breaches are becoming more and more costly. CSO Magazine reported in 2019 that within the next 24 months, more than 30% of companies would be the victim of a security breach. In the same report, CSO estimates that U.S.-based companies will have the highest average cost, at $8.19 million per breach. The price is going to vary, but in large part it is being driven by state and federal reporting and management regulations. According to CSO, the average data breach is now about 26,000 records, an increase of about 4% over 2018. On average, the customer turnover rate following a data breach is about 3.4%, depending on the vertical market and type of business.
The real objectives of hacking can vary widely, but regardless of the motives, one of the things hackers need is the ability to hide, and your system may have the perfect hiding spots. Hiding on a network is critical to the hacker because, in most cases, access was gained by accident: a crime of opportunity, where a user made a mistake that opened the door. Once in the system, it is going to take time to navigate a path through your system to steal data or to use your network to host illicit websites or attack larger, more profitable targets. In the emerging Internet of Things (IoT), which is made up of connected devices of convenience, there are new hiding spots to go along with the old favorite places hackers like to hide.
According to Entrepreneur Magazine, these are some of those hiding spots:
- Off-brand apps: be wary of software and applications from companies you may not have heard of in the past. Make sure that you thoroughly check and validate the company and the software before you load it. As a useful safety net, you might want to take away your users' ability to load software; this will stop the spread of viruses and help with your software compliance. However, don't forget about smartphones, mobile devices, and the apps employees may download.
- Your new smart refrigerator: yep, welcome to the Internet of Things. Connected devices such as your refrigerator can be accessed and used to hide on your network and to reach computers and other services on your network. Between December 2019 and January 2020, a smart refrigerator sent out approximately 100,000 virus-infected emails.
- Social media accounts: this one shouldn't surprise anyone. Social media has been a favorite from the very beginning and will continue to be the favorite. The best word of caution here is not to allow social media to be accessed on company computer systems unless that is your job within the company.
- Fax machines: this is an area most companies overlook. You don't use them much, but they are still on and connected to the network.
- Phone systems are all connected to your network and, in most cases, have pretty light security applied to them, so they can provide the perfect hiding place.
I know what you are thinking: there has to be a way to detect security breaches. Early detection is key to limiting the damage to your company and your customers, but it isn't as easy as it sounds, and it has to be something you are specifically looking for once they are in your system. Step number one is to make security a part of your culture, which means you are going to have to deal with the ongoing battle between convenience and security; they don't necessarily go hand in hand. The more you open things up, the more at risk you are going to be, but the other side of the coin is that you have to keep your people as productive as possible, so you can't build security too tight. Creating a culture of security, with security training and security awareness, is key to any long-term security strategy.
Security has to be continuously monitored; new and emerging threats pop up continually, and adjusting your security countermeasures is key to keeping the company safe, even if that bucks the culture of your business. When that happens, users get upset, and the easy answer is to lower the protections to calm the noise, but there is a risk factor to that methodology. Having strong user policies and training is key to the overall mission of building a culture of security. Once people understand the problems and the solutions you are trying to implement to solve them, they tend to be more understanding when the security model changes based on known, new, or emerging threats.
As part of staying current with emerging cybercrime, it is essential to understand the enemy you are facing. Once you understand their methods and their tactics, along with how relentless the attacks can be, you can put detection and countermeasures in place to help in the counter-attack. Simply put, there are five new malware viruses detected every second, which is over seven thousand new malware viruses a day! That does not take into account ransomware, traditional viruses, internet threats, internal threats, or, in most cases, the email threats that your system has to protect you from every day. Set your expectations correctly: if you think last year's protections are going to protect you this year, your expectations may be misplaced.
Staying modern is also key to an overall security plan. Older technologies simply have a hard time detecting and mitigating new threats, and in some cases don't recognize them at all and pass them right through to the end-users. Companies have increased spending on security and countermeasures over the last few years. However, there are thousands of companies that haven't, and as hard as it may be to believe, that is putting us all at risk. I have always been a believer in a layered security approach; I don't think there is one silver-bullet software or hardware package that will provide all the protection you need. In the modern technology age, when you have high usage of hosted applications, mobile users, cloud-based technologies, and in-house systems, you have to use different strategies to protect all the potential system access points. There are advanced threat protection devices that work in combination with traditional security software and hardware security devices. These systems supplement and work in conjunction with newer firewalls, anti-virus, ransomware protection, and threat detection software to help layer and protect your computing environment.
If you think you have had a security breach, what now? What steps should you take to protect yourself and your business? According to a 2019 Villanova University study, here are some of the processes you should undertake if you think, or have verified, that you have had a security breach.
- Evaluate the impact. Some of the items to evaluate: what was the purpose of the breach? What information, data, or systems were the hackers after? Did they manage to get to that data and download it? If so, what is the potential damage to the company from that information? Some prevention steps here would be to limit each person's access to only the data they need to do their job, load software that limits the size of file transfers on or off your network, remove the ability to load software on local machines, and restrict the use of USB drives or other attached storage devices.
- Rebuild security parameters and change passwords. This includes passwords on attached devices as well, such as copiers, phone systems, firewalls, routers, workstations, laptops, service accounts, and user passwords. If you have a real indication that a breach has happened, take the time to change individual software passwords; many times, users will set them all the same, which increases your exposure. If you are an Office 365 user, make sure you change those passwords as part of limiting and mitigating your exposure.
- Start to investigate the cause. There are always weaknesses, so backtracking the potential breach is essential to identify and implement countermeasures against future attacks. Keep in mind that in a large percentage of cases it is going to come back to a user error: clicking on something they shouldn't have, or going to a website they shouldn't have. In that case, it is a training opportunity, along with continuous training and testing to see who your weakest employees are.
- Work with the authorities. This is typically an issue faced by public companies or, in some cases, not-for-profits. However, depending on the extent and expected loss, notifying the authorities is something you may encounter. Most law enforcement departments do have cybercrime units now; however, you may have to deal with state or federal law enforcement if your local police department doesn't provide those services.
- Check the legal implications. Although the United States has not adopted the European Union's GDPR requirements, if you employ or work with European Union companies, you may be subject to GDPR compliance. Within the United States, many individual states have now adopted increased legislation and regulations on how cybercrimes are disclosed and managed, including what information you have to provide to companies or individuals who may be affected by the breach.
Security breaches are very difficult to detect because typically the external hacker needs internal help in some form or fashion to get in, and an internal threat is already in your network and has rights on your system. In most cases, this type of activity is difficult for software solutions to detect and block because it looks like regular network traffic. According to a Jolera report, the average time it takes to detect a security breach is six and a half months, and the average time to contain a breach is another sixty-nine days. The process of detection, evaluation, and containment is slow primarily because of the work of determining how the breach happened, what they had access to, whether anything was copied or removed from your network, and whether other companies or customers were harmed in the process. Some software packages are now starting to utilize business intelligence to form patterns of behavior. These applications trend and manage network behaviors such as file transfers, user login times, and other statistical data points to try to determine whether uncharacteristic behaviors are happening on your network, which could indicate a breach.
When it comes to breach detection, awareness, prevention, and monitoring are still the best options. Awareness starts with learning about and reporting suspicious activity such as abnormal application behavior, which could be slowness, database errors, unexplained users, or new reports. Other indicators might be that you can't access your files or email, or that you are taken to a new landing page when you open your browser. These are just some simple things that you would want to report and have checked out by your IT team.
Prevention starts with having a current firewall in place and making sure that the firmware and software versions on the firewall, routers, switches, and other network devices are current. It also means replacing older equipment with newer, and verifying that all the security parameters have been set and are active, including intrusion detection processes. Use current operating systems on your workstations and servers, and put yourself on routine maintenance programs to ensure that your systems are patched, upgraded, and have current service packs loaded. Anti-virus needs to be active on all workstations, with centralized distribution of new virus definitions updated every day when users log into the network. Add filtering such as website filtering and blocking, and email filtering for attachments, active links, and embedded links. Use business intelligence to ensure that emerging threats are identified and blocked as quickly as possible, along with country and proxy blocking. Finally, use password management with two-factor authentication, limit the ability to load software on local machines, and put some sort of IP and DNS protection in place.
Proactive monitoring I equate to the check engine light on your car: when your check engine light comes on, you have a choice to ignore it or to look at the issue and resolve it. Both of these systems are trying to tell you something, one about your car and the other about your network, and they shouldn't be ignored but should create action items. When it comes to identifying whether you have had a security breach, the monitoring aspects of your network will be the first sign that something is going on and requires your attention. If you are not monitoring the multitude of data points on your system and alerting on them, then you should be, if security is something that concerns you and your staff.
Security is complicated; detecting a breach that has already happened is complicated but not impossible. However, as I always try to coach our customers, prevention, and sometimes having to put up with end-user noise, is cheaper and more productive for the company than relaxing security. You can implement all the protection you want, but if you don't train employees, build a culture of security, and monitor and update your systems on a routine basis, something is going to get through. Cybercrime, like most crime, is based on opportunity, and not making yourself the easiest target on the block takes work; it takes effort, and it has to be a budget item every year.
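To make the behavioral-baselining idea from the breach-detection paragraph above concrete (trending file transfers and login times to spot uncharacteristic behavior) and to show what "alerting on monitored data points" looks like in practice, here is a small Python script. It is an added example, not code from the original article or from any product it mentions. It learns each user's usual login hours and transfer sizes from a baseline window of log lines and flags later events that fall outside that baseline. The log format, user names, byte counts, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (assumed format: "<ISO timestamp> <user> <event> <bytes>").
# This is the "normal" window the baseline is learned from.
BASELINE_LOGS = """\
2024-03-04T08:55:00 alice LOGIN 0
2024-03-04T09:10:00 alice XFER 120000
2024-03-04T14:30:00 alice XFER 95000
2024-03-05T09:02:00 alice LOGIN 0
2024-03-05T11:45:00 alice XFER 110000
2024-03-06T08:40:00 alice LOGIN 0
2024-03-06T16:05:00 alice XFER 130000
2024-03-04T07:30:00 bob LOGIN 0
2024-03-04T10:00:00 bob XFER 40000
2024-03-05T07:45:00 bob LOGIN 0
2024-03-05T15:20:00 bob XFER 45000
2024-03-06T08:05:00 bob LOGIN 0
2024-03-06T12:00:00 bob XFER 38000
"""

# Constructed records from a later window; alice's 02:40 login and the
# 4.8 GB transfer that follows it are deliberately out of character.
NEW_LOGS = """\
2024-03-11T09:05:00 alice LOGIN 0
2024-03-11T10:20:00 alice XFER 105000
2024-03-11T02:40:00 alice LOGIN 0
2024-03-11T02:55:00 alice XFER 4800000000
2024-03-11T07:50:00 bob LOGIN 0
2024-03-11T13:10:00 bob XFER 42000
"""


def parse(text):
    """Turn log lines into (timestamp, user, event, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, event, int(nbytes)))
    return events


def build_baseline(events):
    """Per user: the range of hours logins were seen at, and transfer-size statistics."""
    hours = defaultdict(set)
    xfers = defaultdict(list)
    for ts, user, event, nbytes in events:
        if event == "LOGIN":
            hours[user].add(ts.hour)
        elif event == "XFER":
            xfers[user].append(nbytes)
    baseline = {}
    for user in set(hours) | set(xfers):
        sizes = xfers.get(user, [])
        seen = hours.get(user, set())
        baseline[user] = {
            "login_hours": (min(seen), max(seen)) if seen else None,
            "xfer_mean": mean(sizes) if sizes else 0.0,
            "xfer_stdev": pstdev(sizes) if len(sizes) > 1 else 0.0,
            "xfer_max": max(sizes) if sizes else 0,
        }
    return baseline


def detect(events, baseline, hour_slack=1, sigma=3.0):
    """Return (timestamp, user, reason) alerts for events outside the learned baseline."""
    alerts = []
    for ts, user, event, nbytes in events:
        prof = baseline.get(user)
        if prof is None:
            alerts.append((ts, user, "unknown user: no baseline"))
            continue
        if event == "LOGIN" and prof["login_hours"] is not None:
            lo, hi = prof["login_hours"]
            if not (lo - hour_slack <= ts.hour <= hi + hour_slack):
                alerts.append((ts, user, f"login at {ts.hour:02d}:00 outside usual {lo:02d}-{hi:02d}"))
        elif event == "XFER":
            # Threshold: mean + sigma stdevs, but never below the largest transfer already seen,
            # so a user with very regular sizes is not alerted on ordinary variation.
            threshold = max(prof["xfer_mean"] + sigma * prof["xfer_stdev"], prof["xfer_max"])
            if nbytes > threshold:
                alerts.append((ts, user, f"transfer of {nbytes} bytes exceeds baseline {threshold:.0f}"))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(parse(BASELINE_LOGS))
    for ts, user, reason in detect(parse(NEW_LOGS), profile):
        print(f"ALERT {ts.isoformat()} {user}: {reason}")
```

Run against the constructed data, the script raises two alerts, both for alice: the 02:40 login outside her 08:00 to 09:00 range and the 4.8 GB transfer far above her baseline, while bob's ordinary activity is silent. In a real deployment the baseline window would be refreshed on a schedule and the alerts fed to whoever owns the "check engine light" for the network.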
By Scott M. Lewis, President / CEO Winning Technologies, Inc.
About the Author: Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software. Scott has more than 36 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium, and small companies, and Winning Technologies' goal is to work with companies on the selection, implementation, management, and support of technology resources. Learn more about Winning Technologies by calling 877-379-8279.