Almost every day we read a story about yet another data breach. Some lead to more significant repercussions than others, whether financial loss, reputational damage, or both. What many businesses may not realize is that the earlier they can detect a compromise, the less damage they will suffer in the long run, and that's why self-detection is critical. According to our 2014 Trustwave Global Security Report, 71 percent of organizations fail to detect a breach themselves. How can businesses decrease this percentage? First, they should know what to look for that may indicate a compromise.
Here are the red flags that may indicate you or your business has suffered a breach:
1. Changes in web behavior: When browsing the Web, if you notice an abundance of pop-up ads and/or your web browser automatically opening sites you didn't intend to visit, you may have been compromised. Also, if you discover your browser has new toolbars or is using a new search engine, you should be concerned. Oftentimes, malware focuses on web traffic, so these kinds of changes are common indicators of a breach.
2. Evidence of tampering with anti-virus services: Malware does not want to be discovered, so it will often target your computer's antivirus system. If you find that your antivirus solution is not starting or fails to update, it could be because malware is preventing it from doing so, which is another sign of a breach.
3. Your computer is acting on its own: Malware can control every function of your computer. If your mouse is moving, words are being typed or applications are opening, and they're all happening without your control, you may have been compromised.
4. Geographic changes in login: Businesses should be monitoring from where their employees are logging in. If you don't have users based in Finland but identify people logging in from that location, it should raise a red flag.
5. Strange account activity: Any strange account activity should also raise concerns. For example, if employee "X" logs into a system that he normally doesn't, or employee "Y" logs in after hours on a regular basis, these scenarios should all raise alarms.
6. Unexplained or suspicious outbound data: Companies should also be monitoring what data is leaving their networks. Outbound network traffic that is not common or large spikes in traffic should be investigated.
7. Evidence of log tampering: Being able to spot these indicators of compromise depends on the logging of system, application and network events as well as conducting a detailed analysis of these logs. That's why the logs are often a criminal's first target after a compromise. In order to hide or erase their activity, criminals will attempt to delete the logs or flood the logs with innocuous events. If your logs have gaps in them or are filled with odd entries, you may have been breached.
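Red flags 4 through 7 are all things a business can check automatically if it keeps logs. The script below is an added example, not code from Trustwave or from the report; it runs four simple checks over a constructed set of login records, hourly outbound byte counts and event timestamps: logins from countries outside the expected set (flag 4), first logins to a system a user has not used before and users who repeatedly log in after hours (flag 5), hours whose outbound volume is far above the median (flag 6), and silent gaps in a log stream that should be continuous (flag 7). The record layout, the business-hours window, the expected-country set and every threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample login records (not real data): (ISO timestamp, user, host, country).
LOGINS = [
    ("2014-03-03T08:55:00", "alice", "fileserver", "US"),
    ("2014-03-03T09:02:00", "bob", "crm", "US"),
    ("2014-03-03T23:40:00", "bob", "crm", "US"),
    ("2014-03-04T09:10:00", "alice", "fileserver", "US"),
    ("2014-03-04T23:15:00", "bob", "crm", "US"),
    ("2014-03-05T02:30:00", "alice", "payroll", "FI"),
    ("2014-03-05T23:50:00", "bob", "crm", "US"),
]

# Constructed outbound volume per hour of one business day, in megabytes.
OUTBOUND_MB = {"08": 120, "09": 135, "10": 128, "11": 140,
               "12": 95, "13": 130, "14": 2600, "15": 125}

# Constructed timestamps from a log source that normally emits an event every few minutes.
EVENTS = ["2014-03-05T00:00:00", "2014-03-05T00:05:00", "2014-03-05T00:10:00",
          "2014-03-05T02:45:00", "2014-03-05T02:50:00"]

EXPECTED_COUNTRIES = {"US"}     # assumption: where this business has users
BUSINESS_HOURS = (8, 18)        # assumption: local working hours, [start, end)
AFTER_HOURS_THRESHOLD = 3       # assumption: repeated after-hours logins worth a look


def parse(ts):
    return datetime.fromisoformat(ts)


def geo_anomalies(logins, expected=EXPECTED_COUNTRIES):
    """Flag 4: logins from a country where the business has no users."""
    return [rec for rec in logins if rec[3] not in expected]


def unusual_host_logins(logins):
    """Flag 5a: a user's first login to a host they have never used before.
    Simplification: the baseline is built from the records themselves, so a
    user's very first login establishes their profile rather than being flagged."""
    seen = defaultdict(set)
    flagged = []
    for ts, user, host, _country in logins:
        if seen[user] and host not in seen[user]:
            flagged.append((ts, user, host))
        seen[user].add(host)
    return flagged


def after_hours_repeaters(logins, hours=BUSINESS_HOURS, threshold=AFTER_HOURS_THRESHOLD):
    """Flag 5b: users who log in outside business hours at least `threshold` times."""
    counts = defaultdict(int)
    for ts, user, _host, _country in logins:
        hour = parse(ts).hour
        if hour < hours[0] or hour >= hours[1]:
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def outbound_spikes(hourly, factor=3.0):
    """Flag 6: hours whose outbound volume exceeds `factor` times the day's median."""
    baseline = median(hourly.values())
    return {hour: mb for hour, mb in hourly.items() if mb > factor * baseline}


def log_gaps(timestamps, max_gap=timedelta(minutes=15)):
    """Flag 7: stretches longer than `max_gap` with no events from a source that
    should never go quiet; returns (last event before gap, first event after)."""
    stamps = sorted(parse(t) for t in timestamps)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


if __name__ == "__main__":
    print("logins from unexpected countries:", geo_anomalies(LOGINS))
    print("first logins to a new host:      ", unusual_host_logins(LOGINS))
    print("repeated after-hours logins:     ", after_hours_repeaters(LOGINS))
    print("outbound volume spikes (MB):     ", outbound_spikes(OUTBOUND_MB))
    print("gaps in the event log:           ", log_gaps(EVENTS))
```

On the constructed data the checks reinforce each other: the 02:30 login from Finland is also alice's first use of the payroll host, and it falls inside the window where the event log went silent, which is exactly the combination flag 7 warns about. In practice the baselines for "usual host" and "usual hours" should come from weeks of history rather than the records being inspected, and the thresholds should be tuned to the business rather than copied from here.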
If you are infected with malware, your goal is to contain it, eradicate it and recover from the compromise. Businesses should have an incident response policy and process in place to follow in such cases. Individuals should disconnect the suspected system(s) from the Internet and from each other in order to contain the malware. Scan your system with a current antivirus scanner to discover what malware has infected it and remove it. Finally, you will need a good backup of your data in case data is destroyed in the process of eradicating the malware.