Just about every day we read about money being stolen or confidential information being leaked by cyber criminals. But by the time a company realises it has been hacked, it is usually too late. ANDREW KIRKLAND gives users some tips on how they can identify whether a computer has been hacked.
1. Changes in web behaviour: When browsing the Web, if you notice an abundance of pop-up ads and/or your browser automatically opening sites you did not intend to visit, you may have been compromised. Likewise, if you discover that your browser has new toolbars or is using a new search engine, you should be concerned. Malware often targets web traffic, so these kinds of changes are common indicators of a breach.
2. Evidence of tampering with anti-virus services: Malware does not want to be discovered, so it will often target your computer’s antivirus system. If you find that your antivirus solution is not starting or fails to update, it could be because malware is preventing it from doing so, which is another sign of a breach.
3. Your computer is acting on its own: Malware can control every function of your computer. If your mouse is moving, words are being typed or applications are opening, and they’re all happening without your control, you may have been compromised.
4. Geographic changes in login: Businesses should be monitoring where their employees are logging in from. If you have no users based in Finland but identify people logging in from that location, it should raise a red flag.
5. Strange account activity: Any strange account activity should also raise concerns. For example, if employee “X” logs into a system that he normally doesn’t, or employee “Y” logs in after hours on a regular basis, these scenarios should all raise alarms.
6. Unexplained or suspicious outbound data: Companies should also be monitoring what data is leaving their networks. Outbound network traffic that is out of the ordinary, or large spikes in traffic volume, should be investigated.
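The outbound-data tip above calls for a baseline of what normally leaves each host so that spikes stand out. The following is an added example (not from the article or from Trustwave): it builds a per-host hourly baseline from constructed flow records and flags any hour whose outbound volume sits far above the host's median, using the median absolute deviation so that the spike itself does not distort the baseline. The flow records, host names and threshold are constructed assumptions; in practice the input would come from NetFlow/IPFIX, firewall or proxy logs.

```python
"""Flag unusual outbound data volumes per host from constructed flow records.

Added example, not from the article. FLOWS, the host names and the
threshold are constructed/assumed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (host, hour_of_day, bytes_out). Routine hours for two
# workstations, plus one planted late-evening spike on ws-01.
FLOWS = [
    ("ws-01", 9, 1_200_000), ("ws-01", 10, 1_500_000), ("ws-01", 11, 1_100_000),
    ("ws-01", 12, 1_300_000), ("ws-01", 13, 1_400_000), ("ws-01", 14, 1_250_000),
    ("ws-01", 15, 1_350_000), ("ws-01", 16, 1_200_000), ("ws-01", 17, 1_300_000),
    ("ws-01", 18, 1_450_000), ("ws-01", 19, 1_150_000), ("ws-01", 20, 1_300_000),
    ("ws-01", 23, 95_000_000),  # constructed spike: roughly 70x the usual hour
    ("ws-02", 9, 800_000), ("ws-02", 10, 900_000), ("ws-02", 11, 850_000),
    ("ws-02", 12, 950_000), ("ws-02", 13, 870_000), ("ws-02", 14, 820_000),
    ("ws-02", 15, 880_000), ("ws-02", 16, 910_000), ("ws-02", 17, 860_000),
    ("ws-02", 18, 890_000), ("ws-02", 19, 840_000), ("ws-02", 20, 900_000),
]


def hourly_totals(flows):
    """Sum outbound bytes per host and hour: {host: {hour: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, hour, nbytes in flows:
        totals[host][hour] += nbytes
    return totals


def robust_spikes(flows, factor=10.0, min_samples=6):
    """Return (host, hour, bytes, score) for hours whose outbound volume lies more
    than `factor` median-absolute-deviations above the host's median hour.

    The median/MAD pair is used instead of mean/stddev so a single huge
    exfiltration-sized hour cannot inflate the baseline and hide itself."""
    alerts = []
    for host, per_hour in hourly_totals(flows).items():
        values = list(per_hour.values())
        if len(values) < min_samples:      # too little history to judge
            continue
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0   # guard against a zero MAD
        for hour, nbytes in sorted(per_hour.items()):
            score = (nbytes - med) / mad
            if score > factor:
                alerts.append((host, hour, nbytes, round(score, 1)))
    return alerts


if __name__ == "__main__":
    for host, hour, nbytes, score in robust_spikes(FLOWS):
        print(f"INVESTIGATE {host}: {nbytes:,} bytes out at {hour:02d}:00 (score {score})")
```

Only the planted hour on ws-01 is reported; ws-02's normal variation scores well under the threshold. With real data the baseline should be built per host and per time-of-day over several weeks, since a backup server legitimately sends a great deal at night.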
7. Evidence of log tampering: Being able to spot these indicators of compromise depends on logging system, application and network events, and on analysing those logs in detail. That is why the logs are often a criminal’s first target after a compromise. In order to hide or erase their activity, criminals will attempt to delete the logs or flood them with innocuous events. If your logs have gaps in them or are filled with odd entries, you may have been breached.
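Tips 4, 5 and 7 all come down to comparing authentication logs against a known baseline. The script below is an added example, not code from the article or from Trustwave: it parses a constructed set of login-log lines, flags logins from an unexpected country, to an unusual system or after hours (tips 4 and 5), and then checks the same log for daytime silences and for bursts of identical filler messages (tip 7). The line format, the user profiles, the business-hours window and the thresholds are all assumptions chosen for illustration; a real deployment would learn the profiles from weeks of history rather than hard-code them.

```python
"""Spot login anomalies, logging gaps and log flooding in constructed auth-log lines.

Added example, not from the article. The line format, PROFILES, BUSINESS_HOURS,
MAX_GAP, FLOOD_THRESHOLD and SAMPLE_LINES are assumptions for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line format: ISO-8601 UTC timestamp followed by key=value pairs.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed baseline: countries and hosts each user is normally seen with.
PROFILES = {
    "alice": {"countries": {"ZA"}, "hosts": {"fileserver", "mail"}},
    "bob": {"countries": {"ZA", "KE"}, "hosts": {"crm"}},
}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC (assumption)
MAX_GAP = timedelta(hours=2)    # daytime silence longer than this is suspicious
FLOOD_THRESHOLD = 50            # identical messages within one minute

# Constructed sample log in time order, with three planted findings: a daytime
# logging gap, an off-hours login from an unexpected country to an unusual host,
# and a burst of identical heartbeat lines.
SAMPLE_LINES = [
    "2024-03-04T08:02:11Z user=alice host=fileserver country=ZA result=success",
    "2024-03-04T08:45:30Z user=bob host=crm country=KE result=success",
    "2024-03-04T09:10:05Z user=alice host=mail country=ZA result=success",
    "2024-03-04T09:40:00Z user=bob host=crm country=ZA result=success",
    "2024-03-04T13:55:21Z user=alice host=fileserver country=ZA result=success",
    "2024-03-04T15:40:12Z user=alice host=fileserver country=ZA result=success",
    "2024-03-05T03:15:44Z user=bob host=fileserver country=FI result=success",
    "2024-03-05T08:30:00Z user=alice host=crm country=ZA result=success",
] + [f"2024-03-05T09:00:{s:02d}Z event=heartbeat host=mail" for s in range(60)]


def parse(lines):
    """Turn each line into a dict of its key=value fields plus 'ts' (datetime)
    and 'raw' (the message without its timestamp); malformed lines are skipped."""
    events = []
    for line in lines:
        ts_text, _, rest = line.partition(" ")
        try:
            ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        ev = dict(KV_RE.findall(rest))
        ev["ts"] = ts
        ev["raw"] = rest
        events.append(ev)
    return events


def login_anomalies(events):
    """Tips 4 and 5: logins from an unexpected country, to an unusual host, or after hours.
    Users with no profile are treated as having no known-good country or host."""
    findings = []
    for ev in events:
        user = ev.get("user")
        if user is None:            # not a login record
            continue
        profile = PROFILES.get(user, {"countries": set(), "hosts": set()})
        reasons = []
        if ev.get("country") not in profile["countries"]:
            reasons.append("unexpected country")
        if ev.get("host") not in profile["hosts"]:
            reasons.append("unusual host")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("after hours")
        if reasons:
            findings.append((ev["ts"].isoformat(), user, reasons))
    return findings


def log_gaps(events, max_gap=MAX_GAP):
    """Tip 7: silences longer than max_gap that begin during business hours and end
    the same day (overnight quiet is normal and is not reported)."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur["ts"] - prev["ts"]
        if (prev["ts"].date() == cur["ts"].date()
                and prev["ts"].hour in BUSINESS_HOURS and delta > max_gap):
            gaps.append((prev["ts"].isoformat(), cur["ts"].isoformat(), delta))
    return gaps


def log_floods(events, threshold=FLOOD_THRESHOLD):
    """Tip 7: the same message repeated more than `threshold` times inside one minute."""
    per_minute = Counter((ev["ts"].replace(second=0), ev["raw"]) for ev in events)
    return [(minute.isoformat(), raw, n)
            for (minute, raw), n in per_minute.items() if n > threshold]


if __name__ == "__main__":
    evs = parse(SAMPLE_LINES)
    for item in login_anomalies(evs):
        print("LOGIN", item)
    for item in log_gaps(evs):
        print("GAP  ", item)
    for item in log_floods(evs):
        print("FLOOD", item)
```

Against the constructed log this reports Bob's 03:15 login from Finland to a host he never uses, Alice's login to a system outside her profile, a four-hour daytime silence on 4 March, and sixty identical heartbeat lines in a single minute. The gap check deliberately ignores overnight quiet; tune BUSINESS_HOURS and MAX_GAP to the system's real activity pattern, or a false alarm fires every morning.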
* Andrew Kirkland, Regional Director Africa at Trustwave