The network apocalypse, Part 1: Recognizing an IT network attack

May 2, 20164 Minute Read

Select article text to share directly to Twitter!

Dismiss

An IT network attack isn’t like a zombie attack, with the sudden, full-frontal charge of unmistakable killers that leave victims scrambling, leaving behind a trail of blood-curdling screams and dismembered body parts. Hackers are more like ghosts who slip in and out unnoticed. By the time you realize what they’ve been up to, they’ve taken over your place like the roommate you found on Craigslist.

Every company today faces the threat of an IT network attack, and the threat is rising. More than 70 percent of organizations say they’ve been hit by a successful cyberattack in the past 12 months, according to the 2015 Cyberthreat Defense Report from the CyberEdge Group, and security incidents grew by 66 percent from year to year. The cybersecurity landscape is constantly evolving, and the reality is that hackers evolve faster than efforts to detect them.

Risk transparency

Companies aren’t just falling prey to highly sophisticated cybercriminals who can hack any network with ease. The truth is that companies suck at stopping cybercriminals from attacking. A recent study from the Ponemon Institute, sponsored by HP, revealed that printer security is a highly overlooked security risk. The survey included more than 2,000 IT security pros in North America, EMEA, Asia-Pacific, and Latin America. Sixty percent of respondents said that a data breach involving a network-connected printer has likely occurred, and most respondents predict a data breach resulting from insecure network-connected printers in the next 12 months.

Despite these risks, only 34 percent of respondents say their organization has a process for restricting access to high-risk printers, including printed hard-copy documents. Consequently, an average of 44 percent of network-connected printers within their organizations are insecure in terms of unauthorized access to data stored in printer mass storage, and an average of 55 percent are insecure in terms of unauthorized access to printed hard-copy documents.

The IT network apocalypse and you

In the war between hackers and their unsuspecting victims, networks represent exposed wounds—the scent of prey. Not only are most organizations unequipped to defend themselves from a network attack, but they’re also clueless whether an attack even occurred. The first step to surviving an attack on your network is to identify the existence and nature of an attack before it’s too late.

When determining whether your organization has suffered an IT network attack, there are a lot of possible symptoms, each ranging in severity. Any anomaly, anything that seems unusual, no matter how small, needs your attention to keep attacks at bay. Symptoms (from low to high severity) include:

  • Disabled antivirus software or fake antivirus messages that pop up on employee computers
  • Browser changes or new toolbars in the browser
  • Unrecognized programs
  • An employee’s contacts being spammed with emails the employee didn’t send
  • A spike in an employee’s email
  • Unusual connections: for example, if you see many high ports being accessed, sustained connections from workstations, or a workstation making odd connections to an internet address, that should sound off the alarm
  • Odd log file entries, such as successful logins in the early morning hours
  • A computer has been added to a botnet, and/or if a user can’t access websites because their password has been changed
  • Large, unknown files, data bundles
  • Slow-running internet—this sign is often ignored

Beyond the symptoms mentioned above, there are a number of critical signs that something is seriously wrong. According to security company Anturis, critical risks include if a hacker has done any of the following: logged in to a service account, obtained elevated privileges in the Active Directory, created a local account off a machine, or made changes to DNS settings.

Surviving the apocalypse

Hackers, like zombies, are tough to stop, and just when you think they’re gone, they get back up and terrorize you. You may know your network has been hacked after identifying symptoms, but that doesn’t mean you automatically know where the breach came from. Identifying the source of a breach can be expensive, not to mention time intensive, requiring experienced security analysts, a comprehensive view of IT assets, and security data analytics, according to McAfee.

Without the right security tools in place, this process can feel like finding a needle in a haystack, especially given the fact that hackers are becoming increasingly adept at disguising their tracks. As a result, continuous monitoring of your printer network is key. Monitoring comes pre-built in newer HP business printers. A runtime intrusion detection feature monitors printer memory for anomalies, including bad code, and initiates a reboot when detected—the whitelisting feature validates firmware code before allowing it to be put back into the system. The printers also feed top security information and event management (SIEM) tools, including Splunk and Arcsight, which track and analyze security.

Identifying attacks also requires a strong understanding of normal user and network behavior, to set a baseline. If you don’t know what is “normal,” then it’s that much more difficult to identify an anomaly. Tight integration between security intelligence and IT operations tools is essential because a lack of integration leads to bottlenecks and visibility barriers.

Data breaches cost organizations millions upon millions of dollars per year in direct costs. Don’t be a victim.

  • Recommended for you
  • Recommended for You