7 Signs of an Attempted Data Breach— and How to Stop It in Its Tracks

Data breaches come in all shapes, sizes, and levels of exposure. They can range from a couple of log files unintentionally left available to the public to the leak of hundreds of thousands of users’ personally identifiable information (PII).

Don’t think that just because you have a secure network, a leak can’t happen to you. Many exposures occur not due to a failure in the strongest link (the network), but a failure in the weakest link (the people). Phishing, social engineering, spear-phishing, and the natural tendency of humans to trust one another—these are all areas that attackers can exploit to gain access to data they shouldn’t have access to.

In this article, we’ll outline seven ways to recognize an attempted data breach, and what you can do to stop it.

1. Phishing

You may already know the terms phishing and spear phishing. In fact, you may have been a target of just such an attack. With 76% of organizations saying they experienced phishing attacks in 2017, it’s more than likely that you (or one of your coworkers) has received a phishing or spear phishing email.

For those unaware, phishing is an attack where (most commonly) you receive an email appearing to come from a trusted institution, such as a bank or your workplace. In reality, the email is sent to you by attackers. The email will include a link to a form where you are instructed to enter PII, such as passwords, credit/bank card numbers, account numbers, etc. Once this information is provided, attackers can use it to carry out further phishing attacks, or for any other purpose.

Unfortunately, there is no technological cure for the phishing problem, only a series of treatments. Algorithms can scan emails and detect common scams, patterns of text, or hyperlink usages that are known to be used by phishers.

Avoiding phishing requires critical thinking on behalf of every single user. User education can help. For example, check to see if URLs look legitimate and search the web to see if phrases from suspicious emails are known to be used in phishing scams. Set up alerts and reminders to prompt mindfulness. Education will reduce the number of phishing compromised events, but because phishing relies on exploiting human weaknesses, it will never eliminate them.

Despite the inability to solve phishing completely, it is nonetheless important to be aware of it, as phishing can and does lead to compromises with catastrophic results. Similarly, it is absolutely critical to understand that phishers will eventually succeed. You should be able to detect when they have succeeded and should have an incident response plan in place.

2. Spear Phishing

Spear phishing is an evolution of the basic phishing attack. It is similar in that a fraudulent email or other message is created to dupe you into giving away information, but different because spear phishing targets a specific person. The message uses previously obtained PII to make it seem more authentic and increase the chances of success.

Unfortunately, as spear phishing is merely a more targeted form of phishing, there are no technical solutions which can completely eliminate it. Rather, the only way to counteract this type of attack is to be aware of the problem.

Don’t respond to any email asking for PII of any kind, unless you have been directly notified by a trusted source that such an email is incoming. Regularly examine router or proxy logs. Do there seem to be a lot of connections out to strange domains, especially ones that look almost, but not quite, like yours?

Are there a lot of very long URLs being accessed, or URLs with IP addresses in them? Those are some immediately obvious signs of phishing attacks, and you may wish to initiate breach containment procedures if you have them.

3. Social Engineering

Social engineering is the use of deception to convince people to share personal information, and it’s what enables attackers to forge emails like those mentioned above. In this case, our major weakness as humans is that we trust each other, which makes it all too easy for an attacker, posing as a legitimate contractor, technical support agent, etc. to obtain sensitive information from employees. Remember in the introduction, where we said that attacks can come not from a failure in the network, but a failure in the people? This is failing.

It is, therefore, paramount that authentication, authorization, and accounting (AAA) mechanisms are employed to verify not only the actions being performed, but by whom, and under what circumstances. This can be implemented on all major company systems, including web and database servers, routers, switches, employee computers, etc. In addition, segregating network access of contractors and temporary visitors to company property can permit tighter controls on what they can do, and what they can get others to do for them, reducing the attack surface.

4. Rogue Wi-Fi

This one is so simple that it’s easy to overlook, yet it’s important enough to be a key point of attack: Wi-Fi. Is the network you are connecting to actually the real office network, or is it a man-in-the-middle copy?

Setting copies up is all too easy for attackers, and can reveal a wealth of information about network activities, especially if insecure protocols (such as HTTP) are used. Setting up a rogue Wi-Fi access point is easy too, with devices the size and shape of a cell phone available at a minimal price, so it’s imperative that measures are taken to secure your network from such attacks

There are a couple of things that can be done to mitigate this, including hard-wiring sensitive systems (where available), using BSSID enforcement (when possible), and most of all, using a VPN to a known-secure server for anything you would not want leaked (which should be everything).

5. Login Oddities

One of the key signs of a breach or attempted breach is a stream of logins from odd locations or with nonstandard usernames. Most intrusion protection systems can catch this if configured correctly, so make sure that you have a security analytics system place. One thing to check for is the presence of odd usernames, such as “test,” “guest,” “admin,” “helper,” etc. in your authentication logs, especially if coming at odd times of day, or from unexpected locations.

If configured correctly, your systems should be able to ban the IP addresses from which these logins originate—but not always. Keeping a close eye (or monitoring program) on such logs is important. Change passwords regularly, and fully deactivate any accounts of employees or contractors who no longer need them, as those are the types of accounts attackers will try to exploit, with amazing success most of the time.

Another defense against login oddities, when combined with monitoring of logs, is “geoblocking,” the process of only allowing logins from a preset number of locations. Most cloud service providers support this, so make sure it is enabled. This should reduce the attack surface significantly, requiring an attacker to be onsite or at least nearby, thus dramatically increasing their chances of failure or discovery.

6. The Internet of Things

Now we get to the really nasty stuff—the devices you would never consider, like your printer, your smart lighting system, or your projector. Yes, we’re moving on to the Internet of Things (IoT).

Is your printer telling you to follow people on YouTube, for example? Are its lights changing color? You definitely have an IoT attack on your hands, and depending on whether you follow the “segregate everything” rule (see below), you might have a very large, very wide-ranging security failure. It is all too easy for an attacker to exploit a 10-year-old Linux kernel vulnerability in your fancy new printer. At that point, all your security measures become effectively worthless.

There is only one rule with IoT, and everyone should follow it: segregate. Put all IoT gear on its own VLAN, and dramatically restrict what it can talk to, and how. IoT is far too dangerous in a business environment to leave in its default configuration—so don’t. For example, make absolutely sure that none of your devices are broadcasting insecure wireless networks, as many printers and wireless projectors do. If you must implement IoT, test it and then test it again—and still don’t trust it.

7. SQL Injection Attacks and Other Input Validation Fun

The final method we will discuss is simple, but can become very bad very quickly. Attackers love networks without input validation. What happens, say, if someone types “; select password from employees where domain_username like %admin%;”? Oh dear, an attacker now has your domain admin password.

That’s an extreme example, but it’s an entirely valid one, and it shows the depth of disclosure that can occur if the input to things like search fields, data entry forms, etc. are not checked for validity. This is another instance where logging and alarming can be valuable.

Do you see semicolons and quotes in a search box? For most applications, this is not normal, so perhaps ban that IP for 25 minutes to give yourself some time to figure out what’s going on. SQL statements in a first name box? That’s downright bizarre, so perhaps lockout that IP and return a failure message.

Input validation is all too easy to get wrong though, so check everything. Sanity check all input, both client- and server-side. A search box should be able to search, but not search everything.

Conclusion

Security breaches can originate in many different forms, so it’s important that a multi-layered system is set up to protect your data and employees. Hopefully, this will allow you to avoid the embarrassing and potentially catastrophic consequences of a major data breach.

Educate your employees on how to spot phishing emails. Require multi-step authentication for contractors and anyone claiming to be in any position of power. Monitor all logs for suspicious activity. Validate everything.

Logz.io can help, as looking through logs is what Logz.io does.