How Do I Know if I’ve Been Hacked?

One of the biggest challenges in responding to a cyber security breach is figuring out whether an individual or organization has been hacked in the first place. It can be a bit easier for an individual, who may notice hijacked social accounts or weird new charges on a credit card, but it is trickier for businesses. Part of the challenge is that it is hard to find a time when an organization's IT infrastructure isn't under some kind of attack: according to a 2011 survey from the Ponemon Research Institute, commissioned by Juniper Networks, 90 percent of U.S.-based companies have experienced some kind of successful cyber attack.

We asked 9 IT security specialists what a new or aspiring data security specialist has to keep in mind when trying to determine whether a data breach has happened and what needs to be done once it actually has happened.

How do I know if I’ve been hacked? What can someone do once they have been compromised?

We usually work with startups and SMBs. Most of them only find they've been hacked because either the hackers themselves make it public (or try to extort them) or someone in the technical team finds suspicious activity in server logs some time after the incident. Once an organization has been compromised, it is important to assess the damage, notify the affected users/clients and get expert advice to secure their systems. Notification of third parties is where most organizations fail, since they want to avoid embarrassment; however, new laws in the US, Canada and the EU are making this step mandatory.

Roberto Arias Alegria
IT Security Specialist

The term “hacked” is a buzzword with no direct definition. Generally, it is safe to assume that you are always compromised, in some way or another. It is quite common for computers to be compromised by malware for years without any knowledge. Furthermore, user credentials may be compromised via web site or application compromise, as we’ve seen with the recent Adobe and Target breaches. As such, it’s important to change passwords and other credentials frequently. Never reuse passwords, always ensure that software is up to date, and that frequent virus scans are performed.

John Poulin
Application Security Consultant, nVisium

In most cases, it is very difficult to tell if you’ve been hacked. Most people that get hacked find out after the fact. Unless you are actively monitoring your computer’s communications and internal processes, chances are that you will not be able to tell. Long gone are the days when a virus was designed to erase a hard drive or otherwise maliciously hurt the user. Now it is about stealth and stealing data.

In the event that one discovers they are a victim of a hacker attack, all personal data should be scanned for malware and moved to a clean storage medium, and all machines the person even thinks could have been hacked should be re-imaged or restored to factory settings.

Kai Pfiester
Cyber Security Specialist, Black Cipher Security, LLC

In many cases you may never know. You have to be attuned to slight inconsistencies in how your computer is operating. For instance, whether a PC or laptop, if it is on but seems to be in a sleep mode and the fan is running high speed, you may be part of a botnet and your computer is being used by someone else to run programs without your knowledge. Most good hackers do not want you to know they have hacked you so will do everything in their power to avoid being caught. Statistically, right now, most companies do not find out they have been hacked for months or even years. Finding out your email has been hacked is pretty easy. You will likely have a friend contact you and ask about a weird message you sent.

David Willson, Esq.
Risk Management and Cyber Security Consultant

Typically people do not know they have been hacked until some kind of damage is done – this can range from a posting to Facebook that the user did not make to a drained bank account.
What do you do if you have been hacked? If you intend to prosecute you will need to have a full and complete forensics analysis performed to gather the necessary evidence. If you just want to get on with your life – wipe the hard drive and reinstall the OS from original install media. Then patch it so the bad guys do not get right back in and change your passwords.

Paul Henry
Senior Instructor, SANS Institute

Let's face it, most of us are attached to a computer so long that it becomes something like a best friend, and who doesn't know everything about their best friend? A compromised computer will start to act strangely, often with new software or toolbars in your browser window you never had before. In addition to this, malware doesn't go through an extensive QA process, so you are likely to start noticing degrading computer speed and erratic mouse and keyboard movements as it tries to inject itself further into your system and your data.

Luis Chapetti
Software Engineer and Data Scientist, Barracuda

From my experience, the first sign of being hacked is a call or email from a friend that wonders why I am spamming them. Another indicator is getting alerts from sites like PayPal or eBay that bidding or spending is occurring on my account without me doing it.
If hacked, change all passwords immediately! Contact credit card companies, cancel cards and get new ones, even if no fraudulent activity has occurred yet.

Dean Wiech
Managing Director, Tools4ever

With increasingly sophisticated malware that is evading detection by traditional, signature-based anti-virus technologies and first-generation sandboxing, it is very difficult to know if you’ve been hacked until it is too late. In fact, you may never know you were hacked. It depends on what the hacker is doing, how they are using the access to your systems and what kind of security protections you have in place. Once you’ve been compromised, report it immediately to your IT team or customer support for that device as well as any impacted financial institution or Internet service provider. There may be software updates, security tools or incident response teams to help you. In some cases, you might want to change your passwords and certainly implement added security like two-factor authentication and encryption for future protection.

Dr. Engin Kirda
Co-founder and Chief Architect, Lastline
Professor of Computer Science, Northeastern University

Generally it’s pretty easy to know if you’ve been hacked. However, it really depends on the severity of the attack. You’ll obviously receive a call from your bank’s fraud department if someone has gained access to, for instance, your credit card details or Amazon account. Another red flag to look out for is a password reset notification sent to your email or an errant two-factor authentication text message that you didn’t ask for. Finally, if activity is happening on any of your online accounts like Facebook or Twitter, including posts you haven’t made or errant “likes”, you may be lightly compromised and being used as a tool to promote whatever the account hijacker wants to promote.

If any of the above happen to you, the best course of action is to change all of your passwords across all online accounts immediately, starting with your e-mail. Turn on two-factor authentication across all services that allow it, like Facebook, Twitter, and Gmail, so that a hacker would need to have access to your mobile phone to compromise your account. Finally, be careful who you share your passwords with and be sure to never write them down!

Zach Feldman
Chief Academic Officer, New York Code + Design Academy

“Perceptions About Network Security: Survey of IT & IT security practitioners in the U.S.,” Ponemon Institute, June 2011,