Monitoring Network Activity For Hidden Hackers
Complacency is a risk when it comes to monitoring network activity.
While an excellent cybersecurity program includes plenty of technical defenses like email filtering, firewalls, and the timely application of software security updates, most of the day-to-day work involves monitoring network activity and watching IT infrastructure for abnormal behaviour. However, monitoring isn’t so much a solution to a specific problem as a tactic that can be applied across your entire system. This in turn raises the question “what should I pay attention to?”, and the answer is, well, everything. That may seem like a glib answer, but it’s accurate: the more places you monitor, the better your chances of noticing when something goes wrong.
But, just as adding tasks to a workflow generally means it will take longer to complete, monitoring more of your IT infrastructure means spending more time evaluating even more logs. This alone isn’t a problem, though if you’ve ever stared at a dense spreadsheet or any other screen full of data then you likely understand how it all starts to blend together into a bit of a slurry after a while.
Patience is a virtue when it comes to monitoring network activity.
Now, the reason I’m bringing this up is a recent breach at the Florida-based payment processing company Slim CD. Or rather, a breach there that was only recently revealed.
That’s actually an important difference, because what’s unique here is that it took the company almost a year to notice the breach. To be fair, we don’t have many details about exactly what happened, so we’re not going to opine on the quality of Slim CD’s cybersecurity or the competence or motivations of its personnel. People make mistakes, and even colossal mistakes that go unnoticed for years aren’t maliciously motivated (they wouldn’t be “mistakes” if they were).
To provide some context, payment processor companies around the world are required to abide by the payment card industry’s global data security standard, aka PCI-DSS, and yes, that even includes companies operating from places like Russia, Iran, and China. That means that, in theory at least, Slim CD was abiding by the relevant monitoring rules. After all, becoming PCI-DSS compliant is a fairly involved undertaking that’s neither cheap nor quick, requires verification by an external third party, and needs to be renewed annually. It’s unusual for a business to spend so much money and effort becoming compliant, only to throw away the risk and liability protections compliance grants by ignoring the essential duties it imposes. It would be like getting discounted insurance premiums for having a security system in your offices and then never turning it on; if something happens, your claim will almost certainly be denied, since the price break on your premiums was contingent on the security system being properly used. So until it’s proven otherwise, we’re going to assume Slim CD was monitoring network activity properly.
Patience can be a virtue for hackers too.
Now, for a company to claim it was unaware someone had breached its defenses for almost an entire year may understandably seem implausible at first, but consider for a moment that while noticing unusual activity is easy, detecting activity that is disguised as everyday behaviour can be much harder.
That’s because weird login activity is heavily scrutinized, so unusual activity often stands out. But what if the attacker is patient, moves slowly, and acts intelligently? If a hacker successfully gains access without being noticed, they can stay undetected by simply doing nothing, and I mean literally nothing. As long as they don’t do anything unusual enough to get your attention and just quietly watch from the background, gathering information, detection can be exceedingly difficult. Remember that most of the time attackers have a specific agenda and don’t just randomly click around a database, so it’s actually not far-fetched to think a dedicated and patient one could remain hidden for a very long time.
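To illustrate why a quiet intruder slips past the usual checks, here is an added example (not code from TRINUS or from the post) run over a constructed authentication log: a volume-based rule that looks for noisy logins sees nothing, while a rule that baselines which (user, source) pairs are normal and then looks for new pairs that keep recurring at low frequency over weeks surfaces the slow visitor. The log format and thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the post): timestamp user source result
SAMPLE_LOG = """\
2023-06-01T08:02:11 alice 10.0.0.5 ok
2023-06-01T08:05:40 bob 10.0.0.7 ok
2023-06-02T08:01:09 alice 10.0.0.5 ok
2023-06-05T09:10:00 carol 10.0.0.9 fail
2023-06-15T02:14:33 alice 203.0.113.9 ok
2023-06-20T08:03:55 bob 10.0.0.7 ok
2023-07-03T01:58:02 alice 203.0.113.9 ok
2023-07-20T02:07:45 alice 203.0.113.9 ok
2023-08-11T03:12:19 alice 203.0.113.9 ok
"""

def parse(log_text):
    """Turn the log text into (timestamp, user, source, result) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return sorted(events)

def volume_alerts(events, per_day=5):
    """Classic noisy-behaviour rule: any user with more than per_day logins in one day."""
    counts = defaultdict(int)
    for ts, user, _, result in events:
        if result == "ok":
            counts[(user, ts.date())] += 1
    return sorted(k for k, n in counts.items() if n > per_day)

def long_dwell_pairs(events, baseline_days=7, min_span_days=30, max_per_week=2):
    """Flag (user, source) pairs unseen during the baseline window that keep recurring
    for at least min_span_days while staying under max_per_week successful logins."""
    baseline_end = events[0][0] + timedelta(days=baseline_days)
    seen = defaultdict(list)
    for ts, user, src, result in events:
        if result == "ok":
            seen[(user, src)].append(ts)
    flagged = []
    for pair, times in seen.items():
        first, last = times[0], times[-1]
        if first < baseline_end or last - first < timedelta(days=min_span_days):
            continue  # known from the baseline, or not yet long-lived
        weeks = max((last - first).days / 7, 1)
        if len(times) / weeks <= max_per_week:  # quiet enough to sit below volume rules
            flagged.append((pair, first.date().isoformat(), last.date().isoformat(), len(times)))
    return flagged
```

On the sample log, `volume_alerts` returns nothing while `long_dwell_pairs` reports alice’s four off-hours logins from 203.0.113.9 spread over roughly two months.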
If you’d like to learn more about monitoring network activity and detecting hidden hackers, contact a TRINUS cybersecurity professional and we’ll be happy to help out with some stress-free IT.
This quote comes from Measure for Measure: “It is excellent to have a giant’s strength; but it is tyrannous to use it like a giant.”
Be kind to one another,
Courtesy your friendly neighbourhood cyber-man.