The Obvious And The Invisible

Risk Management - Digital Preservation

When we talk to people who are new to Cyber Security (C/S), they tend to assume that all C/S attacks are obvious. Some are. Others are not.

A Denial of Service attack is disruptive. It is the cyber equivalent of filling up your front door and hallways and offices with mannequins: dummy people who get in the way of you trying to do work. Of course you notice that you can't access your website. The point is the disruption.

A Ransomware attack is unmistakable. It is the cyber equivalent of changing all the locks on your premises. You can't get in until you pay for the new key. Of course you notice that you can't access your data. The point is the lack of access--and the chance to pay to have that access restored.

But what of the humble network intrusion? It is the cyber equivalent of someone finding a side door that doesn't latch properly or a window whose lock is broken. Whoever finds it can enter your offices and roam around at night, looking at whatever is left lying around. So long as the intruder is careful, weeks, months or even years may pass before you notice something missing or moved, or notice enough things missing or moved to convince you that you have an intruder.

The Cyber Attack sins range from unauthorized access to data, through unauthorized modification of data, to unauthorized destruction of data (security people call these the confidentiality, integrity and availability of the data). Would having someone living in your attic be that bad? Why would anyone want to look at your data anyway?

In the best case, your intruder is a thrill-seeker who just wants the bragging rights that come along with breaching your system. But you cannot count on that, for two reasons. First, one of the issues with thrill-seeking behavior is that it tends to escalate. What starts as a lark may turn into blackmail or identity theft. Second, once the thrill-seeker gets bored, they may pass along their recipe for breaking your security to others, until finally one of the others is not a thrill-seeker but a professional criminal.

To us, C/S is part of Risk Management. In Risk Management, you have to choose your battles. You cannot possibly prepare for every contingency. Since you are a business, you can only afford so much preparation, so you have to consider cost. Risks worth managing are either so likely that you would be foolish not to prepare for them (hardware getting out of date) or so severe that you would be foolish not to prepare for them (power outages, data loss). A third class is cheap enough to guard against, and severe enough in its consequences, that managing it is simply good value. Intrusion is in that class.

Generally, you detect intrusion by checking your network hardware's logs. You are looking for two different kinds of activity: outright suspicious activity (attempts to get into your system from outside computers you don't recognize) and normal activity that is abnormal in its circumstances (a day-shift account logging in at 3am, or the same person logged in twice at the same time from two different places). The second kind only stands out if you know what normal looks like, which is why the checking has to be a habit rather than a one-off.

Most cable modems, access points, firewalls, etc. have such logging: turn it on. Then check it. Every day. Learn what is normal for your network and what is not. Look into what is odd. Two cautions: the built-in log on a small device is usually a short buffer that overwrites itself within hours or days, and anyone who gets into the device can clear it. If the device can send its log to another machine (most can, via syslog), do that and keep the copies.
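What "checking the logs" for those two kinds of activity looks like once it is written down, as an added example (not code from the original post): it reads a day of constructed syslog-style login records from an imagined firewall, and flags failed logins from outside hosts, logins outside an account's expected hours, and one account logged in from two places at once. The log format, the office network range, the account roster and the shift hours are all assumptions made for the example.

```python
"""Daily log triage for the two kinds of activity the post describes:
outright suspicious activity (login attempts from unrecognized outside hosts)
and normal activity at an abnormal time or place (a day-shift account at 3am,
one person logged in twice at once).  Added example, not from the original
post; the log format, account roster, office network range and shift hours
below are all constructed assumptions."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample: syslog-style auth records as a small firewall or VPN
# appliance might emit them (assumed format, not a real vendor's).
SAMPLE_LOG = """\
2024-03-04T08:02:11 auth: user=alice result=success src=10.0.0.12 event=login
2024-03-04T08:05:40 auth: user=bob result=success src=10.0.0.27 event=login
2024-03-04T09:14:03 auth: user=admin result=failure src=203.0.113.45 event=login
2024-03-04T09:14:07 auth: user=admin result=failure src=203.0.113.45 event=login
2024-03-04T09:14:12 auth: user=root result=failure src=203.0.113.45 event=login
2024-03-04T12:30:00 auth: user=alice result=success src=198.51.100.8 event=login
2024-03-04T17:01:55 auth: user=alice result=success src=10.0.0.12 event=logout
2024-03-04T17:02:10 auth: user=alice result=success src=198.51.100.8 event=logout
2024-03-04T17:30:00 auth: user=bob result=success src=10.0.0.27 event=logout
2024-03-05T03:07:44 auth: user=bob result=success src=10.0.0.27 event=login
2024-03-05T03:45:10 auth: user=bob result=success src=10.0.0.27 event=logout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)

# Assumed baseline: what "normal" looks like for this network.
OFFICE_NET = ip_network("10.0.0.0/24")          # hosts we recognize
SHIFT_HOURS = {"alice": (time(7), time(19)),    # expected login window per account
               "bob": (time(7), time(19))}


@dataclass(frozen=True)
class Finding:
    kind: str     # "off-hours-login", "concurrent-login" or "external-failed-logins"
    subject: str  # the account or the source address concerned
    detail: str


def parse_records(log_text):
    """Yield (timestamp, user, result, src, event) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines deserve a look too, but not here
        d = m.groupdict()
        yield (datetime.fromisoformat(d["ts"]), d["user"], d["result"],
               d["src"], d["event"])


def in_shift(user, ts):
    """True if the login time falls inside the account's expected window."""
    window = SHIFT_HOURS.get(user)
    if window is None:
        return True  # no baseline for this account, so nothing to compare against
    start, end = window
    return start <= ts.time() < end


def triage(log_text):
    """Return the findings a daily review should surface, in log order,
    followed by one aggregated finding per outside host that failed to log in."""
    findings = []
    open_sessions = defaultdict(set)          # user -> sources with a live session
    external_failures = defaultdict(Counter)  # src -> usernames tried, with counts

    for ts, user, result, src, event in parse_records(log_text):
        outside = ip_address(src) not in OFFICE_NET

        if result == "failure":
            if outside:
                external_failures[src][user] += 1
            continue

        if event == "login":
            if not in_shift(user, ts):
                findings.append(Finding("off-hours-login", user,
                                        f"{ts.isoformat()} from {src}"))
            others = open_sessions[user] - {src}
            if others:
                findings.append(Finding("concurrent-login", user,
                                        f"{src} while still logged in from {sorted(others)[0]}"))
            open_sessions[user].add(src)
        elif event == "logout":
            open_sessions[user].discard(src)

    for src, tried in sorted(external_failures.items()):
        n = sum(tried.values())
        findings.append(Finding("external-failed-logins", src,
                                f"{n} attempts against {', '.join(sorted(tried))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.subject:16} {f.detail}")
```

On the sample it surfaces alice's second session from an outside address while her office session is still open, bob's 3am login, and one host on the internet that tried three times against two administrative account names. The point is the baseline: the off-hours and concurrent-login checks only work because someone wrote down who is expected to log in, from where, and when.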

Is this boring? You bet it is. Checking logs is the dullest part of my day. Does it pay dividends? Rarely, but those dividends are often huge. And the more frequent, smaller dividends matter too. Old machines you forgot to decommission, wasting your resources trying to do jobs no one wants done any more. New machines doing things out of the box that no one remembered to disable.

Living in a world with clean logs means that when something odd or malicious happens it is obvious, because the logs are not clogged up with "normal" errors. That is the other reason to look into the oddities: every recurring benign error you fix or filter out makes the next real one easier to see.

Not all C/S attacks are deliberate. Not all C/S attacks are obvious. But you don't know things are OK unless you check.

For more about this topic, check out our video on our YouTube channel.
