Recommended Practices to Detect Unauthorized Access on Company Networks

Privacy and Data Security

The cyber threat landscape is continually evolving. Cybercriminals use new and sophisticated methods to gain unauthorized access to networks and steal sensitive information. They often remain hidden on a network for long periods while carrying out their activity, and may use anti-forensic techniques [1] to hide their footprints.

One of the key findings of the 2018 Cost of a Data Breach Study [2], conducted by the Ponemon Institute and sponsored by IBM Security, was that the mean time to identify a data breach was 197 days and the mean time to contain it, once identified, was 69 days. The study also showed that the faster a breach is identified, the lower the cost to the organization of rectifying the damage.

Establishing robust security measures and developing ongoing monitoring and compliance programs can be daunting for many companies, and even with the best efforts, security incidents can still occur. Companies should consider the key security measures outlined below as they plan for organizational preparedness.

Common attack vectors

Attackers and malicious software can find their way into an internal network in a number of ways: web-based exploits (e.g., SQL injection, cross-site scripting), phishing, insider threats, or insecure vendor remote access. Once in, attackers look for further weaknesses and exploit them to gain elevated privileges on the systems that store sensitive data. The most common initial attack vectors, or entry points, into networks include:

  • Unpatched systems and default configurations
  • Poorly coded web applications that do not validate or sanitize input
  • Poor network segmentation
  • Insecure vendor remote access
  • Lack of email and web browser protections
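As an added example, not part of the original article, the following Python snippet contrasts the second vector above, a web application that splices user input into a database query, with its parameterized form. The user table and the attack string are constructed for the demonstration; sqlite3 and a salted PBKDF2 hash are used only so that the block runs offline and the table contains something worth stealing.

```python
import hashlib
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user directory for the demonstration.

    Passwords are stored as salted PBKDF2 hashes (salt:hash, hex) so the
    table holds nothing that a directory lookup should ever return.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT, pw_hash TEXT)")
    for user, role, password in [("alice", "admin", "correct horse"),
                                 ("bob", "user", "hunter2")]:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, role, salt.hex() + ":" + digest.hex()))
    return conn


def search_users_vulnerable(conn, prefix):
    """Directory search that splices user input into the SQL text.

    A prefix containing a quote closes the string literal, and everything
    after it is executed as SQL (here: a UNION that pulls the hash column).
    """
    query = ("SELECT username, role FROM users "
             "WHERE username LIKE '%s%%'" % prefix)
    return conn.execute(query).fetchall()


def search_users_hardened(conn, prefix):
    """Same search with the input bound as a parameter.

    The driver sends the pattern as data, so quotes and SQL keywords in it
    are matched literally rather than parsed.  LIKE wildcards in the input
    are escaped too, so a user cannot widen the search with '%' or '_'.
    """
    pattern = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_")) + "%"
    query = ("SELECT username, role FROM users "
             "WHERE username LIKE ? ESCAPE '\\'")
    return conn.execute(query, (pattern,)).fetchall()


# Constructed attack string: closes the literal, appends a UNION that maps
# the hash column onto the "role" column, and comments out the trailing '%'.
PAYLOAD = "zzz%' UNION SELECT username, pw_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("normal search, hardened :", search_users_hardened(db, "ali"))
    print("payload, vulnerable     :", search_users_vulnerable(db, PAYLOAD))
    print("payload, hardened       :", search_users_hardened(db, PAYLOAD))
```

Run stand-alone, the vulnerable search returns every user's salt and password hash for the crafted prefix, while the hardened search returns nothing for it and still returns the expected row for an ordinary prefix. The fix is parameter binding, not input filtering; the wildcard escaping is a separate, smaller point about not letting users widen a LIKE search.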

Once inside the network, attackers elevate their privileges by taking advantage of weaknesses on the internal network. For example, they may abuse excessive permissions and the absence of access controls (e.g., a flat, unsegmented network) to move laterally; deploy malicious software through exposed ports and services running on systems; or steal administrative credentials [3]. Without robust incident response procedures, coupled with visibility into your assets, these unauthorized activities may go unnoticed indefinitely, or until law enforcement comes knocking on your door.

What organizations can do

Because networks are complex and dynamic, no single security control can prevent every attack. But organizations can and should implement a layered approach to their security controls, so that an attacker who gets past one layer still has to defeat the next, which makes malicious activity harder to carry out and more likely to be noticed.

Every company should assess its own systems and implement security controls tailored to them. Every data incident is different, and a company’s response should be tailored to the situation. Nonetheless, below are some suggested enhancements to data security.

1. Consider implementing a solution to inventory assets and resources, including where sensitive data is stored, processed and transmitted, so that you know what needs protecting. Seek to ensure the solution can identify assets and resources in real time. Protect stored data by rendering it unreadable (e.g., truncation, tokenization or hashing) or by encrypting it with strong key management procedures.

2. Consider implementing network segmentation, and restrict traffic between the segments that hold sensitive data and less trusted networks, including the Internet.

3. Consider implementing a configuration standard that includes vulnerability management, patch management, malware defenses, strong access controls, removal of excessive permissions, protection of highly privileged accounts, and encryption with robust key management procedures.

4. Consider protecting your external perimeter by identifying your network boundaries, scanning for unauthorized communications and traffic, and collecting and reviewing NetFlow (or equivalent flow) data so that unexpected outbound connections stand out.

5. Consider implementing a backup and recovery process and a business continuity program, and test restores periodically so that backups are known to work before they are needed.

6. Consider enabling, protecting and centralizing logs. Forward them to a central store that a compromised host cannot alter, since attackers commonly delete or manipulate local logs [1]. Use a security information and event management (SIEM) solution for event correlation and analysis, and tune the SIEM to limit false positives so that genuine alerts are not lost in the noise.

7. Consider performing due diligence on third parties that have access to sensitive data or remote access to your network, and require multifactor authentication for that access.

8. Consider adopting secure coding practices based on industry standards, and perform periodic vulnerability scans, penetration tests and source code reviews to identify exploitable weaknesses in your systems and applications.

9. Employ knowledgeable staff and trusted external expertise to monitor your network and logs around the clock, including staff who can perform forensic computer investigations. Develop incident escalation procedures for a suspected or confirmed data incident and test them periodically.

10. Consider implementing a security awareness and training program.
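The following Python script is an added example, not from the original article, of the kind of correlation that items 3, 4 and 6 above ask a central log store or SIEM to perform. It parses constructed sshd login records (OpenSSH's real message format, with made-up hosts, users and addresses), flags a successful login that follows a burst of failures from the same source, flags logins to privileged accounts from outside an assumed allowlist of jump hosts, and shows that the allowlist is what keeps the second rule from firing on every routine administrator session. The account names, thresholds, allowlist and log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format.  The message text is the
# real OpenSSH format; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar  3 09:14:02 db01 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 09:14:04 db01 sshd[2213]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 09:14:05 db01 sshd[2215]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  3 09:14:07 db01 sshd[2217]: Failed password for root from 203.0.113.7 port 50128 ssh2
Mar  3 09:14:09 db01 sshd[2219]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 09:14:12 db01 sshd[2221]: Accepted password for root from 203.0.113.7 port 50132 ssh2
Mar  3 09:20:41 db01 sshd[2301]: Accepted publickey for admin from 10.0.5.2 port 41002 ssh2
Mar  3 09:22:10 db01 sshd[2310]: Accepted publickey for admin from 198.51.100.9 port 41300 ssh2
Mar  3 09:30:00 db01 sshd[2400]: Failed password for bob from 10.0.8.15 port 51000 ssh2
Mar  3 09:30:20 db01 sshd[2402]: Accepted password for bob from 10.0.8.15 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

PRIVILEGED_USERS = {"root", "admin"}   # assumed set of high-privilege accounts
ADMIN_JUMP_HOSTS = {"10.0.5.2"}        # assumed allowlist of approved admin sources
FAIL_THRESHOLD = 5                     # failures that make a following success suspicious
WINDOW_SECONDS = 300                   # how far back failures are counted


def parse_line(line, year=2019):
    """Turn one sshd line into an event dict, or None for non-login lines.

    Syslog timestamps carry no year, so the caller supplies it (assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
            "ok": m["result"] == "Accepted"}


def detect(lines, jump_hosts=ADMIN_JUMP_HOSTS):
    """Correlate login events and return (rule, user, source, host) alerts."""
    alerts = []
    failures = defaultdict(list)   # (src, user) -> timestamps of recent failures
    for event in filter(None, (parse_line(line) for line in lines)):
        key = (event["src"], event["user"])
        if not event["ok"]:
            failures[key].append(event["ts"])
            continue
        # Rule 1: a success that follows a burst of failures from the same
        # source for the same account looks like password guessing that worked.
        recent = [t for t in failures[key]
                  if (event["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_success",
                           event["user"], event["src"], event["host"]))
        failures[key].clear()
        # Rule 2: a privileged account logging in from anywhere other than an
        # approved jump host.  The allowlist is the tuning knob: without it,
        # every routine admin session would fire this rule.
        if event["user"] in PRIVILEGED_USERS and event["src"] not in jump_hosts:
            alerts.append(("privileged_login_unexpected_source",
                           event["user"], event["src"], event["host"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the root session from 203.0.113.7 triggers both rules, the admin session from the allowlisted jump host is silent, and the admin session from 198.51.100.9 triggers only the second rule; bob's single failure stays below the threshold. Passing an empty allowlist adds a fourth alert for the routine admin session, which is the false positive that item 6 asks you to tune away. A real deployment would read from the central log store rather than a string, and would count failures per source across accounts as well, since password spraying spreads attempts over many users.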

These recommendations are not intended to be an exhaustive source for mitigating the risks of a data incident. Performing a comprehensive risk assessment [4] is recommended to identify gaps in your organization’s security protocols. Furthermore, organizations may want to repeat the assessment at least annually to keep pace with the changing nature of today’s network environment.

Why it matters

The increase in cyber threats, coupled with the sophistication of today’s cybercriminals, is a major concern for companies operating in a global environment. Data security incidents are ubiquitous, and it is no longer a matter of if an incident will occur, but when. Data incidents are not only disruptive and costly for organizations; they also affect customer trust, damage the company’s reputation and create the potential for regulatory enforcement and litigation. Organizations should review their environment from a data security perspective. Performing a risk assessment is a good start to identifying gaps and remediating them before your company is targeted by opportunistic attackers. Ultimately, organizations should prepare for a data security incident and implement proper procedures to quickly identify the attack, evict the attackers and recover their systems securely.

[1] Anti-forensic techniques are methods used to conceal or destroy information in order to evade detection and frustrate investigation. Examples include encryption of data and network traffic, manipulation or deletion of logs and timestamps, overwriting of metadata, and steganography.

[2] The study included interviews with more than 2,200 IT, data protection and compliance professionals from 477 companies that experienced a data breach. https://www.ibm.com/downloads/cas/861MNWN2

[3] Administrative credentials grant high privilege and can run anything on the system, domain or network to which they have access. Administrators may be local accounts on a single system or domain administrators.

[4] Manatt recommends performing an assessment based on the NIST Cybersecurity Framework or the Center for Internet Security (CIS) Controls.