12 Days of Cryptmas: Day 12 – Twelve compromised systems
A Compromised System is defined as any computing resource whose confidentiality, integrity or availability has been adversely impacted, either intentionally or unintentionally, by an untrusted source.
A compromise can occur either through manual interaction by the untrusted source or through automation. Gaining unauthorized access to a computer by impersonating a legitimate user or by conducting a brute-force attack would constitute a compromise. Exploiting a loophole in a computer’s configuration would also constitute a compromise. Depending on the circumstances, a computer infected with a virus, worm, trojan or other malicious software may be considered a compromise.
Symptoms of a compromised computer include, but are not limited to, the following:
- Exceptionally slow network activity, disconnection from network service or unusual network traffic.
- A system alarm or similar indication from an intrusion detection tool
- Suspicious entries in system or network accounting (e.g., a UNIX user obtains privileged access without using authorized methods)
- Accounting discrepancies (e.g., someone notices an 18-minute gap in the accounting log in which there is no correlation)
- Unsuccessful logon attempts
- New user accounts of unknown origin
- Unusual log entries such as network connections to unfamiliar machines or services, login failures.
- New files of unknown origin and function
- Unexplained changes or attempt to change file sizes, check sums, date/time stamps, especially those related to system binaries or configuration files.
- Unexplained addition, deletion, or modification of data
- Denial of service activity or inability of one or more users to login to an account; including admin/root logins to the console
- System crashes
- Poor system performance – System appears to be slower than normal and less responsive than expected. (Note: Unexplained disk activity might be due to disk-related system maintenance such as disk file clean-up while the system is idle, this is completely normal.)
- Unauthorized operation of a program or the addition of a sniffer application to capture network traffic or usernames / passwords.
- Port Scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts)
- Unusual usage times (statistically, more security incidents occur during non-working hours than any other time)
- An indicated last time of usage of a account that does not correspond to the actual last time of usage for that account
- Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program)
If the symptoms stated above are occurring, the first step should always be to contact your Managed IT provider immediately.
If you think that your system has been compromised, there are a number of things that you should not do. These are:
- DO NOT disconnect the machine from the network. This will prevent the investigator from examining the attack as it occurs and collect real-time data to be used against the attacker.
- DO NOT turn the machine off or reboot unless instructed to do so by a security team member. It is possible that the processes left by an attacker may not get restarted after rebooting, which may make it more difficult for a Network Security consultant to determine the root cause of the problem.
- DO NOT launch a return attack on a suspected source as most of the real attacks spoof their identity. Return attacks cause damage and inconvenience to innocent systems that share network or system resources with the system being attacked.
- DO NOT get into a verbal or textual exchange with the suspected attacker, as the actual identity is often purposefully obscured, and your response may abuse an innocent third party.
This time of year can be stressful; Your bank account doesn’t need the added stress of giving presents to scammers. Contact our team at Netier today to discuss how we can help manage security for you.