Introduction to Cyber Security Incidents
When an organization's systems are compromised, the term cyber security incident is used rather than breach or hack; the terms are not interchangeable, and it is worth understanding the difference. The word incident sounds harmless, but it is never used to describe something positive. Incident is a troublesome word, and so is the term cyber security incident.
If information is threatened but not actually compromised, the event is a cyber security incident. For example, a cyber-attack that an organization successfully repels is an incident, not a breach. Events that indicate that an organization's systems or data have been compromised, or that the measures protecting those systems or data have failed, are called security incidents.
Detection of Cyber Security Incidents
There are several methods to detect security incidents.
- Privileged User Accounts Unusual Behavior: An abnormality in the behavior of a privileged user account indicates that someone may be using that account to gain unauthorized access to the network.
- Servers and Data Accessed by Unauthorized Insiders: Insiders will probe which systems and data they can reach. Users trying to access servers and data they are not authorized for, accessing data unrelated to their jobs, logging in at abnormal times or from unusual locations, or logging in from multiple locations within a short period of time are all warning signs.
- Outbound Network Traffic Abnormality: Organizations should not only worry about traffic coming into the network; they should also monitor traffic leaving their perimeter. Suspicious outbound traffic includes insiders uploading large files to personal cloud applications, copying large files to external storage devices like USB flash drives, or sending a large number of email messages with attachments outside the company.
- Traffic Sent to or Received from Unknown Locations: If an organization operates in only one country, traffic sent to other countries indicates possible malicious activity. Administrators must investigate traffic to any unknown network to confirm that it is legitimate.
- Too Much Consumption: Unusually high consumption of server memory or hard drive space indicates that an attacker may be accessing the server memory or hard drives illegally.
- Configuration Changes: Unapproved changes such as the reconfiguration of services, the installation of startup programs, or changes to the firewall are an indication of possible malicious activity. The same holds true for newly added scheduled tasks.
- Files that Are Hidden: Hidden files are considered suspicious when their filenames, sizes, or locations indicate that data or logs may be leaking.
- Changes that Are Unexpected: Unexpected changes include user account lockouts, password changes, or group membership changes.
- Abnormal Browsing Behavior: Abnormal browsing behavior includes unnecessary redirects, browser configuration changes, or pop-ups that keep repeating.
- Registry Entries that Are Suspicious: When a Windows system is infected by malware, suspicious registry entries appear; this is one of the main ways malware makes sure it remains on the infected system.
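Several of the indicators above (privileged accounts active at odd hours, one user logging in from several locations in a short window, insiders reaching data outside their area, large or foreign-bound outbound transfers, and group membership changes) can be turned into simple detection rules over authentication, file-access and egress logs. The following script is an added example, not code from the original guide: the log format, field names, thresholds, the "home country" list and the sample events are all constructed assumptions chosen to exercise each rule once.

```python
"""Toy detector for several of the incident indicators listed above, run over
constructed log lines.  Added example; the log format, field names, thresholds
and the home-country list are assumptions, not from the original guide."""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed sample events: '<timestamp> <event type> key=value ...'.
SAMPLE_LOG = """\
2024-03-01T02:14:05Z login user=svc_backup role=privileged src_country=US src_ip=10.0.4.7
2024-03-01T02:15:40Z login user=svc_backup role=privileged src_country=BR src_ip=203.0.113.9
2024-03-01T09:00:12Z login user=alice role=user src_country=US src_ip=10.0.1.22
2024-03-01T09:03:50Z file_access user=alice dept=engineering path=/finance/payroll.xlsx
2024-03-01T09:10:00Z file_access user=alice dept=engineering path=/engineering/specs.md
2024-03-01T11:20:00Z outbound user=bob dst_country=US dst=mail.example.com bytes=120000
2024-03-01T23:45:10Z outbound user=bob dst_country=XX dst=198.51.100.40 bytes=2400000000
2024-03-01T12:00:00Z account_change user=carol change=group_add group=Administrators actor=svc_backup
2024-03-01T12:30:00Z login user=alice role=user src_country=US src_ip=10.0.1.22
"""

# Assumed policy values for a single-country organization.
HOME_COUNTRIES = {"US"}
BUSINESS_HOURS = range(6, 20)           # 06:00-19:59 UTC
TRAVEL_WINDOW = timedelta(minutes=30)   # two countries within this window
OUTBOUND_BYTES_LIMIT = 1_000_000_000    # 1 GB in a single transfer


def parse_line(line: str) -> dict:
    """Turn '<ts> <type> k=v k=v ...' into a dict; ts becomes a datetime."""
    ts, kind, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "type": kind}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(log_text: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for every rule that fires, in log order."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings: list[tuple[str, str]] = []
    last_login: dict[str, tuple[datetime, str]] = {}  # user -> (ts, country)

    for e in events:
        if e["type"] == "login":
            user, country = e["user"], e["src_country"]
            # Rule 1: privileged account active outside business hours.
            if e.get("role") == "privileged" and e["ts"].hour not in BUSINESS_HOURS:
                findings.append(("privileged_off_hours", f"{user} at {e['ts']:%H:%M}Z"))
            # Rule 2: same user seen in two countries inside the travel window.
            prev = last_login.get(user)
            if prev and prev[1] != country and e["ts"] - prev[0] <= TRAVEL_WINDOW:
                findings.append(("multiple_locations", f"{user} {prev[1]}->{country}"))
            last_login[user] = (e["ts"], country)
        elif e["type"] == "file_access":
            # Rule 3: insider touching data outside their own department tree.
            if not e["path"].startswith(f"/{e['dept']}/"):
                findings.append(("unauthorized_insider_access", f"{e['user']} {e['path']}"))
        elif e["type"] == "outbound":
            # Rule 4: very large transfer, or destination outside the home countries.
            if int(e["bytes"]) > OUTBOUND_BYTES_LIMIT:
                findings.append(("large_outbound_transfer", f"{e['user']} {e['bytes']}B to {e['dst']}"))
            if e["dst_country"] not in HOME_COUNTRIES:
                findings.append(("traffic_to_unknown_location", f"{e['user']} -> {e['dst_country']}"))
        elif e["type"] == "account_change":
            # Rule 5: group membership, password and lockout changes are always reviewed.
            findings.append(("unexpected_account_change", f"{e['user']} {e['change']} by {e['actor']}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in detect(SAMPLE_LOG):
        print(f"{indicator:28} {detail}")
```

Each rule is deliberately stateless except the per-user last-login record that the multiple-locations check needs; a real deployment would feed the same logic from a SIEM with tuned thresholds and a maintained list of approved countries, and would treat each finding as a lead to investigate rather than proof of compromise.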
Attack Vectors of Cyber Security Incidents
The path or means by which a hacker gains access to a computer or network server to deliver a malicious outcome is called an attack vector. Hackers exploit system vulnerabilities by means of attack vectors. Viruses, email attachments, webpages, pop-up windows, instant messages, chat rooms, deception, etc. are all attack vectors, and hardware and programming are involved in all of these methods. An organization may have to handle any kind of incident, but its main focus should be on handling incidents that use the common attack vectors. The security incidents that use common attack vectors are:
- Removable Media or External Media: Removable media such as a CD, flash drive, or peripheral device is used to execute the attack.
- Attrition: Attrition attacks use brute force methods to compromise, degrade, or destroy networks, systems, and services.
- Web: A website or web-based application is used to execute the attack.
- Email: An email message or an attachment in the email executes the attack. The hacker tempts the recipient either to click a link that leads to an infected webpage or to open an infected attachment.
- Improper Usage: The root cause of such an incident is a user's violation of the organization's acceptable use policies.
- Malware Based on Ads: Malware based on ads is also called malvertising. The malware is embedded in advertisements on websites, and the attack is executed through those ads. Merely opening a malicious ad can inject malware into an unsecured device, and even trusted apps can be affected by malicious ads.
- Hovering of Mouse: Vulnerabilities in well-known software such as PowerPoint are exploited by mouse hovering. Shell scripts are launched automatically when a user hovers over a link rather than clicking on it.
- Scareware: Scareware persuades the user to download and purchase unwanted and potentially dangerous software by scaring him. It makes the user believe that his computer has a virus and urges him to download, and pay for, fake antivirus software to remove it. If the user downloads and executes the program, the system is infected with malware.
A breach of a system's security that affects its integrity or availability is called a cyber security incident. Typical cyber security incidents include attempts to gain unauthorized access to systems or data, unauthorized use of systems to process or store data, changes to a system's firmware, software, or hardware without the owner's consent, malicious disruption or denial of service, etc.