Securing data is important for business, and with new legislation like GDPR coming into force soon, it’s something that must be taken seriously. It’s therefore vital that any activity which could signal attempts to steal or delete sensitive information is spotted and dealt with early.
Despite improvements in endpoint security in recent years, most experts now believe it’s a matter of when, not if, organisations suffer some form of cyber attack. Spotting the signs of an attack on data before it becomes a problem is something IT admins need to take seriously. There are five signs which should always prompt further investigation.
Although it may contain confidential information about a business and its clients, archive storage is generally given less attention than live systems. This can make it a tempting target for attackers. A sudden increase in requests to access archive information should always prompt an investigation. Access to archives should be controlled just as strictly as access to live systems.
Endpoint protection systems, from suppliers such as https://www.promisec.com/, should allow you to spot rejected logins. While one or two might be down to a forgotten or mistyped password, a large number could be evidence of a brute-force attack on your systems and therefore needs to be taken seriously.
Unauthorised file access
Attempts to read files that the user isn’t authorised to access could indicate that credentials have been compromised. Companies need to be aware of who has access to what data, and any attempts to open files that have not been used before should arouse suspicion. New accounts should always be set up using a ‘least privilege’ model to prevent unnecessary access.
Data access anomalies
If a user suddenly begins accessing or modifying many more files than usual, then this too needs investigation. It could be legitimate, but it could also indicate an insider threat or even be part of a ransomware attack.
Increasingly, detecting unauthorised access attempts relies on behavioural techniques. If a user account signs in outside of normal working hours, or from a different location, or a different device, this can be an early warning that the login credentials have been compromised. It should at least prompt a check to see that the user isn’t on a business trip or working from another office.
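The behavioural check described above, as an added example that is not part of the original article: it builds a per-user baseline from constructed sign-in records and lists the ways a new sign-in departs from it. The record layout, the function names and the one-hour tolerance are assumptions made for illustration, and each user's own observed sign-in hours stand in for "normal working hours".

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in history: (user, ISO timestamp, location, device).
HISTORY = [
    ("alice", "2018-03-05T08:55:00", "London", "LAPTOP-A1"),
    ("alice", "2018-03-06T09:10:00", "London", "LAPTOP-A1"),
    ("alice", "2018-03-07T17:40:00", "London", "LAPTOP-A1"),
    ("alice", "2018-03-08T13:05:00", "Leeds", "LAPTOP-A1"),
    ("bob", "2018-03-05T22:15:00", "London", "DESKTOP-B7"),
    ("bob", "2018-03-06T23:30:00", "London", "DESKTOP-B7"),
]


def build_baseline(history):
    """Record the hours, locations and devices each user normally signs in with."""
    baseline = defaultdict(lambda: {"hours": set(), "locations": set(), "devices": set()})
    for user, ts, location, device in history:
        profile = baseline[user]
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["locations"].add(location)
        profile["devices"].add(device)
    return baseline


def review_sign_in(baseline, user, ts, location, device, hour_slack=1):
    """Return the reasons a sign-in departs from the user's own baseline."""
    if user not in baseline:
        return ["no baseline for user"]
    profile = baseline[user]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # Compare on a 24-hour clock so 23:00 and 00:00 count as adjacent.
    if not any(min((hour - h) % 24, (h - hour) % 24) <= hour_slack for h in profile["hours"]):
        reasons.append("unusual hour")
    if location not in profile["locations"]:
        reasons.append("new location")
    if device not in profile["devices"]:
        reasons.append("new device")
    return reasons
```

Because the baseline is per user, a late-evening sign-in is normal for the constructed night-shift account and unusual for the daytime one. An empty list means nothing to review, and any reason returned is a prompt for the check the article describes, such as confirming whether the user is travelling.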