TMC's Advisor

The Advisor is published by TMC

Have You Been Hacked?

Maybe you’ve completed a pen test on your network and the penetration tester was able to get in without much trouble. You’ve followed their advice to improve your security posture and you’re feeling much better about things except...the report included the following worrisome words: “This test did not assess whether you have been hacked.” Can it be true that someone has hacked you and you don’t know? Of course. Here are some DIY actions that you can take.

By Ellen Koskinen-Dodgson

Ellen Koskinen-Dodgson is President and Managing Partner of TMC IT and Telecom Consulting Inc. She is an IT and Telecommunications Management Consultant, electrical engineer, author, speaker, media resource and Expert Witness.

Historical Logs

A good first step is to check your log files on servers, networking, and security systems. If they’ve been deleted, check the date that they were deleted or stopped and then restarted. Hackers like to delete logs to cover their tracks.

If your logs were not deleted, it doesn’t mean that you were not hacked. Have a skilled person read your logs to identify suspicious activity.

Internet Traffic Reports

Review your internet traffic reports to look for traffic when there should be little or no activity or even unusual levels of traffic during normal traffic hours. Look back at least 6 months.
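The two checks above, a log that stops and later restarts and activity during hours when there should be little, can both be scripted. The following is an added example written for this article, not a tool from TMC; the log lines are constructed and the one-hour gap threshold and 22:00 to 06:00 quiet window are assumptions you would tune to your own environment:

```python
"""Spot silent stretches and off-hours entries in a timestamped log."""
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like layout; not taken from any real system.
SAMPLE_LOG = """\
2020-09-01 08:00:12 sshd[1042]: Accepted publickey for alice from 10.0.0.5
2020-09-01 08:15:40 sshd[1042]: session opened for user alice
2020-09-01 08:30:05 cron[220]: (root) CMD (run-parts /etc/cron.hourly)
2020-09-02 03:12:51 syslogd: restart
2020-09-02 03:13:02 sshd[1042]: Accepted password for admin from 203.0.113.7
2020-09-02 03:40:10 cron[220]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_timestamps(text):
    """Return a datetime for every line that starts with 'YYYY-MM-DD HH:MM:SS'."""
    stamps = []
    for line in text.splitlines():
        try:
            stamps.append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
        except ValueError:
            continue  # continuation lines or garbage carry no timestamp
    return stamps


def find_gaps(stamps, max_gap=timedelta(hours=1)):
    """Return (last_entry, first_entry_after) pairs where the log was silent
    longer than max_gap; a long silence followed by a restart line is the
    'stopped and then restarted' pattern worth investigating."""
    return [(prev, cur) for prev, cur in zip(stamps, stamps[1:]) if cur - prev > max_gap]


def off_hours_entries(stamps, quiet_start=22, quiet_end=6):
    """Return entries that fall inside the quiet window (assumed 22:00-06:00),
    i.e. activity at a time when there should be little or none."""
    return [s for s in stamps if s.hour >= quiet_start or s.hour < quiet_end]


if __name__ == "__main__":
    stamps = parse_timestamps(SAMPLE_LOG)
    for start, end in find_gaps(stamps):
        print(f"silent from {start} until {end} ({end - start})")
    for s in off_hours_entries(stamps):
        print(f"off-hours entry at {s}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; a gap that ends on a restart line deserves the same scrutiny as a deleted log.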

Quick Detection

Even with an effective security strategy, there’s no way to guarantee that you won’t get hacked. It therefore makes sense to detect intrusion as soon as possible and take quick action.

Make it your job to understand and pay attention to log files, either manually or through automated monitoring, detection, and prevention systems. This is often very difficult to do as there are so many “urgent” demands on our time.

Isolate Your Back-ups

Back up your logs and keep all of your back-ups isolated from your network, except during backup. Then if you get hacked, the hackers won’t get access to your back-ups.

DR Site

DR sites are not just to get you up and running after a fire. Some organizations keep their DR site ready to run their top business software at short notice.

With your protected backups, you could be up and running with yesterday's back-up data in very short order after you detect an intrusion.

Set Traps

Stationx CanaryTokens is a site worth exploring. Basically, you can create files that, when opened, trigger an email that the file has been opened, and from where. See https://www.stationx.net/canarytokens/

There are various ways to use CanaryTokens. Among the many options, you could arrange to be alerted if:

In all cases, you’ll increase your hit-rate if you choose an enticing name.

Despite the many options of where and how to set traps, many intruders know how to detect common traps. Happily, there are things that you can do to make your traps more difficult to detect.

If you’d like to comment on this article or explore these ideas further, contact me at .

This article was published in the October 2020 edition of The TMC Advisor
- ISSN 2369-663X Volume:7 Issue:7

©2020 TMC Consulting