WarrenAlford.com

Cybersecurity and Quality Management



The Digital World of Challenges

Digital business exposes organizations to new threats and risks every day. Today's security and risk practitioners face unprecedented challenges due to the volume and velocity of digital interactions. The tools and techniques of yesterday are not consistently effective in the ever-changing digital world. Cybersecurity Ventures predicts global cybersecurity spending will exceed $1 trillion from 2017 to 2021. By 2020, more than 33% of attributable nation-state hack attacks will be perpetrated by freelance hackers. By 2019, the demand for cybersecurity professionals will increase to approximately 6 million globally. With such unprecedented growth, the cyber community is facing a unique set of challenges. Cybersecurity professionals are on the front lines of a real battle. According to the Bureau of Labor Statistics, the rate of growth for jobs in information security is projected at 37% from 2012–2022, faster than the average for all other occupations. This website provides resources for the InfoSec community, including vulnerability assessment, risk management, penetration testing, quality management, incident handling, and offensive/defensive cyber measures.

"Did you know...?"
#1 - Network breaches by cyber attackers average 160-180 days before being discovered by the victim.
#2 - Many attackers target what is considered the easiest point of attack (POA): people.
#3 - The majority of these attacks go unreported.

How can you tell if your computer has been hacked? Read the helpful information in Has Your Computer Been Hacked? below.


Has Your Computer Been Hacked?

If your system has been hacked, it will probably display one or more of the following.

On Windows machines...

High outgoing network traffic. If you notice an unusually high volume of outgoing network traffic (especially when your computer is idle), it is possible that your computer has been compromised. It may be used either to send spam or by a network worm that is replicating.

Increased disk activity or suspicious files in the root directories of any drives. After hacking into a system, many hackers run a scan for interesting files containing passwords or logins. Similarly, some worms search the disk for files containing email addresses. If you notice major disk activity while the system is idle, together with suspiciously named files in common folders, this may be an indication of a system hack or malware infection.

Large number of packets coming from a single address stopped by a personal firewall. After locating a target, hackers usually run automated probing tools which use various exploits to break into the system. If you run a personal firewall and notice an unusually high number of stopped packets coming from the same address, this is a good indication that your machine is under attack. The good news is that if your personal firewall is reporting these attacks, you are probably safe. However, depending on how many services you expose to the Internet, the personal firewall may fail to protect you against an attack directed at a specific service running on your system.

Your antivirus suddenly reports backdoors or trojans detected. Although hacker attacks can be complex and innovative, many rely on known trojans or backdoors to gain full access to a compromised system. If the resident component of your antivirus is detecting and reporting such malware, this may be an indication that your system can be accessed from outside your network perimeter.

On Unix machines...

Suspiciously named files in the /tmp folder. Many exploits in Unix rely on creating temporary files in the /tmp standard folder which are not deleted after the system hack. The same is true for some worms known to infect Unix systems; they recompile themselves in the /tmp folder and use it as their "home".

Modified system binaries such as login, telnet, ftp, finger, sshd, or ftpd. After breaking into a system, a hacker usually attempts to plant a backdoor, either in one of the daemons with direct access from the Internet or by modifying the standard system utilities used to connect to other systems. The modified binaries are usually part of a rootkit and are generally 'stealthed' against direct, simple inspection. In all cases, it is a good idea to maintain a database of checksums for every system utility and to periodically verify them with the system offline, in single-user mode.

Modified /etc/passwd, /etc/shadow, or other system files in the /etc folder. Sometimes hacker attacks add a new user to /etc/passwd which can later be used to log in remotely. Look for any suspicious usernames in the password file and monitor all additions, especially on a multi-user system.

Suspicious services added to /etc/services. Opening a backdoor in Unix is a matter of adding two lines of text. This is accomplished by modifying /etc/services and /etc/inetd.conf. Closely monitor these two files for any additions which may indicate a backdoor bound to an unused or suspicious port.
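The three Unix checks above (a checksum database for system binaries, watching for new accounts in /etc/passwd, and watching for additions to /etc/services and /etc/inetd.conf) can be scripted. The following POSIX shell script is an added example written for this page, not code from WarrenAlford.com. It assumes that sha256sum (GNU coreutils) or shasum (macOS/BSD) is installed, that the baseline files are kept somewhere the running system cannot alter (offline media or a read-only mount), and that the check is run with the system offline as the text recommends. The demo at the bottom works only on constructed files in a scratch directory and touches no real system files.

```shell
#!/bin/sh
# Added example (not from WarrenAlford.com): baseline-and-verify routines for the
# Unix indicators above. Assumes sha256sum or shasum is available and that the
# baseline lives where the running system cannot rewrite it.

# Choose a SHA-256 tool; both print "<hex>  <path>" per file.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# build_baseline FILE... : emit one "hash  path" line per regular file.
# Typical input: /bin/login /usr/sbin/sshd /usr/bin/ftp ... (or all of /bin, /sbin).
build_baseline() {
    for f in "$@"; do
        [ -f "$f" ] && sha256_tool "$f"
    done
    return 0
}

# verify_baseline BASELINE : recompute every hash and report CHANGED/MISSING paths.
# Returns 0 when everything matches, 1 when anything differs.
verify_baseline() {
    vstatus=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; vstatus=1; continue
        fi
        actual=$(sha256_tool "$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "CHANGED  $path"; vstatus=1; }
    done < "$1"
    return $vstatus
}

# new_accounts OLD_PASSWD NEW_PASSWD : usernames present in NEW but not in OLD.
new_accounts() {
    awk -F: 'NR==FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# extra_uid0 PASSWD : any account other than root that carries UID 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# new_lines OLD NEW : non-blank, non-comment lines that appear in NEW but not in OLD.
# Suited to line-oriented configs such as /etc/services and /etc/inetd.conf.
new_lines() {
    awk 'NR==FNR { seen[$0] = 1; next } NF && $0 !~ /^#/ && !($0 in seen)' "$1" "$2"
}

# Constructed demonstration in a scratch directory; no real system files are read.
demo() {
    d=$(mktemp -d)
    printf 'login-v1\n' > "$d/login"
    printf 'sshd-v1\n'  > "$d/sshd"
    build_baseline "$d/login" "$d/sshd" > "$d/baseline"
    printf 'sshd-replaced\n' > "$d/sshd"   # simulate a replaced binary
    verify_baseline "$d/baseline" || echo "baseline mismatch: investigate offline"
    rm -rf "$d"
    return 0
}

demo
```

In practice the baseline is generated once from known-good media, stored off the host, and re-run from single-user mode; a CHANGED or MISSING line for a file that was not updated by a package manager, or a username that new_accounts or extra_uid0 reports that nobody provisioned, is the signal to treat the system as compromised rather than to "clean" the file in place.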