When should an organisation raise a security alarm?
Internet security solutions firm McAfee says it should do so when someone is trying to log in at odd hours, when a system is re-infected within minutes of being cleansed of malware, or when an ID is trying to log in to the network from multiple points.
McAfee, now part of Intel Security, has come out with a list of some typical signals that indicate a possible compromise, intrusion or attack on computer networks in organisations. In its latest report ‘When Minutes Count’, the firm lists the eight most common attacks that watchful organisations track and neutralise.
Here are some of the signals.
Alerts that occur outside standard business operating hours (at night or on weekends) signal a compromised host. Off-hour presence of malware indicates determined attacks, the report points out.
If a system is re-infected with malware within five minutes after cleansing, it signals the presence of a rootkit or persistent compromise.
If a user account is trying to log in to multiple resources within a few minutes from or to different regions, it shows that the user’s credentials have been stolen or that a user is up to some mischief.
Internal hosts communicating with known bad destinations, or with a foreign country where organisations don’t conduct business, is one of the commonest attacks, the report said.
“Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures, indicate a problem,” the report warns.
The report assessed the preparedness of different organisations “to detect and deflect targeted attacks”.
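Three of the signals above (re-infection within five minutes of cleansing, one account logging in from different regions within a few minutes, and malware alerts outside business hours) can be expressed as simple correlation rules. The sketch below is an added example, not code from the report or from McAfee; the event names, the sample events, the 10-minute login window and the 09:00-18:00 weekday business hours are all assumptions.

```python
from datetime import datetime, timedelta

REINFECT_WINDOW = timedelta(minutes=5)   # threshold stated in the article
LOGIN_WINDOW = timedelta(minutes=10)     # assumption for "within a few minutes"
BUSINESS_HOURS = range(9, 18)            # assumption: 09:00-17:59, Monday to Friday

# Constructed sample events: (timestamp, kind, host, user, region)
EVENTS = [
    ("2014-10-06 10:00:00", "malware_cleaned", "ws-17", None, None),
    ("2014-10-06 10:03:30", "malware_detected", "ws-17", None, None),
    ("2014-10-06 11:00:00", "login", "vpn-1", "asmith", "IN"),
    ("2014-10-06 11:04:00", "login", "mail-1", "asmith", "BR"),
    ("2014-10-06 14:00:00", "login", "vpn-1", "bjones", "IN"),
    ("2014-10-06 14:02:00", "login", "files-1", "bjones", "IN"),
    ("2014-10-11 02:15:00", "malware_detected", "db-02", None, None),
]

def detect(events):
    """Return (signal, subject) findings in chronological order."""
    parsed = sorted(
        ((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), k, h, u, r)
         for t, k, h, u, r in events),
        key=lambda e: e[0],
    )
    findings = []
    last_clean = {}   # host -> time the host was last cleansed
    last_login = {}   # user -> (time, region) of the previous login
    for ts, kind, host, user, region in parsed:
        if kind == "malware_cleaned":
            last_clean[host] = ts
        elif kind == "malware_detected":
            cleaned = last_clean.get(host)
            if cleaned is not None and ts - cleaned <= REINFECT_WINDOW:
                findings.append(("reinfection", host))
            if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
                findings.append(("off_hours_alert", host))
        elif kind == "login":
            prev = last_login.get(user)
            if prev and ts - prev[0] <= LOGIN_WINDOW and prev[1] != region:
                findings.append(("multi_region_login", user))
            last_login[user] = (ts, region)
    return findings

if __name__ == "__main__":
    for signal, subject in detect(EVENTS):
        print(signal, subject)
```
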