Skip to main content

Five early signs of data tampering

(Image credit: Image source: Shutterstock/BeeBright)

Enterprise IT departments must be constantly on the alert for suspicious network activity that could signal attempts to extrude, delete or decrypt highly sensitive data.   

Without the right tools to help there is a risk the number of data breaches, which has been growing in frequency and size over recent years, will escalate.  

Data tampering – the next big threat  

According to cybersecurity industry experts like Admiral Michael Rogers of the US Navy at the NSA and US Cyber Command a new trend called data tampering— unauthorized modification of data in critical systems such as databases containing personally identifiable information (PII) — is the latest cyber-threat to keep CIOs awake at night.    

In his view data tampering has the potential to become the biggest cybersecurity challenge for companies regardless of their size or industry, since it raises the specter that organizations will no longer be able to fully trust their own data.  

Data tampering may have a large number of root causes ranging from an act of revenge by a disgruntled employee to an attempt at industrial espionage or even a campaign by hacktivists to draw public attention to their cause by altering an organization’s data.   

Regardless of the motives, the consequences can be severe - especially if the organization operates in government, healthcare, finance or some other highly regulated sector.   

Damage to critical data, applications and systems through data tampering could cause lengthy disruption to revenue-generating business operations.  Worst case scenario it could even put people’s lives at risk.   

IT administrators need a way to spot data tampering long before it has a chance to misrepresent their employer’s intellectual property or modify a patient’s health records. 

Five early signs 

To help organizations address these threats, Netwrix has drawn up the following five early warning signs of potential data tampering to help CIOs reduce security, compliance and operational risks.   

Of course, one of these signs taken on its own need not always be cause for a major security alert.   

Nevertheless they should each serve as a good excuse to run some thorough checks to find out what’s really happening in the IT environment. 

1.  Anomalous spikes in failed activity 

Failed read attempts occur when users try to open files they do not have access to. A single failed read attempt might be accidental (for instance someone may simply have forgotten the password/login) or a disciplinary matter (for example if an unauthorized insider tries to access salary records or other confidential documents). Multiple failed logons by a single user from different endpoints, or multiple failed logon attempts by different users from a single endpoint are one indicator of a brute-force attack. Tracking unusual spikes in failed user activity will help security officers quickly investigate to determine whether the user accounts were compromised.   

2. Spikes in data access 

An excessive number of files and folders being accessed, read, modified or deleted by one person within a short period of time does need to be followed up. What was the user doing and why, and what else has he/she been doing lately? There is a high probability this will elicit evidence of insider misuse, data exfiltration or even a ransomware attack. 

3. Unusual data access activity 

Where you have several users trying to access sensitive data they have never tried to access before, or where normally inactive users are performing multiple actions within a short timeframe, this may indicate an intrusion attempt. To spot these anomalies, organizations need to keep track of who is accessing what data. To stop problems, administrators need access to detailed reports on all inactive accounts showing matters like path, status and last logon time. In this way unneeded accounts can be cleaned up to prevent their misuse in the future. In addition, access rights should be controlled, applying the least-privilege principle so that access is on a strictly need-to-know basis.   

4. Activity outside of working hours 

Mobile working has made user activity outside of working hours commonplace. Nevertheless, it remains an important insider threat indicator. IT security administrators should ask relevant managers whether the actions taken are justified (for example is an employee is on a business trip or working overtime). Left unchecked, user activity outside of business hours may pose a threat to data integrity. This is especially true for organizations that handle large volumes of highly sensitive personal data.    

5. Access to archived data 

Archive storage is a tempting target for unauthorized access (internal or external). It may contain extremely sensitive data such as personal records, intellectual property, trade secrets and financial statements. A suspiciously high number of reads or modifications of archived data is a valid reason to run a security check. The activity could signify malicious insider activity or indicate an outsider attack in progress. To mitigate the risk of data exposure or data tampering, carefully review user permissions and revoke excessive ones, so only tightly controlled group of users have access to organization’s archives. 

Organizations that lack control and awareness of what is going on across their IT environments are most at risk.    

Critical information that has been deliberately altered could impact strategic decisions and lead to both financial and reputational consequences.   

A person does not have to be an IT professional to put your organization at risk. Statistics show that regular employees are the most likely cause of data tampering.    

To address the data tampering threat and shield sensitive data from unauthorized access, organizations need to be able to quickly spot suspicious user behavior, view access anomalies and act to hold individuals to account. 

Only threat awareness and clear visibility into what is going on across all levels of IT infrastructure, free of data overload and false alarms can help companies detect unauthorized user activity in their critical systems and minimize the risk of security breaches.   

Image Credit: BeeBright / Shutterstock

Michael Fimin
Michael Fimin is CEO and co-founder of Netwrix, a provider of a visibility platform for user behavior analysis and risk mitigation that enables control over changes, configurations and access in hybrid IT environments to protect data regardless of its location.