If you’re being attacked, it’s critical that you know you’re under attack. Skilled hackers often go to great lengths to cover their tracks. The best hack in the world is the one you never find out about: if an attacker can make off with all your customers’ credit card numbers without you ever knowing, that’s a huge win for them.
It’s entirely possible to have a significant breach without knowing you’ve been breached. Intrusion detection is the art and skill of monitoring for potential computer security threats. You need to have good intrusion detection policies to ensure that if something is going on, you’ll know about it.
These are some of the most common things you’ll want to look out for.
==> Port Scanning
If someone is going to try to breach your server’s security, one of the most common first steps they’ll take is to scan your ports.
Think of this like a robber who walks around your house checking the locks on your windows and doors. They’re trying to figure out what’s secured and what’s not.
If someone’s scanning your ports, there’s a decent chance that they’ll attempt something else in the near future.
==> A User Does Something He’s Not Supposed To
If an ordinary user suddenly logs into the admin area, alarm bells should go off. If someone who’s not logged in accesses something only a logged-in user is supposed to see, that’s a red flag. If you notice your database being queried in ways that the application’s user accounts should never be able to perform, you may be facing a SQL injection or another type of intrusion.
==> Payment Processing Anomalies
If you’re noticing anomalies in your payment processing, pay close attention. Did ten separate accounts and credit cards all order products to be sent to the same address? There’s a good chance someone’s using stolen credit cards to try to round up goods from your site.
==> Automated Monitoring Tools
Your web logs should be monitored both by automated tools and by a trained sysadmin. Automated tools apply rules and baselines across your various logs to detect whether something unusual is going on, and when they find something, they alert your sysadmin.
Your sysadmin should also be able to visually scan logs and figure out if something strange is going on.
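As an added example (not part of the original article), here are two small log-review rules of the kind an automated tool would run: one flags a port scan (a single source touching many distinct ports, from the "Port Scanning" section above) and one flags the admin area being served to someone who is not logged in (from the "A User Does Something He’s Not Supposed To" section). The two log samples are constructed, their formats are simplified, and the threshold of 8 ports is an assumption rather than any vendor’s default.

```python
import re
from collections import defaultdict

# Constructed firewall-style connection log: time, source IP, destination port.
CONN_LOG = """\
10:00:01 src=203.0.113.5 dport=443
10:00:02 src=203.0.113.5 dport=80
10:00:03 src=198.51.100.9 dport=21
10:00:03 src=198.51.100.9 dport=22
10:00:03 src=198.51.100.9 dport=23
10:00:04 src=198.51.100.9 dport=25
10:00:04 src=198.51.100.9 dport=80
10:00:04 src=198.51.100.9 dport=110
10:00:05 src=198.51.100.9 dport=443
10:00:05 src=198.51.100.9 dport=3306
10:00:06 src=198.51.100.9 dport=8080
"""

# Constructed web access log: client IP, logged-in user ("-" = anonymous), path, HTTP status.
ACCESS_LOG = """\
203.0.113.5 alice /account 200
203.0.113.5 alice /admin/users 403
198.51.100.9 - /admin/users 200
198.51.100.9 - /products 200
"""

CONN_RE = re.compile(r"src=(\S+) dport=(\d+)")

def port_scan_sources(log: str, min_ports: int = 8) -> dict:
    """Return {source_ip: sorted distinct ports} for every source that touched
    at least min_ports distinct ports; that spread is the log-level signature of a scan."""
    ports = defaultdict(set)
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

def unauthenticated_admin_hits(log: str, admin_prefix: str = "/admin/") -> list:
    """Return (ip, path) for admin-area requests answered 2xx to an anonymous client.
    A 403 to a logged-in non-admin is the app doing its job; a 200 to '-' is the red flag."""
    hits = []
    for line in log.splitlines():
        ip, user, path, status = line.split()
        if user == "-" and path.startswith(admin_prefix) and status.startswith("2"):
            hits.append((ip, path))
    return hits
```

Run against the samples, `port_scan_sources(CONN_LOG)` reports only 198.51.100.9 and `unauthenticated_admin_hits(ACCESS_LOG)` reports the one anonymous hit on /admin/users; the normal client and the correctly refused 403 are left alone.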
==> What to Do When You Detect Something
Having these logs on hand can help you in a number of ways.
If you have definitive proof of malicious action, you can get the authorities involved. You can begin tracking down hackers for litigation or potentially criminal prosecution.
You can also figure out a more precise plan of action. If you know how attackers are trying to gain access to your system, you can begin to protect yourself.