T 2.141 Undetected security incidents
A large number of incidents and errors can occur during daily IT operations in a government agency or a company. There is a risk in such cases that security incidents will not be identified as such by the personnel, and therefore that an attack or an attempted attack will remain undetected. Even if the users and administrators have been adequately trained and sensitised to the issues relating to information security, it is still possible that they will fail to recognise a security incident when one happens.
Examples of this include:
- Reductions in the capacity of the Internet connection are attributed to the poor quality of service of the Internet service provider without performing a detailed traffic analysis. However, the real cause of the loss of capacity is a compromised server in the LAN which is being used as an illegal file server and consumes bandwidth because of this.
- A message appeared on the screen of an IT application when a user logged in stating that the last time the user was logged in was on Sunday morning even though the user did not work on the weekend. This did not raise any suspicions with the user, and therefore the user did not report this incident to the person responsible for security. The fact that an attacker had gained access to the profile of the user and had determined his password never became known.
- A notebook user who had not logged in to the local network of his company or government agency for a long time assumes that the extremely slow response of his notebook when accessing the Internet, which he first noticed over a week ago, is normal and fails to notice that a Trojan horse is running on the notebook. He had not been instructed to inform the person responsible for security whenever he noticed any suspicious or unusual activity.
- A business traveller does not notice that the data stored on his notebook was secretly copied while he was in a foreign country. He did not become suspicious even though his notebook disappeared from his hotel room for a short time and then suddenly reappeared again.
- A burglary in a branch office of a company is assumed to be a case of drug-related crime because notebooks and flat-screen monitors were the only objects stolen. The fact that confidential information and access data for the systems in the Intranet were stored on the notebooks was not considered to be important, and the person responsible for security was not informed. For this reason, the company was not prepared for the subsequent attacks on the IT systems at the company's other locations and at its headquarters. The data found on the stolen notebooks was used to plan and carry out the attack.
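The second example above (a "last login" on Sunday morning that the user never reported) shows why detection should not rest on users alone. The following added example, which is not part of the original catalogue text, flags successful logins that fall outside a working-hours policy so they can be reviewed by the person responsible for security; the login records, user names and policy values are constructed for illustration.

```python
from datetime import datetime

# Constructed sample of successful-login records (not from the original document):
# one "user,ISO-timestamp" entry per line, as an authentication log might export them.
SAMPLE_LOGINS = """\
mueller,2023-03-03T09:12:00
mueller,2023-03-05T07:41:00
schmidt,2023-03-06T08:55:00
schmidt,2023-03-06T23:10:00
"""

# Hypothetical policy: normal working hours are Monday to Friday, 07:00 to 19:00.
WORK_DAYS = {0, 1, 2, 3, 4}          # datetime.weekday(): Monday == 0
WORK_START, WORK_END = 7, 19         # hours, end exclusive


def parse_logins(text):
    """Parse 'user,timestamp' lines into (user, datetime) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts = line.split(",", 1)
        events.append((user.strip(), datetime.fromisoformat(ts.strip())))
    return events


def classify_login(ts):
    """Return a reason string if the login time violates the policy, else None."""
    if ts.weekday() not in WORK_DAYS:
        return "weekend login"
    if not (WORK_START <= ts.hour < WORK_END):
        return "login outside working hours"
    return None


def find_suspicious_logins(text):
    """Return (user, ISO timestamp, reason) for every login that should be reported."""
    findings = []
    for user, ts in parse_logins(text):
        reason = classify_login(ts)
        if reason is not None:
            findings.append((user, ts.isoformat(), reason))
    return findings


if __name__ == "__main__":
    for user, when, reason in find_suspicious_logins(SAMPLE_LOGINS):
        print(f"REVIEW: {user} at {when}: {reason}")
```

In the constructed data the Sunday-morning login by "mueller" and the late-night login by "schmidt" are reported regardless of whether either user noticed anything.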