Know the Signs
Posted on Thursday, August 10, 2017
It’s often difficult to determine if you have an Information Technology (IT) security incident on your hands. Unusual or suspicious events on your system could indicate a technical problem with the system configuration, an untested application program, a hardware failure, or simply user error.
Play it safe. Consult your IT support or Information Systems Security Officer (ISSO) for assistance. Or contact the Canadian Forces Network Operations Centre (CFNOC) +CFNOC@ADM(IM) CFNOC@Ottawa-Hull or 613-945-7777.
What are some of the things I should watch out for?
Any or all of the following signs could tell you that your system has been compromised.
• Suspicious entries in system or network accounting (e.g., a UNIX user obtaining root access without going through the normal process necessary to obtain this access)
• Unexplained new files or unfamiliar file names
• Unexplained modifications to file lengths and/or dates, especially in system executable files
• Unexplained modification or deletion of data
• Inability to log in to your account
• System crashes
• Poor system performance
• “Door knob rattling” (e.g., use of attack scanners, remote requests for information about systems and/or users, or social engineering attempts)
• Changes to your system hardware or software configuration without your knowledge, instruction, or consent
• An indicated last time of usage that does not agree with your actual time of prior usage
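Several of these signs (unexplained new files, changed file lengths or dates in system executables) can be checked mechanically against a baseline. The script below is an added example, not part of this notice: it records size, modification time and SHA-256 for every file under a directory and compares a later snapshot against it. The sample tree and the changes made to it are constructed in a temporary directory; in practice the baseline would be taken from a known-good system and stored off the host.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Record size, mtime and SHA-256 of every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mtime": st.st_mtime,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return baseline


def compare(old, new):
    """Return the signs named above: new, missing and changed files."""
    modified = {}
    for rel in sorted(old.keys() & new.keys()):
        reasons = [k for k in ("sha256", "size", "mtime") if old[rel][k] != new[rel][k]]
        if reasons:
            modified[rel] = reasons
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": modified,
    }


def demo():
    """Constructed sample: a fake bin/ tree, then the kinds of change to look for."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "sh").write_bytes(b"original sh binary")
        before = snapshot(root)  # would be taken on a known-good system
        # 1. executable content (and therefore length) changed
        (root / "bin" / "ls").write_bytes(b"original ls binary plus extra code")
        # 2. only the date changed: same bytes, different timestamp
        os.utime(root / "bin" / "sh", (0, 0))
        # 3. an unfamiliar new file appeared
        (root / "bin" / ".hidden").write_bytes(b"unexpected")
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Any hit is a prompt to gather the evidence and report it, not proof of compromise on its own: legitimate patching changes these values too, so the baseline must be refreshed after each authorized change.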
What information should I report? How should I report it?
Gather as much information about the incident as possible, including any supporting evidence, such as system audit logs. You can use the IS Security Incident Handling Form as a guide. Submit the report to +CFNOC@ADM(IM) CFNOC@Ottawa-Hull and your local ISSO and Help Desk.
At a minimum, include the following information when reporting an incident:
• How to contact you (name, work address, telephone and fax numbers, e-mail address)
• Location, time, and date of the incident
• A summary of the systems affected (include, if possible, names and numbers of hosts and Internet Protocol (IP) addresses)
• A sufficiently detailed description of the activity you are reporting, to give us an idea of what’s happened
When should I report an incident?
If possible, report an incident as soon as you discover something has happened. Information associated with IT security incidents tends to fade quickly with time (log files roll over, etc.). But even if the incident is somewhat dated, we encourage you to report it in case other sites may have been involved and people are unaware of the incident.
Why should I report?
• We can help you determine whether your problem is in fact an IT security incident.
• We can provide technical assistance to help you resolve the incident.
• We may be able to correlate activities at your site with activities at other sites to determine trends.
• Your data will help us collect, analyze, and report statistics on Department of National Defence (DND) incidents, which will help us determine threat and risk information.
• We can notify users at other sites that they may have been the source, intermediary, or target of an attack.