Six Steps to Recovery
It's startling when malware hits your network or an intruder gets in by cracking a password.
You've been hacked—now what?
Don't panic. The following are steps that your business can take to respond and protect itself.
1. Be Prepared
- Have a plan, and execute it. Before you install and configure any technology, plan how you will support and recover it. List the scenarios that could hurt your business (a security breach, a power outage, a hardware or software failure, and so on), define how you will resolve each one, and line up the service contracts, ongoing data backups, and other resources each will need. Communicate the plan to management and employees, and rehearse it before you need it.
- Don't have a plan? Until you do, call on professional expertise. Qualified help includes a Cisco Select Certified Partner with a Security Specialization, a Certified Information Systems Security Professional (CISSP), and a Computer Security Incident Handler (CSIH) certified by the Computer Emergency Response Team (CERT) Coordination Center.
2. Do No Harm
- Preserve business assets and evidence. Think before pulling any plugs. Don't switch off the power unless you're willing to lose data, endure downtime, and discard volatile evidence such as running processes and open network connections. Don't cut off all Internet connections if only a few devices have been attacked.
- Exhibit a calm, professional demeanor that sets the tone for rational responses.
3. Reach Out
Early on, a security breach may require external notification.
- If the incident affects your business's compliance with a regulation (such as PCI DSS, GLBA, or HIPAA), you may be required to notify regulators or affected parties and to engage a qualified security investigator (such as a CSIH or CISSP) who will direct your breach response.
- If your business wants to pursue criminal charges or recover damages, you may have to contact the cybercrime unit of local or national law enforcement, which will direct your response. Preserve the evidence investigators will need (logs, disk images, accurate time stamps) rather than wiping and rebuilding first.
4. Move Fast to Mitigate
- Quickly gather information to identify which devices have been affected and from which IP addresses. Use the diagnostic tools you already have, such as Cisco NetFlow records or other router traffic logs, firewall logs, syslog messages, and your own observations of unusual activity, including abnormally slow systems.
- Define the damage by comparing each device's configuration and data with its last known-good, uncompromised backup.
- Contain the problem by isolating the affected applications and devices. For example, if your email server is spewing spam, you could stop the mail service or block all outbound TCP port 25 traffic at your Internet gateway. If your FTP server is hosting an illicit MP3 site, you could take the FTP service offline or block inbound FTP connections.
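The first two mitigation steps, identifying affected hosts from firewall logs and checking a device against its last known-good state, are shown below as an added example; it is not code from the original article or from Cisco. The log format, the addresses, the file paths and their contents are all constructed for illustration: the sample imitates a netfilter-style syslog line, with 10.0.0.5 playing the mail server that is spewing spam and 192.0.2.99 an outside address that reached it over SSH.

```python
"""Incident triage helpers (added example, not from the original article).

Two checks from the "Move Fast to Mitigate" step:
  1. find internal hosts bursting outbound connections on a port (e.g. SMTP)
     and the external addresses that connected to a suspect host;
  2. diff a known-good file manifest against the current one.
All sample data below is constructed; the log format is made up to
resemble a netfilter syslog line and is not a real Cisco log format.
"""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample log: 10.0.0.5 (mail server) is fanning out SMTP
# connections to many external hosts; 192.0.2.99 connected into it via SSH.
SAMPLE_FW_LOG = """\
Mar  3 02:14:01 fw1 kernel: ACCEPT IN=lan OUT=wan SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=25
Mar  3 02:14:01 fw1 kernel: ACCEPT IN=lan OUT=wan SRC=10.0.0.5 DST=203.0.113.11 PROTO=TCP DPT=25
Mar  3 02:14:02 fw1 kernel: ACCEPT IN=lan OUT=wan SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=25
Mar  3 02:14:02 fw1 kernel: ACCEPT IN=lan OUT=wan SRC=10.0.0.5 DST=198.51.100.8 PROTO=TCP DPT=25
Mar  3 02:14:03 fw1 kernel: ACCEPT IN=lan OUT=wan SRC=10.0.0.5 DST=203.0.113.12 PROTO=TCP DPT=25
Mar  3 02:14:03 fw1 kernel: ACCEPT IN=lan OUT=wan SRC=10.0.0.7 DST=203.0.113.50 PROTO=TCP DPT=443
Mar  3 02:14:04 fw1 kernel: ACCEPT IN=wan OUT=lan SRC=192.0.2.99 DST=10.0.0.5 PROTO=TCP DPT=22
Mar  3 02:14:05 fw1 kernel: ACCEPT IN=wan OUT=lan SRC=192.0.2.99 DST=10.0.0.5 PROTO=TCP DPT=22
Mar  3 02:14:06 fw1 kernel: ACCEPT IN=lan OUT=wan SRC=10.0.0.9 DST=203.0.113.10 PROTO=TCP DPT=25
"""

LINE_RE = re.compile(
    r"IN=(?P<ifin>\w+) OUT=(?P<ifout>\w+) SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse_fw_log(text):
    """Return one dict per parseable line; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["dpt"] = int(d["dpt"])
            events.append(d)
    return events


def find_outbound_bursts(events, port, min_destinations):
    """Internal (lan -> wan) hosts that reached at least `min_destinations`
    distinct external addresses on `port`, mapped to those addresses."""
    dests = defaultdict(set)
    for e in events:
        if e["ifin"] == "lan" and e["ifout"] == "wan" and e["dpt"] == port:
            dests[e["src"]].add(e["dst"])
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_destinations}


def find_inbound_sources(events, target):
    """External addresses that connected into `target`, most frequent first."""
    c = Counter(e["src"] for e in events if e["ifin"] == "wan" and e["dst"] == target)
    return c.most_common()


def manifest_from_contents(files):
    """Build a {path: sha256} manifest from {path: bytes}; stands in for
    hashing files on disk (or on a mounted backup) in a real investigation."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def compare_to_baseline(baseline, current):
    """Diff two manifests. Returns (modified, added, missing), each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


# Constructed: the mail server's last-known-good files versus what is on it now
# (a cron entry was appended and a hidden script dropped).
BASELINE_FILES = {
    "/etc/postfix/main.cf": b"relayhost =\n",
    "/etc/crontab": b"0 3 * * * root /usr/local/bin/backup\n",
}
CURRENT_FILES = {
    "/etc/postfix/main.cf": b"relayhost =\n",
    "/etc/crontab": b"0 3 * * * root /usr/local/bin/backup\n* * * * * root /tmp/.x/run\n",
    "/tmp/.x/run": b"#!/bin/sh\n",
}

if __name__ == "__main__":
    evs = parse_fw_log(SAMPLE_FW_LOG)
    for host, targets in find_outbound_bursts(evs, 25, 3).items():
        print(f"{host} opened SMTP to {len(targets)} external hosts: {targets}")
        print(f"  inbound sources to {host}: {find_inbound_sources(evs, host)}")
    mod, add, miss = compare_to_baseline(
        manifest_from_contents(BASELINE_FILES), manifest_from_contents(CURRENT_FILES)
    )
    print("modified:", mod, "added:", add, "missing:", miss)
```

Run as-is, it names 10.0.0.5 as the host fanning out SMTP, lists 192.0.2.99 as the address that connected into it, and reports /etc/crontab as modified and /tmp/.x/run as added. That output is what drives the containment decision in the last step (block outbound TCP/25 from that host at the gateway, or stop the mail service) and tells you which files to replace from backup; the thresholds here are arbitrary and should be set from what normal traffic on your own network looks like.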
5. Clean Up and Restore
- Prioritize the systems to restore, based on business priorities.
- Reset passwords. Change the passwords for all affected devices, users, and applications, including the root and other administrative passwords. Lock or change the default accounts. Do this after the intruder's access has been removed, or the new credentials may be captured as well.
- Bring all software up to date with the latest patches.
- Clean the affected data and configurations by restoring them from the most recent good backup, one taken before the compromise, and tighten the security settings before exposing the system again.
- Put systems back in service, and monitor them regularly from then on. Some malware (Clampi, Conficker, and Storm, for example) can survive an incomplete clean-up, lying dormant after being "removed" and reactivating later. When in doubt, rebuild a system from known-good media rather than trusting a cleaned one.
6. Prevent Other Attacks
- Defend in depth. Protect your network continually with integrated, multilayer security technologies.
- Periodically assess your vulnerabilities with a vulnerability scanner or security audit.