Wednesday, December 3 2008
© 2008 Online Security
All rights reserved.
Forum : Technical

Posted: 04/22/2004
Intruder Alert: What To Do When You Have Been Hacked.

As noted in the press, information attacks against businesses and institutions are steadily increasing. One only needs to watch CNN or read the local newspaper to find out about the most recent attacks (viral and direct hacking) against organizations. The increase in the frequency of attacks has been coupled with an increase in the level of sophistication of attacks.

So it is possible that even the most diligent IT staff will have trouble protecting their organization against all information intrusions. Given that some types of penetrations or attempted penetrations are likely to occur, it is best to be prepared in case such an incident happens. Here are six steps to help any organization prepare.

1. Have a plan. When computer intrusions occur, it's always best to have a tested plan in place that details a prescribed course of action.

Since a potential security breach can be detected by anyone in the organization, it is important the key contact information for the response team is well known throughout the organization. It is also important that you develop a protocol that is not dependent on any one person because that person may be absent or unavailable at the time of the incident. Just like fire drills, incident response plans need to be tested to ensure that the process you have put in place actually works.

2. Determine the Extent of the Exposure. Determine the machines that have been breached and catalog the digital assets that are stored on those machines.

Once this has been done, it is time to assess the organization's exposure due to the breach. Just as many companies have an emergency response team, so too should the company assemble an incident response team that is current on the issues associated with an information security breach. While not all team members may need to be present to do an assessment, the full team should include representatives from all key areas of the organization. This will certainly include IT and legal but may also include representatives from the intellectual property group, finance, contracts, engineering, human resources and any other group directly affected by the security breach.

It is important that designated representatives in each of these groups be known, available, and empowered to address the necessary business issues associated with their areas of responsibility.

It is important to discover the extent of the exposure and whether or not there are any immediate legal or contractual requirements associated with the machine and its function. Remember, security breaches are not just an IT problem, they are a business problem.

3. Preserve Evidence. If the machine does not provide critical services, consider removing it from the network. Any mission critical machine should always have a hot spare ready. Move the backup version or restore a clone from backup media into production only after applying the most up-to-date security patches.

When removing the machine from the network, unplug the network cable, but do not turn off the power to the machine. In order to do a proper forensic analysis, it's important to preserve the state of the computer's memory, including what programs were running on the computer and which other computers it was talking to. Turning off the power can result in a loss of this data, which can be crucial both in determining the extent of the damage and in tracking down suspects.
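The state that step 3 says is lost at power-off (running programs, live network connections, logged-in users) can be recorded before the machine is isolated. The script below is an added example written for this page; it is not part of the original article or of Online Security's toolkit. It assumes a Linux host where ps, ss, who and ip are installed; the command list, the field names and the output file name are choices made here, not anything the article prescribes. Each command's output is hashed so the snapshot can later be shown to be unchanged, and a command that fails is recorded rather than aborting, so the remaining evidence is still collected.

```python
"""Volatile-state snapshot of a suspected compromised host (added example)."""
import hashlib
import json
import platform
import subprocess
from datetime import datetime, timezone

# Ordered by volatility: the most transient state is captured first.
# Assumption: a Linux host with these tools present; substitute the
# equivalents for other platforms.
VOLATILE_COMMANDS = [
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("network_connections", ["ss", "-tunap"]),
    ("logged_in_users", ["who", "-a"]),
    ("routing_table", ["ip", "route"]),
]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used to fix each captured output."""
    return hashlib.sha256(data).hexdigest()


def run_command(argv):
    """Default runner: execute argv, return (exit_code, stdout bytes).

    A missing tool or a hang is reported as exit code -1 with the error
    text as output, so the caller can keep going.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        return proc.returncode, proc.stdout
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return -1, str(exc).encode()


def collect_volatile_state(commands=VOLATILE_COMMANDS, runner=run_command, host=None):
    """Run each command in order, recording output, its hash and the time.

    A failing command becomes an error entry instead of stopping the run:
    partial evidence is still evidence, and later commands must still execute.
    The runner is injectable so the logic can be tested without a live host.
    """
    snapshot = {
        "host": host or platform.node(),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": [],
    }
    for name, argv in commands:
        code, output = runner(argv)
        snapshot["entries"].append({
            "name": name,
            "command": " ".join(argv),
            "exit_code": code,
            "sha256": sha256_hex(output),
            "output": output.decode("utf-8", errors="replace"),
        })
    return snapshot


def write_snapshot(snapshot, path):
    """Write the snapshot as JSON and return the hash of the written file.

    Record that hash separately (for example in the incident log) so the
    file's integrity can be checked when it is handed to investigators.
    """
    body = json.dumps(snapshot, indent=2, sort_keys=True).encode()
    with open(path, "wb") as fh:
        fh.write(body)
    return sha256_hex(body)


if __name__ == "__main__":
    snap = collect_volatile_state()
    print(write_snapshot(snap, "volatile_snapshot.json"))
```

Run it from removable media as the first action on the suspect host, before the network cable is unplugged, and write the output to that same media rather than to the host's own disk, so the machine's filesystem is disturbed as little as possible.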

4. Determine any Applicable Regulations. Depending on the legal regulations in your industry and the type of breach, your organization may be required to file an official response. Please consult your compliance officer to see how you may be affected.

For organizations that do business in California or have customers in California (vaguely defined to include most companies), Senate Bill 1386 requires the disclosure of any breach or suspected breach of information security. Failure to comply with this law may put your business at risk from a civil standpoint.

5. Call in the Experts Where Needed. Many firms do not have the resources, assets or size to have dedicated personnel available to handle all security issues. In such cases it's important to employ a reputable security firm. Even if you have a security team in house, you may wish to consult a security firm for specialized forensics and investigation expertise. In most cases these firms have the specific incident response domain knowledge and they can work closely with your IT team as they investigate the incident.

Depending on whose statistics you use, between 65 and 90 percent of incidents occur with a complicit insider involved. If the suspected breach comes from an insider or an IT employee, you may need the extra hands of an external team to be able to conduct the assessment.

6. Call in Law Enforcement. Information intrusions are a crime. Your local law enforcement or the FBI can help out. Depending on your location, there may even be a local team that specializes in cyber crime.
