You have just gotten the call from an associate at work that the network you're responsible for has been hacked. You're going to need to make some decisions very quickly as to what needs to be done. Individuals who haven't planned for such an event may actually be thinking, "Do I have a current copy of my resume?"
There's no room here to feel that you're invincible against such an attack. Just last December, Guidance Software, Inc., a company that develops forensic and incident-response software found this out the hard way when it was reported that a hack attack cost them 3,800 customer credit card numbers. Privacyrights.org listed eleven security breaches in just the month of December 2005. If you're faced with such a reality as these eleven companies were, hopefully you had the forethought to establish an incident response (IR) plan. It's really one of the most important steps, in that you are coming to the realization that an attack could happen to you -- and if it were to occur, the IR plan would detail how you would deal with it, what steps you would take, and who would respond. Such a plan would need to address the following questions:
1. What will be your initial response?
You really have two options here. First, you can let the system continue to run or you can pull the plug. Each needs to be considered. Leaving the system running may allow you to gather additional information about the attacker without him knowing his activities have been discovered. However, if real damage is occurring, you may have no choice but to pull the system offline to limit the effects.
2. Who committed this crime?
When dealing with malicious activity, you are going to want to try and answer this question. Was it someone inside the organization or was it an outsider? Answering this question is critical, because if it is an insider, you'll want to find out who it is in order to act immediately. If the attacker is not an employee and is not within legal jurisdiction, you'll face a host of other issues. Keep in mind that computer crime laws vary from country to country.
3. Will you attempt to prosecute the offender?
You may think that this is an easy question to answer, but just look at the statistics. The 2005 CSI/FBI Computer Crime survey found that only 34% of respondents reported intrusions to law enforcement. This number remains low for a variety of reasons. Large on the list is that many organizations don't want the negative publicity that comes with such a prosecution.
4. Are you required by law or mandate to report this breach of security?
There's a host of industries that are required to report security breaches and laws such as HIPAA require it. States such as California have strict reporting laws and have decided that the consumer has a right to know.
5. How did this occur?
This is something that you must know. Whether it was a weak password or vulnerability in a piece of unpatched software, you will need to find out what went wrong. Was there a policy in place to prevent such an event that simply wasn't being followed or was something simply overlooked?
6. What lessons are to be learned from this event?
At this step, you are going to want to implement changes to keep the event from happening again. Training employees in the revised practices should be part of this activity.
Now that you have a better idea of the activities that would take place if you were hacked, you may be motivated to get started in developing a good incident response policy and CERT.org is a good place to start. After all, a good defense requires planning and preparation. Being proactive may help you turn a potential disaster into a minor blip and serve to highlight your skills and value to the company.
Five common insider threats and how to mitigate them
About the author
Michael Gregg has more than 15 years of experience in IT. Michael is the President of Superior Solutions, Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associates degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.