So You’ve Been Hacked  — Now What?

Tuesday, November 09, 2010

Global Knowledge


Article by Jill Liles

First, don’t panic. Here are six steps you can take to respond and defend against future attacks.

Be Ready

You should have a plan for every system before you even install and configure it. Until you do, call on a professional such as a Certified Information Systems Security Professional (CISSP) or Computer Security Incident Handler (CSIH).

 To develop a plan:

  • List all the potential scenarios that could hurt your business (security breach, power outage, software or hardware problem, etc.)
  • Detail how you’ll fix each scenario
  • Line up any service contracts, ongoing data backups, or other resources
  • Communicate the plan to the company

Don’t Make It Worse

Think it through before pulling any plugs. Don’t switch off the power unless you’re willing to lose data and endure downtime. Don’t cut off all Internet connections if just a few devices have been attacked.


Depending on your industry, a security breach may require you to notify people outside the company, particularly if the incident affects your compliance with a regulation such as PCI, GLBA, or HIPAA. 

If you want to pursue criminal charges or recover damages, you should contact your local law enforcement’s cybercrime unit or national law enforcement.

Move Fast

Quickly gather information to identify which devices have been affected and from what IP addresses. Use any diagnostic tools you have —such as router traffic logs, firewall logs, syslog messages — as well as your own observance of unusual activity.

Use these to compare against the last-known stable backup to determine the exact problem and isolate any impacted applications and devices.

Clean Up and Restore

Based on business priorities, bring systems back on line and begin monitoring them regularly. Replace any hacked data with the most recent stable backup. Change the passwords for all affected devices, users, and applications, including the root password and default accounts.

Prevent Other Attacks

Some malware can lie dormant after being “removed,” waiting years for an opportunity to reactivate, so be sure you continually protect your network, including installing the latest software patches and performing a regular vulnerability assessment.

Cross-posted from Global Knowledge

Free White Papers From Global Knowledge:

Top 10 Skills in Demand in 2010 

Top 10 Security Concerns for Cloud Computing

10 Essential Security Polices

How Vulnerable Are Your Cisco IOS Routers


Possibly Related Articles:
Enterprise Security
breaches Compliance Security Strategies Incident Response
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.