You're Hacked - Part 2

After you have finished with the IMMEDIATE part, then you can move on to the investigation and restoration part...

2. SECONDARY ACTIONS

A. Review application inventory
What was on the site? Content management system, image gallery, forum... There should be a sheet of documentation somewhere that tells which version of each is installed along with the location. Sadly, most companies do not have this. Most developers/installers don't provide it unless it's specifically requested.

B. Determine OS level
This information should be on the same sheet as referenced in 2A, but if the OS is maintained by others, it's possible this information will be in a separate file/sheet.

C. Determine extent of the attack
Comb through the data that was obtained in 1C to determine the nature of the attack (e.g., files, email, DB changes). In some cases, a hack can be a simple change to a configuration.php file. In others, the entire database can be polluted with robot-injected spam.

D. Determine attack vector(s) used
This is important to determine whether the site (domain) was the target or whether the attack originated via the OS kernel. Most attacks arrive via unsecured ports or via an out-of-date OS. Also common are application attacks where security holes exist, e.g., an old version of an image gallery would allow anyone to upload files, then run them to propagate the attack.

E. Review business resumption plan/restore process
If the attack is complex, the site must be reloaded from scratch. This is the most efficient way to ensure the security hole(s) is (are) closed. (A simple attack is config-level defacement.)

F. Damage assessment -> build restoration plan
Based on all of the above, a restoration plan is created to reload the base software, then restore the data. In some cases, this may involve multiple people/vendors. Each should be contacted if their involvement is necessary.

3. RESTORE AND FOLLOW-UP

A. Execute the restore

B. 8D the Event
Emphasis on root cause determination and preventing recurrence.

C. Document the process, just in case this ever happens again.
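One way to turn the inventory sheet from 2A into something that supports 2C: record a hash manifest of the web root at install time, then diff the live tree against it to list added, removed and modified files. This is an added example, not code from the original post; the site layout, file names and the tampered contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk a web root and record the SHA-256 of every file, keyed by relative POSIX path."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest, out_path):
    """Persist the manifest as JSON so it can live beside the inventory sheet (off the web host)."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_path):
    return json.loads(Path(in_path).read_text())


def diff_manifests(baseline, current):
    """Compare install-time baseline against the live tree; each list is sorted for stable reporting."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: clean install, then a tampered configuration.php and a dropped gallery file."""
    with tempfile.TemporaryDirectory() as site:
        root = Path(site)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "configuration.php").write_text("<?php $db_host = 'localhost'; ?>\n")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        save_manifest(build_manifest(root), root / "manifest.json")   # taken at install time
        baseline = load_manifest(root / "manifest.json")
        # Post-incident state (constructed): config edited, unexpected file in the image gallery
        (root / "configuration.php").write_text("<?php $db_host = 'changed.example'; ?>\n")
        (root / "images" / "upload.php").write_text("<?php /* constructed dropped file */ ?>\n")
        return diff_manifests(baseline, build_manifest(root))
```

In practice the manifest itself is stored off the host (it appears in `added` here only because the demo keeps it inside the temp tree), and anything in `modified` or `added` is the starting list for the 2C/2D review.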