VeeMost Technologies
2404 Fourth Street,
Cuyahoga Falls, OH

(330) 928-1100 Telephone
(877) 349-7938 Fax
info@veemost.com




July 23, 2003

You've been hacked, what do you do in the first five minutes
Robert L. Bogue

Sitting at your desk, you notice some odd activity in a log while you're looking into a user problem. The more you step through it, the more you are convinced that something is just not right. Your heart skips a beat when you realize that the system has been hacked. At this point, you enter a stage of shock as you ask yourself, “How could this happen?” and “What do I do now?”

Although you'll find plenty of advice on how to keep your systems from being hacked, there are relatively few articles that will help you sort things out in the aftermath of an attack. So for the next three weeks, I'll present a series of articles that will explain what you should do in the first five minutes, in the first hour, and in the first week after you’ve discovered that an interloper has compromised your systems. This article will focus on the most immediate actions you must take to secure your system: evaluate, communicate, and disconnect.

Evaluate
The first question that you must answer after an attack (or preferably before) is what your objectives are. In most cases, the objectives are simple: prevent further intrusion and resolve the problem. However, in some cases, you will want to be able to positively identify the intruder and, in others, you will be focused on figuring out which vulnerability the hacker exploited.

Identify the intruder
It may be necessary to positively identify the intruder so that you can refer the matter to the FBI for further investigation and possible prosecution. Of course, this is not the most expedient way to get the systems back online and prevent further infection. Identifying intruders can be difficult, particularly if they have covered their tracks well. Despite Hollywood’s portrayal of hackers easily being traced, someone who is routing traffic through several systems is not only difficult to find, but might be—in all practical terms—impossible to track down.

Identify the vulnerability
Another approach that some organizations take is to try to identify the specific vulnerability exploited. The thinking is that you want to patch the specific hole that allowed this intruder to gain access. By and large, this is a suboptimal way to approach the problem. A far better strategy is to attempt to identify all vulnerabilities and prevent any intruder from gaining access to your systems, rather than focusing on the one vulnerability this particular hacker exploited. Many of today’s security assessment tools will allow you to quickly test and resolve all vulnerabilities.
