First, don’t panic. Here are six steps you can take to respond and defend against future attacks.
You should have a plan for every system before you even install and configure it. Until you do, call on a professional such as a Certified Information Systems Security Professional (CISSP) or Computer Security Incident Handler (CSIH). To develop a plan:
- List all the potential scenarios that could hurt your business (security breach, power outage, software or hardware problem, etc.)
- Detail how you’ll fix each scenario
- Line up any service contracts, ongoing data backups, or other resources
- Communicate the plan to the company
Don’t make it worse
Think it through before pulling any plugs. Don’t switch off the power unless you’re willing to lose data and endure downtime. Don’t cut off all Internet connections if just a few devices have been attacked.
Depending on your industry, a security breach may require you to notify people outside the company, particularly if the incident affects your compliance with a regulation such as PCI, GLBA, or HIPAA. If you want to pursue criminal charges or recover damages, you should contact your local law enforcement’s cybercrime unit or national law enforcement.
Quickly gather information to identify which devices have been affected and from what IP addresses. Use any diagnostic tools you have —such as router traffic logs, firewall logs, syslog messages—as well as your own observance of unusual activity. Use these to compare against the last-known stable backup to determine the exact problem and isolate any impacted applications and devices.
Clean Up and Restore
Based on business priorities, bring systems back on line and begin monitoring them regularly. Replace any hacked data with the most recent stable backup. Change the passwords for all affected devices, users, and applications, including the root password and default accounts.
Prevent Other Attacks
Some malware can lie dormant after being “removed,” waiting years for an opportunity to reactivate, so be sure you continually protect your network, including installing the latest software patches and performing a regular vulnerability assessment.