BreachExchange mailing list archives

So you've been hacked - what now?

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 Jan 2015 13:01:13 -0700

http://www.information-age.com/technology/security/123458824/so-youve-been-hacked-what-now

In 2011 the government claimed that cyber crime costs the UK economy £27
billion a year. It’s doing serious damage to both the public and private
sectors. CEOs and the rest of the board shouldn’t be asking ‘will we get
hacked?’, but instead ‘when will we get hacked?’. It has become an
inevitability. Businesses need to know how to respond.

But when you get hacked a ‘you have been hacked’ alert won’t suddenly
appear on your computer screen. There might be quite obvious consequences,
such as your website being defaced. But when someone has intent it’s likely
you’ll become suspicious because of subtle and not so subtle things
happening as a result of the hack.

There may be technical indicators such as machines running slowly, accounts
not working, software malfunctioning or unexpected activity in system logs.
However unless you’re watching diligently for these signs then more often
than not it is the other activities of the perpetrators that will first
raise suspicion.

What should you do?

Naturally our advice would be to call in the professionals and make sure
they are CREST certified, which is the industry standard.

In a recent case we responded to, before we were called in the company had
tried to kick the hackers out. This led to a game of cat and mouse and some
goading on behalf of the attackers.

However, if you can’t afford expert help then our first advice would be to
disable the affected systems to reduce further impact. Then, if you don’t
wish to get law enforcement involved, attempt to understand how it
happened. If you want to call in the police then the crime scene needs to
be preserved.

Without understanding how it happened there is a risk you will recover,
miss the original entry point and allow the attackers straight back in,
causing you further frustration and anxiety.

What are the laws, and do you need to inform people?

The Data Protection Act (DPA) does not require you to inform the
Information Commissioner’s Office (ICO). However, the ICO advises you to
inform it in the case of a serious breach – further details can be found in
its briefing document.

If you process credit card data you’ll come under the Payment Card Industry
(PCI) requirements. Whilst not a law, there is a requirement in these
instances to inform the major card companies (VISA, American Express etc.)
within 24 hours. VISA and MasterCard also require you to undertake a
forensics investigation.

How do you find out what's gone and how do you plug the hole?

Finding out what went on and how to plug the hole will require a technical
capability to comb through available logs and other sources of forensics
data. We typically find that SMEs don’t proactively configure logging so
become reliant on the default logs provided by their computers, websites
and databases. Only by analysing these will you be able to build up a
picture of the activity and identify potential losses. However, be prepared
to not always be able to answer this question fully, either through lack of
logging or if a savvy attacker has erased the logs.

How do you repair systems and rebuild trust?

The general wisdom is to rebuild the affected systems from scratch rather
than trying to repair. In reality, this might not be possible so it’s
critical you have understood how the attacker got in, that you’ve confirmed
the hole is closed and they are not resident via other technical
mechanisms. Then change all passwords, make sure all software is updated,
all logging is functioning and look to rebuild trust in the systems.
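The article's advice to comb through the default logs and build up a picture of the activity, so that the original entry point is not missed during recovery, can be illustrated with a small triage script. The following is an added example, not code from the article or from the list; it assumes the Apache/nginx "combined" access-log format, works over a handful of constructed sample lines, and uses illustrative indicator rules (sensitive paths, scripts served from an uploads directory, scripted user agents) chosen here as assumptions rather than a complete ruleset.

```python
"""Triage of a default web-server access log after a suspected compromise.

Added example, not part of the original article. Assumes the Apache/nginx
"combined" log format; the sample lines and the indicator rules below are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format:
# host ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines standing in for an untouched default access log.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2015:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1245 "-" "python-requests/2.5"
203.0.113.5 - - [07/Jan/2015:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "python-requests/2.5"
203.0.113.5 - - [07/Jan/2015:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.5"
203.0.113.5 - - [07/Jan/2015:02:15:10 +0000] "POST /wp-admin/upload.php HTTP/1.1" 200 311 "-" "python-requests/2.5"
203.0.113.5 - - [07/Jan/2015:02:16:40 +0000] "GET /uploads/cache.php?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.5"
198.51.100.9 - - [07/Jan/2015:09:00:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2015:09:00:04 +0000] "GET /about HTTP/1.1" 200 4020 "http://example.test/" "Mozilla/5.0"
"""

# Illustrative indicator rules (assumptions for this example, not a full ruleset).
SENSITIVE_PATHS = ("/wp-login.php", "/wp-admin/", "/admin")
SCRIPT_IN_UPLOADS = re.compile(r"^/uploads/.*\.php", re.IGNORECASE)
SCRIPTED_AGENTS = ("python-requests", "curl/", "wget/", "sqlmap")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def indicators(rec):
    """Return the indicator tags a single request triggers (empty list if none)."""
    tags = []
    path = rec["path"].split("?", 1)[0]
    if any(path.startswith(p) for p in SENSITIVE_PATHS):
        tags.append("sensitive-path")
    if SCRIPT_IN_UPLOADS.match(path):
        tags.append("script-in-uploads")
    if any(a in rec["agent"] for a in SCRIPTED_AGENTS):
        tags.append("scripted-client")
    if rec["method"] == "POST" and rec["status"] in (200, 302) and "sensitive-path" in tags:
        tags.append("post-to-sensitive")
    return tags


def triage(log_text):
    """Group flagged requests by source host, in time order, so the earliest
    flagged request per host can be examined as a candidate entry point."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = indicators(rec)
        if tags:
            by_host[rec["host"]].append(
                (rec["time"], rec["method"], rec["path"], rec["status"], tags)
            )
    summary = {}
    for host, events in by_host.items():
        events.sort()
        summary[host] = {
            "first_seen": events[0][0],
            "last_seen": events[-1][0],
            "events": events,
            "tags": sorted({t for e in events for t in e[4]}),
        }
    return summary


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(f"{host}: {len(info['events'])} flagged requests, "
              f"{info['first_seen']:%Y-%m-%d %H:%M:%S} to {info['last_seen']:%H:%M:%S}, "
              f"tags={info['tags']}")
        for t, method, path, status, tags in info["events"]:
            print(f"  {t:%H:%M:%S} {method} {path} {status} {tags}")
```

On the constructed input only the first host is flagged, and its earliest flagged request (the login page fetched by a scripted client) is the point to start the timeline from; the ordinary browsing from the second host produces no tags. The script deliberately reports, rather than acts, so it is equally usable on a preserved copy of the logs when law enforcement is to be involved. The article's caveat still applies: if logging was never configured beyond defaults, or the attacker erased the logs, the picture this builds will be incomplete.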
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
