On the evening of Wednesday, May 28, 2008, I
accessed the web portal for my personal email at home.
Instead of the usual landing page where I would click
‘email’ and then log in, I was greeted with a page that was
not what I had expected, one that was the work of hackers.

Yes, my ISP at home is Comcast. The news this
week that the pointers to Comcast.net DNS had been
compromised was not a surprise. Web sites are increasingly
under attack: sites in the private sector, political sites,
even government sites. None have been immune from hacks and
other attacks this past year. In today’s electronic
environment, people are conscious of the threats to their
computers, their enterprise infrastructure and their data.
Most people have a solution in place that takes care of
viruses, firewalls and the like, but what do you do if your
business or personal site is attacked? What steps should you
follow?
Having a plan in place
As with everything in IT or on a home network, you need to
start with a plan. For business, have an incident response
plan in place. It should designate who is responsible and
who the alternates are. Additionally the plan should include
how you will:
- Detect the attack
- Analyze the incident and provide a vehicle to contain and
eliminate the problem, complete with workarounds
- Log the event and preserve evidence in the form of log
files and transcripts
- Review what happened and adjust your best practices as
required to prevent a recurrence
- Educate users to raise security awareness and promote
security policies.
For the user at home, you probably are the plan. You can
start by contacting the tech support department at your ISP.
Chances are that if your system is infected, they have other
customers who are too. Today, many ISPs offer home users
security, anti-virus and malware protection software for
little or no cost.
I’ve Been Hacked!
Ok. You’ve been hacked. What do you do now? You should
report the events.
Cyber-security events that have a real impact on your
organization, such as when damage is done, an intruder gains
access, a loss occurs or malicious code is implanted, need to
be reported. It is only by reporting these incidents that we
can all be informed of the threats and attacks and of how
they were remediated. Say you notice something new: your
firewall is under attack, or unauthorized access is attempted
on multiple ports from the same IP address. These are events
that should be reported. Before you clean up or rebuild the
affected system, preserve the logs and any other evidence;
the people you report to will need them. OK, but to whom?
Local law enforcement is probably not prepared to receive or
analyze the enormous volume of data this could involve. Then
who?
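Two of the events named above, a firewall under attack and one address probing many ports, are exactly the kind of thing a small script can pick out of a firewall log and package for a report. The following Python is an added example written for this page, not code from the original article or from Hagerman & Company. The log format, the addresses and the log lines are constructed for the illustration, and the thresholds (five distinct ports within one minute) are assumptions to tune to your own environment. It flags sources that sweep ports, ignores a single port retried many times, and hashes the preserved lines so the extract can later be shown to be unaltered.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log, in a simplified syslog-style format that is
# assumed for this example (not taken from the article). Addresses are from the
# RFC 5737 documentation ranges. 203.0.113.7 probes six ports in four seconds,
# 198.51.100.4 retries one port, 203.0.113.9 touches five ports 15 minutes apart.
SAMPLE_LOG = """\
2008-05-28T21:02:11 fw DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2008-05-28T21:02:12 fw DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2008-05-28T21:02:12 fw DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2008-05-28T21:02:13 fw DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2008-05-28T21:02:14 fw DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
2008-05-28T21:02:15 fw DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
2008-05-28T21:03:00 fw ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
2008-05-28T21:05:40 fw DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
2008-05-28T21:06:02 fw DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
2008-05-28T21:30:00 fw DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
2008-05-28T21:45:00 fw DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23
2008-05-28T22:00:00 fw DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25
2008-05-28T22:15:00 fw DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
2008-05-28T22:30:00 fw DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
"""

# Only DROP lines count as rejected connection attempts; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DROP SRC=(?P<src>\S+) DST=\S+ PROTO=\S+ DPT=(?P<dpt>\d+)$"
)


def parse_events(text):
    """Yield (timestamp, source_ip, destination_port) for each well-formed DROP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def find_port_sweeps(text, min_ports=5, window_minutes=1):
    """Flag sources that hit at least min_ports distinct ports within any
    sliding window of window_minutes. Returns {source_ip: sorted list of every
    port that source touched}. A single port retried many times is not flagged;
    that is a different signal and would need its own rule."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, src, port in parse_events(text):
        by_src[src].append((ts, port))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Advance the left edge until the span fits inside the window.
            while events[right][0] - events[left][0] > window:
                left += 1
            if len({p for _, p in events[left:right + 1]}) >= min_ports:
                flagged[src] = sorted({p for _, p in events})
                break
    return flagged


def evidence_record(text, flagged):
    """Collect the raw DROP lines for each flagged source and hash them, so the
    extract handed to the ISP or law enforcement can be checked for tampering."""
    report = {}
    for src, ports in flagged.items():
        lines = [
            l.strip() for l in text.splitlines()
            if LINE_RE.match(l.strip()) and f"SRC={src} " in l
        ]
        digest = hashlib.sha256("\n".join(lines).encode()).hexdigest()
        report[src] = {"ports": ports, "lines": lines, "sha256": digest}
    return report


if __name__ == "__main__":
    for src, rec in evidence_record(SAMPLE_LOG, find_port_sweeps(SAMPLE_LOG)).items():
        print(f"{src}: {len(rec['ports'])} distinct ports {rec['ports']}, "
              f"{len(rec['lines'])} log lines preserved, sha256={rec['sha256']}")
```

Run as a script it prints the flagged sources. Widening window_minutes catches the slow sweep from 203.0.113.9, which spaces its probes fifteen minutes apart and so stays under a one-minute rule. Keep the original log file as well as the extract; the hash only proves the extract has not changed since you took it.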
Who To Report To
While things are much better than they used to be, there is
no single answer for which law enforcement agency to contact
in the event of a cyber-security breach.
The FBI and U.S. Secret Service share jurisdiction for
computer crimes that cross state lines. However, most law
enforcement agencies encourage you to establish contact in
advance with someone in law enforcement who is trained in and
responsible for dealing with computer crime, and to work with
the person or people you have the best relationship with,
regardless of agency. A good place to start is the FBI or
U.S. Secret Service field office near you. They can direct
you to the proper agency if they are not the one. The United
States Computer Emergency Readiness Team site
(http://www.us-cert.gov/) is a good place to see what is
happening and to find resources that can help you stay on top
of breaking news and developments.
More Information
There is a good whitepaper that lists the kinds of
information law enforcement will need, along with contact
names and numbers for government agencies and for people in
the private sector who can be resources as well. CIO magazine
posted this whitepaper, complete with a form that you can fill
out before contacting law enforcement. It is an excellent
resource and can be viewed or downloaded at the following
URL:
http://www.cio.com/research/security/incident_response.pdf
What should you do now?
Be vigilant. These attacks are out there and are ongoing.
They can be the acts of freelance internet hackers, of those
with a political agenda, or even be sanctioned by foreign
concerns. Make sure your systems have adequate protection:
virus scanning software with a current subscription and
updates, a firewall that is current and activated, and
real-time solutions for controlling malware and other
cyber-attacks. And of course, apply the security patches for
your operating systems and applications, so that you do not
fall prey to an attack that the vendor has already fixed but
that still works against you because the hole was never
closed on your PC.
If you have questions or comments about this article,
contact me (JohnBoline@hagerman.com).
All product names / logos,
company names / logos are copyrights of their respective
holders. John Boline is an MCSE, CNE, USE and a member of
the Network Professional Association. The content herein is
often based on late-breaking events. Much of the material is
based on information from sources that are believed to be
reliable. Hagerman & Company, Inc. disclaims all warranties
as to the ultimate accuracy or completeness of the
information. Hagerman & Company, Inc. and its employees
shall have no liability for errors, omissions or
inadequacies in the information contained within this
article or for any interpretations thereof. The
recommendations, positions and best practice policies
outlined herein represent Hagerman & Company, Inc. initial
analysis and therefore are subject to change as further
information which may have bearing on these positions is
made available. The reader assumes sole responsibility for
the selection of these materials to achieve its intended
results. The opinions expressed herein are subject to change
without notice. Hagerman & Company, Inc. assumes no
obligation to update the forward-looking statements made in
this newsletter to reflect any change in circumstances,
after the date of publication. Entire contents © 2008
Hagerman & Company, Inc. All rights reserved. Reproduction
of this publication in any form without prior written
permission is forbidden.