IT Security:
What to do in case of a Cyber Attack

by John Boline
Service Manager,
MCSE, CNE, USE
On the evening of Wednesday, May 28, 2008, I
accessed the web portal for my personal email at home.
Instead of the usual landing page where I would click
‘email’ and then login, I was greeted with a page that was
not what I had expected, one that was the work of hackers.

Yes, my ISP at home is Comcast. The news this week that the pointers to
Comcast.net DNS had been compromised was not a surprise. Web sites are
coming increasingly under attack: Web sites in the private sector, political
sites, even government sites. None have been immune from hacks and other
attacks this past year. In today’s electronic environment, people are
conscious of the threats to the security of their computers, their
enterprise infrastructure and their data. Most people have a solution in place that
takes care of virus problems, firewalls, etc., but what do you do if your
business or personal site is attacked? What steps should you follow?
Having a plan in place
As with everything in IT or on a home network, you need to start with a
plan. For business, have an incident response plan in place. It should
designate who is responsible and who the alternates are. Additionally the
plan should include how you will:
- Detect the attack
- Analyze the incident and provide a vehicle to contain / eliminate the
  problem, complete with workarounds
- Log the event, preserve evidence in the form of log files / transcripts
- Review what happened, adjust your best practices as required to prevent
  re-infection
- Educate users to raise security awareness and promote security policies.
For the user at home, you probably are the plan. You can start by contacting
the tech support department at your ISP. Chances are if your system is
infected, they have others who are too. Today, many ISPs offer home users
security, anti-virus and Malware protection software for little or no cost.
I’ve Been Hacked!
Ok. You’ve been hacked. What do you do now? You should report the events.
You see, cyber-security events that have a real impact on your
organization, such as when damage is done, access is achieved by the
intruder, loss occurs, malicious code is implanted, etc., need to be
reported. It is only by reporting these incidents that we can all be
informed of the threats / attacks and the remediation of their effects. Say
you notice something new, say, your firewall is getting attacked or
unauthorized access is attempted on multiple ports from the same IP address.
These are events that should be reported. OK, but to whom? Local law
enforcement is probably not prepared to receive or analyze the enormous
volume of data this could involve. Then who?
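The firewall event just described, one source address attempting access on many ports, as an added detection example that is not from the article: it scans constructed log lines in a generic, assumed format, reports which sources crossed a threshold within a short window, and hashes the preserved log for the plan’s “preserve evidence” step. The log format, function names and thresholds are my own assumptions.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (generic SRC/DST/DPT fields, not any
# particular product's format): one host probes five ports in seconds,
# another is ordinary repeated HTTPS traffic to a single port.
SAMPLE_LOG = """\
2008-05-28T21:02:11 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=22
2008-05-28T21:02:12 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=23
2008-05-28T21:02:12 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=80
2008-05-28T21:02:13 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=443
2008-05-28T21:02:14 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=3389
2008-05-28T21:05:00 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 DPT=443
2008-05-28T21:05:03 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 DPT=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \w+ SRC=(?P<src>[\d.]+) DST=[\d.]+ DPT=(?P<dpt>\d+)$")


def find_port_probes(log_text, min_ports=5, window_seconds=60):
    """Map source IP -> report for sources that touch at least min_ports
    distinct destination ports within window_seconds. The report holds
    what an ISP or law enforcement will ask for: when, which ports, how many."""
    hits = defaultdict(list)                      # src -> [(time, port)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:                                     # skip lines in another format
            hits[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["dpt"])))
    reports = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding time window
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                reports[src] = {"first_seen": events[start][0].isoformat(),
                                "last_seen": events[end][0].isoformat(),
                                "ports": sorted(ports),
                                "attempts": end - start + 1}
                break
    return reports


def evidence_digest(log_text):
    """SHA-256 of the preserved log text, kept with the report to show it is unaltered."""
    return hashlib.sha256(log_text.encode()).hexdigest()
```

Repeated hits on one port (the second source) never trip the threshold, because the count is of distinct ports, not of attempts.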
Who To Report To
While things are much better than they used to be, there is no single answer
for which law enforcement agency to contact in the event of a cyber-security
breach.
The FBI and U.S. Secret Service share jurisdiction for computer crimes
that cross state lines. However, most law enforcement agencies encourage
people to pre-establish contact with someone in law enforcement who is
trained in and responsible for dealing with computer crime, and work with
the person or people you have the best relationship with, regardless of
agency. A good place to start is with the FBI or U.S. Secret Service Field
Office near you. They can direct you to the proper agency, if they are not
the one. The United States Computer Emergency Readiness Team site
(http://www.us-cert.gov/) is a great place to see what is happening and look
at resources that can help you stay on top of breaking news and developments.
More Information
There is a great whitepaper that lists the kinds of information law
enforcement will need, contacts names and numbers for government agencies
and those in the private sector who can be resources as well. CIO magazine
posted this whitepaper, complete with a form that you can fill out prior to
contacting law enforcement. It is an excellent resource and can be viewed /
downloaded at the following URL:
http://www.cio.com/research/security/incident_response.pdf
What should you do now?
Be vigilant. These attacks are out there and are ongoing. They can be the
acts of freelance Internet hackers, those with a political agenda or even
those sanctioned by foreign concerns. Make sure your systems have adequate
protection. This includes virus scanning software with a current
subscription and updates, a firewall that is current and activated, and
real-time solutions for controlling malware and other cyber-attacks. And of
course, apply the security patches for your operating systems and
applications, so you do not fall prey to an attack on a hole that has
already been patched but is still present on your PC. If you
have questions or comments about this article, contact me (JohnBoline@hagerman.com).
All product names / logos,
company names / logos are copyrights of their respective
holders. John Boline is an MCSE, CNE, USE and a member of
the Network Professional Association. The content herein is
often based on late-breaking events. Much of the material is
based on information from sources that are believed to be
reliable. Hagerman & Company, Inc. disclaims all warranties
as to the ultimate accuracy or completeness of the
information. Hagerman & Company, Inc. and its employees
shall have no liability for errors, omissions or
inadequacies in the information contained within this
article or for any interpretations thereof. The
recommendations, positions and best practice policies
outlined herein represent Hagerman & Company, Inc. initial
analysis and therefore are subject to change as further
information which may have bearing on these positions is
made available. The reader assumes sole responsibility for
the selection of these materials to achieve its intended
results. The opinions expressed herein are subject to change
without notice. Hagerman & Company, Inc. assumes no
obligation to update the forward-looking statements made in
this newsletter to reflect any change in circumstances,
after the date of publication. Entire contents © 2008
Hagerman & Company, Inc. All rights reserved. Reproduction
of this publication in any form without prior written
permission is forbidden.