How to respond to a hacker attack
“We’ve been hacked!”
In our increasingly interconnected world, it is the scenario every organisation fears. Even after you get over the initial panic, distress, confusion, embarrassment and anger of being hacked, it is not always easy to know what to do, or where to begin.
The scenarios vary widely: e-mail or financial records compromised; suspicious activity on the company network; customers reporting credit card fraud or identity theft; users duped into clicking on a rogue link or entering information on a fake site; unauthorised software running on your computers, siphoning data to some unknown destination. This is the dark side of the technology and connectivity that has transformed business and society for the better.
The good news is that getting hacked does not have to be a paralysing or near-death experience for your organisation. Sure, it can be stressful and costly. However, with the appropriate steps, most organisations are able to regroup and strengthen systems, refine employee practices and even build customer confidence.
Here are a number of critical steps organisations can take if their computer systems are breached.
1. Understand the why
A breach always presents an opportunity to re-assess your network security protocols and your organisation’s overall security culture. Understanding why you were targeted can play a useful part in helping you understand how you were breached. If it was a bank account or financial data, the answer may be obvious. In other cases, such as e-mail or file system hacks, it can be for a host of reasons. The attacker may be seeking access to your business plans or intellectual property. Or, the hacker may be harvesting your business contacts to send spam, or proposition your customers and business partners.
2. Perform a thorough security audit on affected accounts
The first few steps following identification of a data breach are vital. Tracking what systems have been compromised and to what extent can be slow and tedious, but it's important to be thorough.
If a machine or system is believed to be compromised do not power it off. Shutting the machine down can erase valuable evidence that will help investigators determine what's been stolen and where it has been sent. Often, one account is simply used as an access point to another. Your e-mail may be a path to your online banking credentials. You therefore need to secure the accounts you know were hacked, as well as the others it touches.
If there is any element of financial liability involved in a compromised account, thoroughly review any activity on that account, particularly for online services that let you make one-click purchases. For financial records, verify that no accounts or payment methods have been linked and no new billing or shipping addresses added.
3. Reset your passwords
Immediately change the password on the affected services, and any others that use the same or similar password.
“Password reuse is a common practice, and very hard to prevent, but it is also one of the greatest risks to network security,” says ArkiTechs chief executive officer and network security expert Stephen Lee.
Applications and Web sites can set up password requirements, such as a minimum length or mandatory use of symbols and numbers, but they cannot force people into not reusing the same or similar passwords. Lee advises that, as a general rule, users and system administrators avoid reusing passwords.
“People seldom realise that reusing passwords increases the potential risk and fallout if any one account is compromised.”
4. De-authorise connected apps
An important step in today’s mobile app-centric world is to de-authorise all associated apps that use the compromised account for login. For example, Facebook, Amazon, Twitter, Google, Dropbox and many other online services support a security protocol known as OAuth, which gives third-party software applications access to your accounts without you always having to provide login information.
If a hacker used OAuth to authorise another device or service, and remains logged in there, simply changing your password won’t be enough to get them out. The safest option is to disable all the apps you have given access to. The security and peace of mind is more than worth the hassle of having to re-authorise all your apps.
5. Call for professional help
There are several firms that specialise in post-breach forensic investigation. It’s always a good idea to keep a directory of professional security experts on hand in case of emergency.
Local law-enforcement groups may not always have the resources to properly investigate a breach, but insurance processing still often mandates that an official police report be filed.
For government agencies, if you decide you do need official help, the Caribbean Telecommunications Union has a special desk for investigating government network intrusions. Other entities, like the Caribbean Network Operators Group (CaribNOG), maintain a regional directory of trusted network security experts. Some local law enforcement agencies have also recently formed special cybersecurity units to better respond to incidents.
6. Check for backdoors
Professional help is important because some hackers don’t just stop at getting into your account. A common technique is to set up hidden entry points—backdoors—so that they can get back after you think you got them out.
Check network logs and e-mail rules to make sure nothing is being forwarded to another server or account without authorisation. For e-mail hacks, double check your security questions and answers to make sure they were not changed.
Run a scan for malware and viruses on all your machines using a reputable and up-to-date scanning tool. This is the most basic thing you can do, so be sure to be thorough.
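The mailbox-rule check described above, as an added example that is not part of the original article: it reviews a constructed set of exported mailbox rules and flags any that forward mail outside the organisation or that forward a message and then delete the original, which hides the copy from the mailbox owner. The rule format, the organisation's domain (example.com), the approved forwarding address and the sample rules are all assumptions made for the example; a real export from your mail platform will use different field names and has to be mapped into this shape first.

```python
"""Review exported mailbox rules for unauthorised forwarding (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumptions for the example: the organisation's own mail domains and the
# forwarding destinations that IT has explicitly signed off on.
ORG_DOMAINS = {"example.com"}
APPROVED_FORWARDS = {"archive@example.com"}


@dataclass
class MailRule:
    """Simplified shape of one exported mailbox rule (constructed format)."""
    mailbox: str                       # mailbox the rule lives in
    name: str                          # rule name as shown to the user
    forward_to: List[str] = field(default_factory=list)  # destinations
    delete_after: bool = False         # rule deletes the original message
    enabled: bool = True


def _is_external(address: str) -> bool:
    """True if the address's domain is not one the organisation owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def review_rules(rules: List[MailRule]) -> List[Tuple[str, str, str]]:
    """Return (mailbox, rule name, reason) for every rule needing attention."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue                   # disabled rules cannot move mail
        for dest in rule.forward_to:
            if dest.lower() in APPROVED_FORWARDS:
                continue               # known, authorised forward
            if _is_external(dest):
                findings.append((rule.mailbox, rule.name,
                                 f"forwards to external address {dest}"))
        # Forwarding plus deleting the original hides the activity from the
        # mailbox owner, so it is worth a look even for internal destinations.
        if rule.forward_to and rule.delete_after:
            findings.append((rule.mailbox, rule.name,
                             "forwards and then deletes the original message"))
    return findings


def mailboxes_needing_review(rules: List[MailRule]) -> List[str]:
    """Distinct mailboxes with at least one finding, in export order."""
    seen: List[str] = []
    for mailbox, _, _ in review_rules(rules):
        if mailbox not in seen:
            seen.append(mailbox)
    return seen


# Constructed sample export; the '.invalid' domains are reserved for examples.
SAMPLE_RULES = [
    MailRule("ceo@example.com", "Archive copies", ["archive@example.com"]),
    MailRule("ceo@example.com", ".", ["collector@free-mail.invalid"],
             delete_after=True),
    MailRule("finance@example.com", "Invoices", ["payments@example.com"],
             delete_after=True),
    MailRule("ops@example.com", "Old forward", ["x@other.invalid"],
             enabled=False),
]

if __name__ == "__main__":
    for mailbox, name, reason in review_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} {reason}")
```

Each finding is a lead for the investigator, not a verdict: an internal forward-and-delete rule may be legitimate, but it should be confirmed with the mailbox owner before it is left in place.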
7. Track the chain of custody
Part of your necessary due diligence in responding to a breach is to record every time someone touches a compromised computer or server and everything that's done to it. This can be very useful when providing information to law enforcement, insurance and security auditors.
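One way to keep the chain-of-custody record described above tamper-evident, as an added example rather than anything from the article: every entry records who handled which item, what they did and when, plus the SHA-256 of the evidence image where one was taken, and each entry also carries the hash of the entry before it, so any later alteration or deletion breaks the chain. The evidence identifier, handler names, timestamps and the in-memory "disk image" bytes are all constructed for the example.

```python
"""Hash-chained chain-of-custody log (added example, not from the article)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only list of custody entries, each hashing its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, handler: str, evidence_id: str, action: str,
               evidence_bytes: Optional[bytes] = None,
               when: Optional[datetime] = None) -> dict:
        """Append one entry; hash the evidence too if its bytes are given."""
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "evidence_id": evidence_id,
            "action": action,
            "evidence_sha256": _sha256(evidence_bytes) if evidence_bytes is not None else None,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        # The entry hash covers every field above, including prev_hash.
        entry["entry_hash"] = _sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash; False if any entry was edited or removed."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if _sha256(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def evidence_hashes(self, evidence_id: str) -> List[str]:
        """All recorded evidence hashes for one item; they should all match."""
        return [e["evidence_sha256"] for e in self.entries
                if e["evidence_id"] == evidence_id and e["evidence_sha256"]]


# Constructed stand-in for a disk image; a real one would be read from file.
IMAGE = b"constructed disk image bytes for the example"


def build_sample_log() -> CustodyLog:
    """Three constructed custody events for one evidence item."""
    log = CustodyLog()
    t = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    log.record("A. Ramdin", "DISK-001", "imaged workstation disk", IMAGE, t)
    log.record("A. Ramdin", "DISK-001", "handed image to forensics lab",
               when=t.replace(hour=11))
    log.record("Lab intake", "DISK-001", "verified image on receipt", IMAGE,
               t.replace(hour=14))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("image hashes agree:", len(set(sample.evidence_hashes("DISK-001"))) == 1)
```

Keep the log itself somewhere the people handling the evidence cannot quietly rewrite it (a printed copy signed at each hand-over, or a write-once store), since the hash chain only shows that something changed, not who changed it.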
8. Reset and strengthen
Once your security experts have assessed the scope of the problem, take all infected computers offline. Good cybercrime fighters typically save a digital snapshot of the information on compromised machines. This leaves you free to reset the machines and bolster your network security to prevent unwanted re-entry or re-infection.
9. Regain control
Most of the major online services have systems to help you recover your account after it has been taken over by someone else. Typically, you will have to answer questions about yourself and your account.
10. Speak out
The reason why it is vitally important to disclose when your systems have been compromised is the same reason for this very article: to raise awareness.
It’s important to realise that companies aren’t the only victims of data theft. The people whose information was stolen are also victims. So for businesses, even if customers initially expect the worst when they get the news about the breach, it is important to be open about incidents.
A well-composed breach notification statement is key to assuaging public concern. But the stronger statement is an organisation’s commitment to being open and transparent. Depending on the nature of the breach, consider setting up a special Web site or hotline to provide further information and advice to affected customers.
If a company shows itself to be on top of its technological problems and if it communicates this well, it can actually strengthen the public’s perception of its trustworthiness.
Bevil Wooding is an Internet strategist with Packet Clearing House and he regularly advises governments and corporations on matters of cybersecurity. Follow on Twitter @bevilwooding or facebook.com/bevilwooding or contact via e-mail at: [email protected]