How Do You Recover From Being Hacked?

Pentura : 01 March, 2010  (Special Report)
Recovery from a hacking incident depends on a number of factors, as explained by Giri Sivanesan of Pentura, who offers advice on what to do after discovering you have become the victim of a hacking incident.
When your business discovers it has been hacked there are different mentalities on how to deal with it. For private sector organisations the most important thing is to detect when a network or system has been hacked. Once an attack has been detected it then becomes important to identify the extent of the compromise, isolate any compromised networks or systems and contain them to stop the attack affecting other networks or systems.

National security organisations may decide to take an altogether different approach and, once they are satisfied that the risk is being properly managed, let the attack continue in order to monitor its movements and understand how it is working and what specific information it is targeting. They may argue that in some cases immediately isolating a malicious attack means they are unable to understand the full extent and modus operandi of the attackers, knowledge that is strategically useful in preventing future attacks.

The next step is to decide who you need to tell and what industry-specific rules you should follow. The first port of call is to notify someone in a security leadership position so that they can decide on the next defensive step and whether to escalate the incident to someone more senior.

If a virus is involved for example, it may be best to move up the chain of command to the head of security who will then decide on the severity of the problem and whether or not to notify the board.

Depending on the severity of the incident, law enforcement authorities should be notified. Many large private sector organisations frown upon this approach, however, because they are embarrassed to be caught out, and they resort to tackling and containing the problem themselves. Unfortunately this can often lead to press leaks and public uproar, causing considerable reputational damage and the possibility of fines. Recent incidents in the NHS and Manchester Police are prime examples of what can happen when the public sector falls foul of hackers. These incidents have made top news stories and have made the public question just how safe their personal data is.

By notifying law enforcement authorities of a serious hacking incident, the information provided can be included in any ongoing investigations. There may already have been many similar hacking incidents, and by pulling together disparate sources of information from multiple attacks, law enforcement authorities will be able to respond more effectively and protect organisations.

It is not always clear how widespread an attack is; it could be on an international level, where organisations such as the Serious Organised Crime Agency (SOCA) will need to respond. SOCA has strong links with other law enforcement communities throughout the world and, where necessary, may be able to share information about similar hacking incidents to strategically prepare and protect organisations against future attacks.

UK organisations that come under the umbrella of Critical National Infrastructure (e.g. communications, energy, finance etc.) can seek advice and guidance from the Centre for the Protection of National Infrastructure (CPNI).

Businesses should also look at damage limitation and how best to protect business branding and market position. There are certain people and organisations that should be informed straight away; I would usually encourage organisations to notify law enforcement authorities of serious hacking incidents even when the incident is particularly sensitive. Once the attacks have been identified, contained and eradicated and systems are running without any hiccups, a decision should be made by the board on when to go public. Going public before managing the situation may cause customers to panic and may even benefit competitors.

It is important to minimise the amount of damage done to your organisation, and to do this effectively you must be prepared. If an organisation does not have incident management, business continuity and disaster recovery policies in place, then it becomes more difficult to minimise the damage caused. If you establish and test these policies, and there are clear procedures and governance structures in place, then responding to hacking incidents becomes much easier. In general, the faster you respond to and contain an attack, the less damage it will cause. Most organisations can expect to be attacked by hackers at some point, but being proactive and ready for the attack beforehand usually reduces the impact attacks will have.

After the incident, the best way to clean up is to know where your information systems were beforehand. Backing up regularly will allow you to restore systems and information to a known-good state with minimal downtime, getting you back to your baseline quickly. Computer forensics, coupled with intrusion detection, operating system and firewall logs, may be needed to investigate the full extent of an attack. Understanding what your vulnerabilities are and applying the lessons learned from the incident should help you to minimise the likelihood and impact of it happening again. In general, critical systems and assets should be cleaned first, followed by the less critical ones.

With the sharp increase in corporate espionage, it is also important to understand where all your information assets are and what impact hacking can have on these assets and your organisation. Espionage works when it is not detected, so if you are not aware of your assets you may not know what has been stolen or damaged.

A well-maintained information security policy, along with underlying incident management, business continuity and disaster recovery policies, is a must for businesses and organisations to recover fully from any form of serious hacking incident.

Organisations must learn from their mistakes in order to manage the risks from hackers and minimise the impact hacking incidents cause. They must understand how the incident happened, from the detection of the attack all the way through to the recovery. How well they responded to the incident and what they should have done better are some of the key questions that need to be asked at board level and pushed downwards. A good understanding of what the risks and vulnerabilities are, what assets need to be protected from hackers, and the financial and reputational impact future incidents could have on the organisation is a good basis for winning the financial support needed to implement proportionate controls against hacking.