November 11, 2003

Believe me, it happens. No matter how good or strong your security setup, there’s always a chance that it will be broken into and your systems compromised. If it were to happen to you, what would you do? How would you recover from the attack and, more importantly, how would you ensure that it does not happen again?

First, consult your security policy (assuming you have one) to check for the steps you need to take. If you don’t have a policy, then inform and consult your management about the attack to facilitate internal coordination of the recovery effort. Also note that intrusions are the kind of news the media look for, and your management would probably not want any word of this to get out. After all, it does amount to a loss of credibility.

Next, consult a legal advisor and make sure all measures are taken as per the law. You may want to discuss whether or not to pursue the intrusion legally. Note here that legal liability could become an issue for you as well, if your systems are first compromised and subsequently used to attack other systems or for some other illegal activity. If you’ve decided to take legal action, then contact the relevant law-enforcement agency. In India, based on the IT Act, the Cyber Crime cell of the police force should be contacted for this.

Finally, make sure you document the entire recovery process for future reference. This is required both from the legal perspective and for updating your security policy to prevent such incidents in the future. Now let’s get down to the specifics of what you should do. Since recovering from an attack is very specific to the type of system you have, our guidelines are generic and cover steps for both Windows and Unix-based systems.

Regain control
Isolate the compromised computer by disconnecting it from the network and then regain control over it. On Unix-based systems, start up in “single user” mode so that no one else can access it during the recovery process. On Windows, log on as the local administrator. It is also highly recommended not to work on the original disk of the affected system but rather on an image of it. This may not always be possible, but it is the best way to work. Try to get an identical disk, make an image of the affected disk and work with that. Tools to make the image are easily available.

The next step is to analyze the intrusion and the extent of the damage it has caused. This involves examining system files and comparing them with the originals, reviewing logs and then running checks for the presence of Trojans, rootkits, backdoors, common vulnerabilities and exploits, etc. Although system files are the most commonly affected, also check for changes in data files. Use your backups with caution at this stage, because determining the precise time of intrusion could take a while and you don’t want to take a chance with what may lie on the backups.
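The “compare system files with the originals” step, as an added example that is not part of the original article: a baseline manifest of file hashes is taken from known-good media, a fresh manifest is taken from the (image of the) compromised system, and the two are diffed into modified, missing and added files. The directory tree, file names and contents are constructed for the demonstration.

```python
"""Baseline-and-compare file integrity check (added example, not the article's code).
The tree, names and contents below are constructed; on a real case the baseline
comes from clean install media and the scan runs against the disk image, never
with tools taken from the compromised host itself (a rootkit may have replaced them)."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256 hex digest} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # skip symlinks; their targets may lie outside the tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare(baseline, current):
    """Classify differences between the known-good manifest and the fresh one."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a constructed mini 'system' tree, baseline it, tamper with it, diff."""
    root = tempfile.mkdtemp(prefix="ir-demo-")
    for rel, data in {"bin/ls": b"original ls", "bin/ps": b"original ps",
                      "etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = hash_tree(root)  # the known-good state
    # Simulated tampering: replaced ps, deleted ls, new hidden file under etc/
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"replaced ps")
    os.remove(os.path.join(root, "bin/ls"))
    with open(os.path.join(root, "etc/.hidden"), "wb") as f:
        f.write(b"unexpected file")
    return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashes alone do not reveal what a changed file now does; each hit still has to be examined against the original, which is why the baseline must come from trusted media.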

When a machine is compromised, many things may have been changed and it is not always easy to determine which. In this case, it’s best to re-install the system afresh. As is normally recommended, determine what services this machine needs to run and disable the unnecessary ones. Next, install all patches that the vendor has provided so far, and then use some tools to check for common vulnerabilities to ensure they’ve been taken care of.

While the recovery process will teach you a few things about tightening up security, you should also review the security guidelines specific to the OS being installed. Both Windows and Unix systems have detailed guidelines and security checklists that should be followed. Apart from the OS itself, make sure that your own security policy is constantly reviewed and updated. It’s not much use having a static security policy. Install various security tools specific to your OS. Many of the tools that “crackers” use to get into your systems can be your best friend and prevent the attacks in the first place.

Finally, be paranoid. It’s the only way to survive!

Kishore Bhargava
