Picking Up the Pieces After a Hacker Attack
Have a plan ahead of time to ensure a quick recovery
Even with the best security in place, your company's network or web
site might still get hacked. As one security consultant noted, you're in
an arms race, and the other guys are the ones inventing the new weapons,
so it's not unlikely that you'll get hit. It's nothing to be embarrassed
about -- it even happens to professional security firms. Symantec, for
instance, was a recent victim. So was Ken Conquest, an owner of TechroDyne
Inc., a network security software firm based in Euless, Texas. Some vandal
flooded his Internet connection with so much bogus traffic (a denial-of-service
attack) that he couldn't even send an E-mail to a client. "We
couldn't do any business anyway, so I just shut down the link and hoped
the hacker would get bored when he couldn't disrupt my business anymore."
Conquest does a lot of business over the Internet, since people buy
and download TechroDyne's software product from its Web site. So, shutting
down the link for a couple of days was a serious disruption. But Conquest
knew it was too risky to leave the link open -- the hacker might have dug
up information about his business on the server. "You never know if the
hacker is just a vandal, or someone trying to seriously damage your business,
so you don't take chances," he says.
You need a plan before a hack occurs so you can minimize the damage
-- then worry about plugging the hole and perhaps catching the perpetrator.
If necessary, pull your server off the Web until you get the situation
What about catching the hacker? It's not easy, because skilled attackers
can disguise their identity and even their point of origin. But network-monitoring
software can help you spy on the spy, so that you can at least identify
an attack before it does damage, and perhaps pick up a few fingerprints.
Here's the basic checklist of what to do if you get hit:
Do not correspond by E-mail about the hack with anyone from a system that
may be compromised, and don't keep your notes about the incident on that
network at all: use the phone, or a machine the attacker never touched. Hackers
systematically check whether they've been detected, which gives them a
chance to hide their tracks or change tactics.
Have a list of phone numbers handy for your web hosting service, technical
staff, web security company, police, and the national Computer Emergency
Response Team (CERT for short, 412-268-7090 www.cert.org). The latter is
a federally funded SWAT team with roots in the defense industry that monitors
hacking incidents and provides technical assistance. Check the web site
for resources, including tips on detecting and recovering from intrusions.
Notify law enforcement. A lot of people worry about embarrassment and spin
control, but the FBI says it will keep the incident confidential unless
the case goes to trial.
Secure and preserve all evidence. That includes logs, the original files and
copies of whatever the intruder altered or defaced, along with financial
records. Make those copies before you repair or rebuild anything, and keep
them somewhere the attacker can't reach.
Identify the origin and time of the attack, if you can. Your site administrator
can do this. If you don't have an administrator, a computer-security company
or an FBI or CERT contact can walk you through the process over the
phone. Keep detailed and dated notes of what occurred.
Prepare for repeat attacks. Make sure network-monitoring software is installed
and functioning (more on that below).
Do a cost evaluation -- property, time, cost of buying new computer equipment
and hiring a private security consultant if you don't already have one.
Adjust your tech budget accordingly.
Take care of your staff. Entrepreneurs who've been through such attacks
know they can hurt morale. People will be worried that personal information
might have been disclosed, so you may need to take measures to make them
feel physically safe, such as changing locks. And everyone knows or soon
learns that insiders are prime suspects in a hack, so it's important to
reassure people and make them feel comfortable with each other again once
the source of the attack has been located. You may need to give an off-site
barbeque or other social event to promote bonding. Or just give people
some time off. One victim notes that repelling a hacker boosts the workload
tremendously, leaving everyone at a small company exhausted physically
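The "secure and preserve all evidence" step above is the one a small shop most often gets wrong: logs get copied, then edited or overwritten during the cleanup, and nobody can later prove which copy is genuine. The script below is an added example, not code from the article or from any product it mentions. It assumes the evidence files have already been copied into one directory, hashes each file with SHA-256, records size and modification time in a dated manifest, and can later re-check the directory to show that nothing changed. The file names and log contents in the demo are constructed.

```python
"""Preserve evidence from a suspected intrusion: hash every file under a
directory, record size and modification time, and write a dated manifest
that can later prove the copies were not altered.

Added example, not from the original article. Paths and file contents in
demo() are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so a large log need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, note=""):
    """Walk evidence_dir and record a hash, size and mtime for every file.
    The manifest is the dated record of what was collected and by whom."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash every file named in the manifest and return the paths whose
    contents no longer match (or that are missing). Empty list means intact."""
    bad = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def write_manifest(manifest, path):
    """Write the manifest and return its own hash. Copy that hash into your
    handwritten, dated notes so the manifest cannot be quietly edited later."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(path)


def demo():
    """Constructed evidence set: two log files copied off a hacked host."""
    d = tempfile.mkdtemp(prefix="evidence_")
    with open(os.path.join(d, "messages"), "w") as f:
        f.write("Jan 12 03:14:07 www sshd[411]: Failed password for root from 10.9.8.7\n")
    with open(os.path.join(d, "access.log"), "w") as f:
        f.write('10.9.8.7 - - [12/Jan:03:15:02] "GET /cgi-bin/test HTTP/1.0" 200\n')
    manifest = build_manifest(d, collector="site admin", note="copied before rebuild")
    write_manifest(manifest, d + ".manifest.json")  # kept outside the evidence dir
    intact_before = verify_manifest(d, manifest) == []
    # Simulate someone "tidying up" a log after collection.
    with open(os.path.join(d, "messages"), "a") as f:
        f.write("tampered\n")
    changed = verify_manifest(d, manifest)
    return intact_before, changed, len(manifest["files"])


if __name__ == "__main__":
    print(demo())
```

Run it once right after copying the evidence and write the manifest hash on paper; run verify_manifest again before handing the material to the police or a consultant, and any file it lists has been altered since collection.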
The tools include easy-to-purchase software such as network-monitoring
software and network sniffers, which capture traffic and watch for suspicious
behavior, such as someone trying 10 different passwords to access a file.
Monitors and sniffers usually come bundled when you buy a $1,000-plus
firewall; in fact, you shouldn't buy a firewall product that doesn't include
The monitoring component simply records all the traffic on your network
-- who is logging on, from what computer, what time they are on the network,
what files they access. It provides an electronic paper trail, and is
useful for much more than locating thieves and vandals. For instance, it
tells you if there's gridlock on your network, and which servers are being
overused -- that tells you the source of the gridlock. Don't worry if it
all looks like digital gibberish to you. "Even if you can't make heads
or tails out of the techno report the monitoring software gives you, a
security expert can," says Bill Hancock, a consultant to the FBI on network
security. Collectively, the records will give authorities a better chance
of finding and shutting down your attacker.
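To make the "someone trying 10 different passwords" case concrete, here is an added example, not code from the article or from any monitoring product it describes, of the detection logic such a monitor runs over login records. It scans syslog-style sshd lines (a format assumed for the demo; the sample lines are constructed, and the year is assumed because syslog omits it), flags any source that racks up a threshold of failed logins inside a sliding time window, and then flags a later successful login from that same source, which is the event that means the intruder got in. The report also gives the source address and first-seen time, which is the "origin and time of attack" the checklist asks you to identify.

```python
"""Flag password-guessing bursts in login logs.

Added example, not from the article. Log format, sample lines, threshold
and window are assumptions chosen for the demo."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source guesses passwords for root/admin, a staff
# member mistypes once, then the guessing source finally logs in as root.
SAMPLE_LOG = """\
Jan 12 03:13:58 www CRON[400]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 03:14:01 www sshd[411]: Failed password for root from 10.9.8.7 port 40122 ssh2
Jan 12 03:14:03 www sshd[412]: Failed password for root from 10.9.8.7 port 40123 ssh2
Jan 12 03:14:05 www sshd[413]: Failed password for invalid user admin from 10.9.8.7 port 40124 ssh2
Jan 12 03:14:08 www sshd[414]: Failed password for invalid user admin from 10.9.8.7 port 40125 ssh2
Jan 12 03:14:10 www sshd[415]: Failed password for root from 10.9.8.7 port 40126 ssh2
Jan 12 03:14:12 www sshd[416]: Failed password for root from 10.9.8.7 port 40127 ssh2
Jan 12 03:16:40 www sshd[420]: Failed password for jsmith from 192.168.1.5 port 51000 ssh2
Jan 12 03:16:45 www sshd[421]: Accepted password for jsmith from 192.168.1.5 port 51000 ssh2
Jan 12 03:17:30 www sshd[430]: Accepted password for root from 10.9.8.7 port 40130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)


def parse_line(line, year=2000):
    """Return a login event dict, or None for lines that are not logins.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "src": m["src"]}


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert on any source with >= threshold failures inside a sliding
    window, and on a later success from a source already flagged."""
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    users = defaultdict(set)      # src -> account names it tried
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["ok"]:
            if src in flagged:
                alerts.append({"type": "success_after_bruteforce", "src": src,
                               "user": ev["user"], "time": ev["ts"]})
            continue
        q = recent[src]
        q.append(ev["ts"])
        users[src].add(ev["user"])
        # Drop failures that have aged out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append({"type": "bruteforce", "src": src, "first_seen": q[0],
                           "failures": len(q), "users": sorted(users[src])})
    return alerts


if __name__ == "__main__":
    for a in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(a)
```

The single mistyped password from 192.168.1.5 produces nothing, while 10.9.8.7 is reported after its fifth failure in nine seconds and again when it succeeds as root three minutes later; the first alert's source and first-seen time are exactly the details the FBI or CERT will ask you for.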
As for preventive steps, Chuck Shih at Gartner Group recommends carefully
scrutinizing any ISP, Web-hosting service, or network consultant before
hiring them. "Especially if it's a Mom 'n Pop local service provider, make
sure they have firewall technology in place on every server on their own
network, secure socket layers, encryption, as well as network monitoring
software that lets them constantly observe the traffic on their network,"
he says. And don't, under any circumstances, hire a company that
doesn't specifically have a network security expert on staff. You may end
up paying a little more for an established regional or national ISP instead
of your local, "personal-service" provider, says Shih, but it's worth it.
And remember the old-fashioned, offline safeguards. "Don't take hiring
network people lightly," Shih says. "Get references and check them out
By Rivka Tadjer