Anatomy of a hack attack

• Tags:
• Passwords,
• Hacker,
• Credit Card,
• Chief Executive

Sally Whittle ZDNet.co.uk

Published: 07 Jan 2008 16:39 GMT

• 
• 
• 
• 
• 

...decides to simply install a new server in place of the affected machine. "Sometimes that's the best decision to make, because you'll spend weeks sorting out the infected machine and you'll never be sure you've got everything," said Chess.

Monday, 10pm
The next task is to update all the organisation's security patches and run a complete check for malware, viruses or other attack scripts. The firewall and intrusion-detection system are updated, and a team of forensic computing experts arrive from a specialist consultancy to begin checking the logs and audits to see if any other systems have been altered or accessed. This team will be able to spot modifications or potential attack scripts far more easily than a general IT specialist.

Tuesday, 8am
After overnight testing and a comprehensive patch update, the web server goes back online, along with the new database server. Although there seem to be no problems, the systems and all logs are closely monitored for any sign of attack or irregular behaviour. The team are also closely monitoring the internet for any sign that the credit-card numbers accessed have been posted online, or offered for sale.

As an added precaution, all payment facilities are unavailable during the following 24 hours, until the team is certain the new servers are functioning properly and are fully secure.

Tuesday, 8.30am
Once the systems are back online, proceedings in the aftermath of the attack begin. First, the chief information officer meets with the chief executive and other senior government officials to discuss what information was taken, who needs to be notified of the attack and how the organisation might be affected. "This is the point in time where non-IT executives should be actively involved," said Chess. "It's not necessary to wait until the clean-up is finished, but you need to be certain that you have information to give them on these vital questions."

In this case, since the information accessed includes payment records (including credit-card numbers), it is decided that the agency should issue a public statement explaining what information has been accessed and what the potential consequences of this might be. Consumers are instructed that they will be issued with new user IDs and passwords for the website, and banks will cancel and reissue credit cards for consumers affected by the breach.

This seems like a lot of hassle, but security experts argue it's better than trying to bury the bad news. "Telling people the bad news is tricky but, if you want to retain their trust, it makes good sense," said Nazario. "It also makes sense because, if people are aware of the danger, it limits the scope of the damage, by putting them on their guard."

And finally...
Once these initial response steps are completed, the experts said anyone recovering from a hacking attack should:

• Review the attack with relevant IT staff: what happened; how can we be sure it won't happen again?
• Ask what vulnerability was exploited and what others might exist that are unknown
• Audit the IT security systems to see whether you need new firewall/intrusion-detection/antivirus technologies, or whether an application layer security device would prove worthwhile
• Ensure that your policies and procedures are kept updated, and incorporate any lessons learned from this attack into a policy for future incidents

Go to section: You've been compromised! The hacker's next steps The clean-up begins How to deal with the aftermath

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit