I was reading an article recently on securityweek.com that listed some steps that should be taken from the viewpoint of a systems administrator. Considering how many people in the class wish to pursue that particular career, I decided to write about it. The first step, which could very well be the most important, is to make a call to IT and tell them “Do not shut down the system.” I know that the first thing to come to someone's mind would usually be to shut it all down to stop the attack; however, if you do that then there is no way that you can trace the hacker or find out what it was that they were trying to steal from the company you work for. So I know it may be tempting, but do not disconnect.
The next step is to gather as much information as possible about the attack and the hacker. You should find out things from all the departments and examine all possibilities. Some of the questions you should be asking yourself while gathering this information include: How large is the problem? Is it one computer, the entire network, or somewhere in between? Has IT noted any peculiar employee behavior? Are any logs suggesting suspicious behavior? Have any employees been dismissed recently? What was hacked? What was not hacked? Does it appear that the data was not touched, or was the data stolen but left intact to look like it was not breached? Is the breach still open? Is it spreading, and from where?
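As an added example that is not part of the original post, here is a small Python triage helper that works through the scoping questions above (how large is it, is it spreading, from where) over a constructed sshd-style log. The log layout, hostnames, addresses and the failure threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data): "<time> <host> sshd: <Failed|Accepted> <method> for <user> from <ip>"
SAMPLE_LOG = """\
2024-03-01T02:10:01 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:03 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:05 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:09 web01 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T02:31:44 db01 sshd: Accepted password for admin from 10.0.0.15
2024-03-01T02:32:10 db01 sshd: Accepted publickey for backup from 10.0.0.20
2024-03-01T03:05:00 hr02 sshd: Failed password for svc_hr from 203.0.113.7
2024-03-01T03:05:02 hr02 sshd: Accepted password for svc_hr from 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)$")
FAIL_THRESHOLD = 3  # assumed: this many failures before a success is suspicious


def scope_incident(log_text, known_bad_sources=()):
    """Map each affected host to when it was first compromised and by which
    source addresses. A host is affected if a login succeeds after repeated
    failures from the same source, or comes from a source already tied to
    the incident (which is how spread to other hosts shows up)."""
    failures = defaultdict(int)        # (host, ip) -> failed logins so far
    bad_sources = set(known_bad_sources)
    affected = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip lines that are not sshd auth events
        ts, host, outcome, _user, ip = m.groups()
        if outcome == "Failed":
            failures[(host, ip)] += 1
            continue
        if failures[(host, ip)] >= FAIL_THRESHOLD or ip in bad_sources:
            bad_sources.add(ip)
            entry = affected.setdefault(host, {"first_seen": ts, "sources": set()})
            entry["sources"].add(ip)
        failures[(host, ip)] = 0       # a success ends the current failure run
    return affected


def scope_report(affected):
    """One line per affected host, oldest first, for the incident write-up."""
    rows = sorted(affected.items(), key=lambda kv: kv[1]["first_seen"])
    return [f"{h} first seen {v['first_seen']} from {', '.join(sorted(v['sources']))}"
            for h, v in rows]
```

On the sample data web01 is flagged by the brute-force-then-success pattern and hr02 by the same source reappearing, while db01 stays out of scope unless one of its sources is already known bad.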
The next step would be to call in some extra help. The best person to get hold of would be the closest “white hat” that you can find. These guys know all the things, and probably more than whoever broke into your network. It is their job, 24 hours a day, to know the latest and to be experts in cutting-edge technology. They will be able to help you find anything that you may have missed.
The final step you should take is to think about what your response should be in terms of reporting what happened to the company. You should think long and hard, depending on the seriousness of the situation, about whether or not to let your customers know what happened. If the attack was very serious and important information was compromised, like credit cards, the company should probably report it to the customers and try to ease their minds. Nothing wreaks havoc on the mind like knowing your credit card number is “out there” somewhere and in the hands of a shady character. One way you could help ease the person's mind is by giving them a phone number to call that can help rebuild their credit and flag unauthorized use of their credit cards. A reputation founded on how customers are treated will help soften the blow that may come to the company's established standing.