In case of Intrusion...
Having a system broken into is costly and dangerous, but even
these costs and dangers can be minimized if you respond to a security
intrusion with good practices. By following the guidelines elsewhere
in these pages, you can cut down on the chances that your system
could be compromised -- but there is no way to completely
secure a system, short of cutting it entirely off the network.
If your system is cracked, here are some guidelines as to what
to do next:

If CIS staff detect an intrusion into your system, you will
be notified as soon as possible. Likewise, if you determine
that your computer has been cracked, please notify CIS
immediately. Besides advising you on repair and recovery,
CIS can minimize the damage that your compromised system
could cause to your colleagues' systems and to your peers
on the Internet.

Any computer that has been compromised needs to be isolated
from the network. This is to prevent the attacker from
regaining access to it, or from using it to attack other systems.
CIS staff may block a cracked system from accessing the Internet
or WHOInet if it poses a risk to other systems. These blocks
will be removed once the system has been secured.

If you have coworkers, employees, or colleagues at other
institutions who use your computer, these users need to
be notified if it has been compromised. This may seem
embarrassing or unnecessary if you believe that you can recover
the system quickly -- but they need to be aware of risks to
their data and work.

If any other systems allow trusted access to the compromised
system -- for instance, writable NFS shares or rsh
privileged access -- they must also be treated as potentially
compromised, and inspected carefully, since the attacker may
have used that trust to reach them.

If possible, make a full backup of the compromised
system's system disks, as well as any data you will need to
recover. In the (admittedly unlikely) event of a criminal
investigation of the attack, backups are necessary evidence;
more importantly, they can help you rebuild the system. You
will need to restore data and documents from these backups
once the system is rebuilt.

It is the considered opinion of CIS, after a great deal of
experience repairing compromised systems, that the only way
to fully repair a cracked system is to wipe and reinstall
the operating system and applications. This includes
reformatting all attached disks. This may seem like a severe
measure; however, it is necessary because attackers commonly
install modified copies of system programs when they break
in. These modified versions can hide the attackers' activity on
your system, and can contain "back doors" to let the attackers
back in after the original holes have been closed.

When reinstalling the system, apply all vendor patches
and upgrades, to keep it from being compromised anew once
it is reconnected to the network. If possible, consider upgrading
to newer versions of your operating system or major applications;
frequently, these may be easier to secure or support. Also,
it is a good idea at this time to install any security software
-- antivirus products, TCP Wrappers, etc. -- which might have
helped to prevent the compromise in the first place.

Once you have restored the system, check all data files
and documents for corruption or alteration before putting
them back into use. Some attackers and worms modify documents
-- especially Web pages -- to gain notoriety or to inflict
further damage on their victims.

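One way to carry out that check, as an added example that is not part of the CIS page: a Python script that hashes the files in a trusted pre-compromise backup tree and in the restored tree, then reports what changed, appeared, or went missing. The directory names and file contents below are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large data files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose content changed, that appeared, or that disappeared."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def check_restore(backup_root: Path, restored_root: Path) -> dict:
    """Hash the trusted backup tree and the restored tree, then diff them."""
    return compare(build_manifest(backup_root), build_manifest(restored_root))


def demo() -> dict:
    """Constructed sample: a backup tree and a restored tree with a defaced page."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, restored = Path(tmp, "backup"), Path(tmp, "restored")
        for root in (backup, restored):
            (root / "www").mkdir(parents=True)
            (root / "notes.txt").write_text("cruise plan, unchanged\n")
        (backup / "www" / "index.html").write_text("<h1>Welcome</h1>\n")
        (backup / "www" / "about.html").write_text("<p>About us</p>\n")
        (restored / "www" / "index.html").write_text("<h1>defaced</h1>\n")
        (restored / "www" / "upload.cgi").write_text("# not in the backup\n")
        return check_restore(backup, restored)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or 'none'}")
```

Anything listed as modified or added deserves a look before the restored copy goes back into service; a file that is only in the backup may simply have been deleted, but it is worth confirming.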
When the system is back to a usable and secure state, contact
CIS for reconnection to the network. Besides allowing
for the removal of protective blocks, this keeps everyone
involved informed of the state of your system. CIS can
also check the system over at this point to make sure that
all is well with its security before it regains network access.