In case of Intrusion...

Having a system broken into is costly and dangerous, but even these costs and dangers can be minimized if you respond to a security intrusion with good practices. By following the guidelines elsewhere in these pages, you can cut down on the chances that your system could be compromised -- but there is no way to completely secure a system, short of cutting it entirely off the network. If your system is cracked, here are some guidelines as to what to do next:


  • If CIS staff detect an intrusion into your system, you will be notified as soon as possible. Likewise, if you determine that your computer has been cracked, please notify CIS immediately. Besides providing advice on repair and recovery, CIS can minimize the damage that your compromised system could cause to your colleagues' systems and to your peers on the Internet.

  • Any computer that has been compromised needs to be isolated from the network. This is to prevent the attacker from regaining access to it, or from using it to attack other systems. CIS staff may block a cracked system from accessing the Internet or WHOInet if it poses a risk to other systems. These blocks will be removed once the system has been secured.

  • If you have coworkers, employees, or colleagues at other institutions who use your computer, these users need to be notified if it has been compromised. This may seem embarrassing or unnecessary if you believe that you can recover the system quickly -- but they need to be aware of risks to their data and work.

  • If any other systems allow trusted access to the compromised system -- for instance, writable NFS shares or rsh privileged access -- they must also be treated as potentially compromised, and inspected carefully.

  • If possible, make a full backup of the compromised system's system disks, as well as any data you will need to recover. In the (admittedly unlikely) event of a criminal investigation of the attack, backups are necessary evidence; more importantly, they can help you rebuild the system. You will need to restore data and documents from these backups once the system is rebuilt.

  • It is the considered opinion of CIS, after a great deal of experience repairing compromised systems, that the only way to fully repair a cracked system is to wipe and reinstall the operating system and applications. This includes the formatting of all attached disks. This may seem like a severe measure; however, it is necessary because attackers commonly install corrupted copies of system programs when they break in. These corrupt versions can hide attackers' activity on your system, and can contain "back doors" to let the attackers back in after the original holes have been closed.

  • When reinstalling the system, apply all vendor patches and upgrades, to keep it from being compromised anew once it is reconnected to the network. If possible, consider upgrading to newer versions of your operating system or major applications; frequently, these may be easier to secure or support. Also, it is a good idea at this time to install any security software -- antivirus products, TCP Wrappers, etc. -- which might have helped to prevent the compromise in the first place.

  • Once you have restored the system, check all data files and documents for corruption or alteration. Some attackers and worms modify documents -- especially Web pages -- to gain notoriety or to inflict further damage on their victims.

  • When the system is back to a usable and secure state, contact CIS for reconnection to the network. Besides allowing for the removal of protective blocks, this keeps everyone involved in the know as to the state of your system. CIS can also check the system over at this point to make sure that all is well with its security before it regains network access.
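
For the step above about systems that allow trusted access to the compromised machine, the following is an added example (not part of the original CIS page) of a check to run on each peer system: it lists rsh trust entries and writable NFS exports that cover the compromised host. It assumes hosts.equiv/.rhosts files and Linux exports(5) syntax; the host names and the sample tree are constructed.

```sh
# Added example: run on a peer system to list where it grants trusted access to
# a compromised host. Netgroups and patterns such as *.dept are not expanded.

# check_rsh_trust HOST FILE: entries naming HOST, or "+" (trust every host).
check_rsh_trust() {
    [ -f "$2" ] || return 0
    awk -v h="$1" -v f="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == h || $1 == "+" { printf "%s:%d: rsh trust: %s\n", f, NR, $0 }
    ' "$2"
}

# check_nfs_exports HOST FILE: exports that HOST may mount read-write.
check_nfs_exports() {
    [ -f "$2" ] || return 0
    awk -v h="$1" -v f="$2" '
        /^[ \t]*(#|$)/ { next }
        { for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) { client = substr($i, 1, p - 1); opts = substr($i, p + 1) }
            sub(/\)$/, "", opts)
            # an empty client or "*" exports to everyone, which includes HOST
            if ((client == h || client == "*" || client == "") && ("," opts ",") ~ /,rw,/)
                printf "%s:%d: writable NFS export: %s -> %s\n", f, NR, $1, $i
        } }
    ' "$2"
}

# find_trust_grants HOST [ROOT]: ROOT is "" for the live system, or a mount point.
find_trust_grants() {
    check_rsh_trust "$1" "$2/etc/hosts.equiv"
    for rh in "$2"/root/.rhosts "$2"/home/*/.rhosts; do
        check_rsh_trust "$1" "$rh"
    done
    check_nfs_exports "$1" "$2/etc/exports"
}

# Constructed sample tree; "crackedbox" and "labhost1" are made-up host names.
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/home/alice"
    printf '%s\n' '# trusted hosts' 'labhost1' 'crackedbox alice' > "$d/etc/hosts.equiv"
    printf '%s\n' '+ alice' > "$d/home/alice/.rhosts"
    printf '%s\n' '/export/data crackedbox(rw,sync) labhost1(ro)' '/export/pub *(ro)' > "$d/etc/exports"
    echo "$d"
}

find_trust_grants crackedbox "$(make_sample_root)"
```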