Difference between revisions of "I've Been Hacked-What Now"

From OWASP
Jump to: navigation, search
(Identification)
Line 8: Line 8:
  
 
==Identification==
 
==Identification==
 +
 +
Basic principles:
 +
 +
* Incident identification/notification may occur from a number of information sources (events):
 +
** Staff reporting unusual activity
 +
** Staff, clients or public reporting a problem
 +
** Technical teams/support discovering evidence of an incident on systems.
 +
** Alerts from IDS, security monitoring systems or anti-virus software, Firewalls or WAFS.
 +
 +
* Roles:
 +
** A Security incident owner must be assigned.
 +
** A point of contact must be available to respond to incidents at all times.
 +
** A security incident owner must track the security incident to remediation and resolution.
 +
 +
 +
* Examples of an incident:
 +
** Virus/malware infection
 +
** Unauthorised system changes
 +
** Unauthorised application/web site changes
 +
** Unauthorised disclosure of client information or information leakage
 +
** Theft or loss of company information/assets
 +
 +
* Examples of an event:
 +
** Reports from intrusion detection system/WAF/Firewall or log scraping system
 +
** Reports from vulnerability scanning/traffic monitoring/perfromance monitoring
  
 
==Assessment==
 
==Assessment==

Revision as of 05:38, 21 November 2008

Contents

My server has been hacked...what do I do now?

This page will offer suggestions and resources for identifying and eliminating threats to your web servers/applications after a suspected attack.

Anyone interested in contributing is welcome.

Here are the current section ideas contributed by marcin

Identification

Basic principles:

  • Incident identification/notification may occur from a number of information sources (events):
    • Staff reporting unusual activity
    • Staff, clients or public reporting a problem
    • Technical teams/support discovering evidence of an incident on systems.
    • Alerts from IDS, security monitoring systems or anti-virus software, Firewalls or WAFS.
  • Roles:
    • A Security incident owner must be assigned.
    • A point of contact must be available to respond to incidents at all times.
    • A security incident owner must track the security incident to remediation and resolution.


  • Examples of an incident:
    • Virus/malware infection
    • Unauthorised system changes
    • Unauthorised application/web site changes
    • Unauthorised disclosure of client information or information leakage
    • Theft or loss of company information/assets
  • Examples of an event:
    • Reports from intrusion detection system/WAF/Firewall or log scraping system
    • Reports from vulnerability scanning/traffic monitoring/perfromance monitoring

Assessment

Containment

Evidence Collection

Forensic Analysis

Investigation

Incident Follow-up