
Friday, 5 August 2016

Member Blog: What you actually need to do if you're hacked

By Farooq Shah, Territory Account Manager at F-Secure UK & Ireland

Employees, even well-informed security conscious individuals, are often unprepared to deal with security issues. It can even be difficult to know whether they’re compromised, or just experiencing some kind of IT problem. And according to Janne Kauhanen, an expert with F-Secure’s Cyber Security Services, it’s pretty common for people to panic and stress out when they think they’ve been hacked. They can even make problems worse by not dealing with the situation correctly.

So before people freak out and throw their computer out the window or something, they should consider following this plan. Calmly taking these steps to begin limiting the damage and figure out what’s happened will save companies time, money, and headaches.

1. DON’T turn off the computer or device:
One common mistake many people make, after panicking, is to turn off the device. After all, a compromised device can’t do any real damage without power. But this actually helps attackers. Turning off the power wipes out anything held in the device’s random access memory (RAM), which can be valuable to investigators. “Turning off the computer is like destroying evidence – evidence that can help uncover who the attackers are and what they’ve done,” says Janne. You should also plug in battery-powered devices so the battery doesn’t die before investigators have a chance to look at them.

2. TURN OFF your device’s network connections: 
“Physically, if possible,” stresses Janne. While turning off the computer is something that will benefit your adversaries, leaving it connected isn’t really an option. “Your device might be pwned, but at this point, you shouldn’t assume that the attacker has had the opportunity to move laterally through your network. So shutting down network connections will prevent the attacker from using your device to infiltrate deeper into the network.” Here are a few connections many people use at work:
Wi-Fi
Bluetooth
NFC
Mobile Data Network (remove the SIM card)

3. Stop touching the computer: 
If you’ve followed the first three steps, you’ve accomplished quite a bit. You’ve successfully cut off the attackers from using your device to move through your company’s network. And you’ve done this without destroying evidence that others (such as your company’s CISO or a professional forensic investigator) can use to trace the attack and find out how and when the breach occurred, what the attacker has done, and with any luck, who they are. 

4. Write down what’s happened:
Try to include as much detail as you can recall. Write down what tipped you off that there was a problem, what you were doing when you noticed the issue, what you’ve done since discovering the problem, any mysterious emails or other interactions you might have had recently, whether you’ve used any removable storage devices or other peripherals with your computer, and so on. “Dates and times of events are particularly important,” says Janne. “Devices contain lots of potential evidence, but keeping track of what happened when will help narrow the scope so everyone can work faster.”

5. Call for help: 
“Now’s the part where you need to get some help,” says Janne. Who to contact will be a bit different for every company. But no matter what, you need to bring this to the attention of more people, whether that be a CISO or an external security consultant.
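The notes step 4 asks for are most useful to investigators when every entry carries a timestamp and cannot be quietly altered afterwards. As an added example (not code from the original post or from F-Secure), here is a small append-only timeline in which each entry is hashed together with the one before it, so a later edit or reordering is detectable; the sample entries are constructed.

```python
"""Append-only, hash-chained first-responder timeline (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _entry_hash(prev_hash, entry):
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_note(log, kind, text, when=None):
    """Record one observation or action with a UTC timestamp.

    kind: "observation" (what tipped you off, odd emails, USB use ...)
          or "action" (what you did since: unplugged Ethernet, etc.).
    when: optional ISO-8601 time if the event happened before you wrote it down.
    """
    recorded = datetime.now(timezone.utc).isoformat(timespec="seconds")
    entry = {
        "seq": len(log),
        "recorded_at": recorded,
        "event_time": when or recorded,
        "kind": kind,
        "text": text,
    }
    prev = log[-1]["hash"] if log else GENESIS
    entry["hash"] = _entry_hash(prev, entry)  # hash covers all fields above
    log.append(entry)
    return entry


def verify_chain(log):
    """Return True only if no entry was edited, removed or reordered."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or _entry_hash(prev, body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    timeline = []  # constructed sample notes
    append_note(timeline, "observation", "Unfamiliar window opened on its own",
                when="2016-08-05T09:12:00+00:00")
    append_note(timeline, "action", "Unplugged Ethernet; device left powered on")
    print(json.dumps(timeline, indent=2), "\nchain ok:", verify_chain(timeline))
```

Hand the resulting file to whoever takes over the investigation together with your written notes; the chain lets them show the record was not changed after the fact.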
