DePaul Information Services



What to Do If You Have Been Hacked

What is Incident Response?

Incident response is the process in which skilled computer security analysts respond to an incident involving computer technologies or data. These incidents may range from misuse of computer systems, threats and harassment, and technical attacks to modification or theft of proprietary data.

Computer emergency response is serious: the compromise of one host on a network may allow an attacker to elevate their privileges and gain access to critical infrastructure resources on the network. While an attack against a workstation may seem trivial, it may allow an attacker to intercept communications, including passwords and confidential data. A compromise of a system can also lead to the attacker launching attacks against external organizations. This means that DePaul, and you, might be liable or financially responsible for the actions of others.

Determining a Compromise

It is very difficult for even skilled experts to determine if a compromise has taken place. Computer systems and applications have grown extremely complex, and audit information can sometimes overwhelm even the most discriminating analyst. If you have reason to believe you may have been hacked, seek immediate assistance.

Be Positive!

Sooner or later, everyone connected to the Internet is involved in a computer or information security breach. We advise you to relax and not let the initial details of the incident leave you feeling guilty. There are many applications that are installed by default without using basic built-in security mechanisms. During the investigation, give the incident response team whatever information you can. Also, know that the incident responders may interview you to gather more information about the security breach. These interviews are merely meant to correlate your actions with the security breach and verify what actions have taken place on a system.

How to Respond

A computer or application that has been compromised is comparable to a crime scene: the more actions performed at the scene after the incident, the less likely it is that information can be gathered successfully from it. Just as stray fingerprints contaminate the chain of evidence in theft investigations, even the most innocent keystrokes and mouse movements contaminate a computer crime scene investigation.

If you feel that you are a victim of a security breach, immediately cease access to the system. Contact your system administrator and CSRT to report the incident. We will open a trouble ticket and, depending on the scope of the issue, provide the necessary guidance until a member of our incident response team can visit you. While you wait for more information, it is wise to answer the following questions.
  1. How did this incident come to your attention?
  2. Does anyone else use the computer(s) involved in the security breach? If so, who?
  3. Is this computer connected by an "always on" network connection such as Ethernet, a cable modem, etc.?
  4. Is there any sensitive or proprietary data on this machine that may require immediate action to prevent further risk?
  5. Have I opened any suspicious emails or downloaded any suspicious programs that may have led to this incident?
  6. When was the last time my virus scanning software was updated? When was the last time I patched my operating system and applications?
Write down any further information you may have regarding the incident, and sign and date each page. This may be used for evidence if prosecution is required! All information is good information when assisting during a security breach.

Reporting Incidents

To report a computer or information security incident, contact CSRT. Employ encryption software, where possible, when reporting via electronic mail.

Feel Free to Contact Us

If you have questions regarding computer or network security, feel free to contact us with those questions. We will help in any way possible. Also, sign up for our computer and network security vulnerability alerting service; for more information, visit our Security Bulletins Website.





© 2001-2007 | DePaul University
1 E. Jackson Chicago IL 60604 | 312-362-8000