Breached: What to Do When Your Network is Compromised

 

In addition to consulting with a professional cybersecurity specialist, following the five steps listed below will help ensure the integrity of your network.

 

 

First, glean as much critical data about the attack quickly and thoroughly. Verify which systems sustained damage, log the IP addresses the cyberattack used and distinguish the type of cyberattack, such as a virus, unauthorized remote access or a malware page added to your website. Make use of the administrative tools through the firewalls and routers, including syslog messages and traffic logs. Use traffic flow records to classify and investigate. Your Internet Service Provider (ISP) may be able to provide critical data as well.

 

 

While your first impulse may be to take the network offline, doing so could actually cause more harm to your operations. It could also damage relationships with clients and your company’s reputation in the business world. Once you have verified which systems were affected, strategically segregate and take those applications offline. If necessary, you can take down the computers or servers those applications rely upon, and this action will quarantine the contaminated servers and systems while allowing your business to continue. 

 

In addition, your team will need to identify the specific damage sustained on individual devices. They can do this by comparing the data sets and configurations of each server and computer with the last known accurate backup for each system.

 

Because you will need to remove any offending content or malware from your systems while preserving evidence, make safe copies of the unauthorized content or illegal applications, and separate them from your systems. Check with your legal counsel prior to taking this action. Some content, such as child pornography, should not be copied and must be reported to police first. 

 

 

Depending upon the harm to your network and the type of attack, you may need to communicate with partners, customers and authorities. For instance, if the cyberattack affected your ability to comply with government mandates, your company may be required by law to hire an investigator who will advise you through the process. If partner and client data were compromised, you will need to notify them of the issue. Consult with your legal counsel and public relations specialist before issuing a press release. 

 

While you may decide against making a public announcement about the network breach, you may want to report it to your antimalware and antivirus vendors. This will allow them to update their information of security threats.

 

 

If the network breach had an impact on more than one server or computer, you will need to address them in order of priority to scrub and restore them to their unaffected states. Systems critical to your business come first. Replace the configurations, compromised data and applications with the most recent unaffected backup. Require that all the passwords used in the affected areas be changed immediately. This includes resetting the root password. Concurrently, require your employees to change all of their passwords throughout the system and ensure that no passwords are set to admin or default.

 

 

The vulnerability may be an email download, configuration error or some other type of vulnerability. Increasing your network security should include the latest advances in email scanning and security patches. In addition, update all software and systems to the latest versions and ensure that the network security settings on all software and hardware are updated.

 

As your business returns to normalcy, you will need to monitor the system for a recurrence of the breach and add additional email scanning and other security protections.