Incident Response Updated 03/20/2015

Topics Definition of Terms Purpose Incident Response Flow Chart Tips to mitigate future incidents

Definition of Terms Incident Security Incident Incident Response A security breach or attack Security Incident A change in the everyday operations of your network, service, or website, indicating that a security policy may have been violated or a security safeguard may have failed Incident Response An organized approach to addressing and managing the aftermath of a security breach or attack

Purpose Provide systematic methods that website administrators should follow when responding to a security incident The incident response that will be outlined here may be interchangeable depending on the process that will work best for your agency and the nature of the attack that you will face.

Incident Response Flow Chart

Incident Response Flow Chart

Incident Response Flow Chart Upon confirmation, communicate the breach to other people who are part of your incident response team and your hosting provider to make them aware of the situation Gain an idea of the nature of the attack. Identify the type and severity Determine the intent of the attack

Incident Response Flow Chart Common signs that your website has been compromised Your website has been defaced Your website redirects to another site Your browser may indicate that your site may be compromised Your web logs has unexplained big spikes in network traffic

Incident Response Flow Chart Upon confirmation, communicate the breach to other people who are part of your incident response team and your hosting provider to make them aware of the situation Gain an idea of the nature of the attack. Identify the type and severity Determine the intent of the attack

Incident Response Flow Chart

Incident Response Flow Chart Begin containing the damage and minimizing the risk Record your actions thoroughly as this may be used for documenting the incident Compare the cost of taking the compromised site offline against the risk of continuing operations or keeping systems online with limited connectivity

Incident Response Flow Chart Require an immediate change of password for all site users and accounts – CMS, DBS, FTPs, hosting control panel Identify compromised data Review and examine logs Check for permission changes or elevated user permissions Check for new accounts, new URLs, new pages, new files and directories Check databases for suspicious content and values

Incident Response Flow Chart Identify compromised data Look for unauthorized process or applications that are currently running Compare your site to a clean backup copy Use version control, if available

Incident Response Flow Chart Depends on the extent of the security breach Restore existing system? Completely rebuild it?

Incident Response Flow Chart Recovery steps for sites that have clean and updated backup Restore clean backups Install any software/system upgrades, updates, or patches Asses installed applications and consider deleting those not in use Change the passwords one more time for all accounts Implement measures to prevent future access then bring your site back online Monitor for any signs of recurrence

Incident Response Flow Chart Recovery steps for sites that have clean but outdated backup Make a complete backup of your site, as reference. Mark it as “infected” Restore the clean backup Assess installed applications and consider deleting those that are not in use Upgrade all applications Identify the files that you'd like to copy from the infected copy and remove all traces of malicious code identified

Incident Response Flow Chart Recovery steps for sites that have clean but outdated backup Upload the clean content to your clean copy Verify that file permissions are appropriate Change the passwords one more time for all accounts Implement measures to prevent future access Bring your site back online Monitor for nay signs of weakness or recurrence

Incident Response Flow Chart Recovery steps for sites that have no backup available Make two full backups of your site. Mark each backup as “infected” Clean the site's content on one of the backups by removing all traces of the incident Verify that all file permissions are appropriate Clean up hacker-modified records in your databases. Perform a sanity check to make sure it looks clean

Incident Response Flow Chart Recovery steps for sites that have no backup available Correct vulnerabilities that have been found in your applications Change the passwords one more time. At this point, one infected backup copy should only contain clean data Assess installed applications and consider deleting those not in use Upgrade all applications Implement measures to prevent future access Monitor for signs of recurrence

Incident Response Flow Chart Analyze the incident and how and why it took place Assess the damage and make recommendations for better future response for preventing a recurrence of the attack

Incident Response Flow Chart Consider whether you need to notify and report the incident to other staff

Tips to mitigate future incidents

Tips to mitigate future incidents Enforce the use of strong passwords to all users who have access to your site Passwords should be unique and should not be reused throughout the web Routinely check that all systems are up to date and have the latest patches installed Understand the security practices of all applications before you install them on your site A security vulnerability in one application can compromise the safety or your entire site

Tips to mitigate future incidents Make regular, automated backups of your site Be aware of where backups are maintained, who can access them, and procedures for data restoration and system recovery Maintain also an offline copy of your backup Keep all devices that you use to log in to your site secure. Keep your operating system and web browsers up to date Routinely monitor and analyze site traffic and activity logs

End