Determining a Compromise
It is very difficult for even skilled experts to determine if a compromise has taken place. Computer systems and applications have grown extremely complex, and audit information can sometimes overwhelm even the most discriminating analyst. If you have reason to believe you may have been hacked, seek immediate assistance.
How to Respond
A computer or application that has been compromised should be treated as a crime scene: the more actions performed on the system after the incident, the less likely it is that information can be gathered successfully from it. Just as stray fingerprints contaminate the chain of evidence in a theft investigation, even the most innocent keystrokes and mouse movements contaminate a computer crime scene investigation.
If you feel that you are the victim of a security breach, immediately cease access to the system. Contact Information Security to report the incident. We will open a trouble ticket and, depending on the scope of the issue, provide the necessary guidance until a member of our incident response team can visit you. While you wait for more information, it is wise to answer the following questions.
- How did this incident come to your attention?
- Does anyone else use the computer(s) involved in the security breach? If so, who?
- Is this computer connected by an "always on" network connection such as Ethernet, cable modem, etc.?
- Is there any sensitive or proprietary data on this machine that may require immediate action to prevent further risk?
- Have I opened any suspicious emails or downloaded any suspicious programs that may have led to this incident?
- When was the last time my virus scanning software was updated? When was the last time I patched my operating system and applications?
Write down any further information you may have regarding the incident, and sign and date each page. This may be used as evidence if prosecution is required! All information is good information when assisting during a security breach.
To report a computer or information security incident, contact Information Security. Employ encryption software, where possible, when reporting via electronic mail.