1. Make Sure You Have Actually Been Hacked
Not all strange system behavior is a sign of a third-party or malware intrusion. Sometimes the complex systems we operate go haywire because of changes we ourselves have made to them without being aware of the consequences.
If your website, computer or network is behaving strangely, not loading properly or showing blank displays where data or a visual interface should be visible, first think back to any recent changes you might have made that could be responsible for the difference.
In a website hosting system, for example, changing so much as a single parameter in a site's MySQL database template can take the whole website down even though all of the underlying data is perfectly safe.
2. Speak to Your Support Team
As a follow-up to step one, and as a matter of general policy, you should speak to your technical support team as soon as you notice anything strange about your system. If you're a website owner, this could be the people who manage your IT and hosting servers; if you own a business or organizational network, this could be your IT support staff.
Not only can they tell you about any changes they may have made that could have caused the failure, they can also help you investigate the wider scope of the intrusion you may be suffering.
3. Image Your Servers or Drives
Imaging software for computer hard drives, and the same sort of software for servers, should always be close at hand. In case of a breach, before proceeding with cleanup and removal of anything malicious, you should first image your drives or servers immediately, in the exact state they are in at the time of the compromise.
This preserves a large body of evidence that can later be examined with digital forensics techniques, and that evidence vitally needs to be preserved so that you can formulate a better response to future intrusions. Knowing whether you were the victim of a genuine virus, of a human intruder who has been modifying your code, or of something as simple as spyware is crucial.
4. Disconnect from the Web (if possible)
As soon as you have imaged your servers, hard drives and all data or code collections, you should immediately disconnect your servers or computers from the wider web if at all possible.
This may cause chaos and disruption for clients if you're running a business website, but as a preventative step it's vital. By keeping your machines and servers connected, you're allowing the malware or human intruders who have breached them to maintain their access, keep stealing data or cause further damage.
Unless you’re running security scans that require a web connection to work, your systems should be offline while you recover.
5. Change all Passwords
In addition to imaging all data storage media and disconnecting from external access, you should also move quickly to change all of your access passwords. They may have been the cause of your security breach, and by leaving them as they are you're inviting future attacks even after you repair and reinstall everything.
Your machine itself, your hosting server accounts, your MySQL databases and your FTP accounts should all have their passwords reset immediately, along with the passwords of any sub-accounts on them.
6. Perform Security Scans
Antivirus software, anti-malware programs and network intrusion protection software are all tools you should keep close at hand for intrusion incidents. Once the intrusion has been detected and the above steps taken, run scans that cover all the major bases: malware, spyware, intruders and scripting attacks.
7. Remove All Malicious Files and Code
With the assistance of your IT support team, your service providers and the security software you have been running, you can start methodically identifying and removing all of the malicious code you find on your network, servers or the computer itself. This can be a tedious process, and if you're not sure that you have successfully removed everything, you probably need to do a full re-install.
8. Back up Everything
Back up all of your valuable data as soon as possible after a data breach. You may already have taken full-scale images of entire servers or drives, but separate backups of key databases and data volumes are also a good idea, because they let you isolate valuable information for later analysis through digital forensics.
9. Re-install as much as Necessary
If the breach was severe, and especially if it affected a lot of data or code, you might have to perform a full-scale re-installation of all your software. On a computer, this means formatting your entire hard drive and re-installing your operating system.
On your website hosting servers, you'll almost certainly need to re-install all of your database management software and LAMP (Linux, Apache, MySQL and PHP) applications, along with any other third-party software you were running for your website.
Always re-install the newest versions of whatever software you need to replace.
10. Document Everything
Finally, document everything. Document all of the steps you took, the processes you followed, and the files you erased, re-installed and used to clean your machine. Documentation is useful for future digital forensics (if needed), it preserves a chain of evidence, and it gives you a reference for preventing future incidents.
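Steps 3 and 10 in practice, as an added example that is not part of the original article: a small POSIX shell script that images a drive with dd, records a SHA-256 hash and a chain-of-custody entry, and lets an examiner later prove the image is unchanged. The file and path names are constructed for an offline dry run; in a real incident SOURCE would be the unmounted device.

```shell
#!/bin/sh
# Forensic imaging with hash verification and a chain-of-custody log.
# Added example, not part of the original article. Assumes a Linux host
# with dd, sha256sum and awk. SOURCE may be a block device such as
# /dev/sdb (unmounted) or, for an offline dry run, any regular file.

# image_and_verify SOURCE IMAGE LOGFILE
# Copies SOURCE bit-for-bit to IMAGE, hashes both, appends one log entry
# and returns 0 only when the two hashes agree.
image_and_verify() {
    src="$1"; img="$2"; log="$3"
    # Hash the source first so the record predates any later change to it.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # conv=noerror keeps going past unreadable sectors on a failing disk;
    # a hash mismatch below then tells you the image is incomplete.
    dd if="$src" of="$img" bs=1048576 conv=noerror 2>/dev/null
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ]; then result=VERIFIED; else result=MISMATCH; fi
    # Tab-separated fields: time, host, operator, source, image, hash, result.
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "${USER:-unknown}" \
        "$src" "$img" "$img_hash" "$result" >> "$log"
    [ "$result" = VERIFIED ]
}

# verify_image IMAGE LOGFILE
# Re-hashes IMAGE and compares it with the hash recorded at imaging time,
# so whoever examines the evidence later can show it is unchanged.
verify_image() {
    img="$1"; log="$2"
    recorded=$(awk -F'\t' -v i="$img" \
        '$5 == i && $7 == "VERIFIED" { h = $6 } END { print h }' "$log")
    [ -n "$recorded" ] || return 1
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Offline demonstration on a constructed "disk" (a small file, not a device).
demo_dir=$(mktemp -d)
printf 'constructed sample disk contents\n' > "$demo_dir/sample.disk"
if image_and_verify "$demo_dir/sample.disk" "$demo_dir/sample.dd" "$demo_dir/custody.log"; then
    echo "image verified; custody log entry:"
    cat "$demo_dir/custody.log"
fi
```

Run it as root against the real device path and keep the custody log with the image; any later change to the image, even a single appended byte, makes verify_image fail.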
About the guest author: Stephan Jukic is a freelance writer who covers a variety of subjects relating to the latest changes in whitehat SEO, mobile technology, marketing tech and digital security. He also loves to read and write about location-free business, portable business management and finance. Connect with Stephan on LinkedIn.