Incident Response Plan

Last modified by Jo Anna Martinez on 2016/01/20 09:57

Version 1.1, updated September 16, 2013.

Purpose of this Document

This guide is meant to provide systematic methods that website administrators may follow when responding to a security incident.

Note: The incident response steps outlined here may be adapted depending on the process that works best for your agency and the nature of the attack you face.


Definition of Terms

Security Incident

A security incident or event is a change in the everyday operations of your network, service, or website, indicating that a security policy may have been violated or a security safeguard may have failed.

Incident Response

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack.

Incident

A security breach or attack is also known as an incident.


Initial Response

The initial response is to determine whether you are dealing with an actual incident. Listed below are common signs that your website has been compromised:

  • Your website has been defaced.
  • Your website redirects to another site.
  • Your browser warns that your site may be compromised.
  • Your web logs show unexplained large spikes in traffic.

Once you confirm that your site has been compromised, communicate the breach to the other members of your incident response team and to your hosting provider to make them aware of the situation. If your provider was also compromised, this may help them understand the scope of the attack.

Get a sense of the nature of the attack: identify its type and severity and determine its intent.

If you don’t have the technical expertise to handle the incident, call in your web developer or your hosting provider. Ideally, they should be familiar with your site and its configuration. Ask for a comprehensive report after they have dealt with the incident and make sure that you have changed all passwords for all accounts on your site.


Containment

Begin containing the damage and minimizing the risk. You should record your actions thoroughly as this may be used for documenting the incident.

Compare the cost of taking the compromised site offline against the risk of continuing operations. In the vast majority of cases, you should immediately take your site offline. You may point your website’s DNS entries to a static page that returns a 503 HTTP response code. By taking your compromised site offline, you can complete administrative tasks with less interference from the hacker, and malicious code won’t be exposed to your site’s visitors.

If there are systems that are required to be available even with the possibility of further damage occurring, you can choose to keep them online with limited connectivity in order to gather additional evidence during an ongoing attack.

Scan your local computer for viruses and malware. The attack may have originated from malicious software installed on your computer.


Eradication

Require an immediate change of password for all site users and accounts. This includes logins for content management systems, databases, FTP, and the hosting control panel.

Identify the compromised data by:

  • Reviewing your logs for signs of intrusion: which files or applications have been affected, the methods of attack, the time and length of the attack, and the overall extent of potential damage. Look for anything that appears out of the ordinary. Bear in mind, however, that the intruder might have modified the logs, which then become unreliable as a source of information.
  • Examining other log files for unusual activity such as failed or repeated login attempts, attempts to log on to default accounts, and activity during non-working hours.
  • Checking for permission changes or elevated user permissions on your files and directories.
  • Checking for new accounts, new URLs, new pages, and new files and directories.
  • Checking your database for suspicious content and values, such as otherwise regular text fields that now contain iframes or scripts.
  • Looking for unauthorized processes or applications that are currently running.
  • Comparing your site to a clean backup copy or a previous version. This will enable you to identify additions, deletions, and modifications to your file system.
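Two of the checks above, comparing the current site against a clean backup and scanning plain-text database fields for injected iframes or scripts, can be scripted. The example below is added here and is not part of the plan; the file trees and database rows are constructed sample data standing in for a real site.

```python
import hashlib
import re

# Constructed sample data (not from the plan): path -> contents for the clean backup
# and for the current, suspected-compromised site. In real use you would walk the
# two directory trees on disk and read each file instead.
CLEAN_BACKUP = {
    "index.php": b"<?php include 'header.php'; ?>\n",
    "header.php": b"<html><head><title>Agency</title></head>\n",
    "css/style.css": b"body { margin: 0; }\n",
}
CURRENT_SITE = {
    "index.php": b"<?php include 'header.php'; ?>\n",
    "header.php": b"<html><head><title>Agency</title></head>\n"
                  b"<script src=\"http://example.invalid/x.js\"></script>\n",
    "uploads/unknown.php": b"<?php // file that is not in the backup\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_trees(clean: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified by comparing content hashes."""
    added = sorted(p for p in current if p not in clean)
    removed = sorted(p for p in clean if p not in current)
    modified = sorted(p for p in clean
                      if p in current and sha256(clean[p]) != sha256(current[p]))
    return {"added": added, "removed": removed, "modified": modified}

# Constructed sample rows (id, text) from a column that should hold plain text only.
DB_ROWS = [
    (1, "Welcome to our agency website."),
    (2, "Office hours: 8am to 5pm <iframe src=\"http://example.invalid/\"></iframe>"),
    (3, "Contact us at the front desk."),
    (4, "Latest news <script src=\"http://example.invalid/x.js\"></script>"),
]
# Matches an opening iframe or script tag, case-insensitively, even with odd spacing.
INJECTED_TAG = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)

def find_injected_rows(rows) -> list:
    """Return ids of rows whose plain-text field now carries an iframe or script tag."""
    return [row_id for row_id, text in rows if INJECTED_TAG.search(text)]

if __name__ == "__main__":
    for kind, paths in diff_trees(CLEAN_BACKUP, CURRENT_SITE).items():
        print(f"{kind}: {paths}")
    print("rows to inspect:", find_injected_rows(DB_ROWS))
```

Every path reported as added or modified, and every row id returned, is a candidate for the manual review the list above describes; a match is a lead, not proof of compromise.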

Assess the identified threats and their purpose to better understand what you are facing. Thoroughly search for remaining vulnerabilities: the attacker may have left several ways to get back into your site.

If you have version control, you can quickly identify what has changed and roll back to a previous version of your site.


Recovery

How you recover your system will generally depend on the extent of the security breach. You will need to determine whether you can restore the existing system while leaving it intact as much as possible, or if it is necessary to completely rebuild it. If confidential user information has been obtained from your site, you may want to consider any legal responsibilities before cleaning your site or deleting your files.

For sites that have a clean and up-to-date backup

  • Restore clean backups. These are backups that have been made prior to the incident.
  • Install any software/system upgrades, updates, or patches available. Ensure that all your systems have the latest versions installed. This may include your content management system, applications, platforms, plug-ins, and templates.
  • Assess installed applications and plug-ins and consider deleting those that are no longer in use.
  • Make sure that all vulnerabilities are found and removed.
  • Change the passwords one more time for all accounts used on your site.
  • Implement measures to prevent future access then bring your site back online.
  • Monitor your site for any signs of weakness or recurrence of an attack.

For sites that have a clean but outdated backup

  • Check that the backup was created before your site was hacked.
  • Make a disk image of your current site even though it’s still infected. This copy is just for safety. Mark the copy as infected to distinguish it from other files.
  • Make a complete backup copy of your site, including text files, media files, and databases.
  • Restore the clean backup.
  • Assess installed applications and plug-ins and consider deleting those that are no longer in use.
  • Upgrade all applications such as content management system, platforms, plug-ins, and templates. Be sure to check and install available security updates and patches.
  • Check for vulnerabilities.
  • Identify the files that you’d like to copy from the infected copy of your site. Remove all traces of malicious code identified. Upload the clean content to your clean copy.
  • Verify that your file permissions are appropriate.
  • Change the passwords one more time for all accounts used on your site.
  • Implement measures to prevent future access then bring your site back online.
  • Monitor your site for any signs of weakness or recurrence of an attack.

For sites that have no backup available

  • Make two full backups of your site even though it is still infected. Having an extra backup will help recover accidentally deleted content or allow you to revert and try again if something goes wrong. Mark each backup as infected.
  • Clean the site’s content on the new backup by removing the root cause of the incident and all traces of malicious code previously identified.
  • Verify that your file permissions are appropriate.
  • Clean up hacker-modified records in your databases. Before you consider the cleanup done, perform a sanity check on your records to make sure they look clean.
  • Verify that all compromised files and data are cleaned.
  • Correct vulnerabilities that have been found in applications and plug-ins.
  • Change the passwords one more time for all accounts used on your site. At this point, your infected backup copy should contain only clean data.
  • Assess installed applications and plug-ins and consider deleting those that are no longer in use.
  • Upgrade all applications such as content management system, platforms, plug-ins, and templates. Be sure to check and install available security updates and patches.
  • Implement measures to prevent future access then bring your site back online.
  • Monitor your site for any signs of weakness or recurrence of an attack.

Post-mortem Analysis

Analyze the incident and how and why it took place.

Assess the damage and make recommendations for a better future response and for preventing a recurrence of the attack.


Incident Reporting

Document and catalog the incident. Consider whether you need to notify and report the incident to other staff.

Tips to mitigate future incidents

  • Enforce the use of strong passwords for all users who have access to your site. Strong passwords combine letters, numbers, and punctuation. Passwords should be unique and should not be reused across the web.
  • Routinely check that all systems are up to date and have the latest patches installed. Research all installed software/plug-ins to determine if your version contains a security advisory.
  • Understand the security practices of all applications, plug-ins, third-party software, etc., before you install them on your site. A security vulnerability in one application can compromise the safety of your entire site.
  • Submit your code for vulnerability assessment.
  • Make regular, automated backups of your site. Be aware of where backups are maintained, who can access them, and the procedures for data restoration and system recovery. Also maintain an offline copy of your backup.
  • Keep all devices that you use to log in to your site secure. Check for viruses and keyloggers, and keep your operating system and web browser(s) up to date.
  • Routinely monitor and analyze site traffic and activity logs.
  • Learn about new vulnerabilities and attack strategies employed by attackers.
  • Implement new technologies for minimizing security risk and vulnerabilities.
  • Promote security awareness to help prevent incidents from occurring again.

Incident Response Flow Chart

[Figure: incident response flow chart]


Common Security Threats

Cross-Site Scripting (XSS)

Cross-Site Scripting is one of the most common application-layer web attacks. It allows an attacker to embed malicious scripts in a vulnerable dynamic page of a website so that the script runs in the user’s browser on the user’s machine in order to gather data. XSS may compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end user’s system.

SQL Injection

SQL Injection is also one of the most common application layer attack techniques used today. It takes advantage of improper coding of web applications to allow an intruder to inject SQL commands and gain access to the data held within databases.
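Both XSS and SQL injection come down to untrusted input being treated as code instead of data. The example below is added here and is not part of the plan: for each flaw it places the defective pattern beside the corrected one, using a constructed in-memory SQLite table and sample comment text, so the difference can be observed directly.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.invalid"), ("O'Brien", "ob@example.invalid")])
    return conn

def lookup_vulnerable(conn, name: str) -> list:
    # Defect: the input is pasted into the SQL text, so quotes and keywords in it are
    # parsed as SQL. Even an honest name containing a quote breaks the statement.
    return conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()

def lookup_hardened(conn, name: str) -> list:
    # Fix: a parameterized query passes the value separately from the SQL text, so
    # the database never interprets the input as commands.
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def render_vulnerable(comment: str) -> str:
    # Defect: untrusted text is written into the page unchanged, so a script tag in a
    # comment becomes part of the page and runs in every visitor's browser.
    return f"<p>{comment}</p>"

def render_hardened(comment: str) -> str:
    # Fix: escape the text so markup characters are displayed literally, not parsed.
    return f"<p>{html.escape(comment)}</p>"

def demo() -> dict:
    """Run both the defective and the corrected version of each operation."""
    conn = make_db()
    results = {}
    try:
        results["vuln_sql"] = lookup_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError:
        results["vuln_sql"] = "syntax error: the input was parsed as SQL"
    results["safe_sql"] = lookup_hardened(conn, "O'Brien")
    results["vuln_html"] = render_vulnerable("<script>x()</script>")
    results["safe_html"] = render_hardened("<script>x()</script>")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```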

Brute Force Attack

Unlike hacks that focus on vulnerabilities in software, a brute force attack aims to gain access to a site by continuously trying combinations of commonly used usernames and passwords. Due to the nature of a brute force attack, it might take a long time to gain access to a site, depending on the complexity of the users’ passwords, the strength of the encryption, how well the intruder knows the target, and the computing power of the computer(s) being used to conduct the attack.

Malware

Malware is an abbreviation for “malicious software”. Malware could be computer viruses, worms, Trojans, spyware, or adware.

Denial of Service (DoS)

In a small-scale denial of service attack, attackers look for URLs on a target site whose pages make calls to the back-end database that powers the site, and request them repeatedly. Frequent calls to such web pages can quickly consume a site’s resources, thereby preventing or slowing down access to its pages.

Created by Wiki Master on 2015/03/27 23:42