Hi All,

Can we have a discussion on the procedures / steps to be followed once you realize that your web site is defaced or hacked?

My queries are : Can we contact the ISP for any help?
How to handle a situation like this:
I am from Country A, the web site is hosted at country B, and the attack originated from country C? Whom should I contact/complain in this case?

Please feel free to discuss your experiences and related issues?

Regards,

Morpheus

This seems like a good time to reiterate that Information Security is essentially risk management.  It also seems like a good time to remind everyone that the first step in responding to any incident is to plan for it ahead of time.  I know, everyone hates planning, but since that makes up the bulk of my job I'm going to beat that drum a lot.

From a risk management perspective, your company needs to decide how much damage is done when an attacker defaces your website.  You may find that it is best for you to host your own web site, or get a virtual server from an ISP in the U.S.  There is nothing wrong with using an ISP overseas, as long as you understand and accept the risks involved.

How are you going to know when you get defaced?  Is it acceptable for your company to wait until someone finds it and points it out to you, or are you going to run software that looks for changes in your webpages and alerts your administrators?

What is going to be your first order of business when you're defaced?  Probably putting the web site back the way it was.  That means you're going to need to do regular backups.  Make sure you're getting the log files in those backups too.  I know some of this may seem obvious, but you need to document your processes before you get attacked.  Since I'm only taking five minutes to type this up I'm sure that I'm missing some things.  You'll have to take some time to ask yourselves these kind of questions ahead of time and figure out what your answer is going to be.

Once you've got the planning down, how do you respond to the attack?  You need to gather evidence, but the managers are going to want the web page put back to normal right away.  Have a script written up BEFORE you get attacked that will copy the web site and all of the access and error logs to a seperate folder.  That way you can quickly get the evidence and start restoring your website. 

Take a look at your folder full of defaced web pages and log files.  What I like to do is create a second copy of it and then zip all of the originals into a file and encrypt that file.  That way you're only examining the copied files.  The same principle used when examining a hard drive that may have been used in an incident.  Comb throught the logs and find out what exactly happened and how you can prevent it from happening again.  Is there a misconfiguration that allowed the attack?  Is there an OS vulnerability that didn't get patched?  Make sure you get these things fixed on all of your servers, not just the one that was defaced.

Now that you know what happened, you've set things right, and you've hardened against future attacks you can start looking at legal action.  Honestly, your company probably wont want to pursue this course of action.  It costs a lot of money and they aren't likely to get much of it back in the form of punative damamges.  If you're being repeatedly attacked by the same source the company may look at legal action as a way to combat future attacks.  Also you could take the approach that you're going to take legal action for every attack and try to gain a reputation as a company that will bite back.  These are questions for upper management to decide.  As far as contacting ISPs or law enforcement officials this is all work that needs to be done by your lawyers.

Let me say something about documentation.  First of all during the whole incident you need to be keeping meticulous records of what you've done and how you've collected information.  This will help you to improve your processes in the future, and if you take legal action it will help your case.  My standard is that I keep detailed notes and copies of all supporting documentation such that an outside auditor could completely reproduce my work without any additional input from me.

The other thing you need to document is your process.  All this information that I've talked about in this email needs to be documented.  How often are you going to backup your files?  Document it.  Where are you going to copy the defaced files to?  Document it.  Document the script that is going to copy the files.  Document the exact position of your buttocks in the chair that you sit in.  After the incident you'll want to have a post incident review where you examine what went right and what went wrong.  Use the information from the post incident review to improve your process.

I hope all of this helps.