Difference between revisions of "I've Been Hacked-What Now"
From OWASP
(→Identification) |
Line 8: | Line 8: | ||
==Identification== | ==Identification== | ||
+ | |||
+ | Basic principles: | ||
+ | |||
+ | * Incident identification/notification may occur from a number of information sources (events): | ||
+ | ** Staff reporting unusual activity | ||
+ | ** Staff, clients or public reporting a problem | ||
+ | ** Technical teams/support discovering evidence of an incident on systems. | ||
+ | ** Alerts from IDS, security monitoring systems or anti-virus software, Firewalls or WAFS. | ||
+ | |||
+ | * Roles: | ||
+ | ** A Security incident owner must be assigned. | ||
+ | ** A point of contact must be available to respond to incidents at all times. | ||
+ | ** A security incident owner must track the security incident to remediation and resolution. | ||
+ | |||
+ | |||
+ | * Examples of an incident: | ||
+ | ** Virus/malware infection | ||
+ | ** Unauthorised system changes | ||
+ | ** Unauthorised application/web site changes | ||
+ | ** Unauthorised disclosure of client information or information leakage | ||
+ | ** Theft or loss of company information/assets | ||
+ | |||
+ | * Examples of an event: | ||
+ | ** Reports from intrusion detection system/WAF/Firewall or log scraping system | ||
+ | ** Reports from vulnerability scanning/traffic monitoring/perfromance monitoring | ||
==Assessment== | ==Assessment== |
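Review bot: "perfromance" in the last "Examples of an event" bullet should read "performance", and "WAFS" in the alerts bullet should be "WAFs". The role bullets also switch between "A Security incident owner" and "A security incident owner"; pick one capitalisation. Separately, the "Examples of an event" list largely repeats the alert sources already given under the first bullet (IDS, WAF, firewall alerts), so consider folding the two into a single list of event sources, with the "Examples of an incident" list kept distinct as the things those events may turn out to be.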
Revision as of 10:38, 21 November 2008
My server has been hacked...what do I do now?
This page will offer suggestions and resources for identifying and eliminating threats to your web servers/applications after a suspected attack.
Anyone interested in contributing is welcome.
Here are the current section ideas, contributed by marcin.
Identification
Basic principles:
- Incident identification/notification may occur from a number of information sources (events):
  - Staff reporting unusual activity
  - Staff, clients or the public reporting a problem
  - Technical teams/support discovering evidence of an incident on systems
  - Alerts from IDS, security monitoring systems, anti-virus software, firewalls or WAFs
- Roles:
  - A security incident owner must be assigned.
  - A point of contact must be available to respond to incidents at all times.
  - The security incident owner must track the security incident through to remediation and resolution.
- Examples of an incident:
  - Virus/malware infection
  - Unauthorised system changes
  - Unauthorised application/web site changes
  - Unauthorised disclosure of client information or information leakage
  - Theft or loss of company information/assets
- Examples of an event:
  - Reports from an intrusion detection system, WAF, firewall or log scraping system
  - Reports from vulnerability scanning, traffic monitoring or performance monitoring
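Two of the items above, "technical teams discovering evidence of an incident on systems" and "unauthorised application/web site changes", are usually found by comparing the live web root against a known-good baseline. The following is an added example, not code from the OWASP wiki or from any contributor to this page; the helper names (`build_baseline`, `compare_to_baseline`, `is_incident`, `demo`) and the sample web root it constructs in a temporary directory are assumptions made for illustration. It hashes every file under a directory, stores the result as a baseline, and later reports files that were added, removed or modified, which is the kind of evidence that should be handed to the assigned security incident owner.

```python
"""Baseline-based detection of unauthorised web site changes.

Added example (hypothetical helper, not OWASP's code). The baseline should
be generated from a known-good deployment and stored off the web host
(or on read-only media), since an intruder who can alter the web root can
usually alter a baseline stored beside it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON (copy it somewhere the web host cannot write)."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files added, removed or modified relative to the baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name, digest in baseline.items()
        if name in current and current[name] != digest
    )
    return {"added": added, "removed": removed, "modified": modified}


def is_incident(report: dict) -> bool:
    """Any deviation from the baseline is an event worth raising with the incident owner."""
    return any(report[key] for key in ("added", "removed", "modified"))


def demo() -> dict:
    """Constructed scenario: a small web root, a baseline, then three unexpected changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "js" / "app.js").write_text("console.log('ok');\n")

        # Known-good state, written out as the operations team would store it.
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Constructed changes that a change-control process did not approve.
        (root / "index.html").write_text("<h1>Welcome</h1>\n<!-- unexpected edit -->\n")
        (root / "js" / "extra.js").write_text("// file not present in baseline\n")
        (root / "js" / "app.js").unlink()

        report = compare_to_baseline(root, load_baseline(baseline_path))
        report["incident"] = is_incident(report)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script as-is to see the report for the constructed scenario; in practice `build_baseline` is run once against a known-good deployment and `compare_to_baseline` on a schedule, with any non-empty result logged and routed to the security incident owner. A hash baseline detects modification but not who made it, so the finding still needs to be cross-checked against the deployment and change records before it is classified as an incident rather than an approved release.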