Difference between revisions of "I've Been Hacked-What Now"
Revision as of 14:56, 21 November 2008
My server has been hacked...what do I do now?
This page will offer suggestions and resources for identifying and eliminating threats to your web servers/applications after a suspected attack.
Anyone interested in contributing is welcome.
Identification
Basic principles:
- Incident identification/notification may occur from a number of information sources (events):
  - Staff reporting unusual activity
  - Staff, clients or the public reporting a problem
  - Technical teams/support discovering evidence of an incident on systems
  - Alerts from IDS, security monitoring systems, anti-virus software, firewalls or WAFs
- Roles:
  - A security incident owner must be assigned.
  - A point of contact must be available to respond to incidents at all times.
  - The security incident owner must track the security incident to remediation and resolution.
- Examples of an incident:
  - Virus/malware infection
  - Unauthorized system changes
  - Unauthorized application/web site changes
  - Unauthorized disclosure of client information or information leakage
  - Theft or loss of company information/assets
- Examples of an event:
  - Reports from an intrusion detection system, WAF, firewall or log scraping system
  - Reports from vulnerability scanning, traffic monitoring or performance monitoring
Assessment
Incident severity:
Risk Rating
- Low:
  - Events that cannot be 100% identified as attacks and have no effect on operations
  - False activation of intrusion detection systems, WAF alerts, etc.
  - Non-repeated scans or probing from an external uncontrolled network
- Medium:
  - Incidents that have no negative impact on operations: incidents identified in which an attempt to actively breach information security controls, from an external or internal standpoint, was unsuccessful
  - Repeated active probing or parameter manipulation from an external or internal source
  - Malware/rogue code/virus that has been successfully contained or removed
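The following is an added example, not part of the OWASP page, showing how the Low/Medium criteria above can be applied mechanically to a batch of IDS/WAF alerts before an incident owner reviews them. The alert line format, the signature names (port_scan, path_probe, param_tamper, malware, ids_heuristic) and the sample lines are all constructed for this illustration.

```python
"""Severity triage over constructed IDS/WAF alert lines, following the Low/Medium
criteria on this page. Line format and signature names are invented for the example."""
from collections import defaultdict

# Constructed sample alerts (not real logs). Format: <timestamp> key=value ...
ALERTS = [
    "2008-11-21T14:01:02 src=203.0.113.7 sig=port_scan outcome=blocked",
    "2008-11-21T14:05:44 src=198.51.100.3 sig=param_tamper outcome=blocked",
    "2008-11-21T14:06:10 src=198.51.100.3 sig=param_tamper outcome=blocked",
    "2008-11-21T14:07:01 src=198.51.100.3 sig=path_probe outcome=blocked",
    "2008-11-21T14:20:00 src=10.0.0.12 sig=malware outcome=quarantined",
    "2008-11-21T14:25:00 src=192.0.2.9 sig=ids_heuristic outcome=false_positive",
]

# Hypothetical signature classes: scans, probing and parameter manipulation.
PROBE_SIGS = {"port_scan", "path_probe", "param_tamper"}
CONTAINED = {"quarantined", "removed"}


def parse_alert(line):
    """Split one alert line into a dict; the timestamp is the first token."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def rate_source(records):
    """Rate all alerts from one source against the page's Low/Medium lists."""
    sigs = [r["sig"] for r in records]
    outcomes = {r["outcome"] for r in records}
    if outcomes == {"false_positive"}:
        return "Low", "false activation of IDS/WAF"
    if "malware" in sigs and outcomes <= CONTAINED:
        return "Medium", "malware successfully contained or removed"
    probes = sum(1 for s in sigs if s in PROBE_SIGS)
    if probes >= 2:
        return "Medium", "repeated active probing or parameter manipulation"
    if probes == 1:
        return "Low", "non-repeated scan or probe"
    return "Unrated", "not covered by the Low/Medium criteria; refer to incident owner"


def triage(lines):
    """Group alerts by source address and return {src: (rating, reason)}."""
    by_src = defaultdict(list)
    for rec in map(parse_alert, lines):
        by_src[rec["src"]].append(rec)
    return {src: rate_source(recs) for src, recs in by_src.items()}


if __name__ == "__main__":
    for src, (rating, why) in sorted(triage(ALERTS).items()):
        print(f"{src:<14} {rating:<8} {why}")
```

Anything rated "Unrated" falls outside the two levels listed above and is handed to the security incident owner rather than silently dropped.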