It’s a horrible feeling. You’d rather get kicked in the shins than find out your network has been attacked. Regardless of the kind of attack, the reaction is the same: shock, disbelief, shame, and finally anger. Don’t Panic! Here are a few steps every systems administrator can take to get back on track. Your title may not be systems administrator – but if you are the go-to person in your firm, this still applies.
• Yank out the plug! If a hacker got into your system at all, it was most likely through your network. Your first step should be to prevent the spread of any potential harm. This applies to the information thief and the malicious virus spreader alike. Realizing that it’s not as easy as unplugging a toaster, you need to know where your server lives. If you’re lucky enough to have your servers on site, you can actually unplug them. Many companies now host their servers in the cloud; there, move the server to an isolated network and then turn it off. Why disconnect the server? Sure, you eventually want to find out who hacked you and how they broke through your security defenses. Right now, though, the most important thing is to close the open door before more havoc occurs! If, for example, you keep things like payroll on your server, you want to stop the mayhem immediately. (Side note – you should probably consider separating critical items in the future.)
• Time for a fresh start! Your hacker may have damaged files, corrupted your data or done any number of nefarious things. The quickest route to getting things back to normal is usually restoring a backup (one taken from before the break-in, or you restore the attacker’s foothold right along with your data). What? You say you haven’t been doing backups? Call us. Let’s assume, though, that you’ve been a good person and have been backing things up regularly. If you have a little more background and feel confident, you may be comfortable spinning up another instance of your server stack. If that sounds Greek to you…don’t do it.
• So you’re up and running again. You’ve either rolled your server back to a previous backup or cleaned it up. Now you get to play Magnum P.I. (If you don’t get that reference…well, you’re missing out.) Your detective work will depend on what kind of hack you’ve been a victim of. Regardless, you should examine all of your log files (account activity and logins in particular) to see where something went askew. Take note of which files were affected and when. Check whether your customers were also hacked through a phishing attack sent from your system. Always keep in mind, though, that if the attacker was savvy he or she may have tampered with your log files as well. So consider the possibility that they have been falsified.
• NOTIFY ANYONE AFFECTED. You are morally and legally bound to tell any stakeholders, customers, employees, etc., if their personal data has been affected by a data breach. Even if they have not YET been affected, telling them to be aware as soon as possible may help reduce the spread of an otherwise ugly situation. The best approach is transparency. Dropbox had a significant data breach in 2012. Unfortunately, the 68 million users affected were not aware of the breach until 4 years later! Can you imagine the negative PR repercussions? In the spring of 2016 a hacker attempted to sell 117 million passwords stolen from LinkedIn. Then in June came a breach of 655,000 patient healthcare records, including Social Security numbers, addresses, and insurance details.
• Lastly, it is time to take a good hard look at your security protocols. One of the most common ways of being hacked is not keeping up with your software and security patches. These are out there for a reason. Take some time on a regular basis to make sure all your software is up to date. You can also implement a DMZ setup by using a proxy or load balancer. They are set up to control and manage the traffic flow to your server – which also means only designated folks can talk to your server. One final thing you may find very helpful is to store your log files on a completely different server. When a hacker comes knocking – even if they do crash your system, they can’t hide their trail by manipulating the log files.
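The detective step above (reviewing login activity, and keeping in mind the logs may have been edited) is the one most people put off, so here is an added example, not from the original post, of what a first pass over an auth log can look like. The log lines, the `sshd` message format and the three-failure threshold are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of an OpenSSH auth log (not from any real system).
# The fifth line has a timestamp earlier than the one before it on purpose.
SAMPLE_LOG = """\
2016-06-01T09:12:01 sshd[101]: Failed password for admin from 198.51.100.7 port 5020
2016-06-01T09:12:04 sshd[101]: Failed password for admin from 198.51.100.7 port 5021
2016-06-01T09:12:08 sshd[101]: Failed password for admin from 198.51.100.7 port 5022
2016-06-01T09:12:11 sshd[101]: Accepted password for admin from 198.51.100.7 port 5023
2016-06-01T08:59:40 sshd[102]: Accepted publickey for deploy from 192.0.2.10 port 4100
2016-06-01T09:30:15 sshd[103]: Accepted publickey for deploy from 192.0.2.10 port 4101
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")


def parse_auth_log(text):
    """Return (timestamp, outcome, user, source_ip) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def suspicious_logins(events, threshold=3):
    """Flag an Accepted login that follows at least `threshold` Failed attempts for the same user/IP.

    Returns (timestamp, user, ip, preceding_failures) for each flagged login.
    """
    failures = defaultdict(int)
    flagged = []
    for ts, outcome, user, ip in events:
        key = (user, ip)
        if outcome == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            flagged.append((ts, user, ip, failures[key]))
        failures[key] = 0  # a success ends the run of failures
    return flagged


def out_of_order(events):
    """Return timestamps that run backwards; one hint (not proof) that a log has been edited."""
    return [cur[0] for prev, cur in zip(events, events[1:]) if cur[0] < prev[0]]
```

Run the three functions over your real log in the order shown; the flagged logins tell you which accounts and source addresses to look at first, and any backwards timestamps are a reason to trust the copy on a separate log server over the one on the compromised box.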