Employees, even well-informed security conscious individuals, are often unprepared to deal with security issues. It can even be difficult to know whether they’re compromised, or just experiencing some kind of IT problem. And according to Janne Kauhanen, an expert with F-Secure’s Cyber Security Services, it’s pretty common for people to panic and stress out when they think they’ve been hacked. They can even make problems worse by not dealing with the situation correctly.
So before people freak out and throw their computer out the window or something, they should consider following this plan. Calmly taking these steps to begin limiting the damage and figure out what’s happened will save companies time, money, and headaches.
- DON’T PANIC: This might seem like common sense, but Janne says this is typically the first reaction people have. “I can’t stress enough how bad a security incident is for a company,” says Janne. “At the same time, employees shouldn’t blame themselves or overreact by deleting things like personal information or browsing history they want to hide from employers (everyone uses their work computers for personal stuff, so it’s not worth hiding). Staying calm and focusing on doing what you can do to help the situation is the best reaction.”
- DON’T turn off the computer or device: One common mistake many people do, after panicking, is to turn off the device. After all, a compromised device can’t do any real damage without power. But this is something that actually helps attackers.
Basically, turning off the power will wipe out any information stored in the devices random access memory (RAM), which can be useful to investigators. “Turning off the computer is like destroying evidence – evidence that can help uncover who the attackers are and what they’ve done,” says Janne. “So really, doing this helps whoever has hacked your device by making investigative work more difficult.”
Ultimately, you’re helping the attackers get away, requiring your employer to invest more time and money into conducting any post-breach forensic work. So don’t turn off the power to the device. You should even plug-in devices to make sure the battery doesn’t die before investigators have a chance to look at it.
- TURN OFF your device’s network connections: “Physically, if possible,” stresses Janne. While turning off the computer is something that will benefit your adversaries, leaving it connected isn’t really an option. “Your device might be pwned, but at this point, you shouldn’t assume that the attacker has had the opportunity to move laterally through your network. So shutting down network connections will prevent the attacker from using your device to infiltrate deeper into the network.” Here’s a few connections many people use at work:
- Mobile Data Network (remove the SIM card)
And obviously, don’t continue to use any kind of removable storage device (including phones and tablets) that’s been in contact with the affected device (physically or via a wireless network).
- Stop touching the computer: If you’ve followed the first three steps, you’ve accomplished quite a bit. You’ve successfully cut off the attackers from using your device to move through your company’s network. And you’ve done this without destroying evidence that others (such as your company’s CISO or a professional forensic investigator) can use to trace the attack and find out how and when the breach occurred, what the attacker has done, and with any luck, who they are. So enjoy a moment to yourself, take a deep breath, and pat yourself on the back for successfully responding to the incident so far.
- Write down what’s happened: Now that you’ve taken a moment to collect yourself and your thoughts, you need to create a record of what happened. You probably don’t want to use your computer to do this, so just grab a pen and paper. Try to include as much detail as you can recall. Write down what tipped you off that there was a problem, what you were doing when you noticed there was an issue, what you’ve done since discovering the problem, any mysterious emails or other interactions you might have had recently, whether you’ve used any removable storage devices or other peripherals with your computer, etc.
“Dates and times of events are particularly important,” says Janne. “Devices contain lots of potential evidence, but keeping track of what happened when will help narrow the scope so everyone can work faster.”
- Call for help: “Now’s the part where you need to get some help,” says Janne. Who to contact will be a bit different for every company, and maybe even every employee. But no matter what, you need to bring this to the attention of more people, whether that be a CISO or an external security consultant.
We’ve prepared an illustrated guide to take you through these steps, and it includes a space to write in contact details for your cyber security point of contact.