6 Steps to Take After Your Server Has Been Compromised

When maintaining a secure server, take the usual precautions: keep your software up to date, use strong passwords, follow the principle of least privilege and employ defense in depth.

Even so, precautions do not always work. No one wants their server to be hacked or compromised, but unfortunately it can and does happen. With a little preparation, you can respond to a hacked server quickly and recover it smoothly, limiting the amount of data exposed or lost and minimizing your downtime. Below are 6 steps to take immediately after your server has been breached; they do not have to be completed in strict order, but together they limit the damage and reduce the risk of a repeat incident.

Step 1: Know Who is Involved – Make sure everyone responding to the incident knows their own role and the roles of the others. Agreeing up front on how you will communicate with each other makes all of the subsequent steps go more smoothly.

Step 2: Assess the Scope – Establish what has already been observed, what has already been done and what is happening right now. This quick assessment determines which steps to perform next and in what priority, including the decision in Steps 3 and 4 about whether to contain first or to preserve evidence first.

Step 3: Contain the Breach – These immediate steps prevent further damage or data loss. If the attacker is actively on your system, you may need to kill their processes right away. Containment may also mean blocking traffic to and from a specific range of IP addresses at the firewall, especially if data is actively being streamed off the server to the attacker’s machine. Be aware that killing processes or rebooting destroys volatile evidence (running processes, open network connections, memory), so capture what you can first, or at least note exactly what you killed and when.

Step 4: Maintain State – Your classification and impact analysis of the compromised system determines whether the breach should be contained first or the state preserved first. For later forensic work, it is best to leave the system as unaltered as possible. Copy the log files off the box and take an image of the disk for further analysis; doing this promptly also keeps the attacker from altering or deleting the logs. Record a cryptographic hash of every copy you take so you can later show that it has not changed.

Here is a simple example of how to clone a block device or partition across the network. On the secure system, run nc -l -p 9999 | dd of=/evidence/incident-xyz.dd (write to a regular file on a volume with enough free space, not to a path under /dev). Then on the compromised system, run dd if=/dev/sda | nc <ip of secure system> 9999. A few caveats: the listener syntax differs between netcat implementations (the OpenBSD variant takes nc -l 9999); netcat sends the image in the clear, so use an isolated network or tunnel it; the dd and nc binaries on a compromised host may have been replaced, so prefer known-good statically linked copies brought in from a trusted system; and imaging a disk that is mounted and in use gives a snapshot that is not perfectly consistent, which is still far better than no image. Hash the image on both ends and compare the results so you can show it was not altered in transit. You can also use dcfldd, which provides hashing on the fly among other useful features. To avoid sending unused space uncompressed, you can put gzip between dd and netcat on both ends: gzip -1 on the sending side and gunzip on the receiving side.
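As an added example (not code from the original post), the POSIX shell script below covers the local half of the procedure above: it images a device or partition into an evidence file, hashes the bytes as they are read, writes an acquisition log, and verifies the stored image against that hash later. The /evidence location, the device path and the file names are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: image a disk or partition
# into an evidence file while hashing the bytes as they are read, then verify
# the stored image against that hash. Paths and names are illustrative
# assumptions. Run on the collecting side with the source attached read-only
# (or on the compromised host writing to external storage), using known-good
# statically linked copies of dd/tee/sha256sum from a trusted system, since
# the binaries on a compromised host may have been replaced.
set -u

# SHA-256 of stdin, using whichever tool is installed (coreutils or Perl shasum).
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | awk '{print $1}'
}

# image_device SRC DEST
#   Copies SRC (a block device such as /dev/sda1, or a file) to DEST with dd,
#   writes the SHA-256 of the stream to DEST.sha256 and an acquisition log
#   (who, when, source, and any dd read errors) to DEST.log.
#   bs=512 with conv=noerror,sync keeps going past unreadable sectors and pads
#   each one with zeros so the image keeps its offsets; a larger bs would also
#   zero-pad the final partial block and change the image size.
image_device() {
    src=$1; dest=$2
    printf 'source=%s\nstarted=%s\nby=%s\n' "$src" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" > "$dest.log"
    # tee forks the stream: one copy to the image file, one copy to the hash.
    dd if="$src" bs=512 conv=noerror,sync 2>>"$dest.log" \
        | tee "$dest" \
        | sha256_stdin > "$dest.sha256"
    printf 'finished=%s\nsha256=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(cat "$dest.sha256")" >> "$dest.log"
}

# verify_image DEST
#   Recomputes the SHA-256 of the stored image and compares it with the hash
#   recorded at acquisition time. Returns 0 on match, 1 on mismatch.
verify_image() {
    dest=$1
    expected=$(cat "$dest.sha256")
    actual=$(sha256_stdin < "$dest")
    if [ "$expected" = "$actual" ]; then
        echo "OK $dest $actual"
        return 0
    fi
    echo "MISMATCH $dest expected=$expected actual=$actual" >&2
    return 1
}
```

Run image_device /dev/sda1 /evidence/incident-xyz.dd on the collecting side, then verify_image /evidence/incident-xyz.dd before any analysis and again whenever the image changes hands. When the image travels over netcat as in the post, hash it on the sending side as well and compare with the .sha256 file produced here.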

Step 5: Notifications – Follow the appropriate process for notifying those impacted. Depending on the nature of the data exposed (or potentially exposed), this may be governed by PCI DSS or HIPAA requirements or by federal and state breach notification laws.

Step 6: Remediate – Putting the same vulnerable server back online will likely only lead to another incident, so apply any workarounds or patches before bringing services back. This may include checking data integrity against known-good backups, rotating every password and key that was stored on the box, or a complete reinstall from trusted media with data (not binaries) restored from backup.

Throughout this process, keep communicating with the rest of the team, keep a cool head, and document what you are observing and what actions are being taken, with timestamps. If you believe your server has been compromised and still don’t know what to do, let us know; we can help.

Complimentary Webinar: How Hackers Hack & How to Protect Yourself

Register today for our live PCI DSS Self Defense Webinar: How Hackers Hack & How to Protect Yourself!

The INetU IT Expert Series

On May 3rd, INetU Managed Hosting teams up with PCI experts Dr. Anton Chuvakin and Nick Percoco from Trustwave to deliver a compelling webinar on PCI DSS Self Defense.

Are you aware that hackers target your web infrastructure daily? If a hacker steals your cardholder data, you could face fines and charges up to $60 Million! Learn how to protect your private data from hackers when INetU Managed Hosting joins Dr. Anton Chuvakin and Nick Percoco. Our expert team will provide you with valuable information about obtaining and maintaining a PCI DSS compliant web environment!


Stop Using Insecure Passwords Now!

Here are some disturbing statistics:

  • A recent Hotmail security breach revealed that an overwhelming number of users are using predictable, insecure passwords:
    • 61% of passwords were either only lowercase letters or all digits (examples: iloveyou or 123456).
    • 20% of passwords were six or fewer characters.
  • An estimated 1 in 9 people use one of the Top 500 passwords posted on WhatsMyPass.com
    • 1 in 50 people are estimated to use one of the Top 20 passwords, among which are password, 123456, and qwerty.
    • Many of the Top 500 passwords are simple dictionary words, curse words, or common first names.
  • 60% of web users only have one password that they use for all of their online accounts, including Facebook, PayPal, email, and banks, according to a recent study.

A typical strong password guide looks a little something like this:

  • At least 8 characters long
  • At least three of the following:
    • lower case letter
    • capital letter
    • numeral
    • special character

But this really seems to miss the point. For example, go to Microsoft’s password checker and type in this password: qwerty123456! The checker gives this password strength “Best.” But is it really?

Read the full post »
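As an added example (not code from the original post), the shell functions below put the typical composition rule next to a second check that rejects the obvious patterns the rule lets through. COMMON_PASSWORDS is a short constructed sample, not the WhatsMyPass Top 500; the keyboard-walk patterns are likewise this editor’s choice.

```shell
#!/bin/sh
# Added example, not from the original post: the "8 characters, three of four
# classes" rule beside a check for predictable passwords. COMMON_PASSWORDS is a
# constructed sample; in practice load a full breached-password list.
COMMON_PASSWORDS="password 123456 qwerty iloveyou letmein abc123 football monkey"

# composition_ok PASSWORD
#   The typical policy: at least 8 characters and at least three of
#   lower case, upper case, digit, special. Exit 0 if the policy accepts it.
composition_ok() {
    p=$1
    [ "${#p}" -ge 8 ] || return 1
    n=0
    printf '%s' "$p" | grep -q '[[:lower:]]' && n=$((n + 1))
    printf '%s' "$p" | grep -q '[[:upper:]]' && n=$((n + 1))
    printf '%s' "$p" | grep -q '[[:digit:]]' && n=$((n + 1))
    printf '%s' "$p" | grep -q '[^[:alnum:]]' && n=$((n + 1))
    [ "$n" -ge 3 ]
}

# weak_reason PASSWORD
#   Prints why the password is predictable, or nothing if no check fires.
#   Judges the lower-cased password with trailing digits/punctuation removed,
#   so "qwerty123456!" is judged as "qwerty".
weak_reason() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    core=$(printf '%s' "$lower" | sed 's/[[:digit:][:punct:]]*$//')
    for w in $COMMON_PASSWORDS; do
        if [ "$lower" = "$w" ] || [ "$core" = "$w" ]; then
            echo "built on common password '$w'"
            return 0
        fi
    done
    case "$lower" in
        *qwert*|*asdf*|*zxcv*|*1234*|*abcd*|*0000*|*1111*)
            echo "contains a keyboard walk or sequential run"
            return 0 ;;
    esac
    return 0
}

# password_ok PASSWORD
#   Both checks must pass. Exit 0 if the password is acceptable.
password_ok() {
    composition_ok "$1" && [ -z "$(weak_reason "$1")" ]
}
```

With these, qwerty123456! passes composition_ok but fails password_ok with the reason "built on common password 'qwerty'", which is the gap the checker in the post misses.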

Combating SQL Injection Attacks

What is URLScan? URLScan is a free tool from Microsoft that restricts certain kinds of HTTP requests that IIS will process. Though URLScan has many uses, today I will cover only blocking SQL injection.

SQL injection occurs when an attacker enters crafted SQL fragments into data input fields that the application concatenates into its queries. The attacker can then modify or retrieve data from your database and, in some cases, even reach data stored on the filesystem outside of SQL Server. If you find that you are a victim of SQL injection attacks and you are not equipped to make all of the necessary application changes (or if those changes would take a long time to implement), URLScan may be a good fit until you can fix the root cause, which is the application building queries from unvalidated input rather than using parameterized queries.

As of this writing, URLScan 3.1 is the latest version and can be downloaded from Microsoft. A default installation configures the URLScan ISAPI filter for all websites on your server. This filter intercepts requests before IIS processes them and applies the security rules defined in the URLScan.ini file.

The blocking of SQL injection attacks is handled by the DenyQueryStringSequences security rule. The rule matches the query string of each IIS request against a list of character sequences that you provide. If a request matches one of the sequences, it is rejected, logged in the URLScan logs, and a 404 status is returned to the client. Because the rule only inspects the query string, it does not cover injection carried in POST bodies, cookies or headers. You can also configure URLScan to only log matching requests instead of rejecting them. I recommend starting in logging-only mode so you can determine whether valid traffic would be blocked; if it would, you will need to adjust the character sequences you choose to block.

Below is a configured DenyQueryStringSequences security rule. I have added some of the most common SQL commands used in SQL injection attacks:

Read the full post »
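The post recommends running in logging-only mode before blocking so that legitimate traffic is not rejected. As an added example (not code from the original post, and not the author’s sequence list), the shell function below dry-runs a candidate DenyQueryStringSequences list against an IIS W3C log and reports which requests would be rejected. The query string is URL-decoded before matching, as URLScan 3.x does when its UnescapeQueryString option is on; the sequence list and the log lines in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: dry-run a proposed
# DenyQueryStringSequences list against IIS W3C logs before switching URLScan
# from logging-only mode to blocking. The sequence list and log lines used in
# the test are constructed for illustration; column positions are taken from
# the IIS "#Fields:" header rather than hard-coded.

# urlscan_dryrun SEQFILE LOGFILE
#   SEQFILE: one character sequence per line, as it would appear under
#            [DenyQueryStringSequences] in URLScan.ini; blank lines ignored.
#   LOGFILE: IIS W3C extended log.
#   Prints one "MATCH" line per request whose un-escaped query string contains
#   any sequence (case-insensitive), then a summary line.
urlscan_dryrun() {
    [ -s "$1" ] || { echo "urlscan_dryrun: empty sequence list $1" >&2; return 1; }
    awk '
    # Map hex digits for %XX decoding.
    BEGIN {
        for (i = 0; i < 16; i++) { hex[sprintf("%x", i)] = i; hex[sprintf("%X", i)] = i }
    }
    # URL-decode a query string: "+" becomes a space, %XX becomes that byte.
    function urldecode(s,    out, i, c, n) {
        out = ""; n = length(s)
        for (i = 1; i <= n; i++) {
            c = substr(s, i, 1)
            if (c == "+") out = out " "
            else if (c == "%" && i + 2 <= n && (substr(s, i+1, 1) in hex) && (substr(s, i+2, 1) in hex)) {
                out = out sprintf("%c", hex[substr(s, i+1, 1)] * 16 + hex[substr(s, i+2, 1)])
                i += 2
            } else out = out c
        }
        return out
    }
    # First file: the deny list, lower-cased for case-insensitive matching.
    NR == FNR { if ($0 != "") seqs[++nseq] = tolower($0); next }
    # Second file: the IIS log. Learn column positions from the #Fields: header.
    $1 == "#Fields:" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/ || !("cs-uri-query" in col) { next }
    {
        total++
        q = $(col["cs-uri-query"])
        if (q == "-") next                      # request had no query string
        dq = tolower(urldecode(q))
        hits = ""
        for (j = 1; j <= nseq; j++)
            if (index(dq, seqs[j]) > 0) {
                if (hits != "") hits = hits ","
                hits = hits seqs[j]
            }
        if (hits != "") {
            blocked++
            printf "MATCH %s %s?%s [%s]\n", $(col["c-ip"]), $(col["cs-uri-stem"]), q, hits
        }
    }
    END { printf "%d of %d requests would be blocked\n", blocked + 0, total + 0 }
    ' "$1" "$2"
}
```

Point it at a day or two of real logs with your candidate list, e.g. urlscan_dryrun deny.txt u_ex110501.log, and look at every MATCH line: in the constructed test data a customer search for "select the best laptop" matches the sequence select, which is exactly the kind of collateral blocking the logging-only phase is meant to expose.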

Who Are Your Internet Neighbors?

Do you know who your internet neighbors are?

Would you buy a lot, build a house, and move your family in if the next-door neighbor was a notorious drug kingpin? Of course not!

It’s important to consider that “where” your business “lives” online is just as important. I’m not talking about your URL or domain name; I’m talking about the Net block your IP addresses are assigned from, and who the company providing them is.

Spam, adult-oriented sites, and gambling sites generate lots of revenue. They can afford the same servers, support, and bandwidth your business can. They also attract a lot of negative attention in the form of Distributed Denial of Service (DDoS) attacks, hacking attempts, and probably the worst: blocking and filtering by legitimate networks and mail servers.

When network operators and email system administrators see lots of spam or non-legitimate traffic from a given network, they’ll often block it. Sure, some legitimate traffic is blocked along with the bad, but it’s typically impossible or too costly to differentiate the good from the bad. If the owner of a Net block has a reputation for continuing to do business with clients that generate “negative attention”, an administrator will often block/filter all of the net blocks owned or operated by that provider.

This all happens behind the scenes and often completely unknown to you.

Read the full post »

©1996-2011 INetU Inc, All Rights Reserved.