Your ToDo List
Your ToDo list will contain two types of tasks: Preparation tasks and Action tasks. Preparation tasks make NO CHANGES to your web site or any related or underlying components AT ALL.
It is essential to understand this point clearly, because your preferred FIRST action MUST be to make sure that the hacker has no way to continue accessing the system. ANY OTHER action that changes the web site may alert the hacker that he has been discovered before his access has been blocked, and you do not want to trigger him into either doing MORE damage or covering his tracks.
Remember: once the event has happened, it must be treated not only as a reason to fix, but equally as a motivation to harden and secure.
- Prepare: Reaction plan
- Prepare: Battle sheet
- Action: Take your system offline
- Prepare: Clone your system to a testbed or staging server
- Prepare: Scan your website for vulnerabilities; identify and confirm suspected intrusion point
- Action: Fix the vulnerability
- Action: Bring the fixed version of the site back online; whenever possible, you should redeploy the sanitized version of your website to a clean OS/Web Server setup
- Prepare: Monitor your new and improved website
- Prepare: Make a Reaction Plan for FUTURE events