Secure the System


If the compromised system provides services to customers, a service recovery procedure should be started to reinstate the interrupted services in a secure fashion. Remember that it is better to interrupt a service to protect customer information from tampering or disclosure, and to prevent a system from becoming a bridge for further break-ins, than to leave it up and risk these events.

You must rigorously determine what has been compromised and what has not. If you do not thoroughly clean your system after a security incident, you will probably be doing it again. If the compromised system cannot be verified as secure (i.e., binaries checked for modification, passwords changed, security holes patched, etc.), then the services should be recovered by some means other than returning the compromised system to production. If necessary, remove the system's media for investigation and replace it with new media for a system rebuild. Customer data that may have been compromised should also be identified. Check the system for any changes to customer data that may affect system operation (for example, programs in customer areas that run with administrative privileges). If necessary, lock out specific accounts or data areas that pose a risk. In some cases, it may be possible to resume production with a new system created from backups of the compromised system. Check the restored system to make sure that the restore has not brought back a security vulnerability that was in place before the incident was detected (for example, a back door that allowed the intruder entry in the first place).
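Two of the verification steps above, as an added example that is not from the book: comparing system binaries with a known-good hash manifest taken from trusted media, and listing set-uid/set-gid programs in customer areas. The paths, the manifest file and the sample tree are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): re-verify a compromised host before it
# goes back into production. Checks: system binaries against a known-good
# hash manifest, and privileged (set-uid/set-gid) programs in customer areas.
# Paths, manifest name and the sample tree are assumptions for the demo.

# verify_manifest MANIFEST BASE
# MANIFEST holds "<sha256>  <path relative to BASE>" lines (sha256sum format),
# taken from trusted media, never from the suspect host itself.
# Prints one MODIFIED/MISSING line per failing file; returns 1 if any fail.
verify_manifest() {
    mf="$1"; base="$2"; rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$base/$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha256sum "$base/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$mf"
    return "$rc"
}

# find_privileged DIR: list set-uid or set-gid files under a customer area;
# any hit is a candidate back door and a reason to lock that account out.
find_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# make_sample_tree: constructed scenario in a temp dir (prints its path):
# manifest taken while clean, then bin/sh tampered with, bin/ps removed, and
# a set-uid program planted in a customer home directory.
make_sample_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/bin" "$top/home/alice" "$top/home/bob"
    printf 'login v1\n' > "$top/bin/login"
    printf 'sh v1\n'    > "$top/bin/sh"
    printf 'ps v1\n'    > "$top/bin/ps"
    (cd "$top" && sha256sum bin/login bin/sh bin/ps > manifest.sha256)
    printf 'sh v1 + extra code\n' > "$top/bin/sh"   # tampered binary
    rm "$top/bin/ps"                                # tool removed
    printf 'x\n' > "$top/home/alice/backdoor"
    chmod u+s "$top/home/alice/backdoor"            # planted set-uid file
    printf 'y\n' > "$top/home/bob/report.txt"
    echo "$top"
}
```

On a real host the manifest and the checking tools must come from read-only trusted media, since a modified binary may lie about itself.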



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
