Slashdot Mirror


How Should One Respond to a Network Break In?

Jety asks: "I am the sole IT support for a medium sized residential real estate office. It has a network of one main server, 10 office workstations, and another 40 or so agent's personal computers. I discovered via logs that recently someone made about 50 remote login attempts to the server, guessing at passwords, but it would appear that they were not able to gain access. They did, however, leave an IP address in the logs. It turns out to be an Exchange server for another business in the same city. What is an appropriate response to this sort of failed break-in attempt? How seriously should one react? How should it be presented to management, and should you encourage them to over or under react? Should the other business, whose server was used to launch the attack, be informed? Should you try to surveil them first to learn about who is doing their tech work? With what tone should they be approached and/or accused? What would a suitable response from that company entail?"
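The poster's evidence is entirely log-derived: roughly 50 failed remote logins, apparently no success, and a source IP that resolves to another company's Exchange server. The triage a defender wants before briefing management or contacting the other business is a per-source summary of what the logs actually show. The script below is an added example, not code from the original post or any of its commenters; it assumes sshd-style syslog lines (the post does not say what kind of server or log was involved), and every log line in it is constructed for illustration, using documentation address ranges rather than any real host.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). The format is a
# generic syslog/sshd style assumed for illustration; 203.0.113.0/24 and
# 192.0.2.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 14 02:11:03 srv1 sshd[4412]: Failed password for admin from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:05 srv1 sshd[4412]: Failed password for administrator from 203.0.113.45 port 51023 ssh2
Mar 14 02:11:08 srv1 sshd[4412]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 14 02:11:09 srv1 sshd[4412]: Failed password for invalid user test from 203.0.113.45 port 51025 ssh2
Mar 14 02:11:12 srv1 sshd[4412]: Failed password for guest from 203.0.113.45 port 51026 ssh2
Mar 14 02:11:14 srv1 sshd[4412]: Failed password for admin from 203.0.113.45 port 51027 ssh2
Mar 14 08:30:41 srv1 sshd[4490]: Failed password for jety from 192.0.2.10 port 40011 ssh2
Mar 14 08:30:49 srv1 sshd[4490]: Accepted password for jety from 192.0.2.10 port 40011 ssh2
"""

# "invalid user" appears when the account does not exist; the optional group
# skips it so the real username is captured either way.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def summarize(log_text, threshold=5):
    """Per-source triage: failure count, usernames tried, any later success,
    and first/last timestamps. Sources at or above `threshold` are flagged."""
    failures = defaultdict(int)
    usernames = defaultdict(set)
    successes = defaultdict(set)
    first_seen, last_seen = {}, {}
    for line in log_text.splitlines():
        stamp = line[:15]  # syslog "Mon DD HH:MM:SS" prefix
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            first_seen.setdefault(ip, stamp)
            last_seen[ip] = stamp
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            successes[ip].add(user)
    report = {}
    for ip, n in failures.items():
        report[ip] = {
            "failed": n,
            "usernames": sorted(usernames[ip]),
            # A success from the same source after failures is the signal
            # that turns "attempt" into "compromise" and changes the response.
            "succeeded_after": sorted(successes.get(ip, ())),
            "first_seen": first_seen[ip],
            "last_seen": last_seen[ip],
            "flag": n >= threshold,
        }
    return report


def flagged_sources(log_text, threshold=5):
    """Sorted list of source IPs whose failure count reached the threshold."""
    return sorted(ip for ip, r in summarize(log_text, threshold).items() if r["flag"])


if __name__ == "__main__":
    # Evidence summary suitable for a management note or an abuse report:
    # timestamps, count, accounts tried, and whether anything succeeded.
    for ip, r in summarize(SAMPLE_LOG).items():
        status = "FLAGGED" if r["flag"] else "normal"
        print(f"{ip}: {r['failed']} failed ({r['first_seen']} .. {r['last_seen']}), "
              f"tried {r['usernames']}, succeeded as {r['succeeded_after']} [{status}]")
```

The `succeeded_after` field is the one worth checking before deciding how hard to react: a burst of failures with no subsequent success from that source supports the "appears they did not gain access" reading, while a success after the burst means the incident is a compromise rather than an attempt. The first/last timestamps, count and account names are exactly the facts to preserve and hand to the other business, since its own logs should show the same window on its Exchange server.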

7 of 96 comments

  1. Call 911 by H8X55 · Score: 3, Funny

    Call 911 and let the Patriot Act take it from there... No one from that company will be trying to pwn you again.

    1. Re:Call 911 by ian+rogers · Score: 2, Funny

      And make sure to use the word "pwn" while on the phone with 911. :)

  2. Personally... by Anonymous Coward · Score: 5, Funny

    I always celebrate. Oh wait, you mean as the victim? Hrm..

  3. Big Friendly Letters by SDMX · Score: 3, Funny

    DON'T PANIC.

  4. Let the readers decide by kmahan · Score: 2, Funny

    You could always just post the IP on Slashdot.

    Some might consider that overkill though.

    --
    Invalid Checksum. Retrying.

  5. Re:Simple by EricV314a · Score: 2, Funny

    And this is why consultants should demand their fee UP FRONT

  6. Re:First and foremost, cover your ass. by Anonymous Coward · Score: 1, Funny

    Upon learning that your systems have been penetrated, proper incident response is as follows:

          1. Scream. Hold head between hands and moan.

          2. Check passport, one-way tickets to South American country of choice. Express relief that the emergency escape kit is still operational.

          3. Remember advising boss to rescind departmental policy of secure sticky-note-on-the-monitor storage for passwords. Recall boss' gales of laughter in response. Take hefty swig of Jack Daniel's.

          4. Remember advising boss to please not open random e-mail attachments. Recall boss' blank stare in response. Suck on barrel of .357 revolver for 5 minutes or until sufficiently calmed down.

          5. Remember pleading with boss to allow filtering executable attachments. Recall boss' response. Almost pull trigger.

          6. Resist urge to yank server out of rack and dump out ninth-story window.

          7. Advise boss of break-in. This starts the long chain of blame-passing that ends when the CEO sacks 5 random people in middle management and below.

          8. Sit back and watch the spin machine start the vital post-incident response protocol of figuring out who might know what happened and silencing them.