Cisco Blogs

You’ve Been Hacked? Here’s What to Do

August 17, 2011 - 8 Comments

5 helpful steps for responding to and recovering from a network attack

Strange pop-up windows, unauthorized software, sluggish systems, mysteriously changed passwords, programs running automatically, or unofficial content posted to your website are all signs that your small business network has been hacked. If you suspect that your network security has been compromised, don’t panic! It’s important to remain calm, retain your professional demeanor, and act decisively.

In addition to seeking guidance from a security professional, these five steps can help you quickly respond and safely recover from a network attack.

1. Verify the attack on your network. You should gather as much information as quickly as possible. Confirm which systems were compromised, determine the IP addresses that were used in the attack, and identify the type of attack, such as unauthorized remote access, a virus, or a malware page tacked onto your website. Use the administration tools available in your routers and firewalls, such as traffic logs and syslog messages. If devices on your network can provide traffic flow records, these records can help to investigate, classify, and provide future protection guidance. Your Internet service provider (ISP) and any out-of-house IT provider may also be able to provide useful information. In addition, a security professional can help you gather and make sense of all the information collected.
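
The triage this step describes, carried out on a flow-record export, as an added example that is not part of the original post or any Cisco product: it takes NetFlow-style records, separates traffic by which side is the office LAN, and reports external addresses that probed many ports, internal hosts that were reached on remote-administration ports, and internal hosts that pushed unusually large volumes outward. The CSV column layout, the `10.0.0.0/8` LAN range, the admin-port list and both thresholds are assumptions; the sample records are constructed and use documentation address ranges.

```python
# Added example (not from the original Cisco post): triage of exported flow
# records to confirm which hosts were touched and which external IPs were
# involved. The CSV layout, the LAN range and the thresholds are assumptions.
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export in NetFlow-style columns. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the Internet;
# 10.0.0.0/8 stands in for the office LAN.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,bytes
2011-08-15T02:10:01,203.0.113.7,51000,10.0.0.5,21,tcp,120
2011-08-15T02:10:02,203.0.113.7,51001,10.0.0.5,22,tcp,140
2011-08-15T02:10:02,203.0.113.7,51002,10.0.0.5,23,tcp,60
2011-08-15T02:10:03,203.0.113.7,51003,10.0.0.5,80,tcp,3200
2011-08-15T02:10:03,203.0.113.7,51004,10.0.0.5,443,tcp,60
2011-08-15T02:10:04,203.0.113.7,51005,10.0.0.5,3389,tcp,60
2011-08-15T02:11:10,203.0.113.7,51200,10.0.0.5,22,tcp,48000
2011-08-15T02:30:00,10.0.0.5,40000,198.51.100.9,443,tcp,52000000
2011-08-15T09:00:00,10.0.0.12,40001,198.51.100.20,443,tcp,18000
2011-08-15T09:00:05,198.51.100.20,443,10.0.0.12,40001,tcp,150000
"""

LAN = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
ADMIN_PORTS = {22, 23, 3389, 5900}            # remote-administration services
SCAN_PORT_THRESHOLD = 5                       # distinct ports hit by one source
EXFIL_BYTES_THRESHOLD = 10_000_000            # outbound bytes to one external host


def parse_flows(text):
    """Parse the CSV export into dicts with numeric port and byte fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def is_internal(addr):
    return ipaddress.ip_address(addr) in LAN


def triage(flows):
    """Summarise inbound probing, admin-port access and bulk outbound transfers."""
    ports_by_external = defaultdict(set)   # external src -> internal ports it touched
    admin_access = defaultdict(set)        # internal host -> external sources on admin ports
    outbound_bytes = defaultdict(int)      # (internal, external) -> bytes sent out
    for f in flows:
        src_in, dst_in = is_internal(f["src"]), is_internal(f["dst"])
        if not src_in and dst_in:
            # Return traffic of a LAN-initiated session also lands here on
            # stateless exports, so no single inbound flow is treated as proof.
            ports_by_external[f["src"]].add(f["dport"])
            if f["dport"] in ADMIN_PORTS:
                admin_access[f["dst"]].add(f["src"])
        elif src_in and not dst_in:
            outbound_bytes[(f["src"], f["dst"])] += f["bytes"]

    scanners = sorted(ip for ip, ports in ports_by_external.items()
                      if len(ports) >= SCAN_PORT_THRESHOLD)
    large_outbound = sorted((src, dst, total) for (src, dst), total in outbound_bytes.items()
                            if total >= EXFIL_BYTES_THRESHOLD)
    affected_hosts = sorted(set(admin_access) | {src for src, _, _ in large_outbound})
    suspects = sorted(set(scanners)
                      | set().union(*admin_access.values())
                      | {dst for _, dst, _ in large_outbound})
    return {
        "scanners": scanners,
        "admin_access": {host: sorted(srcs) for host, srcs in admin_access.items()},
        "large_outbound": large_outbound,
        "affected_hosts": affected_hosts,
        "suspect_external_ips": suspects,
    }


def flows_involving(flows, ip):
    """Timeline of every record touching one address, kept as evidence."""
    return sorted((f for f in flows if ip in (f["src"], f["dst"])), key=lambda f: f["ts"])


if __name__ == "__main__":
    report = triage(parse_flows(SAMPLE_FLOWS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed records the report names `10.0.0.5` as the host reached on admin ports and later sending a large transfer out, and lists both external addresses involved; `flows_involving` then pulls the full timeline for one address so it can be saved alongside the other evidence before any system is wiped. The thresholds are deliberately conservative starting points and should be tuned against what a normal day looks like on your own network.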

2. Contain the damage and preserve your business assets. Your initial reaction may be to take your entire network offline, but that could actually cause additional damage to your company’s operations, not to mention its relationships with customers and its reputation in the marketplace. Instead, strategically isolate and take offline just the impacted applications; or, if necessary, take down the servers or computers those applications live on. This quarantines the affected applications and devices while still allowing your company to continue to do business.

Also, you need to identify the exact damage done to individual devices. Compare the configurations and data sets for each compromised computer and server with the last known stable and clean backup for each system.

You may need to delete any offensive content left on your site or wipe your systems clean of malware, but you also need to preserve evidence of the crime that was committed against your company—a practice recommended by the Anti-Phishing Working Group (APWG). The APWG also recommends making safe copies of the illegal content or unauthorized applications, separate from any systems that could be further damaged by that content. Make sure to check with your company’s legal counsel before doing so. Some content shouldn’t be copied, particularly child pornography, and must be immediately reported to authorities before you proceed with cleaning up those systems. Cisco partners specializing in security matters and Certified Information Systems Security Professionals (CISSP) can be most helpful in recovering while preserving information for possible legal actions.

3. Decide if you need to make a public statement about the incident. Depending on the kind of attack and the damage your network sustained, you may need to communicate with customers, partners, or authorities. For example, if the security breach affects your compliance with a governmental regulation, you may be required by law to hire a security investigator who will guide you through your response to the breach. If customer or partner data was affected, you’ll need to notify them that their information was compromised. Again, consult first with your lawyer and public relations professional before issuing any sort of public announcements.

Even if you don’t need to make a public announcement about the security incident, consider reporting it to the vendors of your antivirus and antimalware solutions as they keep updated logs of security threats. You may also want to consider notifying local or even federal units for cybercrime law enforcement.

4. Clean up and restore the affected systems. If more than one computer or server was hit in the attack, first decide the order in which you’ll clean and then restore them to their previous states, starting with business-critical systems, of course. Replace the current, compromised data, configurations, and applications with the most recent clean backup. Change the passwords for all affected systems, users, and applications, including the root password. At the same time, require that all passwords companywide be changed, even on systems that weren’t impacted by the attack. Make sure, too, that no passwords are set to a default or “admin.”

5. Close the vulnerability used to access your network and amp up security. Make sure you fix the hole that was used to gain access to your network, whether it was a configuration error, an email download, or another vulnerability. You should also increase your network security. For example, check for new security patches, update all systems and software to the most current versions, and make sure the security settings on all of your network hardware and software are set appropriately.

As you put your systems back online and resume normal business operations, you will want to monitor for any recurrence and might consider adding additional security protection, such as an intrusion prevention system (IPS). The Cisco SA 500 Security Appliances include an IPS as well as advanced web and email security options.

Security experts strongly encourage planning ahead and having an incident response plan that you can act on in the event your network is compromised. These five steps can serve as a foundation for your response plan, which can also be an important component of a small company’s disaster recovery plan. If you need help creating an incident response plan that reflects your company’s operations, consult with a network security expert, such as a security-specializing Cisco Certified Partner or a Certified Information Systems Security Professional.

Has your small business been hacked? How quickly were you able to get back online?



  1. Hi there, I found your site by way of Google whilst searching for a similar topic; your site came up, and it looks great. I have bookmarked it in my Google bookmarks.

  2. Businesses should always be well prepared for worst-case scenarios. Looking ahead and knowing how to deal with an unexpected compromise of security is vital. Thank you very much for a great article.

  3. It’s really great information for me.

  4. I found your post very valuable in terms of exact steps to follow to minimise the damage or risks when your database has been hacked.

    It is natural to go into panic mode when something so potentially detrimental to your organisation occurs, and there is then a great possibility that important aspects of an effective ‘cleanup’ can be missed. Your advice to remain calm and decisive is invaluable, as this will allow you to focus on the task at hand more effectively.

    I particularly like point number 4 above, as it is so easy to ‘get comfortable’ again even when the risk or threat could easily re-occur. I would probably only have thought of changing passwords on affected systems instead of changing the entire organisation’s passwords had I not read your article.

    As you recommend, however, I do think that it would be safest to seek the assistance of professionals to avoid re-occurrence at a later stage.

  5. I agree with you, Michael: upon hacking, the entire system should not be taken offline, as it impairs brand reputation, especially in small and medium-sized enterprises. I liked your idea of fixing the security loophole that triggered the hacking attack. Nice tips; I have learned a lot.

  6. So, great advice, and I would add that you ought to reach out to law enforcement now, before you suffer a breach. Speak to them about what happens post-breach and any ideas they may have. Reach out to your local FBI office and ask to speak with the InfraGard Coordinator. They are there for you and can explain the nuances of reporting a breach, the “to-do” and “not to-do” things. Speaking as the former InfraGard Coordinator for the FBI in Atlanta: the FBI takes these types of incidents very seriously.

  7. Well, I admire the fact that this issue of hacking has been highlighted. I have some doubts on the first point that states we should not take our entire system down. Well, in small businesses there are mostly very few computers, with two or sometimes just three servers. The network is shared, and the applications and software used are mostly accessible on all the systems. These days the virus intrusions replicate themselves in every machine that has access to the network, so I think it would be wise to take the system down and quickly install backup copies on all the computers to recover fully from the attack. I liked the idea of taking some evidence of the attack by creating copies of the virus programs. Thanks for the great tips.

  8. Those 5 tips are really useful for me, especially for recovering from a network attack. Sometimes people just give up when they get hacked; they do not know what they will do, but this way can help many people bring their network back to normal. Prevention is a good way, I think.