There are three major rules for handling security breaches:
Don’t panic. No matter what has happened, you will only make things worse if you act without thinking.
Document. Whether your goal is to get your system running again as soon as possible, or you want to collect evidence for a prosecution, you will be better off if you document what you do.
Plan ahead. The key to effective response is advance planning. If you plan and practice your response to a security incident, you’ll be better equipped to handle the incident when and if it ever happens.
After a security breach, you are faced with many different choices. Should you shut down the computer, disconnect the network, or call the cops? No matter what has happened, you will only make things worse if you act without thinking.
Before acting, you need to answer certain questions and keep the answers firmly in mind:
Did you really have a breach of security? Something that appears to be the action of an intruder might actually be the result of human error or software failure.
Was any damage really done? With many security breaches, the perpetrator gains unauthorized access but doesn’t actually access privileged information or maliciously change the contents of files.
Is it important to obtain and protect evidence that might be used in an investigation?
Is it important to get the system back into normal operation as soon as possible?
Are you willing to take the chance that files have been altered or removed? If ...