Best Practices - 5

Response
  • Systems that have been infected by a worm or attacked by an intruder should be disconnected from the network immediately.
  • Find out how the attack happened. Although some worms trumpet their existence, others, as well as cracker intrusions, will require some detective work.
  • Remove worm files and Trojans from infected systems using updated anti-virus programs or by removing unknown files. For more peace of mind, wipe the system and reinstall the operating system.
  • Apply all necessary patches and implement workarounds. Consider disabling at-risk applications and services.
  • Find out where attacks originated, and notify administrators there of possible breaches. Legal action should be the last resort.
  • Don't attempt to strike back with honeypots and the like, although passive tools that hinder worms and attackers are good options.