Before you reconnect the network to the Internet, you need to patch all the vulnerabilities you can. In most cases, it won't be clear what vulnerability was exploited to gain access to your network, so the goal is to patch them all. In some environments, you'll need to have patches approved before they can be implemented. But in many other environments, patches can be installed as needed. In either case, you should load all the patches you can. In particular, you should apply security patches to all systems, making sure that your firewall is up to date, external systems are appropriately tightened, and that all the internal systems are patched. If you skip this step thinking you'll get to it later, you may find that your network is compromised again shortly after you've cleaned everything up. The amount of effort required to really clean up from a security breach makes it imperative that you do everything that can be done to prevent further compromise. Reconnect your systems
The physical process of reconnecting the systems to the Internet sounds trivial: You plug things back in and they start working. Of course, it's what happens as soon as the systems are logged back in that is important. As soon as the devices are reconnected, they'll start making outbound connections through the firewall. You need to monitor those connections to see where they're going. Most people discover that a lot of applications and utilities on their workstations are talking to the outside world. Every connection should be investigated to see whether it's valid. This is particularly true for connections that aren't destined for port 80 (the HTTP port). To investigate the destination IP address, you can use nslookup. Type NSLOOKUP at a command prompt. Next, type SET TYPE=PTR and press [Enter]. Finally, take the IP address, reverse it, and append in-addr.arpa. After you enter this whole thing, you can look for an answer. For example, if the outside address is 216.37.52.229, you would type 229.52.37.216.in-addr.arpa. If you don't get the answer you want, start dropping off the end of the IP address until you do. For example, our next command would be 52.37.216.in-addr.arpa. Cleaning up pays off
When a network has been compromised, a lot of work is required to ensure that it doesn't happen again. But despite all the effort, it's not a good idea to cut corners. No cost can be placed on the problems that can result if you don't completely clean up compromised systems and monitor the results after they are reconnected. In the next article in this series, we look at what to do in the week after a hack attack.
