Think you’ve been hacked, phished or otherwise compromised? Keep calm - let's work through it. No jokes here - just step-by-step instructions.
The first-aid.... of cyber hacks is the (3+1) Rs
The text in this page may look daunting, but it is just the expansion of:
- Remove the device from the network - Isolate the device
- Reset Account Passwords - Deny attacker ability to use your credentials
- Report Hacking promptly – Alert the rest of the network and community
- Recover - follow any specific recovery instructions from the security team.
Remove the device from the networkIf it is an ANU owned device or service that has been hacked:
- Keep device powered ON. When a compromised device is turned off, lots of useful cyber forensic information is lost that may help cyber security analysts, slowing down the investigation and recovery.
- Physically disconnect device from wired networks. Pulling the network cord out of the back of the device helps deny attackers ongoing access to it.
- Put the device into 'Flight Mode'. Flight mode turns off Wifi and 4G/5G networks - which helps deny attackers ongoing access.
- Unfortunately, ANU cannot provide technical support or forensic services for personal devices. Follow the advice from the ACSC website https://www.cyber.gov.au/acsc/individuals-and-families/recover-and-get-help
Reset Account Passwords
- Reset your ANU password. By changing your ANU password at https://identity.anu.edu.au/, you are denying an attacker ongoing access to your ANU account.
- Strongly consider resetting other passwords. After reporting the incident as per below, consider what other accounts, professional and private you have accessed from the compromised device and consider changing those passwords, and notifying the service provides (esp. financial institutions).
Report Hacking Promptly
Promptly report the hacking to the Service Desk. Ph: 612 54321 or https://servicedesk.anu.edu.au/. This allows quick identification, containment and prevention of any broader attacks, it will also decrease the time to resumption of normal working for yourself.
Be prepared to answer the following questions:
- Who is reporting? (name, Uni ID, role/position and contact details) We need to be able to contact you; a personal mobile phone number is preferable; unless it is the device that has been hacked.
- What device/account/service/data was impacted (asset #, machine name, Uni ID)? By describing what has been hacked, incident responders are able to contain the infection and facilitate a quick recovery of business as normal for you.
- Why do you think you have been hacked? It can sometimes be difficult to determine the source of a hacking attack. Any information you can give on why you think you have been hacked is invaluable for cyber security analysts. Trust your gut. We’d prefer you to report something that can be explained away as safe rather than ignore something that might be malicious.
- How was the service compromised? By letting us know what occurred (phishing, malware infection, data loss, etc.) in as much detail as possible, we are more able to determine how the incident occurred and how best to recover.
- When? By letting us know when you believe the attack happened and also when you noticed, you are providing valuable time line information to the cyber analysts.
- Is the incident ongoing? Is the hacking/compromise still occurring? Do you have reason to believe that the attacker still has access to the device?
- Where was the device when the hacking occurred? ANU network/wifi? Home network? Hotel? Public wifi? Overseas? This enables the incident responders to better target their recovery efforts.
- Do you require any further assistance? Sometimes, a reporter may not require an further assistance, but is assisting the cyber team by reporting the incident. Please let us know what you did to recover from the incident.
- Follow instructions from Service Desk or the cyber incident responders when contacted. After receiving your incident report, an initial assessment and technical investigation occur which may require your input - it truly is a collaborative effort. This assessment is not about blame – it is about determining the technical conditions and actions needed to protect you and our network. The Service Desk or Cyber Security team will contact you via email or phone to let you know if there are any further actions required.
- Again, strongly consider resetting other passwords as per above.
- Monitor your device and account behaviours. After an attack has been cleaned up, attackers may attempt to re-exploit your device. Extra vigilance is required after clean-up.