Life after the hack

• 10:00 The daily scrum has just begun.
• 10:01 Phones rings : someone noticed your site has been defaced and is warning you
• 10:02 Twitter and Reddit start buzzing about the hack
• 10:05 Phone ring all over the place, with journalists and the various C-level execs on the other end, your mailbox is filling with warnings
• What is your next step ?

This is a situation most of us hope never to encounter but, sadly, the question is not really whether it will happen, but
when, and what the level of consequences will be. Are you prepared ?

The goal of this session is to give you pointers on the contingency procedures you should apply, what to do from the
initial minutes after problem discovery to months later, including concepts like:

• providing a safe fallback mode
• maintaining presence with a hacked site
• using forensics tools: snapshots, fingerprints, logs
• rebuilding, not restoring
• restoring production
• developing and evolving a disaster prevention and recovery plan
• communication and public image damage control

None of this is specific to a given Drupal version. These procedures have been used on Drupal 6 and 7 intrusions, and will work similarly for Drupal 8 and other technologies.

fgm has been involved in restoring service to hacked Drupal platforms since 2010, and performing security audits since then. He authored or co-authored several Security Advisories and related fixes, and is currently a provisional member of the Security Team.