=Intrusion Countermeasures= 
If an intruding hacker fails to penetrate a system’s defenses (i.e., they are Spotted or Locked), then the system goes on alert and activates certain defenses. The nature of the applied countermeasures depends on the capabilities of the system, the abilities of its security defender(s), and the policy of its owner/admins. While some nodes will simply seek to kick the intruder out and keep them shut out, others will actively counterattack, seeking to track the intruder and potentially hack the intruder’s own PAN.
==Security Alerts== 
Security alerts come in two flavors: passive and active.
===Passive Alerts=== 
Passive alerts are triggered when an intruder hits Spotted status. The system immediately flags a visual or acoustic cue to anyone actively monitoring the system and possibly the owner or admins. It immediately launches one or more passive countermeasures (see below). Depending on the system, extra security hackers or AIs may be brought in to help investigate. If the intruder is not encountered again or located within a set time period (usually about 10 minutes), the alarm is deactivated and the event is logged as an anomaly.
Depending on the security level of the system, someone may analyze the logs at some point and try to ascertain what happened—and prevent it from happening again.
All intruders suffer a –10 modifier for tests involving a system that is on passive alert.
===Active Alert=== 
An active alert is triggered when an intruder hits Locked status. The system immediately alerts the owners, admins, and monitoring security agents. Additional security assets (hackers and AIs) may be called in. The system also launches active countermeasures against the intruder (see below). Active alerts are maintained for as long as the intruder is present, and sometimes for a lengthy period afterwards just in case the hacker returns.
==Passive Countermeasures== 
Passive countermeasures are launched as a precaution whenever an intruder acquires Spotted status.
===Locate Intruder=== 
A security hacker or AI monitoring a system may attempt to track down the source of the passive alert.
See Zeroing In, above.
===Re-Authenticate=== 
When a passive alert is triggered, a firewall can be set to re-authenticate all active users, starting with the most recent. At the beginning of the next Action Turn, everyone on the system must take an action to log back in. For intruders, this means making an Infosec Test, modified by –10 for the passive alert, to satisfy the system that they are a legitimate user.
===Reduce Privileges=== 
As a protective measure, some systems will immediately reduce access privileges available to standard users, and sometimes security users as well. One common tactic is to protect all logs, backing them up and making sure no one has rights to delete them.
==Active Countermeasures== 
Active countermeasures can only be launched if the intruder has acquired Locked status.
===Counterintrusion=== 
A security hacker or guardian AI can proactively defend a system by attacking the intruder’s source. For this to occur, the intruder must first be successfully traced. Once this occurs, the security forces can then launch their own intrusion on the hacker’s home ecto/mesh inserts and/or PAN.
===Lockout=== 
A system that has locked onto an intruder may also attempt to lock them out. Lockout is an attempt to remove the compromised account, sever the connection between the two, and dump the hacker from the system.
Lockout must be initiated by someone with security or admin privileges. An Opposed Infosec Test is made, with the intruder suffering a –20 modifier for being Locked. If the character defending the system succeeds, the intruder is immediately ejected from the system and the account they used is placed in quarantine or deleted. That account will not be usable again until a security audit approves it and replaces the authentication. Any attempt to access the system from the same mesh ID as the intruder automatically fails.
===Reboot/Shutdown=== 
Perhaps the most drastic option for dealing with an interloper is to simply shut down the system. In this case, the system closes all wireless connections (if it has any), logs off any users, terminates all processes, and shuts itself down—thereby locking out the intruder. The disadvantage, of course, is that the system must interrupt its activities. For example, shutting down your mesh inserts or ecto means losing all communication with teammates, access to augmented reality, and control over slaved/linked devices.
Initiating a reboot/shutdown is only a Complex Action, but the actual process of shutdown takes anywhere from 1 Action Turn (personal devices) to 1 minute (large hardwired networks with multiple users), determined by the gamemaster. Rebooting a system takes the same amount of time to get started again.
===Trace=== 
For high-security systems, a popular countermeasure is to track the infiltrator’s physical location via their mesh ID (see Physical Tracking, above). In most cases, habitat physical security is then alerted and given the position so that it can take care of the criminal.
===Wireless Termination=== 
An alternative to shutdown or rebooting is simply to sever all wireless connections by shutting down the wireless capabilities of the system. The system will lose all active connections, but any intruders will be dumped. Wireless termination is a Complex Action to initiate and completes at the end of that Action Turn. Re-starting wireless connectivity takes 1 Action Turn.
===Sidebar: Joint Hacking / Securing=== 
Hacking will sometimes involve teams of attackers and/or teams of defenders. A hacker might be backed up by their muse or another team member with moderate Infosec skills. Hard networks are often defended and monitored by teams of highly-skilled security hackers and AIs. When intruding in or defending a computer system, operators must decide whether to act individually or in concert.
Each approach has its tradeoffs. A team that chooses to breach or maintain a system’s security as a team effort must allocate one character (usually the team member with the highest Infosec skill) as the primary actor (see [[Dice and Making Tests#Making%20Tests-Teamwork|Teamwork]]).
Each additional character and muse adds a +10 modifier for each test (up to the maximum +30 modifier) but cannot spend time on actions other than those performed by the team leader. When acting in concert, teams may switch team leaders at any time, in case group members are specialized for certain tasks.
Alternately, both intruding and defending teams may choose to act individually but for a joint goal. Each hacker must make intrusions on their own, with individual repercussions for detection and counterintrusion, which runs the risk of affecting all intruders if any one is Spotted or Locked. On the other hand, a team of intruders can pursue multiple actions simultaneously in a coordinated manner and may temporarily overwhelm available security. The same holds true for system defenders, who may accomplish more by splitting their actions, leaving some to monitor while others launch counterintrusion attacks and other countermeasures.
