When it comes to fending off and recovering from ransomware attacks, some frequently touted strategies may be over-promoted. Making cloud-based backups and dialing law enforcement upon discovering a breach may suit some organizations, but not all, according to Domingo Rivera, the Cybersecurity and Infrastructure Security Agency (CISA)’s cybersecurity advisor for North Carolina during a recent webinar. “I would never tell everyone that everybody should contact law enforcement because that’s not my place,” Rivera said. “It is certainly a very, very individual decision that has to be made by management having all the information.” As for advice that should be given across the board? In Rivera’s view, that includes applying multifactor authentication (MFA), laying out a response plan, training staff on cyber threats and quickly adopting software updates and patches. Cybersecurity awareness-focused nonprofit the National Cyber Security Alliance hosted the Sept. 13 webinar. Discussion centered on advising businesses about individual actions and government supports for combatting ransomware. MFA VERSUS THE HUMAN FACTOR Social engineering may be attackers’ strongest offensive ploy. Shifts to remote work and e-learning have made this threat greater, giving bad actors more opportunities to try to trick employees and students who may be using less secure home networks and relying more heavily on email communications, said Stephen Kennen, president of North Carolina-based managed IT services provider Proactive IT. Continual training then becomes essential to keeping users alert to threats. Individuals who fall to phishing attempts can inadvertently download malware or reveal their login credentials to scammers. Cyber criminals gaining access to email accounts can be particularly pernicious, because the attackers can spread their reach by masquerading as the account owners and use this guise to trick additional victims. Kennen urged organizations to require users to go through MFA when seeking access to systems and programs. Organizations ideally would apply MFA to all applications requiring logins but should at least do so for email and remote access services. RESPONSE PLAN Swiftness is essential when responding to an attack, and organizations will be fleeter footed if they can avoid spending time during a crisis debating their plans of action and hunting down contact information. Organizations need to know ahead of time what steps each team member will be expected to take and have decided whether their first move will be to contact the FBI, their insurance carrier or another party as well as have the contact details ready, Rivera said, adding that CISA provides response plan templates. Organizations also need to know how to quickly track down relevant employees, such as those with the passwords to impacted systems or who can access backups. Rivera recommended hammering out tricky policy and business strategy questions well in advance. That includes pre-deciding whether the organization is willing to pay ransoms, how long it can endure operations being offline and how much data the organization can afford to lose. Kennen spoke similarly, saying organizations need to ask themselves, “Can your business be down for a day? Three days, a week, an hour? Can it never be down?” Organizations considering resisting ransom demands and shaping response plans must know how long it will likely take them to restore systems from backups and whether a week-old backup is good enough or if they’d need more recent data. BETTER BACKUPS Backups themselves can become infected, Rivera warned. Cyber attackers are known to quietly lurk in systems for months after penetrating them. Should companies unwittingly create backups of systems that are already compromised, the malware will also be preserved — meaning that efforts to restore their operations from these files will also be restoring the problems. Tracking down exactly when the breach first happened then becomes essential to knowing which backups to trust. “Part of that response [strategy] is trying to find this patient zero, to make sure that your backup itself is not infected,” Rivera said. Testing backups and recovery practices and keeping those backups secured becomes essential, said Kennan. Victims sometimes believe that paying ransoms will enable them to re-establish operations faster than they could if restoring from backups. Kennan — who’s company provides backup and recovery services — said that strong backup management strategies allow firms to rapidly recover their networks, however. “I can recover an entire network of servers and PCs in less than a day … if you’ve got it properly backed up and managed,” Kennan said. “People don’t understand what a good backup is. They think it’s being backed up to the cloud — [and assume] you’re safe because it’s offsite.” Backups stored on the cloud are not inherently safer than those stored on-premises, so long as firms apply proper security steps to either environment, Rivera said. Individual business concerns will inform the best approach for each organization. “The cloud was not necessarily created to make you more secure,” Rivera said. “If you’re worried about access by bad actors, having the server in the cloud may not create that big of a difference.” Following key cyber hygiene recommendations can help organizations reduce the chance of successful attacks, while adopting backup best practices and preparing response plans ready them for quicker recovery should cyber criminals slip through. Organizations may find that they do not follow their response plans to a T once forced to put the strategies into action, because no one can anticipate all eventualities. But having such a guide ready can still give teams a launching point for their response activities and save valuable time, Rivera said.

Originally posted at: https://www.govtech.com/security/response-plans-backup-strategies-underpin-cyber-resilience

Read Full Article