Ransomware recovery: 8 steps to successful recovery from backups

There is a cultural barrier to continued investment in cybersecurity, Johnson admits. “We are a reactive society, but cybersecurity is ultimately seen for what it is: an investment. An ounce of prevention is worth a pound of cure.”

8. Check, check, and check again

“Many people approach backups from a storage perspective, not a point of view,” said Mike Golden, senior manager of cloud infrastructure services delivery at Capgemini. “You can back up all day, but if you don’t test your recovery, you don’t test your disaster recovery, you open yourself up to problems.”

This is where most companies go wrong, Golden said. “They support it and go and they don’t check it.” They don’t know how long backups will take to download, for example, because they haven’t tested them. “You never know every little thing that could go wrong until it does,” he says.

It’s not just the technology that needs to be tested, but the human factor as well. “People don’t know what they don’t know,” said Golden. “Or there is no regular audit of their procedures to ensure that people are following the policies.”

When it comes to people following the necessary maintenance procedures and knowing what to do in a disaster recovery situation, the mantra, Golden says, should be “trust but verify.”

What steps should companies take if they encounter a ransomware attack?

The Cybersecurity and Infrastructure Security Agency (CISA) of the US has a framework for companies to follow that includes important steps to take after a ransomware attack.

Estimate the extent of the damage: The first step is to identify all affected systems and devices. That can include on-premises hardware and cloud infrastructure. CISA recommends using out-of-band communications during this phase, such as phone calls, to avoid informing attackers that they have been detected and what actions you plan to take.

Isolate systems: Disconnect the affected devices from the network or power them down. If several systems or subnets are affected, take them offline at the network level by taking switches down or disconnecting cables. Powering down devices may destroy evidence held in volatile memory, however, so treat it as a last resort. Also isolate and protect the most important systems across the network that have not yet been touched.

Triage affected systems for restoration: Prioritize systems critical to health and safety, revenue generation, and other critical business functions, together with the systems they depend on. Restore from offline, encrypted backups and golden images that have been verified to be free of infection.

Notify stakeholders: Following your cyber incident response and communication plan, notify internal and external teams and stakeholders. These may include the IT department, managed security service providers, the cyber insurance carrier, company leadership, customers, the public, and the relevant government agencies in your country. If the incident involves a data breach, follow the applicable legal notification requirements.

Preserve evidence and eradicate: Collect system images and memory snapshots of all affected devices, along with relevant logs and malware samples, to establish early indicators of compromise. Identify the ransomware variant and follow the remediation steps recommended for it. If data has been encrypted, contact law enforcement about decryptors that may be available. Protect networks and accounts against further compromise, since attackers may still hold their original access credentials or may have obtained additional ones during the breach. Finally, perform extended analysis to identify persistence mechanisms so that the infection does not reactivate.

How long does it take to recover from ransomware?

According to Sophos, only a minority of ransomware victims recover in a week or less: 35% took less than a week, about a third took between a week and a month, and the remaining third, 34%, took a month or more to recover. Only 7% of victims recovered in less than a day, and 8% took three months or more.

Recovery times are greatly reduced, however, if the company has good backups.

If a company’s backups are also compromised, only 25% of companies recover in less than a week. Where the backups were not compromised, 46% of companies were back on their feet in less than a week.

Best ransomware protection methods

CISA has a detailed list of best practices for preventing ransomware.

Backups: CISA recommends keeping offline, encrypted backups of important data and testing these backups and recovery procedures regularly. Enterprises should also have golden images of critical systems, as well as configuration files for critical operating systems and applications that can be quickly deployed to rebuild systems. Companies may also consider investing in backup hardware or backup cloud infrastructure to ensure business continuity.
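A restore drill of the kind Golden calls for in “Check, check, and check again” and CISA recommends above, as an added example (not from the article, Capgemini or CISA): it restores a constructed backup set to scratch space, verifies every file against a SHA-256 manifest recorded at backup time, times the restore, and checks the backup’s age against an assumed 24-hour recovery point objective. File names, contents and timestamps are all constructed.

```python
"""Restore drill: restore a backup set, verify each file against a digest manifest
recorded at backup time, time the restore, and check freshness against the RPO."""
import hashlib
import shutil
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # fine for small drill files

def build_manifest(backup_dir: Path) -> dict:
    """Digest every file at backup time; keep this list offline, apart from the backup."""
    return {p.name: sha256_file(p) for p in sorted(backup_dir.iterdir())}

def restore_drill(backup_dir: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore the set, time it, and report missing, altered or unexpected files."""
    start = time.monotonic()
    for p in backup_dir.iterdir():
        shutil.copy2(p, restore_dir / p.name)
    elapsed = time.monotonic() - start
    problems = [f"missing: {n}" for n in manifest if not (restore_dir / n).exists()]
    problems += [f"digest mismatch: {n}" for n, d in manifest.items()
                 if (restore_dir / n).exists() and sha256_file(restore_dir / n) != d]
    problems += [f"unexpected file: {p.name}" for p in restore_dir.iterdir()
                 if p.name not in manifest]
    return {"ok": not problems, "problems": problems, "restore_seconds": elapsed}

def backup_is_fresh(taken_at: datetime, rpo: timedelta, now: datetime) -> bool:
    """A backup older than the RPO verifies fine yet still loses data on restore."""
    return now - taken_at <= rpo

def demo() -> dict:
    """Constructed drill: one file is altered after the manifest was recorded."""
    base = Path(tempfile.mkdtemp())
    backup, restore = base / "backup", base / "restore"
    backup.mkdir()
    restore.mkdir()
    (backup / "ledger.db").write_bytes(b"constructed ledger contents")
    (backup / "config.yaml").write_bytes(b"constructed config")
    manifest = build_manifest(backup)
    (backup / "ledger.db").write_bytes(b"silently altered")  # simulated corruption
    result = restore_drill(backup, manifest, restore)
    taken = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed backup timestamp
    result["fresh_after_12h"] = backup_is_fresh(taken, timedelta(hours=24), taken + timedelta(hours=12))
    result["fresh_after_2d"] = backup_is_fresh(taken, timedelta(hours=24), taken + timedelta(days=2))
    shutil.rmtree(base)
    return result
```

The drill flags the altered file as a digest mismatch and reports the backup as stale once the assumed RPO is exceeded, which is exactly the “trust but verify” outcome a backup-only view misses.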

Incident response plan: Businesses should establish, maintain, and regularly exercise a cyber incident response plan and an associated communication plan. The plan should cover all legally required notifications and organizational communication procedures, and all key players should have paper copies or offline versions of it.

Prevention: CISA recommends that companies move to a zero-trust architecture to prevent unauthorized access. Other important preventive measures include reducing the number of services exposed to the public, especially services that are frequently targeted such as Remote Desktop Protocol. You should perform regular vulnerability scans, regularly patch and update software, use multi-factor authentication that resists phishing, use identity and access control systems, change all default usernames and passwords, use role-based access instead of root access accounts, and check security settings for all company devices and cloud services, including personal devices used for work. CISA also has specific recommendations to protect against common access vectors, such as phishing, malware, social engineering, and vulnerable third parties.


Source link