How to Test Your Environment Against Cyber Threats

Over the last several years, the frequency of cyber threats and attacks has increased. It is estimated that there is an attack every 39 seconds and an estimated 30,000 websites a day get hacked. And the vast majority of these things are the result of an error:

• misconfiguration,
• not following policies or procedures,
• not adhering to best practices, 
• in some cases, just being duped or tricked by a threat actor.

So the reality is that the cyber threat is not going away. We will continue to see attacks happening more frequently, especially as the world moves further and further into being digital and connected in almost every way. 

Backups are Cyber Attack Targets

Companies that think they are safe because they have backups may be surprised to learn that 94% of attacks target backups. This is critical because it means that contrary to popular belief, just because you have backups does not mean that you are safe. Misconfiguring backups or not following a solid industry best practice backup strategy, or having an immutable cloud backup policy, can all undermine your efforts and your data protection.

Which Industries Are Under Attack?

Small business is a  growing sector for cyber threats and attacks. That’s largely because small businesses tend not to have the money and resources to invest in the enterprise-grade protections and security services that they need.

Healthcare is another big one. Every month there are more stories about hospitals being compromised. This is really due to the fact that it causes such a visceral reaction. It interrupts a vital service, which is what the threat actor wants, right? The more critical the thing they can interrupt, the higher the likelihood that they get paid or get some benefit out of that disruption.

Government agencies are always going to be a big target because they usually lag behind the commercial world in data security and technology. 

Financial institutions for obvious reasons. The principal motive in a cyber attack is almost always money, so disrupting hospitals, power grids, and things like that get people’s attention quickly and exerts a lot of influence over another nation or municipality. So we can expect the cyber threat to these industries to remain high and for attacks to occur at an ever-increasing rate.

Watch the video or jump to sections of the lightly edited transcript below following the links to key sections:

What is a cybersecurity perimeter?

How to identify vulnerabilities to cyber attacks?

What are Enhanced Data Protection backups?

Why do some companies experience repeated cyber infections?

The case of secondhand spearfishing

Are you testing your cyber readiness?

What about BCDR and DRaaS?

Follow cyber insurance policy directions

Q and A about cyber threat readiness

What is a cybersecurity perimeter in today’s remote world? How does it work and how does it impact our business? 

Jones
00:06:59

Traditionally the enterprise boundary was in the corporate office. There were corporate firewalls and everybody and everything, for the most part, sat behind them. Well, now the perimeter has literally moved to everybody’s houses.  You’ll see, based on the backgrounds Kelly and I are, are in our homes, which means the perimeter has extended out to our personal domiciles now. So the concept of the enterprise firewall, the thing that’s protecting the crown jewels, is no longer true because we have endpoints that are located outside of that now. So really, the endpoint has become the new perimeter for modern business, especially post-pandemic where everybody is now working remotely or large portions of the staff are working remotely. 

Now we have to really be concerned with the asset and the identity. The identity is the user that is using that asset.  We also have the concept of the cloud, right? So we’re pushing more and more computing and workload into cloud services through SaaS and PaaS providers like AWS and Azure.  Those also represent a portion of the perimeter now as well.

A lot of companies feel that by moving to the cloud, that security is just inherent, intrinsic, and automatic. But that could not be further from the truth! SaaS and PaaS providers are really providing you that software as a service, that platform as a service.  They are not always security-centric. That’s really up to you to ensure that you’re managing that portion of your perimeter properly.  That’s to say that again, we’ve gone from one central or maybe a couple of central, enterprise-grade firewalls that were defining the perimeter to now having your perimeter literally be all over the world, being very disparate, in the cloud, in people’s homes, as well as your legacy offices and data centers. This problem has complicated the concept of the cybersecurity perimeter, quite severely. 

Kelly
00:09:37

It’s funny that you mentioned SaaS and PaaS and even infrastructure as a service because we have data in a lot of different clouds or environments. So Software as a Service, things like Salesforce and some of those applications that you just log into via web portal and you don’t have anything on-premises to run those platforms is a service. You might be running development architectures or something to support applications and infrastructure as a service. You don’t want any of your own hardware, your own environment, or networking, all of that’s in the cloud, which is the AWSs and the Azures, they can provide all of these to some degree. Especially when it comes to backups and disaster recovery, the misconception is,  “It’s in the cloud, I don’t have to worry about it. It’s already protected, just like it is for cybersecurity.” They’ve even produced shared responsibility models where they say exactly what they will and will not protect and what’s the responsibility of the customer. People often don’t pay attention to those. Again they get the misconception that it’s in the cloud, it’s protected. So, Steven, thinking about this, when we think about DRaaS, how do we apply that to public cloud or how do we run our backup and spin up and et cetera? 

Steven
00:10:59

From the backup perspective, we always want to get in the mindset that it’s your data. You need to make sure that it’s protected, don’t rely on anybody else, or don’t assume that your data is protected. You always want to make sure that you have not only a good backup copy in whatever cloud solution you’re using, but also make sure that that’s located offsite as well.  That way, if something were to happen in the cloud environment, you can bring it up in the Global Data Vault infrastructure, and we can provide you access to your servers. Now, the product that we use, Veeam, has the capability of injecting that data back into Azure, back into AWS, using a proxy that’s built into the software. It’s not as hard as people think. 

Kelly
00:11:59

The key here is just to treat the data like data, right? Make sure that you’re controlling it, that you’re protecting it no matter where it resides. That’s ultimately your responsibility.  We just happen to provide pretty cool tools to protect it from both a cybersecurity and a disaster recovery perspective. And we can do that with an all-in-one solution with what we’re discussing here. So, Jones, the next slide is about vulnerabilities and identifying where you are vulnerable. Based on experience, these are all interconnected and they all play a little bit of a different part. 

Identifying Where You Are Vulnerable

Jones
00:12:45

Insider Threat
The first thing is employees! Employees represent an extreme amount of vulnerability for various reasons.  You have a couple of different avenues here. One is malicious intent. We classify that as an “insider threat.” This opens a large vulnerability in your organization because you have somebody that is historically trusted. They have permissions and access to sensitive data. If they were disgruntled or wanted to hurt the business, that is a large vulnerability because you have somebody that has a large amount of access and ability from the employee perspective.

Accidental
You also have employee vulnerability which can be classified as accidents, the lack of following a policy or a procedure,  just taking shortcuts, or being sloppy. In these cases, even if they’re not intending to harm the business, again, they still pose a threat.

Smart Devices
Next, we have smart devices. Think IOT. These are more common in larger enterprises, and they are typically around things like HVAC,  elevators, and maybe lighting if you’re in a very modern building.  Smart devices also pose a risk if they’re not segmented properly, or managed properly. They are small computers although we tend not to think of them as such. Thermostats,  lighting controllers and things like that are actually computers. They have processors inside, they have code, and they have storage.

We’re seeing more and more smart devices being used as a mechanism for infiltrating a network.  And again, when not segmented properly, these things can be really disastrous.

Remote workstations.  Post-pandemic and even during the pandemic,  everybody worked from home. That meant that you had a corporate laptop in an unclean network behind an unknown ISP. That posed a huge risk to every organization, especially ones that did not have robust or mature remote work posture or capabilities because they had to figure out how to allow the entire company to remotely access and work. Many of them were left playing catch-up on the security side. Endpoints are more or less the same thing. Endpoints can include everything from workstations, and laptops to mobile devices,  cell phones, tablets, and all of those things. 

Kelly

If you think about it, pretty much all business on the network is done with an endpoint by an identity or user. That endpoint is the portal into your network. If you have a thousand users, you have a thousand portals into your network. And you are relying on these users providing good hygiene, good practice following policy, following procedures, combined with this endpoint that needs to be patched and maintained and all of those fun things. You can start to see where the vulnerabilities stack up and multiply here. And then, of course, we have the network and our vendors. I’ll leave backups for Steve New to cover, but the network is now extending into people’s homes. 

Jones
00:16:45

It’s in coffee shops, it’s in our pockets with our smartphones.  Then we have third-party risk from vendors. We have products that we install that are managed by vendors and central locations. Think about RMM (remote monitoring and management) tools. There’s a famous case from last year where an RMM provider was compromised and customers who were using that provider’s product were ultimately impacted and affected through no fault of their own. It was a risk, introduced by a third party.  These are all things that are interconnected. They’re absolutely all related,  and they end up compounding the level of vulnerability and risk to the organization if each one of them is not handled and addressed properly.  Steven, do you want to speak to backups? 

Enhanced Data Protection Backups

Steven
00:17:45

Backups are the first thing targeted during a cyber attack because they don’t want you to have them as a ‘get out of jail free’  card. They want you to pay the ransom. They’re going to go in and either encrypt your backups with the same encryption method they do for all your data, or they’re going to delete the backups if they’ve already been encrypted. The first thing that is targetted during a cyber attack is the backups, which are deleted. Dataprise provides something called “Enhanced Data Protection” or “EDP” data. This is data that lives outside of your repository that we can bring up if you are infected. 

What most people don’t know is that these threats reach out via the internet to a proxy server or some sort of server, and that’s how it actually gets encrypted. It checks in. So we turn off the internet. More than likely, when we restore your servers, we will need to ensure that those servers are not infected and that the threat does not live on those servers. That’s very important. The first thing we do is disable your tenant when you come in, and then we go ahead and start spinning up your environment from your EDP backups, which is essentially our ransomware protection for your organization. 

Kelly
00:19:42

Now that we’ve talked about where we’re vulnerable and the answer’s pretty much anywhere, the common denominator is the person, right? It’s the weakest link because we can set methods, and we can set policies, and have controls in place to manage the software and the hardware. We are the fleshy parts that are gullible or susceptible, and we have feelings and emotions and we click on things because we don’t want our Amazon accounts to be suspended and things like that. So it’s really us. When we identify these areas of risk, the suspected risk is always the people.  

We have a couple of case studies here.  Obviously, we’re going to protect the identities of those affected, but, one of them was repeating reinfection,  and one of them was,  an executive assistant who fell victim to a spearfishing attack.

Repeated Cyber Infection

Steven
00:20:52

You must make sure that your backups are not infected.  If you don’t scan your backups before you restore your systems, you can get infected over and over again if the threat still lives on your servers.  One of our client companies had a security guard who was surfing the internet from a kiosk in the lobby every night.  The kiosk computer did not have protection on it and they clicked on something which downloaded a threat to the kiosk computer. Nobody knew that was happening. The company got hit by ransomware, we brought them up, we got them working again, we scheduled a fallback, and then after we scheduled the fallback, they got hit again. 

Everything was encrypted again by the hacker’s script within 48 hours. After working with this customer, we dove deep into the situation to determine where and what system in the infrastructure kept encrypting the data. The company’s security team got involved and they found that a security guard was using a computer in the lobby kiosk to surf the internet and inadvertently download malicious code. That computer had no virus protection because it wasn’t even supposed to have internet access.

That’s an example of why you want to make sure everything in your organization is protected, every PC, every conference room tv, and ever device in the lobby kiosks.

And then after you recover from the DR event, you need to make sure that all threats are cleared from your systems so that you don’t get reinfected. Because unfortunately, the people that create ransomware and malware are in the business of extracting money from you. They’re not going to provide you the decryption key until you pay them, or until you get a good backup that was not infected. 

Kelly
00:23:40

It’s really important to maintain not only accurate documentation of your environment, but something to tell you if there is a device out there that isn’t protected. I think more modern tools today can do that. I mean, I always talk about the days when SQL slammer was around and I had to crawl around under desks in a million square foot building looking for rogue SQL servers and things like that. It was awful.  Oftentimes, it’s not just what you can see, but it’s not what you can’t see. Jones, this assistant’s  assistance scenario, it was something that was right there in front of her face and, and it still  happened, right? So walk us through that if you would. 

Secondhand Spearfishing

Jones
00:24:23

This is another real-world scenario. Again, names change to protect the innocent but we had a client that was spearfished. It was the CEO actually, who got spearfished through his executive assistant. Like most executive assistants,  she had “send on behalf of,” and read-write access to the CEO’s mailbox. The CEO was the ultimate target. The nefarious piece of this attack was that the attacker actually compromised the executive assistant a week before they launched their master plan. They took that week, very smartly to watch. That’s all they did was sit there and watch email communications in and out from the CEO. The whole goal that they were after was to commit wire fraud. 

They wanted to craft an email so they watched for a week the CEO’s communications for a week before grabbing actual snippets of his emails. By doing this, they avoided the bad grammar, misspellings, and red flags that would be obvious if they tried to fake the email by themselves. Instead they repurposed the CEO’s existing communications. They crafted an email and sent it from the actual CEO to the CFO asking that individual to wire $250,000 to an account. This was actually not unusual. The CEO did ask for this to be done on other occasions. The only thing that ended up actually preventing this attack from being successful was the fact that the CFO had a process in place to call and validate or verify that the request was legitimate. 

So when he called the CEO and said, “Hey, I got this request. You want me to wire 250 grand to this account,” the CEO said, “I have no idea what you’re talking about.” That ended up squashing it. This is really highlighting the importance of people and process.  Pick up the phone and call to ask if this is legitimate or normal.  We see money, hundreds of thousands of dollars disappear.  If it makes it overseas, often the US government can’t interdict and that money is just gone. This is a growing trend, especially in the real estate sector. This was a real masterclass of patience and attacking weaknesses and people. Again, it was really just this one small process that this company had put in place that prevented them from losing a quarter million dollars. 

Kelly
00:27:52

It’s often the process, and this was more of a business process, to not willy-nilly transfer money around, in addition to a process to prevent a cybersecurity incident. Having that readiness in many areas is really important. 

We’re going to talk more about cyber readiness. We’ve talked about BCDR planning in other webinars, Stephen can hit on those again, but when we think about cyber readiness, how do we generally go through that? 

Organizational Cyber Readiness

Jones
00:28:39

Strategic Planning

There are a couple of key areas that I think are really important that I cover with clients who are really interested in upping their security posture or having a real,  conversation around cyber readiness. I always start with strategic planning. Without a plan, you don’t know where you’re going, so this is always the first stop: really understanding where a client is trying to end up.  What does it take to get there?   A strategic plan for cyber readiness needs to involve all of your business units in some capacity or another. You can’t silo this just into the security department. This really needs to be strategically thought out and planned across the entire organization. 

Best Practices

And then from there, we roll into security best practices. There are best practices that have been identified for almost everything you can think of out there. Really starting with those as a foundation is, in itself, a best practice, right? Not to say that every business can follow every best practice exactly. There may be many business reasons why a specific best practice doesn’t work or cannot work. But if you’re at least starting from that and understanding what the best practice is, and then if you have to deviate from that to do some lesser set of practices or steps, then at least you understand what the overarching goal was and can then mitigate any risk that’s introduced by not following the best practice.  Shortly after that is continuous employee education. I can’t stress this enough. 

Continuous Employee Education

Kelly
00:30:32

We’ve talked about this on a couple of occasions already in this webinar: humans are the weakest link. They are 95% of the cause of security incidents. Cybersecurity and high-tech work changes rapidly. For employees where this is not their job, they stand an even lesser chance of keeping up with all of the new trends in phishing emails and how threat actors are going after and compromising MFA (multi-factor authentication), right? We’ve just spent multiple years trying to convince everybody to enable MFA and told them that MFA is going to help your posture. Now the bad guys are right there saying, “okay, they’ve got everybody in MFA, but if we do this type of attack, we can get around that.  It’s an arms race.

We need to keep a continuous employee education program running because things change rapidly. The employees who are interacting with your systems and who are the ones ultimately being targeted give threat actors access to your environment. They need to be aware of what the real-world challenges are out there. I don’t think it’s enough anymore to just preach to your employees that phishing emails exist. Phishing emails are really, really sophisticated now. We run simulated phishing campaigns on all of our clients, — or the ones that have subscribed to that service with us. We routinely get directors of security, and CISOs falling for them. We can send some pretty smart,  phishing emails, and we even fool the folks who are trained to look out for this stuff. 

So where does Megan in accounting stand if this is not her world, right? Continuous employee education – I would almost argue that this is probably more important than the others, but it’s something that you absolutely need to be focused on and something that cannot just be a once-annual thing. Everybody’s using information systems, everybody’s dealing with data.  This really needs to be something that your business prioritizes. 

Penetration Testing

Next is penetration testing.  Throughout most of my career, I feel like customers have viewed this as a luxury or a nice-to-have.  I argue that kicking the tires on your security program in a safe and controlled manner before the Chinese and the Russians are kicking the tires on your security program is really smart. It’s worth its weight in gold and can be the difference between finding a problem while you can still fix it, and finding a problem after it has been exploited.  It’s too late then. I would argue that a penetration test needs to be conducted annually. If we were in person, I’d ask you to raise your hand, who here drives a car and has to get it inspected every year to get that sticker changed? Yeah. All of us. So, why would your network be any different? Why would you not have a set of professionals evaluate your network,  and give you a thumbs up or a thumbs down, or help you point out what problems are?  

Kelly
00:34:17

I think too that we often forget to go back and check things. You do something at one point, and something in the environment changes. Or you may modify a firewall rule for something, and it never gets removed, and it’s forgotten about. You have a penetration test, it passes, and you make a change in the environment six months from now, you still have a rule out there that’s going to allow somebody into your network. You can resolve a lot of that just by going back and reviewing things regularly. 

Jones
00:34:50

That is an absolutely fair point, Kelly, and I would even underpin that once more with,  I have yet to work with a customer that could 100% tell me every device they had and where it was.  That right there alone is why penetration testing is important. To your point, your network changes throughout the year. Lots of people are making lots of different changes.  It’s really important to understand what you look like to the outside world where your vulnerabilities exist.  I’ll cover one more with the incident response plan, and then Steven, I’m going to turn it over to you for the BCDR arena. Your incident response plan is also critical, right? This is the high-level guidebook that is going to guide your business when you have a crisis or a security incident. 

Incident Response Plan

I liken this to firefighters. Incident response is really firefighting, right? Would you want your local fire department to show up to your house on fire, get off the truck and nobody knows how to unsnap the ladder, or which way you unroll the hose, and is it clockwise or counterclockwise to get it on the hydrant? You don’t want that. You would be mortified if that was happening in your front yard while your house was burning.

But that’s how most companies treat incident response.  They do not have a plan. And if they do, it’s not kept updated. It’s not tested. So you’re having a major crisis, a major incident, and you’re sitting in a conference room and everybody’s arguing over who’s supposed to be doing what or who has the ball, or who’s supposed to be doing this or that, or the other thing.

An incident is time and money. The longer you wait to address these things, the more damage is being done to your environment, and to your data. To Steven’s point earlier, bad actors go after your backups. They can find vulnerabilities to get at your backups if you’re unable to move quickly, swiftly, and efficiently. That is exactly what an incident response plan is: who’s supposed to be doing what? Who’s supposed to be saying what?  Which organizations and other partners are we engaging under which circumstances? It is the guidebook that tells you during your crisis what to do, so you don’t have to think about it.  Over to you, Steven, for BCDR, and maybe a little bit of how that’s connected to what I just described with the incident response plan and of course, the DRaaS. 

BCDR and DRaaS

Steven
00:37:41

The incident response plan is tied into your BCDR plan because you’re going to need an incident response team. Each member of that team needs to have a defined role on what their job function is: You’re going to contact your backup provider, and you’re going to contact the FBI to let them know you’ve been attacked. We all need to make sure that this team has defined roles. And then the BCDR plan is going to use that team to engage that process, depending on what your incident is. Your building could have gotten hit by a tornado. Obviously, you’re not going to need the incident response team to contact the FBI for that, letting them know you’ve been hit by a security event. So a BCDR plan is very critical, depending on the disaster that happens. There are several different types of disasters that we’ve discussed, and I would recommend that you create a runbook filled with these different types of scenarios. 

You’re also going to need to test these scenarios. What servers do you need to bring up? What stakeholders need access to the servers? What employees need access to the servers?  Obviously, if your building got hit by a tornado, for example, you’re going to need a list of all the equipment that you have that you need to replace and your business continuity disaster recovery plan. Then you will need to have a contact list of everybody you need to contact based on what disaster occurs. If your building got hit by a tornado, the first call you’re going to make is to your backup provider. 

We’re going to initiate recovery on our side and start bringing your servers up.  That’s when the BCDR plan and runbook are critical. You need to work with your backup provider to test your DR because when a disaster hits, you want to ensure that everything comes up, and you have no “gotchas.” An example of why this is critical is that say, you have a server that needs a public IP address that runs SharePoint services. You also need a public IP for your Exchange server. You need to update your MX records for your Exchange servers and stuff like this. You need to document in both your BCDR plan as well as your DR plan and avoid any gotchas during an actual event. 

Kelly
00:41:15

Hey, Steven, how many customers would you say that have been victims or suffered some type of incident or disaster have a functioning BCDR or any plan? 

Steven
00:41:30

That is going to be a very low number. I’m not going to say that every single one of them has had a functioning BCDR plan or a DR plan in place, or even a runbook on what to do. You have to understand that whenever people call us, they are in panic mode. Their building no longer exists. They’re building caught on fire, they just got hit by ransomware. Everything is encrypted. They are losing millions of dollars a day in revenue. That’s why it’s critical to your company that you have these in place. 

Kelly
00:42:42

BYOD or “bring your own devices” is all about mobility. The phones, laptops, tablets, and anything that connects to a network becomes a point of vulnerability or something that you need to have a plan for. Resilient infrastructure.. is that just limited to firewalls these days? Real quickly, Jones, do you want to take us through that? 

Resilient Infrastructure

Jones
00:43:20

Resilient infrastructure is no longer confined to just firewalls. There are lots of other resources that need to be factored in. Again, many of our clients are in hybrid infrastructures where part of their deployments are in the cloud. Part of them are on-premise, which means when certain things fail, you need to ensure that your business, and infrastructure is resilient enough to reroute traffic and to continue operations, manage detection, and response. This is more than just antivirus anti-malware. This is really looking at behavior-based detections. We’re not as much reliant on definitions, right? We’re now profiling processes and executables to determine what bad activities look like and what the precursors to those bad activities look like. 

This is all happening in real-time.  Your modern,  endpoints like CrowdStrike or Microsoft’s new defender platform,  carbon black, and things like that, all of these are considered EDR or NextGen endpoints. And then Steven touched on this a little bit, which is tabletop testing of all of your things. I would say this is one of the biggest areas that companies tend to neglect. If you have an IR (incidence response) plan, you’re not testing it. If you have BCDR plans, you’re not testing them.  if you have backups, are you testing them to ensure that they actually restore? Because all three of us have horror stories about customers that did not test. They assumed that they were OK. A crisis happens, and guess what? Backups don’t work or they weren’t getting what they thought they were getting because they never tested them. If you’re going to go through the process of creating any of these policies, processes, or procedures, it is a hundred percent incumbent on you to test them periodically. 

And to go along with that is vulnerability management of third-party software that’s on your computers. Every one of us probably has Adobe reader or an internet browser like Chrome or something. Some of the third-party software needs to be patched because it does introduce vulnerabilities into the environment. So often we forget about them because we only focus on what’s put in front of our faces constantly, which is windows patches and this security thing from Microsoft, et cetera.  We need to look at ways to isolate endpoints. When we do have something detected, there is a breach or some risk that it’s able to be isolated. And by isolated, we mean shut off from the rest of the environment so that it can’t spread or cause any other issues. 

Continuous Vulnerability Assessments

Continuous vulnerability assessments is just what it says. You need to constantly update and rethink and re-look at how you’re assessing your environment because there are people whose full-time jobs are figuring out new ways to hack and new ways to infiltrate networks and devices and get around MFA, and they’re finding ways to do it faster and better every day. That’s why it’s important to have a SOC (security operations center) 24/7, 365 monitoring to assist with detection response. When people are asleep, somebody’s gotta watch the gauges and the dials and all of that and help alert and notify people when threats arise. Obviously automated backups with redundancy, that’s where your whole BCDR and DRaaS comes into play. 

Kelly

Way back in the day, things used to have to be manual.  You didn’t have offsite, or your offsite was really cumbersome and you were relying on tape and certain other things. And today we have providers such as ourselves who can offer not only redundancy in cloud backups, soft site backups, et cetera, but we can provide an annual DRaaS or DR test to ensure that what you’re doing is actually going to work. And the security awareness training that Jones has already hit is something that we also do internally. It’s always of the utmost importance. So just combining everything that we’ve talked about so far is a good way to start on your vulnerability management process. 

We talked about perimeters, and Steven, you already mentioned enhanced data protection and a little bit of this, but can you just describe to us how that security perimeter works when it comes to backups. How can we leverage enhanced data protection to protect customers better? 

Steven
00:48:28

You always want local backups with a good retention policy, with fail-over capabilities to the cloud, the Dataprise BCDR environment. You want those backups to be air-gapped out of your repository so that you do not have access to them, because if you have access to them, then the bad actors that get into your system will have access to them as well. Enhanced Data Protection is very important on the cloud side, but also you want to make sure that you have at least three copies of your data,  which we’ll discuss a little bit later. You also want to make sure that you’re testing your backups annually. I’ll share an example of why this is important. We had a customer who did an annual test not too long ago and realized that they forgot to include their entire Citrix system in the backups. That is a big miss from a customer standpoint, not knowing that they didn’t have backups of this environment. That is why it’s very important that you test your backups annually to make sure everything that you need in a DR situation is backed up locally and also backed up to the cloud. You do not want to find this out during an actual DR event. 

Kelly
00:50:23

Which takes us to our next point, what do you do when you’re attacked?  There are a couple of recommended steps.

Cyber Insurance

Jones
00:50:42

Your cyber insurance provider should be your first phone call during an attack. And the reason is that your policy will probably dictate who your incident response can be provided by. If you did not know that and you have cyber insurance, you may want to look that up because they may force you to use an approved provider that they dictate.  Then, as Steven mentioned, contacting your backup provider should probably be your second phone call because you’re going to want a plan for getting things reconstituted and getting your assets and your network back up and running, and of course, following your incident response plan. Your cyber insurance is not playing when they say they want to be your first phone call. If they find out they weren’t, they can invalidate your policy or in general, cause you lots of headaches following your incident response plan, as we pointed out. 

Hopefully, you have one. Here’s another pro tip that not too many people will mention. Print it out and put it in a three-ring binder somewhere because if you have a cyber incident, your building gets knocked down, and it was on somebody’s desktop,  guess what? You no longer have it. So print it out, and keep it in a couple of safe places as an actual tangible printed document because you may be flipping through a three-ring binder if your incident is severe enough.

Containment

Containment is something that my team, with our managed SOC service, deals with quite a lot during an incident as we want to contain the incident. We use our EDR tools to isolate endpoints. This temporarily disconnects them from the network but leaves them running, which gives us forensic and instant response access to those devices but limits them from being able to spread or contact servers or things like that. And of course, we’re digging into the SIM and our SOAR. Our SOAR is an orchestration and remediation, platform, automation remediation platform. This is basically an engine that we can build some remediation rules into to take automated action based on a set of inputs. We can get an alert out of a SIM. We can take a pre-described set of actions on that alert, and that is the job of the SOAR. 

Assessment

The next step would be an assessment,  assess your environment. Dataprise can help you with this. We have the methodology in place to come in and assess the state of the union if you will. Another function that we provide is a firewall audit. Again, as I mentioned earlier, you’ve got stuff out there that you don’t know necessarily as a hole or a back door or just maybe not a best practice for your firewall. We can come through and audit that for you. Get that penetration testing in there to make sure that everything is buttoned up tight. If you live in the cold areas of the country, you might find that little crack underneath the door every so often that lets that cold air end the same thing goes for your firewalls. 

Kelly
00:54:11

You need to have a way to validate or measure that.  Continuing ongoing end-user security awareness training. Again, Jones said this should probably be one of your top priorities because humans are the weakest link.  Email phishing simulations. Part of our offering does provide this automated for you. We can work with you to send these out to your employees and test their ability to respond to or recognize phishing emails and continue to improve response and training that way. Then we get to the zip code.  Steven, can you tell us what 3-2-1-0 is real quick? 

Steven
00:54:52

That’s three copies of your data on two different types of media. One offsite, one air gap copy with zero errors or what is being called the golden rule. 

Kelly
00:55:02

All right. There’s a test on that at the end. So three copies, two different types of media, one offsite, one air gap, and zero errors. Is that it?

Steven
00:55:11

That’s what I said. You passed the test, Kelly!

Kelly
00:55:15

Sweet. I get a cookie.  So we’ve got some exercise links here that we’ll provide to you for BCDR tabletop and security intrusion. Some good information there in order to increase your basic cyber hygiene.  These are really basic things. This is where to start to incorporate MFA, train those users, train and train and retrain the users. Conduct regular security assessments to identify gaps. Again, things change the gap. One gap may be different from year to year. Ensure all your systems are up to date. Steven and I talked at another webinar about how important it is to keep your systems patched. Make sure that those things are remediated and then you’re not leaving yourselves at risk. 

Kelly
00:56:08

Monitor your network activity because that’s generally where you’ll see a lot of nefarious things happening. Jones mentioned behavior and patterns and these detection response systems today can say, “Hey, this network traffic, this network pattern over here is unusual.” And they can immediately isolate that. We do have a link here for a resource center that talks a little bit more about that. 

Questions

Q: How often should I revisit or make changes to my incident response plan? 

Kelly
00:57:17

I would say at a minimum, annually.  I would say a mature organization would build this into their change management process so that large changes to the environment  are kicking off an evaluation review or update of your incident response plan. 

Q: There are many technology applications and platforms out there that my company can use. How can I help ensure these don’t pose an additional security risk? 

Jones
00:58:11

This is vendor risk assessment. If you are going to be using a third-party provider for software, hardware, it doesn’t matter, Your job here is to do a vendor risk assessment. It’s basically to evaluate the security controls that the vendor has in place to ensure that they are following a modica of security standards.  You need to understand what lengths they go to prevent abuse of their code base or compromise of,  their networks. That is something you should do for every single vendor. If you’re not doing that today, it’s not too late. Something that Dataprise can certainly help you with, is conducting those risk assessments for all of your vendors and providers. 

Kelly
00:59:13

And don’t forget that vendor doesn’t just stop at the software. It also covers people on premises that could be in your building, and have access to computer systems. Maybe you create an account for people to do some work, and then they leave, and you don’t ever disable that account.  Anybody that has access to any of your systems, an employee, a third-party vendor, must be monitored and controlled, and maintained the same way. We often forget, “Oh, here comes Jones, he’s been in and out of here every day for six months working on something.” Suddenly Jones isn’t there. Nobody says anything for a while except, “Oh, I guess Jones isn’t coming around anymore,” and they never disabled his account.  Jones can come in and do whatever he wants to without actually setting foot in the building. 

If you’d like to learn from from Stephen Jones, please follow him on LinkedIn.

More DRaaS & BaaS Articles