Criminals attack when they are least expected. As you go about your business, someone somewhere is hatching a plan to steal from you. You must stay ready. The #covid19 pandemic has disrupted the world in ways no one could have predicted.
People are struggling for survival. A starving man has no option but to fight for survival at any cost. With social distancing and night curfews in place, criminals too have embraced the use of technology to eke out a living. That is why you must be more alert than ever to anticipate and manage cyber threats. Hackers are working around the clock, looking for vulnerable systems and services to hack.
As frontline professionals providing security as a service (SaaS) to organizations, we have noticed unexpectedly high volumes of traffic from multiple sources to client systems; analysis of that traffic shows malicious intent. Phishing, vishing, and social engineering attempts are on the rise. Because many cybersecurity professionals are not at work, organizations are at risk.
No system is 100% secure. You must establish effective incident response and recovery plans to continue operations in case of a disaster. Study the case below and discuss the pointers that follow to assess your readiness. Share this article with your team for improved governance of enterprise technology and security.
A case study:
A cyber-incident has taken place at the bank. Critical files, including Word, Excel and PPT files, have been taken over and are being held hostage, and the attacker is demanding payment. As part of the business continuity and disaster recovery plan, the IT department has consistently backed up data on the network file servers once a day at night, at 11:00 pm to be exact.
However, data on workstations and individual endpoints was not backed up, as this responsibility was left to the respective workstation users.
Following the cyber-attack, the bank invokes its Incident Response Plan, which involves recovering the files from the backup server. To remove the risk of privilege escalation (a practice whereby hackers initially gain limited access but keep acquiring more rights in the system, up to super administrator access, thereby taking over the entire system), management decides to replace all machines that were compromised in the attack.
As part of resolving the problem fully, the bank conducts an inquiry into the incident. A report by the cybersecurity team finds that basic controls like anti-virus and anti-malware programs were not effective because critical patches were not installed on the infected computers in a timely manner. They also discover that, whereas the company has a bring your own device (BYOD) policy, an Internet use policy and an email policy, what is stated in the written policies is not what is practiced on the ground.
During this period, take time and discuss the following. For answers, feel free to join our forum, mentor.mustaphamugisa.com and discuss for further insights.
- Many forms of malware, including ransomware, take advantage of known vulnerabilities in unpatched systems. What is your institution’s process for identifying security vulnerabilities and patching them promptly? Who is responsible for patching ALL computers before they connect to the critical internal network on which your mission-critical servers and applications sit?
- Most viruses, spyware, and malware destroy or render the original data unrecoverable. How does your institution ensure that all critical data can be recovered?
- Has your organization ever conducted a Business Impact Analysis (BIA), including end-user systems, to identify critical processes and the assets and systems that support them?
- If yes, what data and systems are critical?
- Are backup strategies enough to address cyber-attacks? What is your backup policy? How do you monitor its ongoing implementation?
- Which data and reports are produced and verified during tests of the business continuity or disaster recovery plans?
- Malicious and phishing emails and websites are common initial entry points for attackers. During the lockdown instigated by the coronavirus pandemic, these have been noted as the #1 attack vector for hackers the world over. As people connect via remote working apps, they open easy doors for hackers to exploit. What kind of employee training is in place to increase awareness of proper cyber-safety practices and to protect employees who use email and the Internet as you try to collaborate and work remotely? What support do you provide employees when they receive a suspicious email? What training have you given your staff since January 2020 to bring to their attention the risks of remote working and connecting to company systems?
- What tasks does your institution perform during the initial incident response? What roles and responsibilities are specified for staff in activating the Incident Response Plan? How do you continuously update this list, given that an incident response plan must be kept up to date day by day?
- How do you test to ensure that the critical phases of your organization’s incident response, such as containment, eradication, recovery, and evidence protection, are accomplished? When did you last test or do a dry run of your response plan? What were the results? Are the people specified as critical first responders alert, or do they switch their phones off at night?
- What tasks are documented in the Incident Response Plan for each of the specified first responders? Does your incident response plan provide for an ‘incident response box’ holding cash and other items critical to enabling a response, or does no such box exist, in which case an incident could occur and find no money to activate Plan B or the response plan?
- How are lessons learned used to improve cybersecurity?
- Under what circumstances would your institution pay ransom to regain access to critical files or data? Where would you find such money and how would you account for it to the shareholders and other stakeholders?
- How are malware attacks mitigated proactively? How do you monitor attack attempts and their origins? Do you have a policy for offensive and defensive security, or are you only defensive? Under what circumstances would your organization approve an offensive response to attackers?
- What factors should be considered in determining whether your current insurance coverage provides adequate protection against losses from the scenario described? Do you have cyber insurance policies in the first place? What are the specified limitations and what is included under cover? Did you work with an independent ICT security expert, to complement your in-house skills, to review the policy for adequacy of cover before you signed?
- Is the amount of your insurance coverage commensurate with the amount of potential loss? Was it reviewed adequately? Did you conduct a cybersecurity risk assessment before you bought the cyber insurance policy, or did you buy the policy based on guesswork, in which case you could be losing a lot of money in high premiums because poor cyber hygiene inflated the assessed risk?
- Has insurance coverage been added or expanded to account for new activities? What are the procedures for notifying affected customers of a cyberattack? And what are the conditions for a given incident to qualify as the result of the customer’s negligence rather than the bank’s?
- Consider the Head of IT, Network Manager, Internal Audit, CFO, Chair Audit Committee, CEO. Discuss the options these individuals could consider in response to the scenario.
- What actions could be taken? By whom?
- Who would conduct these actions?
- What decisions need to be made, by whom, and at what point in time?
- What are the authorities for making and carrying out these decisions?
- Which reports are written? Who receives which kind of report and by when?
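To turn the patching, backup coverage and BIA questions above into a repeatable check, here is an added example (not part of the original article): a small Python readiness audit over a constructed asset inventory. The hostnames, dates, the 24-hour RPO and the 7-day patch deadline are assumptions for illustration; the RPO mirrors the case study's once-nightly backup, and the inventory deliberately includes a critical workstation that was never backed up, as in the case.

```python
from datetime import datetime, timedelta

# Policy thresholds (assumed for this example; take yours from the BIA and backup policy)
RPO_HOURS = 24          # one backup per day, like the case study's 11:00 pm job
MAX_PATCH_AGE_DAYS = 7  # a critical patch pending longer than this is overdue

# Constructed "current time" for the audit run
EXAMPLE_NOW = datetime(2020, 4, 21, 9, 0)

# Constructed inventory: what a BIA joined with the backup and patch logs might yield.
# "critical" comes from the BIA; workstations count if they hold critical data.
ASSETS = [
    {"host": "fs-01", "role": "file_server", "critical": True,
     "last_backup": datetime(2020, 4, 20, 23, 0), "oldest_missing_patch": None},
    {"host": "fs-02", "role": "file_server", "critical": True,
     "last_backup": datetime(2020, 4, 19, 23, 0), "oldest_missing_patch": None},
    {"host": "ws-finance-07", "role": "workstation", "critical": True,
     "last_backup": None, "oldest_missing_patch": datetime(2020, 3, 1)},
    {"host": "ws-reception-02", "role": "workstation", "critical": False,
     "last_backup": None, "oldest_missing_patch": datetime(2020, 4, 18)},
]

def assess_readiness(assets, now, rpo_hours=RPO_HOURS, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return (host, finding) tuples for every asset that violates the policy."""
    findings = []
    for a in assets:
        # Backup coverage: every critical asset, workstations included, needs a backup inside the RPO.
        if a["critical"]:
            if a["last_backup"] is None:
                findings.append((a["host"], "critical asset has never been backed up"))
            elif now - a["last_backup"] > timedelta(hours=rpo_hours):
                hours = (now - a["last_backup"]).total_seconds() / 3600
                findings.append((a["host"], f"last backup is {hours:.0f}h old, exceeds {rpo_hours}h RPO"))
        # Patch hygiene: any host (critical or not) with a critical patch pending past the deadline.
        missing = a["oldest_missing_patch"]
        if missing is not None and now - missing > timedelta(days=max_patch_age_days):
            findings.append((a["host"], f"critical patch overdue since {missing.date()}"))
    return findings

def readiness_score(findings, assets):
    """Fraction of assets with no findings; 1.0 means every asset meets policy."""
    failing = {host for host, _ in findings}
    return 1 - len(failing) / len(assets)

if __name__ == "__main__":
    results = assess_readiness(ASSETS, EXAMPLE_NOW)
    for host, finding in results:
        print(f"{host}: {finding}")
    print(f"readiness score: {readiness_score(results, ASSETS):.2f}")
```

Feeding the script real inventory and log data answers the "who is responsible for patching ALL computers" and "how do you monitor ongoing implementation" questions with a number rather than an assurance.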
Copyright Mustapha B Mugisa, 2020. All rights reserved.