How to prepare for a cyber attack
Preventing cyber attacks is not easy. If it were, there wouldn’t be a steady stream of ransomware attacks dominating the news feed, and the President of the United States would not feel pressured to issue cybersecurity executive orders or to declare that ransomware attacks should be treated as terrorism.
While preventing cyberattacks is not easy, avoiding one is a matter of luck, good planning, or a combination of the two. It is, after all, important to remember that attackers play by their own rules, and increasingly they are looking to hit a proverbial home run with a big payoff, like the one collected from Colonial Pipeline following its ransomware attack.
When it comes to defending against a cyberattack, I would much rather be prepared and have a little luck on my side than pick up the pieces after a cybersecurity incident. With that in mind, here’s a plan you can use to prepare for a cyberattack and, ideally, avoid falling victim to one altogether.
Have an incident response plan
Following any cybersecurity incident, your teams will have to recover from the event while simultaneously addressing customer concerns and possibly regulatory concerns. That is not the time to be creating a plan, let alone executing it.
A good incident response plan will outline which teams are responsible for which tasks and how communication with management will occur. The plan should address everything from the mundane issues of keeping logs for forensic analysis to public and regulatory communications. Eventually someone important will start asking tough questions about what went wrong, and the last thing you want to tell them is that you don’t know because someone forgot to back up the data.
Create a complete threat model
Threat models are arguably the hardest part of your preparedness plan. They force teams to think about the gaps in their processes and honestly consider how those gaps could be exploited in an attack.
Basic threat models tend to focus on protecting an asset, such as a database, against external threats. Such models favor perimeter defenses like firewalls while ignoring insider threats like compromised administrator credentials or successful social engineering. If an attacker can reach the database from inside the firewall, then the firewall only protects against one class of threat.
Comprehensive threat models recognize that most successful attacks have multiple stages. These stages form an attack pattern that an attacker could use to compromise your business. While it is not always possible to prevent every step of the attack pattern, it is possible to assign a risk metric to each step, fix the riskier steps, and monitor the others for indicators of compromise. Without investing in a full threat model, any investment in threat mitigation isn’t all that different from guessing, and you never want to be in a situation where an attacker knows more about your weaknesses than you do.
Know all the software that powers your business
All companies have some form of patch management policy, but few can produce a full inventory of all the software that powers their business. Fewer still can identify the point of origin of that software. This ignorance creates exploitable blind spots that could lead to a cyber attack, but how is it possible for a business not to know what software it is using?
The problem is sourcing practices. If someone buys packaged software, they clearly know they have to manage that software. But if they buy a security camera, for example, they are actually buying a lot more than that. There is a piece of hardware (the camera), software to run the camera, possibly additional software to display images from the camera, and potentially a cloud service that is itself powered by software. Each of these software components has its own update process, and the security standards used to create each one can be very different.
Things get a lot more complex when you look at open source software, and I can almost guarantee that you have open source software powering part of your business. Where a purchasing relationship at least gives the supplier the possibility of knowing its customers, that is not the case with something that can be downloaded and used for free on the Internet.
If your patch policy does not cover every software asset, regardless of origin but with full knowledge of that origin, then you probably have unpatched software running your business. And, obviously, wherever there is unpatched software, there is a weakness that could be exploited.
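To make the inventory point concrete, here is an added example (not code from the article) that expands a single purchased device into the software components it really brings in and flags every component the patch policy misses: unknown origin, no owner for updates, or simply absent from the policy. The inventory and component names are constructed for illustration.

```python
# Added example, not from the article: a minimal software-inventory check.
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    origin: str          # "vendor", "open-source", "bundled", "cloud" or "unknown"
    update_process: str  # who or what applies updates; "" if nobody owns it
    in_patch_policy: bool

# Constructed inventory. The security camera from the article is one line on
# the purchase order but several software components in practice.
INVENTORY = [
    Component("erp-suite", "vendor", "vendor installer", True),
    Component("lobby-camera-firmware", "bundled", "", False),
    Component("lobby-camera-viewer-app", "bundled", "vendor app store", True),
    Component("lobby-camera-cloud-portal", "cloud", "provider managed", False),
    Component("libfoo-embedded-in-viewer", "open-source", "", False),
    Component("web-framework", "open-source", "pip + CI dependency bot", True),
    Component("legacy-reporting-tool", "unknown", "", False),
]

def find_gaps(inventory):
    """Return (component, reasons) for every asset the patch policy misses.

    A component is a gap when its origin is unknown (you cannot track
    advisories for software you cannot source), when nobody owns its
    update process, or when it is absent from the patch policy.
    """
    gaps = []
    for c in inventory:
        reasons = []
        if c.origin == "unknown":
            reasons.append("origin unknown")
        if not c.update_process:
            reasons.append("no owner for updates")
        if not c.in_patch_policy:
            reasons.append("not in patch policy")
        if reasons:
            gaps.append((c, reasons))
    return gaps

def coverage_ratio(inventory):
    """Fraction of components with known origin, an update owner and policy coverage."""
    if not inventory:
        return 1.0
    return 1 - len(find_gaps(inventory)) / len(inventory)

if __name__ == "__main__":
    for c, why in find_gaps(INVENTORY):
        print(f"{c.name:28} {c.origin:12} {', '.join(why)}")
    print(f"patch-policy coverage: {coverage_ratio(INVENTORY):.0%}")
```

Run against a real inventory, the gap list is the set of assets your patch policy silently excludes.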
Build a foundation
There are many other elements that make up a successful cybersecurity plan, like limiting access to data, but these three elements are part of the foundation. If you don’t know the software that powers your business, you can’t patch it. If you don’t know the threats your processes and software pose to your business, you can’t reliably defend against the attacks they could fall victim to. If you don’t have an incident response plan in place prior to an incident, you will be slow to respond and could damage information that would be useful for rapid recovery.
Cyber security is all about preparation. You can’t protect yourself against all cyber attacks, but you can defend yourself against most. Knowing your software, why you have it, and how it works is a great first step in this process.