Cyber Security

How companies can minimise damage from cyber infiltration

Ensuring your business is resilient against today’s rapidly evolving cyber threat landscape without standing in the way of business priorities can be a delicate balance. But as we’ve all heard, the risk of a cyberattack is not a matter of if, but when. Cyberattacks have become a persistent and permanent threat to organisations across all industries, and the damage from a cyber infiltration can be costly. However, before you get hit, you can have a clear process in place to minimise that damage.

To begin with, you need to ask yourself, “Are we sufficiently prepared to defend against a cyberattack?” And if your answer is no, the next question is, “What are we actively doing to avoid, or at least minimise, any damage a cyber infiltration might cause?” If your organisation is not fully prepared, consider the following tips to help you reduce the harm so that you can get back to business as quickly, and as reliably, as possible:

Restrict access and remove unnecessary privileges

Giving each user only the access they need to the resources they need minimises the impact of any cyber infiltration, because the attacker who takes over an account inherits a smaller footprint in which to operate. Minimise the number of accounts, the number of users with access to each account, and the privileges each one holds: less access is easier to protect, restrict and review. Make it a priority to know who has access to what, then establish processes to regularly remove unnecessary privileges and accounts. Third-party access, for example, should be revoked automatically when the contract expires rather than when somebody remembers.

Reduce the number of inbound network connections

Every service that accepts connections from other hosts is a potential way in. Identify the sources of unwanted or unnecessary inbound connections and traffic, find the root cause (a service listening on every interface when it only needs to be reachable locally, a management port exposed to the whole network, a firewall rule nobody removed) and correct or eliminate it. Removing the inbound connections you do not need reduces the attack surface of the network and so reduces both the risk of cyber infiltration and the damage that can result; as a side benefit, it usually improves network performance and helps avoid future problems for the people who rely on the network to do their jobs.
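A practical starting point is an inventory of what is actually listening, compared against the short list of services you intend to expose. The script below is an added example, not code from the article or from Netwrix: it parses constructed text in the shape of `ss -H -lntp` output (made up here; on a real host you would run the command), separates loopback-only listeners from those reachable by other hosts, flags anything not on the allow-list, and generates the matching default-deny nftables input policy. The allow-list of ports 22 and 80 and the hypothetical hostnames and processes are assumptions for the illustration.

```python
"""Inventory of inbound TCP listeners on a Linux host, from `ss -H -lntp` output.

Constructed example: SS_OUTPUT is made-up text in the shape of `ss -H -lntp`
(no header, listening TCP sockets with process names). On a real host replace it
with subprocess.run(["ss", "-H", "-lntp"], capture_output=True, text=True).stdout.
"""
import re
from typing import List, Set, Tuple

# Bind addresses that mean "reachable only from this host".
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511  0.0.0.0:80      0.0.0.0:* users:(("nginx",pid=1044,fd=6),("nginx",pid=1043,fd=6))
LISTEN 0 128  127.0.0.1:5432  0.0.0.0:* users:(("postgres",pid=1201,fd=5))
LISTEN 0 128  0.0.0.0:6379    0.0.0.0:* users:(("redis-server",pid=1310,fd=6))
LISTEN 0 128  [::]:22         [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 *:9100          *:*       users:(("node_exporter",pid=1402,fd=3))
LISTEN 0 128  [::1]:631       [::]:*    users:(("cupsd",pid=700,fd=7))
"""

Listener = Tuple[str, int, str]  # (bind address, port, process name)


def parse_listeners(ss_output: str) -> List[Listener]:
    """Turn `ss -H -lntp` lines into (address, port, process) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # The last colon separates the port, which also works for bracketed IPv6 addresses.
        addr, port = fields[3].rsplit(":", 1)
        m = re.search(r'\("([^"]+)"', line)  # first process name inside users:(("name",pid=...))
        listeners.append((addr, int(port), m.group(1) if m else "unknown"))
    return listeners


def exposed_listeners(listeners: List[Listener], allowed_ports: Set[int]) -> List[Listener]:
    """Listeners that other hosts can reach and that are not on the allow-list of intended services."""
    return [l for l in listeners if l[0] not in LOOPBACK and l[1] not in allowed_ports]


def nft_inbound_policy(allowed_ports: Set[int]) -> str:
    """Default-deny nftables input chain that admits only the allow-listed TCP ports."""
    ports = ", ".join(str(p) for p in sorted(allowed_ports))
    return (
        "table inet filter {\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        "    iif lo accept\n"
        "    ct state established,related accept\n"
        f"    tcp dport {{ {ports} }} accept\n"
        "  }\n"
        "}\n"
    )


ALLOWED = {22, 80}  # assumption: SSH and HTTP are the only services meant to be reachable

if __name__ == "__main__":
    for addr, port, proc in exposed_listeners(parse_listeners(SS_OUTPUT), ALLOWED):
        print(f"unexpected inbound listener: {proc} on {addr}:{port}")
    print(nft_inbound_policy(ALLOWED))
```

Run against the constructed output, the script reports Redis on 6379 and node_exporter on 9100 as exposed, while PostgreSQL on 127.0.0.1 and CUPS on ::1 are left alone because only local processes can reach them. The generated policy is the complement of the inventory: whatever is not explicitly allowed is dropped, so a new service that starts listening on all interfaces is not reachable until someone deliberately adds its port.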

Ensure antivirus and endpoint detection and response (EDR) solutions are up to date

It is more common than you might think for software updates to be ignored, particularly if they are left to the user rather than pushed through an automated, centrally managed solution. Antivirus engines depend on signature (definition) files that contain the latest lists of known threats, and EDR agents likewise depend on regular agent and detection-content updates. Signature files are released daily, and sometimes more often than that, so configure endpoints to check for updates automatically at least once a day, and monitor centrally for endpoints that have stopped updating or reporting: an agent that has gone quiet deserves a look, because disabling it is one of the first things an attacker will try.

Log all events in a central location

Centralised log records play an extremely important role in any well-thought-out security programme. They help in the detection of anomalous activity both in real time and retrospectively, when you investigate after an attack. Centralised logging provides two key benefits. First, it places all log records in a single location, making it easier to do analysis and correlation whenever you need to; activity that looks harmless on any one host, such as a couple of failed logins, can only be recognised as an attack when the records from many hosts sit side by side. Second, it provides secure storage for your log data: if an endpoint is compromised, the attacker can delete or alter the logs on that endpoint but cannot tamper with the copies already forwarded to the central repository unless the log server itself is also compromised. Forward logs promptly, so that little is left on the endpoint to be erased, and protect the log server as a high-value asset with its own tightly restricted access.
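To make the correlation benefit concrete, here is an added example (not code from the article or from Netwrix) that runs a detection over a constructed set of SSH authentication log lines as they might arrive at a central collector, each prefixed with an ISO 8601 timestamp and the originating hostname. The hostnames are hypothetical and the source addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24. One source tries only two passwords per host, which no per-host threshold would notice, but across four hosts within ten minutes it is clearly a password spray.

```python
"""Cross-host correlation over centrally collected SSH auth logs.

Constructed example: CENTRAL_LOG is made-up text in the shape
"<iso-timestamp> <host> sshd[pid]: <message>", as a syslog forwarding template
can produce. Hostnames and source IPs are placeholders, not real systems.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Failure(NamedTuple):
    ts: datetime
    host: str
    user: str
    ip: str


FAILED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

CENTRAL_LOG = """\
2024-06-01T10:00:05+00:00 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
2024-06-01T10:00:09+00:00 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51422 ssh2
2024-06-01T10:01:00+00:00 web01 sshd[2230]: Failed password for deploy from 198.51.100.20 port 40012 ssh2
2024-06-01T10:01:03+00:00 web01 sshd[2230]: Failed password for deploy from 198.51.100.20 port 40012 ssh2
2024-06-01T10:01:06+00:00 web01 sshd[2230]: Failed password for deploy from 198.51.100.20 port 40012 ssh2
2024-06-01T10:02:40+00:00 web02 sshd[1810]: Failed password for invalid user admin from 203.0.113.7 port 51590 ssh2
2024-06-01T10:02:44+00:00 web02 sshd[1810]: Failed password for root from 203.0.113.7 port 51590 ssh2
2024-06-01T10:03:12+00:00 web02 sshd[1822]: Accepted publickey for deploy from 10.0.0.5 port 40102 ssh2
2024-06-01T10:05:10+00:00 db01 sshd[977]: Failed password for invalid user admin from 203.0.113.7 port 51702 ssh2
2024-06-01T10:05:13+00:00 db01 sshd[977]: Failed password for root from 203.0.113.7 port 51702 ssh2
2024-06-01T10:07:55+00:00 bastion sshd[3104]: Failed password for invalid user admin from 203.0.113.7 port 51811 ssh2
2024-06-01T10:07:58+00:00 bastion sshd[3104]: Failed password for root from 203.0.113.7 port 51811 ssh2
"""


def parse_failures(text: str) -> List[Failure]:
    """Extract failed-password events; successful logins and unrelated lines are skipped."""
    out = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            out.append(Failure(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["ip"]))
    return out


def per_host_failures(text: str) -> Dict[Tuple[str, str], int]:
    """What each host can see on its own: failure count per (host, source ip)."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in parse_failures(text):
        counts[(f.host, f.ip)] += 1
    return dict(counts)


def detect_spray(text: str, min_hosts: int = 3, window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Source IPs with failed logins against at least min_hosts distinct hosts inside one window."""
    by_ip: Dict[str, List[Failure]] = defaultdict(list)
    for f in parse_failures(text):
        by_ip[f.ip].append(f)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda f: f.ts)
        for i, first in enumerate(events):  # slide the window start over each event
            hosts = {f.host for f in events[i:] if f.ts - first.ts <= window}
            if len(hosts) >= min_hosts:
                alerts[ip] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    print("per-host view:", per_host_failures(CENTRAL_LOG))
    print("central view:", detect_spray(CENTRAL_LOG))
```

The per-host view never shows more than three failures from any one source, so a host-local rule set at the usual five or ten attempts stays silent; the central view, grouping by source address across hosts, raises 203.0.113.7 against bastion, db01, web01 and web02. The single-host attempts from 198.51.100.20 are correctly left for a per-host brute-force rule, which is a different detection.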

Use temporary accounts to log in to servers

Another way to minimise exposure is to use time-limited accounts for server access. These accounts can be created easily and set to expire automatically after a given period, and Privileged Access Management (PAM) tools automate the whole process of issuing, approving and revoking them. For example, organisations often hire sub-contractors to make small adjustments to their networks, which may require access to the admin area. You could create an admin account for them and delete it when they have completed the job. However, it is easy to forget that you added someone with network privileges, leaving the account, and with it your network, open to possible security threats and data safety issues. An expiry date fixed at the moment the account is created removes the dependence on someone remembering to clean up.

Restore and rebuild from reliable backups

Backup and restore refers to the practice of making periodic copies of data and applications to a separate, secondary location and then using those copies to restore and rebuild. The key to reliable backups is to find the option that will allow your organisation to restore and rebuild if the original data and applications are held hostage or damaged by a cyber infiltration, or by a power outage, human error, a disaster or some other unplanned event. A backup is only reliable if it survives the incident and actually restores: keep at least one copy offline or otherwise beyond the reach of an attacker who has compromised your network, verify that the copy is intact before you trust it, and test restores regularly rather than discovering a problem on the day you need them. Keep in mind that while a backup copy can help you recover from a cyber threat, it cannot prevent data leakage if the cyber-criminal decides to publish your valuable data.
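Verifying a backup before restoring from it is the part most often skipped. The script below is an added example, not code from the article or from Netwrix: it copies a constructed set of files into a backup directory, records a SHA-256 manifest of what was actually written, and then shows what happens when an attacker who reached the backup volume overwrites one file and deletes another. The restore step refuses a backup that fails verification, so a ransomware-encrypted copy is not silently restored over your recovered systems. The manifest file name, the sample files and the temporary directory layout are assumptions for the illustration.

```python
"""Backup with an integrity manifest, and a restore that refuses tampered copies.

Constructed example: the files are made up and live in a temporary directory, and
the manifest is a plain JSON file kept alongside the copy. In production the manifest
(or a signature over it) should also be stored separately from the backup, and the
backup itself kept offline or on immutable storage.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST = "MANIFEST.sha256.json"  # assumed name for the manifest written into the backup


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path) -> Dict[str, str]:
    """Copy src into dest and record the SHA-256 of every file as actually written to dest."""
    dest.mkdir(parents=True, exist_ok=True)
    files = sorted((p for p in src.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(src).as_posix())
    manifest: Dict[str, str] = {}
    for f in files:
        rel = f.relative_to(src).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        manifest[rel] = sha256_of(target)  # hash the copy, not the source, to catch write errors
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> Dict[str, List[str]]:
    """Compare every file listed in the manifest against what is on the backup volume now."""
    manifest = json.loads((dest / MANIFEST).read_text())
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": []}
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_backup(dest: Path, target: Path) -> List[str]:
    """Rebuild target from the backup, but only if the backup verifies clean."""
    report = verify_backup(dest)
    if report["modified"] or report["missing"]:
        raise RuntimeError(f"backup failed verification, refusing to restore: {report}")
    for rel in report["ok"]:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    return report["ok"]


def demo() -> dict:
    """Back up two constructed files, restore them, then tamper with the backup and try again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "live", Path(tmp) / "backup"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'alice');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        make_backup(src, dest)
        clean = verify_backup(dest)
        restored = restore_backup(dest, Path(tmp) / "rebuilt")
        # Simulate an attacker who reached the backup volume: one file encrypted in place, one deleted.
        (dest / "db" / "customers.sql").write_bytes(os.urandom(64))
        (dest / "config.yaml").unlink()
        tampered = verify_backup(dest)
        try:
            restore_backup(dest, Path(tmp) / "rebuilt2")
            refused = False
        except RuntimeError:
            refused = True
    return {"clean": clean, "restored": restored, "tampered": tampered, "refused": refused}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest stored only next to the backup can be rewritten by the same attacker who encrypts the files, which is why the lead-in recommends keeping a separate or signed copy; the check still catches the far more common cases of bit rot, partial writes and a backup job that silently stopped copying some paths. The same verify-before-restore gate belongs in any automated rebuild pipeline.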

Minimising damage from a cyberattack is possible, but it requires constant diligence and effort. The amount of damage, and the work required to recover from an attack, can be reduced significantly if you take the necessary precautions. Implement the steps above before your organisation is breached, and you will be better prepared to defend against an attack should you need to.

By Joe Dibley, Security Researcher at Netwrix
