It seems to me that ransomware is everywhere. More often than not, it’s particularly undignified and highly newsworthy, but it’s always there: headquarters and subsidiaries, major organisations and SMEs, charities and financial services, logistics, aviation, ransomware is our old friend. When ransomware hits a company without good security, as far as I know, none of the phone calls from the people affected were messages of calmness and tranquility – they were [mainly] messages of abject panic. If you look for it, I’ve got a sneaky feeling you’ll find that ransomware actually is all around … so what can business leaders do?
Business Leaders! Do your defenders have what they need for Christmas?
Before you head off for the Christmas break. Before you pat everyone on the back for a job well done. For all their hard work in what has been another year of pandemic uncertainty with still no clear end in sight. Make sure you do a round-robin of those responsible for keeping your IT infrastructure secure and confirm they have what they need this Christmas. Make sure as leaders you have assurance that should something happen over the festive break that people are ready to deal with what may come their way. Here are some things to check off:
- Are contact details for on-call staff up-to-date? Has a drill been conducted to check people can be contacted at the locations they are likely to spend the holidays? Do those people know they are on-call and that they need to be clear-headed during that time to deal with an incident? Can these on-call people gain access to physical locations should they need to fix something in person?
- Have backups been tested? The question to ask is how long it will actually take to do a full restore. If this question can’t be answered (and evidenced), your backups have not been properly tested. The second question to ask is how many backups exist. A good practice is to have 3 different copies with at least one being logically separated. A third question to ask is about access control to backups. If you can access the backups with the same credentials as those used for day-to-day operations, you have a major problem should your admin accounts become compromised.
- Has your Incident Recovery / ITDR Plan been tested – effectively? The question that should be asked is how long did it take for something to break? If nothing broke, the test was not rigorous enough. Why can I say this with confidence? Because I have never dealt with the aftermath of an incident in which the root cause was totally foreseeable and avoidable had it been tested. Whenever assumptions have been challenged, the assumption has always been proved to be false. I cannot stress this enough, for a test to be effective, something needs to break. Don’t stop turning off systems until this break happens! Leaders must know the breaking point, and then the time it will take from this point to get things back up and running.
- Is a change-freeze in place? This should be all changes. Emergency change procedures should be used sparingly and not used as a back door for business as usual work that didn’t get done in time.
- Are your logging and monitoring capabilities effective? Ask how much of the environment is covered by centralised logging (i.e. logs are not stored on the devices themselves and can’t be turned off). If it’s only “critical” infrastructure you have a problem. You need logs from as much of your infrastructure as possible to aid both in initial detection and follow-up forensic analysis. That said, those logs still need to be tuned and stripped of material with little value to avoid Christmas dinner being spoiled by an avalanche of false positives. Leaders also need to ask what activity is being monitored. There should be a clearly defined list of use cases that have been validated. Some examples might be successful login attempts by admins, normal users being given extra privileges. logging being turned off on firewalls. VPNs being accessed from strange locations. All can be initial indicators of unauthorised activity.
Because it’s Christmas…
So there you have it, leaders, some key questions to ask your people before you head out for the holidays. But for now, let me say … Without hope or agenda … Just because it’s Christmas … And at Christmas, you tell the truth … I hope you don’t get hit by ransomware … Merry Christmas from us all at Fox Red Risk!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 article 28 awareness bcms BIA business continuity calculating risk change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership monitoring operational resilience Outsourced DPO Privacy processor risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso