Nevermore: stop your company getting hacked again

After a hack, a company needs to improve security quickly and effectively. We outline the first steps to cyber-resilience.

Measures to improve cyber-resilience of an organization

Major cyber-incidents are a good reason to improve things not only in information security, but also in IT. Management is willing to commit resources and genuinely wants positive change, but you need to be realistic about scope and budget. What measures will make the greatest contribution to preventing and minimizing the impact of new incidents?

Being prepared for future cyberattacks is called cyber-resilience. And it’s not just about beefing up defenses. For a company, cyber-resilience is the ability to operate in the face of a cyberattack or other cyber-incident. It means having the technical and organizational measures in place to detect, respond to and recover from incidents, then adapt and learn from them. The concept is set forth in the ISO/IEC 27001 standard.

Or, as organizations often say themselves: how can a company stop ransomware from getting in, and if it does get in, prevent it from doing harm? That’s the question we’ll try to answer.

Where to start?

The list of attack prevention and mitigation technologies is almost endless. You should prioritize by assessing the risks and damage from various cybersecurity incidents, preventing the most likely attacks from the ATT&CK framework, and applying one of the many playbooks to mitigate specific risks (example 1, example 2). But there are some important first steps.  Firstly, is not to spread your efforts too thin – we recommend focusing on a handful of core solutions that will produce an effect so impactful that all other projects are best postponed until these fundamentals are implemented. All of the solutions on the list significantly reduce the risk of the most common attacks, simplify incident response and reduce damage if an intrusion does occur. So, if your company lacks something from this list, implement it today.

We cannot overstress the importance of implementing these technologies on ALL computers in your company. That means all endpoints (including all corporate and personal laptops and smartphones), all servers and all virtual and containerized workloads. There’s a major pitfall here: shadow IT. Despite your best efforts, you may not be aware of the existence of some computers and servers. So, start with an inventory of all IT assets to ensure that security policies cover the entire corporate infrastructure.

Endpoint Detection and Response

All computers, including servers and virtual machines, must have an EDR agent installed, with threat-blocking features enabled.  EDR is a core protection technology that combines malware protection with monitoring and response for more complex information security systems.

Make sure you can receive telemetry from all computers, since any internal or external security expert will need it to quickly analyze potential incidents. Leading vendors, such as Kaspersky, automatically block the vast majority of common cyberthreats, so make sure that all features for blocking known malicious activity are enabled on all computers under a unified policy.

Multifactor Authentication

By various estimates, 60–80% of cyberattacks begin with account theft. That’s why it’s considered inadmissible to protect access to computer systems with a password alone: it’s too easy to guess, steal or brute-force. User login must be performed with MFA. The most common form employs two factors (password and one-time code), hence it’s known as two-factor authentication, or 2FA.  The most cost-effective solutions use an authenticator app, but, depending on the specifics of the organization and the position of the employee, it can be any combination of an app, USB token, biometrics, etc.  In general, MFA is recommended for all company systems, but its deployment should be prioritized for services that are accessible externally, such as email and VPN.

Protected backups

Backups have long protected companies against more than just fires and hardware failure. They also guard against a number of cyberattacks. Ransomware operators are well aware of this, so just about every ransomware attack involves the targeted deletion of backup copies of information. For this reason, a backup strategy must account for all scenarios, such as rapid recovery from an easily accessible copy – in case of hardware failure or other IT incident, as well as guaranteed recovery in the event of a ransomware attack. It’s very likely that two separate backups will be required. Ransomware-resistant backups are ones stored on media that are physically disconnected from the network (not very convenient, but reliable), as well as in “immutable” cloud storage, where data can be added but not replaced or deleted (convenient, reliable and potentially expensive).  Having created your immutable backup, conduct a data-recovery training to (a) make sure it can be done, and (b) estimate the time required (plus this will speed up your team’s response in the event of a real attack).

Application and patch management

All computers in the company, be it a desktop, a virtual server or the laptop of an employee on a business trip, must have tools installed that allow administrators to manage the machine remotely. Critical actions include computer diagnostics (checking for availability of necessary apps, checking network status, VPN health, EDR updates, etc.), installing applications and updates, testing for vulnerabilities, and so on.

Such capabilities are vital, both for everyday work and during incident response. In day-to-day operations, they ensure cyber-hygiene, such as the prompt installation of important security updates on all computers. During incidents, it may be necessary to run, say, a specialized utility or install a certificate — and only administration systems should be allowed to perform this within a reasonable timeframe, including for remote employees.

Best suited for this task are UEM systems that allow you to manage a variety of devices, including work and personal computers and smartphones, and apply company policies to them.  You also have the option to arm yourself with highly specialized solutions, such as patch management, VNC/RDP and other systems.

Unique passwords

Privileged access management and identify security is a very broad topic.  Well-built identity security both increases the company’s level of protection and simplifies the lives of employees. But full implementation can be a lengthy project, so the initial focus should be on the essentials, the first being to ensure that each computer in the company is protected by a unique local administrator password. Use the free LAPS tool to implement this measure.  This simple precaution will prevent attackers from moving quickly through the network, compromising computers one by one using the same password.

Minimizing vulnerable services

Regularly scan your company’s IP addresses from the internet to make sure that servers and services that should only be available on the local network are not globally exposed. If such a service ever pops up on the internet, take prompt action to block outside access to it. If for some reason it needs to be accessible from the internet, apply regular security updates and protect it with MFA.  These measures are especially important for favorite hacker targets such as: web management consoles, RDP, Telnet/SSH, SMB, SNMP and FTP. It’s best to assume that all services are visible from the internet, and scan them for vulnerabilities, weak passwords and other defects regularly.