A few weeks ago, we looked at prevention of malicious downloads. Today, I would like to look at some key components to business continuity which, in turn, is a key for your business or organization’s survival should the unthinkable happen. Although we only see the biggest companies on the evening news, the reality is that the vast majority of breaches occur to small- and medium-sized businesses. Let’s dive right and examine what mitigation measures can be taken if a serious breach does occur. (Please note: This is not necessarily a guide or sequential outline of items. Always consult an IT professional if your company or organization has been the victim of a cybercrime.)
For the purposes of this article, we will make a few assumptions:
- The breach was severe enough that basic scans and malware removal are not enough to mitigate. This would include, for example, a cryptolocker attack that has infected and encrypted a large multitude of files across vital IT areas.
- The attack has ended—the immediate danger of the threat has been neutralized, i.e. the infection has been controlled and removed and there is no danger of re-infection due to isolation or erasure.
Consult Business Continuity and Disaster Recovery Response Plans
The first step in continuing operations is to gather previously prepared plans. These plans include what should happen, when those things should happen, and who is responsible to make them happen.
Change of Account Authentication
A breach means there was a failure in security at some level. While forensic discovery has not occurred yet at this point (and thus method of entry could still be unknown), all passwords allowing access to sensitive hardware, software, or web sites should be assumed compromised and immediately be changed and MFA added wherever possible to increase efficacy of the login authenticity.
Microsoft Office Remediation
Perhaps a most basic remediation strategy will revolve around a recovery of Sharepoint and OneDrive. These systems offer historical recovery up to 30 days for files of individual accounts that were synced to One Drive and Sharepoint. However, this process can be slow and most likely, except for perhaps the smallest businesses, will not offer a sufficient amount of data to avoid a major interruption in productivity.
While this step can help to recover some files, relying solely on default protections from Microsoft is generally a poor business continuity plan and should be avoided as an all-inclusive recovery solution.
A determination should be made as to the method of intrusion. For example, if an account was compromised and lead to the infection, the method of compromise should be found, if possible, to avoid future security breaches. However, while credential compromise is a very common culprit, malicious attacks can be caused by infinite other possibilities including OS vulnerabilities, breaches caused by BYOD policies, or hardware/firmware vulnerabilities (among many others). A forensic IT investigator will often determine the geographic source of the attack, the full nature of the attack, exfiltration information (what the bad actors took with them), and other pertinent details.
Here at Certified CIO, we utilize the services of the experts at SOCLogix for this task. Because their job is much easier if they are already monitoring, we offer customers a monitoring and logging service so that things can get back up even faster.
If the health of on-site backups is intact, business continuity can start to take shape. Recovery could commence with re-imaging server and other hardware components, as needed. Time and date of breach should be established prior to this to avoid re-creating an already compromised scenario where a backdoor for access could easily still exist for the malicious actor.
Datto and Datto SaaS
Datto is an industry leader in business continuity and for good reason. Datto provides a relatively route to return to productivity by offering server backup solutions that, in some cases, are as easy as flipping a light switch. (Okay…it’s a little more than that. But it is easier and faster than most solutions.)
This product is called SIRIS, can be sized appropriately for your business or organization, and serves to provide one of the industry’s best bets for business continuity. With options to restore file level, image level or spin up a server using only the device, Datto SIRIS gives the most variety of options for recovery and is the gold standard for business continuity.
Another offering for smaller servers is called ALTO, which accomplishes a similar task with a few more steps (but still much faster than many more common solutions).
Datto also offers a SaaS product which is licensed individually, increasing the retention of Microsoft One Drive exponentially.
Dark Web Scanning
After the business is back up and running, many decision makers fall a bit short in maintaining a vigilant outlook. One option to help prop up security lapses is to maintain an automated service that scans Dark Web databases for breaches of individual account credentials. Certified CIO uses ID Agent’s Dark Web Monitoring for this. A discovered exposed credential creates a ticket in our system that requires a password change, removing the exposed password quickly after discovery.
How You Can Increase Your Preparedness
If you’re unsure that your business or organization is adequately prepared to handle an IT emergency situation, CONTACT US and we would love to sit down with you and create a plan! From creating response plans to shoring up cyber defenses, our experts can help you get your IT more productive—and stay more productive.