How to prepare against cyber attacks

There have been several publicly known ransomware attacks recently. The attacks against the Colonial Pipeline and SolarWinds were eye-openers to many. The ongoing attack against Kaseya is, according to the vendor, affecting 1,500 organizations worldwide. The villains have found a clever way to extend their reach by attacking vendors that provide tools for MSPs. Even my local golf club got hit in the attack against Kaseya!

But ransomware attacks are nothing new. What is new is that criminals are now better organized, and they attack with a larger and more devastating impact. They have also better aligned their demands with how much their victims are prepared to pay.

You can never fully protect yourself – but you can make it harder to become a victim. And perhaps it’s like when burglars are scouting houses and avoid the ones with high security. Make sure that your house has a decent level of security!

1) Scrutinize the tools that you’re using and think about how you can create silos in your environment so that you limit the impact of an attack. Think like the US Air Force, which makes sure that it has two separate fleets of tanker aircraft – if one manufacturer’s aircraft has an issue, the other tanker aircraft model can still fly and provide refueling services in the air, and operational capabilities remain intact.

2) Make sure that all your systems are updated, because that’s probably the best protection against being attacked. But also make sure that updates are not infected, like what happened to Kaseya’s customers. Most updates don’t need to be installed right away – instead you can often wait a few weeks. And for business-critical systems, it makes sense to first install updates in an isolated test environment. Last, make sure that the updates are authorized and published by your vendor, and when in doubt, make a phone call to the vendor and verify.

3) Train on how to roll back updates so that you are comfortable doing it on servers, personal computers, SAN, firewalls, routers etc. When there’s an issue, you might be able to limit the impact with a quick rollback!

4) Make sure that you use complex passwords that are changed often, and implement two-factor authentication. Best practice is that your administrators should use personal accounts with the lowest possible level of access. Once they need a higher level of access, they should use another account just for that purpose, or get their access temporarily elevated, and then go back to their lower level of access for their regular work.

5) Separate your backups and make sure they are impossible to reach for someone having full access to your production environment. Ransomware attacks often involve attacking backups, but if you have them separated and intact you will be able to get back to business more quickly. You should have a modus operandi where you simulate restoring your systems from your backups, as it’s important to know exactly what to do when needed. When your backups are separated and you know exactly how to restore, you will be much more protected.

6) Create a map of which systems are business-critical and whether there are any alternative solutions when you’re under attack. It might be going back to manual routines, or it might be switching temporarily to alternative systems that you can get up and running within a number of hours.

7) Evaluate your vendors on how seriously they take cyber security and how prepared they are. We are all in this together and no chain is stronger than the weakest link.

8) Educate your staff in cyber security so that they understand how they should act. This involves which types of pages to avoid, what information never to give out, and how to detect phishing emails.

9) Utilize Azure Sentinel Fusion Detection for Ransomware (microsoft.com), which is now publicly available. It will give you alerts when behavior has been detected that might indicate that you’re under attack.
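
An added example, not part of the original article: one way to turn the checks in point 2 into a gate that runs before an update is deployed. The `Update` fields, the reason strings and the 21-day reading of "a few weeks" are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

SOAK_PERIOD = timedelta(days=21)  # assumption: "a few weeks" taken as 21 days


@dataclass
class Update:
    name: str
    payload: bytes               # bytes of the downloaded update file
    vendor_sha256: str           # digest confirmed with the vendor out of band
    released: date               # vendor's publication date
    business_critical: bool = False
    passed_isolated_test: bool = False


def review_update(update: Update, today: date) -> list[str]:
    """Return the reasons to hold the update back; an empty list means deploy."""
    reasons = []
    actual = hashlib.sha256(update.payload).hexdigest()
    # Constant-time comparison of the computed and vendor-supplied digests.
    if not hmac.compare_digest(actual, update.vendor_sha256.strip().lower()):
        reasons.append("digest-mismatch")
    if today - update.released < SOAK_PERIOD:
        reasons.append("soak-period-not-elapsed")
    if update.business_critical and not update.passed_isolated_test:
        reasons.append("not-tested-in-isolation")
    return reasons


# Constructed sample data, not a real vendor package.
SAMPLE = b"constructed sample update 1.2.3"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE).hexdigest()
TODAY = date(2021, 7, 30)

if __name__ == "__main__":
    candidates = [
        Update("agent", SAMPLE, SAMPLE_DIGEST, date(2021, 7, 1)),
        Update("agent-tampered", SAMPLE + b"!", SAMPLE_DIGEST, date(2021, 7, 1)),
        Update("erp", SAMPLE, SAMPLE_DIGEST, date(2021, 7, 25), business_critical=True),
    ]
    for u in candidates:
        print(u.name, review_update(u, TODAY) or "ok to deploy")
```

A matching digest only shows that the file is the one the vendor published, so the waiting period and the isolated test remain separate checks.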

It’s a dangerous world out there. Together we can make it a little bit less scary.

Regards, Per


Jivnani Sagar

Digital Marketer | Strategic Solutions and Client Partnerships at MamoTechnolabs | Analytical Thinker | Growth enthusiast

2 years ago

Per, thanks for sharing!
