Ransomware, hindsight is 20/20

Issue 8 2021 Integrated Solutions

There are few things worse than discovering that your business has been compromised. Be it a phish, ransomware, hack or malicious attack, it’s going to leave a long legacy of damage and complexity behind it. According to Martin Potgieter, co-founder and technical director at Nclose, “There are three things that most breach victims wished they had checked, or done differently, after they’ve been hit with a ransomware attack.

Martin Potgieter.

Check your firewall rules

“The first is to ensure that the company firewall is filtering outbound traffic as aggressively as it is filtering inbound traffic. Once an attacker gets a foothold within a network, if there is unrestricted outbound access, they have the freedom they need to download malicious payloads and exfiltrate data and download tools for their attack.”

The common firewall problem is simple, the rules get old and dated and companies don’t audit them often enough. Many firewalls that went into the pandemic were not customised to handle the complexities that it introduced in the shape of remote working. Gaps and vulnerabilities appeared and most companies didn’t even realise they were there until it was too late. This draws a thick black line under the importance of consistent firewall audits and regular assessment of all firewall rules.

“Often people realise that just one rule change could have slowed down or prevented the attack,” says Potgieter. “This isn’t a great realisation when you’ve just had your entire system locked down or have to pay hefty fines for being in breach of regulations. There are specific technical controls that can be implemented and updated that will help companies to resolve this issue and ensure that their firewalls are configured for minimum required access and best practice in terms of network segregation.”

Protect your backups

The second mistake that companies make is not to protect their backups. One of the first things that an organisation does when it has been compromised is to go to the backup system and restore the data, especially if they’ve fallen victim to ransomware. They access their backups to avoid paying the ransom, only to discover all the backups have been deleted.

“When these attacks happen, the attackers often go in and delete the backups,” says Potgieter. “The problem is that most companies look at backups as a business continuity or operational process that’s in place to restore the system if a server goes down, not as the last stand for the organisation. The attackers think differently. It’s a very common thing for companies hit by ransomware to go straight to their backups and when they discover these are empty, it’s devastating.”

To manage this particularly unpleasant side-effect, companies need to test their backup systems to ensure they can restore them from multiple points and put controls in place to prevent anyone from being able to delete the backup at all. Many backup systems have moved from offline tape backups to online backups and although online systems are more convenient, they are not as safe from malicious deletion of backups.

Test your incident responses

“The third factor is the lack of a tested incident response playbook,” says Potgieter. “Some mature organisations have incident response playbooks, so they know what needs to be done in the event of an attack and how to respond to different types of attack. This will never completely resolve the issue, but it can help the business significantly as the attack plays out. The problem is that many companies have a playbook they’ve not tested, or they don’t have one at all.”

It’s essential that the business has a clear plan in place to ensure that everyone does the right thing, at the right time, to mitigate data loss and the impact of the attack. If nobody knows what the plan is, or what needs to be done, then it can have serious repercussions, particularly in the event of a data breach that requires the company share the insights with the clients, regulatory bodies and the media.

“It’s a complex situation. On one hand the company is investigating the cause of the attack and may want to wait until it has more information before going to the media and customers, but on the other hand they can’t be seen as withholding information,” concludes Potgieter. “This is where an incident response plan comes in handy. It needs to outline how PR, technical and legal people respond to the attack and ensures that information is disseminated within a clear timeframe so that the company’s reputation isn’t put at risk.”

Organisations face a tedious task in addressing their cybersecurity shortfalls, as Gartner points out, this has become a board-level issue that requires companies revise how they approach their security systems and frameworks. This is not the time to regret an old firewall rule or lack of incident response processes, but rather the time to revise and revisit systems and processes to ensure that there is continuous improvement in these particular facets as an organisation moves into a complex and challenging 2022.

For more information contact Nclose, +27 21 812 5400, info@nclose.com, www.nclose.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Over-the-air updates to enhance IoT and edge security
Integrated Solutions
Variscite, a system-on-module designer and manufacturer, announced it has enhanced security options for IoT and edge devices built with Variscite SoMs with over-the-air software updates on edge devices.

The edge and AI – a partnership in smarter computing
Integrated Solutions
Organisational decision-makers must ensure that data complexity and data silos are mitigated and the right tools or platforms are in place before deploying AI.

Mark Kane and Wayne Schneeberger join Stallion Security
Stallion Security Editor's Choice CCTV, Surveillance & Remote Monitoring Integrated Solutions
Stallion Security has announced that Mark Kane and Wayne Schneeberger have joined its ranks at the same time as the company confirms its acquisition of Myertal Tactical Security’s offsite monitoring business.

Touchless school access control
neaMetrics Suprema Editor's Choice Access Control & Identity Management Integrated Solutions Education (Industry) Products
Wolverhampton Grammar School deployed a Suprema access control solution, integrated with Paxton to resolve its legacy access control challenges.

Wearable devices set to boost mineworker safety
News Integrated Solutions
The Connected Worker solution centres on a connected, track-and-trace wearable device for mineworkers, with a linked data-insights dashboard that gives real-time feedback to health and safety officers.

The challenge of cloud acceleration
Integrated Solutions
A move to cloud, otherwise referred to as the ‘cloud shift’, that has triggered a change in the way organisations run, is accelerating across the world.

Unlocking the potential of IoT in 2022
Integrated Solutions
The IoT Industry Council of South Africa looks at what lies ahead for Internet-of-Things (IoT) technology and its implementation as it continues to evolve and adapt to changing market demands?

Five essential pillars for buildings of the future
Integrated Solutions
In an era of digitisation and electrification, commercial and industrial facilities need to rethink their focus; 40% of the world’s C02 emissions come from buildings, whilst 30% of the energy consumed ...

Private LTE/5G network deployments to increase in the next five years
Integrated Solutions
According to a new research report from the IoT analyst firm, Berg Insight, private LTE/5G network deployments are set to increase tenfold during the period 2021–2026.

Smartest hydropower station in the world
Dahua Technology South Africa CCTV, Surveillance & Remote Monitoring Integrated Solutions
Dahua’s AI-based intelligent video analysis algorithm realises the digitalisation of the entire process of concrete production, transportation, pouring and maintenance.