Ransomware, hindsight is 20/20

Issue 8 2021 Integrated Solutions

There are few things worse than discovering that your business has been compromised. Be it a phish, ransomware, hack or malicious attack, it’s going to leave a long legacy of damage and complexity behind it. According to Martin Potgieter, co-founder and technical director at Nclose, “There are three things that most breach victims wished they had checked, or done differently, after they’ve been hit with a ransomware attack.


Martin Potgieter.

Check your firewall rules

“The first is to ensure that the company firewall is filtering outbound traffic as aggressively as it is filtering inbound traffic. Once an attacker gets a foothold within a network, if there is unrestricted outbound access, they have the freedom they need to download malicious payloads and exfiltrate data and download tools for their attack.”

The common firewall problem is simple, the rules get old and dated and companies don’t audit them often enough. Many firewalls that went into the pandemic were not customised to handle the complexities that it introduced in the shape of remote working. Gaps and vulnerabilities appeared and most companies didn’t even realise they were there until it was too late. This draws a thick black line under the importance of consistent firewall audits and regular assessment of all firewall rules.

“Often people realise that just one rule change could have slowed down or prevented the attack,” says Potgieter. “This isn’t a great realisation when you’ve just had your entire system locked down or have to pay hefty fines for being in breach of regulations. There are specific technical controls that can be implemented and updated that will help companies to resolve this issue and ensure that their firewalls are configured for minimum required access and best practice in terms of network segregation.”

Protect your backups

The second mistake that companies make is not to protect their backups. One of the first things that an organisation does when it has been compromised is to go to the backup system and restore the data, especially if they’ve fallen victim to ransomware. They access their backups to avoid paying the ransom, only to discover all the backups have been deleted.

“When these attacks happen, the attackers often go in and delete the backups,” says Potgieter. “The problem is that most companies look at backups as a business continuity or operational process that’s in place to restore the system if a server goes down, not as the last stand for the organisation. The attackers think differently. It’s a very common thing for companies hit by ransomware to go straight to their backups and when they discover these are empty, it’s devastating.”

To manage this particularly unpleasant side-effect, companies need to test their backup systems to ensure they can restore them from multiple points and put controls in place to prevent anyone from being able to delete the backup at all. Many backup systems have moved from offline tape backups to online backups and although online systems are more convenient, they are not as safe from malicious deletion of backups.

Test your incident responses

“The third factor is the lack of a tested incident response playbook,” says Potgieter. “Some mature organisations have incident response playbooks, so they know what needs to be done in the event of an attack and how to respond to different types of attack. This will never completely resolve the issue, but it can help the business significantly as the attack plays out. The problem is that many companies have a playbook they’ve not tested, or they don’t have one at all.”

It’s essential that the business has a clear plan in place to ensure that everyone does the right thing, at the right time, to mitigate data loss and the impact of the attack. If nobody knows what the plan is, or what needs to be done, then it can have serious repercussions, particularly in the event of a data breach that requires the company share the insights with the clients, regulatory bodies and the media.

“It’s a complex situation. On one hand the company is investigating the cause of the attack and may want to wait until it has more information before going to the media and customers, but on the other hand they can’t be seen as withholding information,” concludes Potgieter. “This is where an incident response plan comes in handy. It needs to outline how PR, technical and legal people respond to the attack and ensures that information is disseminated within a clear timeframe so that the company’s reputation isn’t put at risk.”

Organisations face a tedious task in addressing their cybersecurity shortfalls, as Gartner points out, this has become a board-level issue that requires companies revise how they approach their security systems and frameworks. This is not the time to regret an old firewall rule or lack of incident response processes, but rather the time to revise and revisit systems and processes to ensure that there is continuous improvement in these particular facets as an organisation moves into a complex and challenging 2022.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Digitising security solutions with AI and smart integration
Regal Security Distributors SA Technews Publishing Integrated Solutions
The Regal Projects Team’s decades of experience and commitment to integration have brought the digital security guard to life as a trusted force for safer, smarter living.

Read more...
Smart cities and the role of video security
Surveillance Integrated Solutions
As cities around the world continue to embrace smart technology, including IoT that not only connects to people, but also the surrounding activity, the integration of advanced video security systems is crucial to ensure safety and efficiency in environments.

Read more...
Surveillance to unjam the traffic
Integrated Solutions Transport (Industry)
Traffic is a challenge that affects urban areas across Africa. The city of Johannesburg, South Africa’s most populous city, experiences severe traffic resulting from a confluence of issues, including power outages, faulty traffic lights, and infrastructure theft.

Read more...
The benefits of offsite control rooms
Astrosec Surveillance Integrated Solutions
As the security landscape grows more intricate, control rooms – the crucial hub of security operations – need to adapt. With escalating costs, mounting threats, and a heightened demand for immediate responses, many organisations are reassessing the operations of their control rooms.

Read more...
edgE:Tower video analytics integrated with SEON
Surveillance Integrated Solutions AI & Data Analytics
Sentronics has announced a new integration between its edgE:Tower advanced AI-driven video analytics solution and SEON, a Central Monitoring Software (CMS) platform. This integration enhances real-time situational awareness and automated threat detection for control rooms.

Read more...
Security industry embraces mobile credentials, biometrics and AI
AI & Data Analytics Access Control & Identity Management Integrated Solutions
As organisations navigate an increasingly complex threat landscape, security leaders are making strategic shifts toward unified platforms and emerging technologies, according to the newly released 2025 State of Security and Identity Report from HID.

Read more...
Insurance provider uses Net2 For access management
Paxton Access Control & Identity Management Integrated Solutions Healthcare (Industry)
BestMed selected Paxton Net2 for its access control requirements because of its simplicity of installation and ease of navigation for end users, as well as the 5-year warranty.

Read more...
The power of knowing your client
Ideco Biometrics Access Control & Identity Management Integrated Solutions
One of the most effective ways to combat the threat of fraud, identity theft, and financial crime threats is through a robust Know Your Client (KYC) process, which safeguards both businesses and clients.

Read more...
Managing identities for 20 years
Ideco Biometrics Technews Publishing SMART Security Solutions Access Control & Identity Management Integrated Solutions IoT & Automation
Many companies are now more aware of the risks associated with unauthorised access to locations and sensitive data and are investing in advanced identity authentication technologies to mitigate these threats.

Read more...
Cost-effective and reliable remote connectivity
Agriculture (Industry) Integrated Solutions Infrastructure
Companies that operate in hard-to-connect areas now have access to reliable connectivity due to a collaboration between MTN South Africa, Vox and Tarana technology.

Read more...