A little while ago, I wrote an article about how to recover from a security breach, detailing the basic steps of the process:
While these steps outline the basic process for breach recovery, they don’t provide all of the answers. The thing is, some of the specific measures you take when dealing with a security breach might have to change depending on the type of breach that occurs. By “security breach types,” I’m referring to the specific methods of attack used by malicious actors to compromise your business’ data in some way—whether the breach results in data loss, data theft, or denial of service/access to data.
With this in mind, I thought it might be a good idea to outline a few of the most common types of security breaches and some strategies for dealing with them.
In recent years, ransomware has become a prevalent attack method. In this type of security breach, an attacker uploads encryption malware (malicious software) onto your business’ network. Once on your system, the malware begins encrypting your data.
After the encryption is complete, users find that they cannot access any of their information—and may soon see a message demanding that the business pay a ransom to get the encryption key. If the ransom isn’t paid in a timely fashion, the attacker threatens to delete the encryption key and leave the victim’s data forever unusable.
There are a few different ways to handle a ransomware attack:
Of the above options, using a remote backup is probably the best one—it’s the quickest fix, and it keeps the attackers from profiting from their attack. However, this does require a certain amount of preparation on your part. After all, you need to have some kind of backup system that is up-to-date with your business’ most important information while still being isolated enough not to be impacted by ransomware.
One of the biggest security breach risks in any organization is the misuse of legitimate user credentials—also known as insider attacks. These attacks leverage the user accounts of your own people to abuse their access privileges. Some insider attacks are the result of employees intentionally misusing their privileges, while others occur because an employee’s user account details (username, password, etc.) are exposed to malicious actors.
Whether it’s a rogue employee or a thief stealing employees’ user accounts, insider attacks can be especially difficult to respond to. In many cases, the actions taken by an attacker may look completely normal until it’s too late to stop the breach.
The best way to deal with insider attacks is to prepare for them before they happen. How can you prepare for an insider attack? Some key strategies include:
When attackers use phishing techniques on your employees, they aren’t always just after your employees’ user account credentials. Some phishing attempts try to trick your employees directly into surrendering sensitive customer/client data. Others attempt to get employees to click on links that lead to websites filled with malicious software—or that immediately download and launch such malware.
Many of these attacks use email and other communication methods that mimic legitimate requests. For example, email phishing (and highly-targeted spear-phishing) attacks might attempt to recreate the company logos and style of your business or its vendors.
Once again, an ounce of prevention is worth a pound of cure. The first step in dealing with phishing and similar attacks that try to trick your employees into giving away sensitive information or otherwise compromise your security is to educate your employees about phishing attacks.
Additionally, setting some clear policies about what information can and cannot be shared online can help to prevent employees from accidentally giving away sensitive information.
If a phishing attempt is discovered, be sure to alert your employees to the attempt, and include which, if any, vendors were imitated in the attack. This helps your employees be extra vigilant against further attempts.
If the goal of the phishing attack was to trick users into downloading malware, have the employee immediately disconnect their workstation (or whatever device downloaded the malware) from the network. Then, they should shut the device down so that the malware cannot spread to other devices on the network if the device’s Wi-Fi becomes active. These actions should be outlined in your company’s incident response plan (IRP)—and employees should be trained to follow these steps quickly in case something happens.
While modern business software programs and applications are incredibly useful, the sheer complexity of such software means it can contain bugs or exploitable vulnerabilities that could be used to breach your company’s security. Attackers often use old, well-known software bugs and vulnerabilities to breach the security of companies that are lax about applying their security patches in a timely manner.
Some attacks even take advantage of previously-unknown security vulnerabilities in some business software programs and mobile applications to create a near-unstoppable threat. However, these are rare in comparison.
The best response to breaches caused by software vulnerabilities is—once the breach has been contained and eliminated—to immediately look to see if the compromised software has a security patch available that addresses the exploited vulnerability. If so, it should be applied as soon as it is feasible. If not, the software developer should be contacted and alerted to the vulnerability as soon as possible.
In the meantime, it may be necessary to find ways to prevent the exploit from being used, such as disabling the feature the exploit relies on, writing a custom firewall rule that blocks requests targeting the vulnerability, or even uninstalling the software temporarily. Additionally, proactively looking for and applying security updates from software vendors is always a good idea.
The attacking IP address should also be added to a blacklist so further attempts are stopped before they begin—or at least delayed as the attacker(s) attempt to spoof a new IP address.
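As an added example (not from the original article), the script below shows the two stop-gap measures just described working together: it scans web access logs for requests aimed at a vulnerable endpoint, skips allowlisted addresses such as your own scanner, and emits an nginx snippet that both blocks the triggering request pattern (a "virtual patch") and denies the observed source IPs. The endpoint `/legacy/export.php`, the `cmd` trigger parameter and all log lines are constructed placeholders, not details of any real vulnerability.

```python
"""Added example: build a virtual patch and block list from web access logs.
The endpoint, trigger parameter and log lines below are constructed placeholders."""
import ipaddress
import re
from collections import Counter

# Combined log format; we only need the client IP and the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)')
# Hypothetical advisory: the flaw is reachable only via this endpoint with a "cmd" parameter.
VULN_PATH = "/legacy/export.php"
TRIGGER = re.compile(r"(?:^|&)cmd=", re.IGNORECASE)

def is_exploit_attempt(target: str) -> bool:
    """True when the request hits the vulnerable endpoint with the trigger parameter."""
    path, _, query = target.partition("?")
    return path == VULN_PATH and bool(TRIGGER.search(query))

def attackers_from_log(log_text: str, allowlist=("10.0.0.0/8",)) -> Counter:
    """Count attempts per source IP, skipping allowlisted ranges (e.g. your own
    vulnerability scanner) so the block list never locks you out."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_exploit_attempt(m["target"]):
            ip = ipaddress.ip_address(m["ip"])
            if not any(ip in net for net in allowed):
                hits[str(ip)] += 1
    return hits

def nginx_rules(hits: Counter) -> str:
    """nginx snippet: reject the trigger parameter on the vulnerable endpoint
    (virtual patch) and deny the observed attacking sources."""
    denies = "".join(f"deny {ip};\n" for ip in sorted(hits))
    return (f"location = {VULN_PATH} {{\n"
            f'    if ($args ~* "(^|&)cmd=") {{ return 403; }}\n'
            f"}}\n{denies}")

# Constructed sample: a legitimate user, two attackers, one internal scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /legacy/export.php?format=csv HTTP/1.1" 200 2211
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /legacy/export.php?cmd=x HTTP/1.1" 500 0
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /legacy/export.php?cmd=y HTTP/1.1" 500 0
192.0.2.99 - - [10/Oct/2023:13:57:10 +0000] "POST /legacy/export.php?format=csv&CMD=z HTTP/1.1" 500 0
10.0.0.5 - - [10/Oct/2023:14:00:00 +0000] "GET /legacy/export.php?cmd=scan HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    print(nginx_rules(attackers_from_log(SAMPLE_LOG)))
```

Address blocks of this kind are a delay, not a fix; the generated `location` rule keeps working after the attacker changes source address, which is why it sits alongside the deny list rather than replacing it.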
A common theme in many of the security breach responses listed above is that they generally require some form of preparation before the breach occurs.
The question is this: Is your business prepared to respond effectively to a security breach?
If you need help preparing your incident response plan, or just getting up to speed on the basics of cybersecurity, please contact us today! Compuquip Cybersecurity is here to help you minimize your cybersecurity risks and improve your overall cybersecurity posture.