Ensuring your business is resilient against today’s rapidly evolving cyber threat landscape without standing in the way of business priorities can be a delicate balance. But as we’ve all heard, a cyberattack is not a matter of if, but when. Cyberattacks have become a persistent and permanent threat to organizations across all industries, and the damage from a cyber infiltration can be costly. However, before you actually get hit, you can have a clear process in place to minimize the damage.
To begin with, you need to ask yourself, “Are we sufficiently prepared to defend against a cyberattack?” And if your answer is no, the next question is, “What are we actively doing to avoid, or at least minimize, any damage a cyber infiltration might cause?” If your organization is not fully prepared, consider the following tips to help you reduce any harm so that you can get back to business as quickly, and reliably, as possible:
- Restrict access and remove unnecessary privileges. Providing appropriate levels of access to the right resources can minimize the impact of any cyber infiltration by giving the attacker a smaller footprint in which to operate. You need to minimize the number of accounts, users with access to accounts, and their privileges. Less access is easier to protect, restrict, and review.
You should also make it a priority to know who has access to what. Once that has been determined, you can establish processes to regularly remove unnecessary privileges and accounts. For example, third-party access should be automatically revoked when the contract expires. Analytics can be used to identify unnecessary privileges and tighten access.
- Reduce the quantity of inbound network connections. The goal of most organizations is to optimize the network their employees rely on to do their jobs. To ensure this optimization, identify the sources of unwanted or unnecessary network connections and traffic and take steps to correct or eliminate the root causes in order to enhance network performance and help avoid future problems.
Removing inbound network connections minimizes the risk of a network being exposed to cyber infiltration and the damage that can result. By removing these connections, the attack surface of the network will be reduced, and the overall safety of the network will increase.
- Ensure antivirus and endpoint detection and response (EDR) solutions are up to date. It is more common than you might think for software updates to be ignored, particularly when they are left up to the user rather than pushed through an automated, centrally controlled solution.
Antivirus and EDR solutions provide signature files that contain the latest lists of known threats. These files are released daily, and sometimes even more often than that, so configure your solutions to automatically check for updates at least once a day.
- Log all events in a central location. Centralized network log records play an extremely important role in any well-thought-out security program. They can help in the detection of anomalous activity both in real time and reactively during a cyberattack.
Centralized logging provides two key benefits. First, it places all log records in a single location, making it easier for you to do log analysis and correlation tasks whenever you need to. Second, it provides you with a secure storage area for your log data. This is important because if an endpoint becomes compromised, the attacker will not be able to tamper with the logs already stored in the central log repository unless that central repository is also compromised.
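As an added example (not part of the original article), here is a check an administrator could run on a Windows Event Forwarding collector in PowerShell: it reads the ForwardedEvents log for the last hour, counts events per source host, and reports any expected host that has gone quiet, because an endpoint that silently stops forwarding, whether from misconfiguration or tampering, looks identical from the central store. The expected host list and the one-hour window are constructed assumptions.

```powershell
# Added example, not from the original article. Runs on a WEF collector where
# forwarded events land in the 'ForwardedEvents' log. $ExpectedHosts is a
# constructed list; in practice pull it from AD or your CMDB.
$ExpectedHosts = @('SRV-DC01', 'SRV-FILE01', 'SRV-WEB01')   # assumption
$WindowHours   = 1                                          # assumption

function Get-SilentForwarders {
    param([string[]]$Expected, [int]$Hours)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    # Normalise FQDNs to short names so 'srv-dc01.corp.example' matches 'SRV-DC01'
    $seen = @{}
    foreach ($e in $events) {
        $short = ($e.MachineName -split '\.')[0].ToUpperInvariant()
        $seen[$short] = $seen[$short] + 1
    }
    $result = foreach ($h in $Expected) {
        $key = $h.ToUpperInvariant()
        [pscustomobject]@{
            Host           = $h
            EventsInWindow = [int]$seen[$key]
            Silent         = -not $seen.ContainsKey($key)
        }
    }
    return $result
}

$report = Get-SilentForwarders -Expected $ExpectedHosts -Hours $WindowHours
$report | Format-Table -AutoSize
$silent = $report | Where-Object Silent
if ($silent) {
    # A host that has stopped forwarding deserves the same attention as a noisy one:
    # it may be down, misconfigured, or its forwarding may have been disabled.
    Write-Warning ("No forwarded events in the last {0}h from: {1}" -f $WindowHours, ($silent.Host -join ', '))
}
```

Schedule this alongside the collector's own health checks so that a gap in forwarding is noticed before the logs are needed for an investigation.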
- Use temporary accounts to log in to servers. Another way to minimize exposure is to create temporary logins for different accounts on the server. These logins can be created easily and set to expire automatically after a given time. Privileged Access Management (PAM) tools help to automate the whole process.
For example, organizations often hire sub-contractors to perform small adjustments on their networks, which may require access to the admin area of the network. You could create an admin account for them and later delete it when they have completed their job. However, sometimes you may forget that you added someone with network privileges, leaving your network open to possible security threats and data safety issues. A temporary account in this example would help reduce this risk.
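As an added example (not from the original article), this is what the temporary-account pattern looks like in PowerShell with the ActiveDirectory module: the contractor account is created with a hard expiration date, and a daily cleanup finds accounts past their expiry, strips the privileged group membership and flags anything in the temporary OU that was created without an expiry. The OU path, group name and naming convention are assumptions.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and that the OU and group below already exist in your domain.
Import-Module ActiveDirectory

$TempOu          = 'OU=Temporary,OU=Admins,DC=corp,DC=example'   # assumption
$PrivilegedGroup = 'Tier1-ServerAdmins'                           # assumption

function New-TemporaryAdmin {
    param(
        [Parameter(Mandatory)] [string]$Contractor,   # e.g. 'acme-jsmith'
        [int]$ValidDays = 3
    )
    $expires  = (Get-Date).AddDays($ValidDays)
    $password = Read-Host -AsSecureString 'Initial password'
    # AccountExpirationDate makes AD refuse logons after the date even if
    # nobody remembers to clean up; the cleanup below handles the leftovers.
    $user = New-ADUser -Name "tmp-$Contractor" -SamAccountName "tmp-$Contractor" `
        -Path $TempOu -AccountPassword $password -Enabled $true `
        -AccountExpirationDate $expires -Description "Temporary access, expires $expires" `
        -PassThru
    Add-ADGroupMember -Identity $PrivilegedGroup -Members $user
    return $user
}

# Run daily from a scheduled task. An expired account can no longer log on,
# but its group membership lingers, so remove it and disable the account.
function Remove-ExpiredTemporaryAdmins {
    $expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $TempOu
    foreach ($acct in $expired) {
        Remove-ADGroupMember -Identity $PrivilegedGroup -Members $acct -Confirm:$false
        Disable-ADAccount -Identity $acct
        Write-Output "Revoked $($acct.SamAccountName) (expired $($acct.AccountExpirationDate))"
    }
    # Anything in the temporary OU with no expiry at all is the forgotten
    # contractor account the article warns about.
    Get-ADUser -Filter * -SearchBase $TempOu -Properties AccountExpirationDate |
        Where-Object { -not $_.AccountExpirationDate } |
        ForEach-Object { Write-Warning "No expiry set on $($_.SamAccountName)" }
}
```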
- Restore and rebuild from reliable backups. Backup and restore refers to the practice of making periodic copies of data and applications to a separate, secondary device and then using the copies to restore and rebuild.
The key to reliable backups is to find the best option for your organization that will allow you to restore and rebuild if the original data and applications are held hostage or damaged due to a cyber infiltration, or even a power outage, a human error, a disaster, or some other unplanned event. Keep in mind that while a backup copy can help you recover from a cyber threat, it cannot prevent data leakage if the cyber criminal decides to publish your valuable data.
Minimizing damage from a cyberattack is possible, but it requires constant diligence and effort. The amount of damage and required work to overcome an attack can be reduced significantly if you take the necessary steps and precautions to provide protection. Before your organization gets breached, and it will, implement the steps above and you’ll be better prepared to defend against an attack should you need to.
Joe Dibley is a Security Researcher at Netwrix. An expert in Active Directory, Windows, and a wide variety of enterprise software platforms and technologies, he researches new security risks, complex attack techniques, and associated mitigations and detections.