5 Ways to Close Data Security Gaps Before an Attack
With any ransomware attack or security event, there is a before, a during and an after. Knowing how to protect your organization at every phase starts with understanding how an attack unfolds.
In this article I will start with the front end of an attack and discuss what you need to do and put in place to close the gaps that create vulnerabilities and entry points for attackers.
What happens before an attack?
Typically, before an attack occurs or a breach occurs, a few things will happen:
- The attackers will reconnoiter their target. They will learn whether you have cybersecurity insurance, from whom, and how much it covers. They will assess your critical operations and supply chain to determine where an attack can do the worst damage.
- The attackers launch a campaign. This usually happens via email, prompting a user to install a small piece of software that “calls home” and acts as a gateway into the target environment.
- The attackers will “inhabit” the environment. Once inside, they can linger undetected and wait for the worst possible time (for you) to deploy their ransomware payload, which scans and maps the target network and propagates to on-premises and cloud systems, mapped and unmapped.
What can you do to repel them and prevent a successful attack?
5 ways to close security gaps before an attack
These 5 elements are essential to help you proactively strengthen your defenses and ward off an attack:
1. Perform good data hygiene on the systems. (Patch management is key.)
Unsupported operating systems and unpatched software open the door to malware infections and other exploits from attackers. Once threat actors gain access to the environment, they methodically seek out key systems and sensitive data to exploit.
This is why it is beneficial to have a well-defined patch management program that drives the rollout of patches and updates soon after they are released, with a target of three to seven days for patches and critical updates and no more than 30 days for others. In many cases, by the time a vendor releases a patch, cybercriminals are already aware of the vulnerability and have developed, or are developing, a tool to exploit it. For example, the WannaCry ransomware spread so widely because targeted organizations failed to update systems running older operating systems, even though a patch had been released and available for some time.
System configuration errors can also lead to breaches. Open ports and improperly configured firewalls or routers can allow attackers to gain access to your network, or expose network information that leads to access.
Tip: Try a fun, competitive approach to your patch management program: show how each business unit performs against the others – no team wants to be the slowest! It can motivate and inspire teams to improve.
2. Implement multi-factor authentication and vault administrator credentials for all systems.
Poor password management practices and insecure endpoints create vulnerabilities, and passwords and credentials with privileged access are especially valuable to attackers. Vaulting shared and administrator credentials adds a safeguard for the credentials of shared resources on your network: the vault acts as a repository whose passwords are automatically rotated after each connection.
If an employee uses the same password for multiple personal and corporate accounts and one of the accounts is compromised, attackers can gain access to the other accounts using the compromised credentials. Multi-factor authentication adds additional steps and security, requiring a personal device or biometric data to prove identity.
3. Provide consistent logging throughout the environment
Security and access logs are absolutely essential in helping you identify the source of an attack, or “patient zero”. The sooner you can do this, the sooner you can apply the necessary fixes and restore a clean backup. After an attack, these logs also allow you to provide the required proof of compliance to regulators, describing what happened and demonstrating that your organization was indeed taking the necessary precautions.
It is not enough to maintain security logs. They also need to be protected from attackers, who will target these logs for deletion or modification to cover their tracks. You can read more about why and how to protect security logs in this article.
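One way to make tampering with a log detectable is to hash-chain its records, so that editing or deleting an entry breaks every link after it. The following is an added example, not code from the original post or from Pure Storage; the access-log records and the tampering scenario are constructed.

```python
# Tamper-evident security log via a SHA-256 hash chain. Added example, not code
# from the original post or from Pure Storage; the log records are constructed.
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first record (constructed constant)


def _digest(prev_hash, event):
    """Hash canonical JSON of (previous hash, event) so any edit is detectable."""
    body = json.dumps({"prev": prev_hash, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append_record(chain, event):
    """Append an event dict, linking it to the hash of the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev_hash, "event": event,
                  "hash": _digest(prev_hash, event)})
    return chain[-1]["hash"]


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, first broken index)."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(rec["prev"], rec["event"]):
            return False, i
        prev_hash = rec["hash"]
    return True, None


def build_sample_log():
    """Constructed sample access log: records a defender needs to stay intact."""
    chain = []
    append_record(chain, {"ts": "2024-01-10T08:01:00Z", "user": "alice",
                          "action": "login", "result": "ok"})
    append_record(chain, {"ts": "2024-01-10T08:05:00Z", "user": "alice",
                          "action": "read", "path": "/finance/q4.xlsx"})
    append_record(chain, {"ts": "2024-01-10T08:09:00Z", "user": "svc_backup",
                          "action": "login", "result": "fail"})
    return chain


if __name__ == "__main__":
    log = build_sample_log()
    print("clean log:", verify_chain(log))        # (True, None)
    log[2]["event"]["result"] = "ok"               # rewrite the failed login
    print("after edit:", verify_chain(log))        # (False, 2)
```

Note that truncating the tail of the chain is not caught by the chain alone, so the latest hash should be anchored somewhere the attacker cannot reach (a write-once or off-box store) to detect that case as well.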
4. Implement a rapid analysis platform to help identify signs of threat actors in the environment. “Threat hunters” can actively search for and clean up indicators of compromise.
Fast, real-time scans can help detect suspicious behavior, anomalies and more, alerting you to the possibility of an attack. If unusual activity occurs in your environment, a rapid scanning platform will surface it before it is too late, and threat hunters can identify the intruders and root them out before your data is significantly compromised.
Tip: Your architecture should be designed with resilience and durability in mind. For example, implementing SafeMode™ snapshots from Pure Storage® can protect critical backup data from deletion.
5. Organize regular training and security awareness tabletop exercises with an emphasis on ransomware
Employees can be the weakest link in a business, especially when it comes to cyber threats. They are frequently victims of email phishing scams, one of the most common ransomware attack vectors. Phishing emails trick users into downloading malware attachments or clicking links that lead to compromised content with hidden malicious code. Inadequate password security policies can lead to impersonation or unauthorized access to high-level information.
Remote devices on the corporate network, using outdated software or operating systems, can also open the door to cyber attacks. Without clear Internet and email policies, employees won’t know how to access, use and share sensitive data securely, or what information should and should not be shared via email. Data access policies ensure that each employee has access only to the systems and data they need to do their jobs.
Tip: Implement end-user awareness training and measure its effectiveness. This will help you identify weak spots where you need to follow up. At the board and senior management level, tabletop drills should be done at least once a year to make sure everyone knows the game plan in the event of an attack.
Other vulnerabilities to note
The shift to remote working and BYOD (Bring Your Own Device) policies has increased attacks on mobile devices. Insecure Remote Desktop Protocol (RDP), along with virtual desktop endpoints and poor network configurations, create vulnerabilities that can lead to ransomware attacks. Poorly secured endpoints can be exposed to Wi-Fi hacking and man-in-the-middle attacks, exposing the corporate network and sensitive data.
RDP is the second most commonly exploited ransomware attack vector and is often used by attackers to gain unseen access to corporate networks. The security of RDP connections can be explicitly set, but in many cases the connections are protected with weak passwords and use a well-known default standard port, which is also poorly secured. RDP credentials can also be purchased on the dark web, and once the credentials are obtained, hackers can bypass endpoint security to gain access to a company’s systems.
Protect your data with Pure Storage®
While it is not possible to guard against all known security threats, knowing the common vulnerabilities that cause ransomware attacks can help you create the right plan to minimize your risk before an attack occurs.
Pure can help you at the “before” stage by:
- Providing access to a large pool of scan data and the fastest scan processing to identify threats
- Protecting against internal administrative errors
For more information and guidance on the next steps, check out these two helpful resources:
Stay tuned for parts 2 and 3 where I will go into threats and backups during and after an attack.