What do you do when you figure out that your systems have been compromised? Check out the guest blog post below that has excellent tips for organizations that find themselves in the unenviable position of trying to put Humpty Dumpty back together again.
This event got me thinking, and the first thought that popped into my head was that no matter how vigilant an organization is, there’s a very good chance that a cyberattack will be successful. That’s because cyberattackers have become very sophisticated, they are very good at what they do, and their tactics evolve rapidly, seemingly by the hour. They also can be very persistent and patient and are highly motivated. In this way, a cyberattacker is very much like a burglar, who will spend weeks observing a target to determine whether it is worth breaching and if so, the best time and approach for doing so. And if a burglar really wants what is inside, he is going to find a way in.
All of that is not to say that you should give up on cybersecurity — it’s still good thinking to do everything possible to prevent cyberattacks. But it’s equally good thinking to develop a strategy and tactics designed to lessen the severity of such an attack if it occurs. Here’s where to start:
- It is imperative that a disaster-recovery plan that addresses, on a high level, the agency’s IT assets exists — it should be an element of the agency’s continuity-of-operations plan. It should be as comprehensive as possible, even to the point of contemplating scenarios that are highly unlikely. The DR plan should be exercised and updated regularly, at least annually.
- Expect that the DR plan doesn’t work exactly how you envisioned it — that’s why you exercise it, to discover the bugs and then fix them.
- It’s a good idea to place backup servers, applications, and databases in the cloud. In this example, the city’s on-premises primary and backup infrastructure — i.e., physical and virtual servers — was attacked and compromised, but everything that resided in the cloud came away unscathed.
- If a cyberattack occurs, immediately assess the specific damage, because the sooner that you do, the sooner that you can develop a post-attack mitigation plan. This seems intuitive, but planning often is neglected in the heat of the moment. Think of this in terms of a structure fire — firefighters never are sent into a burning building unless size-up has occurred and a plan for attacking the blaze has been developed. The temptation is to rush in and extinguish the blaze, but that’s exactly the wrong thing to do — if it’s an oil fire, you don’t want to pour water on the flames, and if the structure has been compromised, you don’t want to send firefighters to the roof. It works the same way when responding to a cyberattack.
- The mitigation plan should prioritize each IT capability category and determine the order in which they are brought back online. In this example, the city identified three major categories — the network, the Active Directory, and the servers and applications that run on the network.
- After the initial prioritization occurs, the next step is to prioritize within each major category that has been identified. In this example, the 911 system, particularly the CAD system, was the top priority in the servers-and-applications category.
- After the mitigation plan is drafted, bring all stakeholders together to ensure that the priorities are correct and that they understand the plan’s timing.
- During the restoration process, be overly cautious and thorough — you don’t want to miss something and in doing so cause a reinfection.
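The two-level prioritization described above (categories first, then individual services within each category) only works on the day if it is written down precisely enough to be followed under pressure, and if it respects the fact that some systems cannot come up before the ones they depend on. Below is an added example, not code from the original post or from the city it describes, that turns such a plan into an explicit bring-up order: dependencies are hard constraints, and among everything that is currently restorable the earliest category and then the lowest priority number go first. The inventory, dependencies and priority values are constructed for illustration, and the `Asset`, `restoration_order` and `has_circular_dependency` names are the example's own.

```python
"""Restoration-order planner: an added example, not code from the original post
or from the city it describes.

It turns the post's two-level prioritisation (categories first: network, then
Active Directory, then servers and applications; then priorities within each
category, with 911/CAD on top) into an explicit bring-up order, while treating
dependencies as hard constraints so nothing is restored before what it needs.
All asset names, dependencies and priority numbers are constructed for
illustration.
"""
import heapq
from dataclasses import dataclass
from graphlib import CycleError, TopologicalSorter


@dataclass(frozen=True)
class Asset:
    name: str
    category: str             # "network", "active-directory" or "servers-apps"
    priority: int             # lower number = restore sooner within its category
    depends_on: tuple = ()    # names of assets that must be online first


# Category bring-up order from the mitigation plan (assumed; mirrors the three
# categories named in the post). Unknown categories sort last.
CATEGORY_ORDER = {"network": 0, "active-directory": 1, "servers-apps": 2}


def restoration_order(assets):
    """Return asset names in the order they should be brought back online.

    Dependencies are never violated. Whenever several assets are restorable,
    the one in the earliest category wins; within a category the lowest
    priority number wins; names break remaining ties so the result is stable.
    Raises ValueError for an unknown dependency and graphlib.CycleError for a
    circular one; both are plan defects to fix before restoring anything.
    """
    by_name = {a.name: a for a in assets}
    for a in assets:
        missing = sorted(d for d in a.depends_on if d not in by_name)
        if missing:
            raise ValueError(f"{a.name} depends on unknown asset(s): {missing}")

    def urgency(name):
        a = by_name[name]
        return (CATEGORY_ORDER.get(a.category, 99), a.priority, name)

    sorter = TopologicalSorter({a.name: set(a.depends_on) for a in assets})
    sorter.prepare()  # raises CycleError if the dependency graph has a cycle

    ready = []  # min-heap of (urgency, name) for assets whose deps are all done
    order = []

    def pull_ready():
        for name in sorter.get_ready():
            heapq.heappush(ready, (urgency(name), name))

    pull_ready()
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        sorter.done(name)   # may unblock dependents...
        pull_ready()        # ...which join the heap immediately
    return order


def has_circular_dependency(assets):
    """True if the plan can never be executed because of a dependency cycle."""
    try:
        TopologicalSorter({a.name: set(a.depends_on) for a in assets}).prepare()
    except CycleError:
        return True
    return False


# Constructed sample inventory, loosely following the post's three categories.
SAMPLE_INVENTORY = [
    Asset("core-switching", "network", 1),
    Asset("firewall", "network", 2, ("core-switching",)),
    Asset("dc01", "active-directory", 1, ("core-switching",)),
    Asset("dc02", "active-directory", 2, ("core-switching",)),
    Asset("cad-911", "servers-apps", 1, ("dc01", "firewall")),
    Asset("email", "servers-apps", 5, ("dc01",)),
    Asset("permits-portal", "servers-apps", 9, ("dc01", "firewall")),
]

if __name__ == "__main__":
    for step, name in enumerate(restoration_order(SAMPLE_INVENTORY), 1):
        print(f"{step}. {name}")
```

Running it on the sample inventory brings up the network first, then both domain controllers, and only then the CAD system ahead of the lower-priority applications, even though CAD was restorable as soon as its first domain controller and the firewall were back. An unknown or circular dependency stops the planner outright, which is the right behaviour: it is a defect in the plan that the stakeholder review described above should catch before anything is restored.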
Here’s a link to the above article: “Your Agency Experienced a Cyberattack — Now What?”