6 Min Read
A little while ago, I wrote an article about how to recover from a security breach detailing the basic steps of the process:
- Initial preparation;
- Stopping the attack;
- Investigating the attack;
- Notifying the affected parties and the authorities;
- Restoring/replacing affected assets; and
- Preparing for the next attack.
While these steps outline the basic process for breach recovery, they don’t provide all of the answers. The thing is, some of the specific measures you take when dealing with a security breach might have to change depending on the type of breach that occurs. By “security breach types,” I’m referring to the specific methods of attack used by malicious actors to compromise your business’ data in some way—whether the breach results in data loss, data theft, or denial of service/access to data.
With this in mind, I thought it might be a good idea to outline a few of the most common types of security breaches and some strategies for dealing with them.
1) Ransomware Attacks
In recent years, ransomware has become a prevalent attack method. In this type of security breach, an attacker uploads encryption malware (malicious software) onto your business’ network. Once on your system, the malware begins encrypting your data.
After the encryption is complete, users find that they cannot access any of their information—and may soon see a message demanding that the business pays a ransom to get the encryption key. If the ransom isn’t paid in a timely fashion, then the attacker will threaten to delete the encryption key and leave the victim’s data forever unusable.
Dealing with Ransomware Attacks
There are a few different ways to handle a ransomware attack:
- Using Remote Data Backups. One of the best ways to thwart ransomware is to simply wipe your encrypted drives clean and restore them from a remote backup of some kind—you get to keep your data, and the attacker gets nothing.
- Using Decryption Services. Another option is to have a company with access to powerful decryption tools try to break the encryption. However, this is not generally considered an ideal solution because decryption can take a lot of time and effort—and that’s when decryption works.
- Paying the Attacker. Many companies feel the pressure to simply pay the attacker’s ransom and be done with it to get their data back—usually because they don’t have a remote backup and can’t afford to wait for a successful decryption. However, payment of the ransom doesn’t guarantee that the encryption key will be provided. Also, this rewards the attacker and encourages them to make more attacks in the future.
Of the above options, using a remote backup is probably the best one—it’s the quickest fix, and it keeps the attackers from profiting from their attack. However, this does require a certain amount of preparation on your part. After all, you need to have some kind of backup system that is up-to-date with your business’ most important information while still being isolated enough not to be impacted by ransomware.
2) Insider Attacks
One of the biggest security breach risks in any organization is the misuse of legitimate user credentials—also known as insider attacks. These attacks leverage the user accounts of your own people to abuse their access privileges. Some insider attacks are the result of employees intentionally misusing their privileges, while others occur because an employee’s user account details (username, password, etc.) are exposed to malicious actors.
Whether it’s a rogue employee or a thief stealing employees’ user accounts, insider attacks can be especially difficult to respond to. In many cases, the actions taken by an attacker may look completely normal until it’s too late to stop the breach.
Dealing with Insider Attacks
The best way to deal with insider attacks is to prepare for them before they happen. How can you prepare for an insider attack? Some key strategies include:
- Applying a Policy of Least Privilege to All Users. Implementing a policy of least privilege (POLP) means limiting each account user’s access to only the bare minimum required for them to perform their job function. The less a user account has access to, the less damage it can cause if it gets misused.
- Using Defense in Depth Strategies. One of the major issues with insider attacks is that they can bypass all of your network’s perimeter security measures—rendering them useless. Using a defense-in-depth cybersecurity strategy that adds extra layers of security between the different assets on your network can help slow down attackers by forcing them to spend time and effort on breaking out of whichever part of your network they start in. This gives you and your cybersecurity team more time to discover and stop the attack.
- Adding Intrusion Detection Systems (IDSs). An intrusion detection system helps to alert your cybersecurity incident response team to security breaches so they can contain and eliminate the threat sooner rather than later. Using an IDS that can monitor unusual requests is especially important for detecting insider attacks quickly.
3) Phishing and Social Engineering Attacks
When attackers use phishing techniques on your employees, they aren’t always just after your employees’ user account credentials. Some phishing attempts may try to directly trick your employees into surrendering sensitive customer/client data. Others may attempt to get employees to click on links that lead to websites filled with malicious software—or, just immediately download and launch such malware.
Many of these attacks use email and other communication methods that mimic legitimate requests. For example, email phishing (and highly-targeted spear-phishing) attacks might attempt to recreate the company logos and style of your business or its vendors.
Dealing with Phishing and Social Engineering Attacks
Once again, an ounce of prevention is worth a pound of cure. The first step in dealing with phishing and similar attacks that try to trick your employees into giving away sensitive information or otherwise compromise your security is to educate your employees about phishing attacks.
Additionally, setting some clear policies about what information can and cannot be shared online can help to prevent employees from accidentally giving away sensitive information.
If a phishing attempt is discovered, be sure to alert your employees to the attempt, and include which, if any, vendors were imitated in the attack. This helps your employees be extra vigilant against further attempts.
If the goal of the phishing attack was to trick users into downloading malware, have the employee immediately disconnect their workstation (or whatever device downloaded the malware). Then, they should shut the device down to make sure the malware cannot be spread to other devices on the network in case the device’s Wi-Fi gets activated. These actions should be outlined in your company’s incident response plan (IRP)—and employees should be trained to follow these steps quickly in case something happens.
4) Software Bugs and Vulnerabilities
While modern business software programs and applications are incredibly useful, the sheer complexity of such software can mean that it has bugs or exploits that could be used to breach your company’s security. Attackers often use old, well-known software bugs and vulnerabilities to breach the security of companies that are lax about applying their security patches in a timely manner.
Some attacks even take advantage of previously-unknown security vulnerabilities in some business software programs and mobile applications to create a near-unstoppable threat. However, these are rare in comparison.
Dealing with Software Vulnerabilities
The best response to breaches caused by software vulnerabilities is—once the breach has been contained and eliminated—to immediately look to see if the compromised software has a security patch available that addresses the exploited vulnerability. If so, it should be applied as soon as it is feasible. If not, the software developer should be contacted and alerted to the vulnerability as soon as possible.
In the meantime, finding ways to prevent the exploit from being used, such as by disabling a feature used in the exploit, writing a custom firewall rule blocking specific requests targeting the vulnerability, or even uninstalling the software temporarily may be necessary. Additionally, proactively looking for and applying security updates from software vendors is always a good idea.
The attacking IP address should also be added to a blacklist so further attempts are stopped before they begin—or at least delayed as the attacker(s) attempt to spoof a new IP address.
Before Any Security Breach, Preparation is Key
A common theme in many of the security breach responses listed above is that they generally require some form of preparation before the breach occurs.
The question is this: Is your business prepared to respond effectively to a security breach?
If you need help preparing your incident response plan, or just getting up to speed on the basics of cybersecurity, please contact us today! Compuquip Cybersecurity is here to help you minimize your cybersecurity risks and improve your overall cybersecurity posture.
Managed Security Services
Discover how to accelerate the effectiveness of your firewall monitoring and management.