
Prevent your company from being hacked again: discover Kaspersky's solutions

After a breach, a company needs to improve its security quickly and efficiently. Let's take the first steps towards cyber resilience.

Major cyber incidents are a good reason to improve things, not only in information security but in IT as a whole. Management is willing to commit resources and genuinely wants change, but you need to be realistic about scope and funding. Which measures contribute most to preventing new incidents and minimizing their impact?

Being prepared for future cyber attacks is called cyber resilience. It is not just about reinforcing defenses: for a company, cyber resilience is the ability to keep operating in the face of a cyber attack or another cyber incident. It means technical and organizational measures for detecting, responding to and recovering from incidents, and then adapting and learning from them. The concept is established in the ISO/IEC 27001 standard.

Or, as organizations themselves usually put it: how can a company stop ransomware from getting in, and stop it from doing damage if it does get in? That is the question we will try to answer.

Where to start?

The list of attack prevention and mitigation technologies is almost endless. You should prioritize by assessing the risk and damage of different kinds of security incidents, concentrating on the attacks most likely according to the ATT&CK framework, and applying detailed guides on mitigating specific risks (example 1, example 2). But there are a few important first steps. First of all, do not spread yourself too thin: we recommend focusing on a few key solutions whose effect is so significant that all other projects should wait until these fundamentals are in place. Every solution on this list substantially reduces the risk of the most common attacks, simplifies incident response and limits the damage if an intrusion does happen. So, if your company is missing anything on this list, implement it as a priority.

We cannot overemphasize the importance of deploying these technologies on ALL of your company's computers. That means all endpoints (including every corporate and personal laptop and smartphone), all servers, and all virtual and containerized workloads. There is a big trap here: shadow IT. Despite your best efforts, there may be computers and servers you do not know exist. So start with an inventory of all IT assets, to make sure your security policies cover the entire corporate infrastructure.

Endpoint detection and response

All computers, including servers and virtual machines, must have an EDR agent installed, with its network-blocking features enabled. EDR is a foundational protection technology: it combines anti-malware protection with the monitoring and response capabilities that more advanced security systems build on.

Make sure you receive telemetry from every computer, because any internal or external security specialist will need it to analyze an incident quickly. Major vendors, such as Kaspersky, automatically block the most common cyber threats, so make sure that every feature that blocks known malicious activity is enabled on all computers under a single, unified policy.
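An added example (not code from the original post or from Kaspersky): a Python script that reconciles the asset inventory from the previous section with what the EDR console reports, to surface the shadow-IT hosts, silent agents and mis-policied agents described above. The host lists, the policy name "Corporate-Block", the seven-day staleness threshold and the timestamp format are constructed assumptions; in practice the two lists would come from AD/vCenter/DHCP exports and the EDR vendor's API.

```python
"""Reconcile the asset inventory against EDR agent check-ins to find unprotected hosts."""
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real hosts). INVENTORY is what AD, vCenter and DHCP
# know about; EDR_AGENTS is what the EDR console reports, with last check-in in UTC.
INVENTORY = [
    {"hostname": "FIN-LAPTOP-07.corp.example", "source": "AD"},
    {"hostname": "db-prod-01.corp.example", "source": "vCenter"},
    {"hostname": "ci-runner-3", "source": "DHCP"},   # only DHCP has seen it: shadow IT
    {"hostname": "hr-web-02.corp.example", "source": "AD"},
]
EDR_AGENTS = [
    {"hostname": "fin-laptop-07", "last_seen": "2024-05-10T08:15:00Z", "policy": "Corporate-Block"},
    {"hostname": "DB-PROD-01.corp.example", "last_seen": "2024-04-01T02:00:00Z", "policy": "Corporate-Block"},
    {"hostname": "hr-web-02", "last_seen": "2024-05-10T09:00:00Z", "policy": "Audit-Only"},
    {"hostname": "lab-vm-9", "last_seen": "2024-05-09T23:40:00Z", "policy": "Corporate-Block"},
]
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible
REQUIRED_POLICY = "Corporate-Block"   # assumed name of the policy with all blocking features on


def canonical(hostname: str) -> str:
    """Lower-case and drop the DNS suffix so 'FIN-LAPTOP-07.corp.example' matches 'fin-laptop-07'."""
    return hostname.strip().lower().split(".")[0]


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_report(inventory, agents, now, stale_after=timedelta(days=7),
                    required_policy=REQUIRED_POLICY):
    """Classify every inventoried host: no agent, agent silent too long, or agent on the wrong policy.

    Agents that no inventory source knows about are reported separately: they are shadow IT too,
    just discovered from the other direction.
    """
    agent_by_host = {canonical(a["hostname"]): a for a in agents}
    inventoried = {canonical(h["hostname"]) for h in inventory}
    report = {"missing": [], "stale": [], "wrong_policy": [], "unknown_to_inventory": []}
    for host in sorted(inventoried):
        agent = agent_by_host.get(host)
        if agent is None:
            report["missing"].append(host)
            continue
        if now - parse_utc(agent["last_seen"]) > stale_after:
            report["stale"].append(host)
        if agent.get("policy") != required_policy:
            report["wrong_policy"].append(host)
    report["unknown_to_inventory"] = sorted(set(agent_by_host) - inventoried)
    return report


def demo_report():
    """Run the reconciliation over the constructed sample data."""
    return coverage_report(INVENTORY, EDR_AGENTS, NOW)


if __name__ == "__main__":
    for category, hosts in demo_report().items():
        print(f"{category:22s} {', '.join(hosts) or '-'}")
```

The hostname normalization matters more than it looks: AD exports FQDNs while many EDR consoles show NetBIOS-style short names, and without it every host appears "missing". Run the report on a schedule and treat a non-empty `missing` or `unknown_to_inventory` list as a ticket, not a dashboard number.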

Multifactor authentication

According to various estimates, 60 to 80% of cyber attacks begin with account theft. That is why protecting access to computer systems with just a password is considered unacceptable: a password is too easy to guess, steal or brute-force. User login must be supplemented with MFA. The most common form uses two factors (a password plus a one-time code), which is why it is known as two-factor authentication or 2FA. The most economical option is an authenticator app, but depending on the organization's specifics and the employee's role it can be any combination of app, USB token, biometrics and so on.
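To show what the "one-time code" factor actually is, here is an added example (not code from the post or from Kaspersky) implementing TOTP as authenticator apps use it: HOTP per RFC 4226 with a time-based counter per RFC 6238, a one-step clock-drift window, constant-time comparison and a replay guard. The secret is the one from the RFC 6238 test vectors; the `last_counter` that the replay guard relies on is assumed to be stored per user by the caller.

```python
"""TOTP one-time codes (RFC 6238 over RFC 4226 HOTP), verified with a drift window and replay guard."""
import base64
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"   # the shared secret used by the RFC 6238 test vectors


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (otpauth:// URIs); decode it."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, dynamic truncation, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """The time-based variant: the counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6, algo=hashlib.sha1):
    """Return the counter that matched, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and refuses any
    counter <= last_counter so a phished or shoulder-surfed code cannot be replayed. The
    caller must persist the returned counter per user (assumed here, not implemented).
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algo), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code)
    print("accepted at counter:", verify_totp(RFC_SECRET, code, now))
```

Two things this makes visible that a vendor checkbox does not: the server must have a reasonably accurate clock (the window only covers one step of drift), and a code is only "one-time" if the server records the counter it accepted; without the replay guard, a code captured by a phishing proxy is valid for the whole window.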

Protected backups

Backups protect a business against far more than fires and hardware failures; they also protect against a range of cyber attacks. Ransomware operators know this, which is why practically every ransomware attack includes the deliberate deletion of backup copies. For this reason a backup strategy must cover every scenario: rapid recovery from an easily accessible copy after a hardware failure or other IT incident, as well as guaranteed recovery after a ransomware attack. Two separate backups are very likely needed. Ransomware-resistant backups are not only those stored on media physically disconnected from the network (not very convenient, but reliable), but also those kept in newer "immutable" storage, where data can be added but not replaced or deleted (convenient, reliable, and potentially expensive). Once you have created your immutable backup, run a recovery drill to (a) confirm that restoration actually works and (b) measure how long it takes (this will also speed up your team's response in a real attack).
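An added example (not from the post or from Kaspersky) of checking that a cloud backup bucket really is "immutable" in the sense used above, i.e. data can be added but not replaced or deleted. It assumes Amazon S3 Object Lock as the immutable storage and follows the response shapes of boto3's `get_object_lock_configuration()` and `get_bucket_versioning()`; the bucket names and their configurations are constructed, and an empty dict stands in for the "configuration not found" error the real API raises when Object Lock was never enabled.

```python
"""Audit backup buckets against an 'immutable' bar: Object Lock on, COMPLIANCE mode, long retention."""

# Constructed sample configurations in the shape boto3 returns for
# get_object_lock_configuration() ("lock") and get_bucket_versioning() ("versioning").
# In practice you would call those two APIs for every bucket that holds backups.
BUCKETS = {
    "backups-immutable": {
        "versioning": {"Status": "Enabled"},
        "lock": {"ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}},
    },
    "backups-governance": {
        "versioning": {"Status": "Enabled"},
        "lock": {"ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
    },
    "backups-plain": {
        "versioning": {"Status": "Suspended"},
        "lock": {},   # stands in for the ObjectLockConfigurationNotFoundError the API raises
    },
}


def immutability_findings(versioning: dict, lock: dict, min_retention_days: int = 30) -> list:
    """Return human-readable findings; an empty list means the bucket is acceptable as a
    ransomware-resistant backup target."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled, so an overwrite replaces the only copy")
    cfg = lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled: anyone with s3:DeleteObject can remove backups")
        return findings
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention rule: new backups are not locked unless the "
                        "writer sets retention on every object")
        return findings
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {rule.get('Mode')}: GOVERNANCE can be bypassed by "
                        "a principal holding s3:BypassGovernanceRetention, which a ransomware "
                        "operator with stolen admin credentials would have")
    days = rule.get("Days", 0) + rule.get("Years", 0) * 365
    if days < min_retention_days:
        findings.append(f"default retention is {days} days, below the required {min_retention_days}")
    return findings


def audit(buckets: dict, min_retention_days: int = 30) -> dict:
    """Map each bucket name to its list of findings."""
    return {name: immutability_findings(b["versioning"], b["lock"], min_retention_days)
            for name, b in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit(BUCKETS).items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

The minimum retention is deliberately a parameter: it should be at least as long as the time you expect to need to notice an intrusion, because an attacker who waits out the retention period can then delete the locked copies.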

Management of applications and patches

Every company computer, whether a desktop, a virtual server or the laptop of an employee on a business trip, must have tools installed that let administrators manage the machine remotely. Critical functions include diagnostics (checking that required applications are present, network status, VPN integrity, EDR updates and so on), application installation and updates, vulnerability scanning, and similar tasks.

These capabilities are vital both for daily work and during incident response. In day-to-day operations they maintain cyber hygiene and ensure that important security updates are installed on all computers immediately. During an incident it may be necessary to run, say, a specialized utility or install a certificate, and only a management system makes that possible within a reasonable time, even for remote employees.

The best fit for this task is a UEM system, which lets you manage a variety of devices, including corporate and personal computers and smartphones, and apply company policies to them. You can also equip yourself with more specialized solutions, such as patch management, VNC/RDP and other systems.

Unique passwords

Privileged access management and identity security are very broad topics. Mature identity security raises the company's overall level of protection and makes employees' lives easier. Although a full implementation may be a long-term project, the initial focus should be narrow: first make sure that every company computer is protected by a unique local administrator password. The free LAPS tool can be used to implement this measure. This simple precaution stops intruders from moving quickly across the network, compromising computers one after another with the same credential.

Minimizing vulnerable services

Regularly check your company's public IP addresses from the Internet to make sure that servers and services meant to be available only on the local network are not exposed to the world. If such a service turns up, take immediate steps to block external access to it. If, for some reason, it has to be reachable from the Internet, apply security updates regularly and protect it with MFA. These measures matter most for the services hackers favor, such as web management consoles, RDP, Telnet/SSH, SMB, SNMP and FTP. It is safest to assume that every Internet-facing service is visible to attackers and is regularly scanned for vulnerabilities, misconfigurations and other weaknesses.
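An added example (not from the post or from Kaspersky): a Python parser for nmap's grepable output (`-oG`) that flags the services named in the paragraph above whenever they are open on your external ranges, with an allowlist for services that are meant to be public. The scan output, the IP addresses and the set of "management console" ports are constructed assumptions; the scan itself would be run from outside the network, for example `nmap -sS -p- -oG scan.gnmap <your public range>`.

```python
"""Flag Internet-exposed admin services in nmap grepable (-oG) output."""

# Constructed sample scan (RFC 5737 documentation addresses, not real hosts). Fields in -oG
# output are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Fri May 10 10:00:00 2024 as: nmap -sS -p- -oG - 203.0.113.0/28
Host: 203.0.113.10 (vpn.example)\tStatus: Up
Host: 203.0.113.10 (vpn.example)\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65533)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 8443/open/tcp//https-alt///, 80/closed/tcp//http///\tIgnored State: filtered (65531)
# Nmap done at Fri May 10 10:09:12 2024 -- 16 IP addresses (2 hosts up) scanned
"""

# Services the post singles out as attackers' favorites, keyed by their usual port.
RISKY_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 161: "SNMP", 445: "SMB", 3389: "RDP"}
# Assumed set of ports where web management consoles commonly listen.
MGMT_CONSOLE_PORTS = {8080, 8443, 9090, 10000}


def parse_gnmap(text: str):
    """Yield (host, port, proto, state, service) for every port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0][len("Host: "):].split(" ")[0]
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:          # "Status: Up" lines carry no ports
            continue
        for entry in ports_field[len("Ports: "):].split(", "):
            parts = entry.split("/")
            yield host, int(parts[0]), parts[2], parts[1], parts[4]


def exposed_services(text: str, allowlist=frozenset()):
    """Return (host, port, proto, service, reason) for every open port that should not face the
    Internet. `allowlist` holds (host, port) pairs that are intentionally public."""
    findings = []
    for host, port, proto, state, service in parse_gnmap(text):
        if state != "open" or (host, port) in allowlist:
            continue
        if port in RISKY_PORTS:
            reason = (f"{RISKY_PORTS[port]} reachable from the Internet: block it, or if it must "
                      "stay, put it behind MFA and keep it patched")
        elif port in MGMT_CONSOLE_PORTS or (service.startswith("http") and port not in (80, 443)):
            reason = "possible web management console exposed"
        else:
            continue
        findings.append((host, port, proto, service, reason))
    return findings


if __name__ == "__main__":
    for host, port, proto, service, reason in exposed_services(SAMPLE_GNMAP):
        print(f"{host}:{port}/{proto} ({service}) - {reason}")
```

Run it against every scan and diff the findings against the previous run: a service that was not there last week is exactly the shadow-IT or misconfiguration case the paragraph warns about, and the allowlist keeps the report from being drowned out by the VPN gateway and public website you already know about.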

SOURCE: Kaspersky Blog

Software.com.br is part of Minitab and is a reference in technology solutions for the corporate world in Latin America. Through partnerships with the main manufacturers in the market, it is a company working in digital transformation, with consultants specialized in software licensing, cybersecurity, DevOps, infrastructure and data analytics.

See more about Kaspersky on our site: Software.com.br
