Responding in the Wake of a Cyberattack
- 22 January, 2018 12:11
With cyber threats, it’s only a matter of when and not if you’re going to be impacted. Some attacks are within your control, and some aren’t, so you need to be prepared on what to do when you do become a victim. Understanding the method of threats you face can hopefully help you identify any hack or compromise before it becomes a major incident.
Following Your Company Incident Response Plan
If your company computer or device becomes infected, you should follow your company’s incident response plan and report the cyber incident as quickly as possible to the appropriate person. Many companies have corporate IT policies that define acceptable use, password policies, rules and in some cases, incident response procedures. Every employee should be familiar with these procedures because rapid responses tend to reduce problems or damage from the incident.
These days, some companies have established cyber ambassadors within each department. These people are typically trained and IT knowledgeable and are first-line responders when something suspicious occurs. This approach helps companies quickly review suspicious occurrences or issues and act accordingly — much like emergency responders.
Given the frequency and evolving nature of cyber threats, every company should establish a well-defined and well-planned incident response process. It can mean the difference between surviving a cyberattack or losing all your data with catastrophic consequences.
Reacting to Ransomware Incidents
If you experience a ransomware message, quickly disconnect and isolate your computer from the network to protect against spreading it to other devices in your network. Remove the network cable, turn off Wi-Fi, and power off the infected device. If the message occurs on a corporate computer, follow your company’s incident response plan for the appropriate restore process.
After a ransomware attack has succeeded, you have limited options for how to respond:
» Restore your system and files from a backup.
» Start again with a fresh operating system installation and accept that your files are gone forever.
» Pay the ransom amount, but there’s no guarantee you’ll receive a key to restore your files, so I do not recommend this option!
» Hope security researchers or law enforcement can provide alternative ways to get the encryption key to restore your files — this rarely happens.
Obviously, the best action is to prevent this type of attack by not clicking on unknown links.
Fixing Your Personal Devices
If a personal device, such as a laptop, tablet, or cellphone has been infected with malware, seek expert advice from the IT department where you work or from a computer services firm. In many cases, you may need to connect the hard drive of your device to another system that can then scan the file system for a virus or malware. This will also enable you to back up your critical and important files to another removable hard drive so you can conduct a complete reinstallation of the operating system. You should scan your backup files for any sign of the malware and only then restore them.
Assume that any data stored on an infected device has been stolen and is now in the hands of a cybercriminal. You should also assume that any USB devices you may have used with this device are also infected, and they should all be scanned for any sign of the malware.
Be aware that any Internet services you accessed using the infected device have also been compromised, including the passwords for account access to your bank, financial details, email accounts, and social media accounts, including your social logins that connect you with other Internet accounts.
Changing Passwords, Two-Factor Authentication, and More
To minimize the risk that your personal or business accounts will be abused by cybercriminals after an incident, immediately reset the passwords of all your critical and sensitive accounts. Start with your bank, email, and social media accounts. When resetting your passwords, make sure to perform this from a private network and not via public Wi-Fi.
At the same time, review your security settings to enable two-factor authentication and review your password manager (if you have one):
» Two-factor authentication (2FA): Many password-required accounts also have the ability to enable 2FA, which combines your password with an additional factor required to log on. This factor is typically a PIN or token that’s generated via an SMS text message or mobile phone authenticator app.
» Password manager: A password manager helps you in generating strong, long, and complex unique passwords for each account you have. Consider using free password manager software that helps you create these passwords. This security process reduces cyber fatigue and makes it easier to protect your accounts with a password vault. Some password managers allow you to check for the age of passwords, duplicate passwords, and weak passwords.
Notifying Your Boss, Friends, and Colleagues
Notify your family, friends, and your company that you have been the victim of cybercrime and alert them to check their systems and accounts for any signs of suspicious messages or emails coming from your accounts that could be spreading malware. Be aware of the warning signs and review your security settings.
While some people may be reluctant to share or report that they’ve been victimised in a cyberattack, it’s important to report a cyber incident as soon as possible. A malware infection from a simple email with an attachment could be the first step to a major cyber incident. If unreported, the infection could escalate and impact critical infrastructure or services such as a community power supply, logistics and supply chains, or even hospitals and emergency services that could result in severe damage and possibly loss of life.
About the Author
Joseph Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Chief Security Scientist at Thycotic. He is an active member of the cyber security community and a Certified Information Systems Security Professional (CISSP).