5 Ways to Address Data Security Gaps Before an Attack

With any security event, there’s a before, a during, and an after. Here, Andy Stone discusses the before phase and what you can do to ensure you’re closing the gaps.

Data Security


With any ransomware attack or other security event, there’s going to be a before, a during, and an after phase. To understand how to protect your organization at each phase is to understand how an attack unfolds. Each phase also requires its own unique approach to minimize the damage from a security breach.

In this article, I’ll start with the before phase of an attack and discuss how to close the gaps that create vulnerabilities and inroads for attackers.

What Happens Leading Up to an Attack?

Typically, before an attack or a breach occurs, a few things will happen:

  • Attackers will perform reconnaissance on their target. They will learn if you have cybersecurity insurance, where from, and how much it’s for. They’ll assess your critical operations and supply chain to determine where an attack can do the worst damage.
  • Attackers launch a campaign. This usually happens via email, tricking someone into installing a small piece of software that will “phone home” and serve as a door into the target environment.
  • Attackers will “dwell” in the environment. Once in, attackers may linger undetected and wait for the worst possible time (for the business) to deploy their ransomware payload. The payload will scan and map the target network and propagate to local resources and the cloud, as well as mapped and unmapped systems.

What can you do to head them off and prevent a successful attack?

5 Ways to Close Security Gaps Before an Attack

These five processes are critical to proactively bolstering your defenses and heading off an attack: 

1. Maintain excellent data hygiene on systems. (Patch management is key.)

Unsupported operating systems and unpatched software open the door for malware infections and other attacker exploits. Once threat actors gain access to the environment, they methodically look for key systems and sensitive data to exploit. 

“Hygiene is a hugely missed point in security. A lot of times in the past, we would have pushed it away and said, ‘That’s not our job, right?’ It was IT’s job to keep systems patched and managed. But really, it all flows back to security.” 

Perfecting Cyber Resilience: The CISO Blueprint for Success

That’s why it’s beneficial to have a well-defined patch management program that ensures patches and updates are applied soon after they’re released, with a target of three to seven days for critical patches and updates and no more than 30 days for all others.

In many instances, by the time a vendor releases a patch, cybercriminals are already aware of the vulnerability and are well down the path to developing a tool to exploit it. For example, WannaCry ransomware was widespread because the targeted organizations failed to update older operating systems even though a patch had been released and was available to them for some time.

System misconfigurations can also lead to breaches. Open ports and improperly configured firewalls or routers can give hackers access to your network—or provide information about the network that can lead to access. 

Tip: Try a gamified approach to patch management programs. This can illustrate how each business unit is performing relative to one another—no team wants to be the slowest! This can motivate and incentivize teams to improve. 
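As an added example (not from the article or from Pure Storage), a small Python script that scores each business unit against the patch windows stated above, seven days for critical patches and 30 days for everything else, and lists what is overdue; hostnames, units and dates are a constructed inventory.

```python
from datetime import date, timedelta

# SLA windows stated in the article: critical within 3-7 days (7 is used as the
# hard deadline here), everything else within 30 days
CRITICAL_SLA_DAYS = 7
OTHER_SLA_DAYS = 30

# Constructed sample inventory: (host, business_unit, severity, released, applied)
# applied is None while the patch is still outstanding
SAMPLE_PATCHES = [
    ("web-01", "Finance", "critical", date(2024, 3, 1), date(2024, 3, 5)),
    ("web-02", "Finance", "critical", date(2024, 3, 1), None),
    ("web-03", "Finance", "moderate", date(2024, 3, 1), date(2024, 3, 15)),
    ("db-01", "HR", "critical", date(2024, 3, 1), date(2024, 3, 12)),
    ("fs-01", "HR", "moderate", date(2024, 2, 1), date(2024, 2, 20)),
    ("app-01", "Sales", "low", date(2024, 1, 15), None),
    ("app-02", "Sales", "moderate", date(2024, 3, 10), date(2024, 3, 11)),
]
SAMPLE_TODAY = date(2024, 3, 20)  # constructed "as of" date for the report

def sla_days(severity):
    return CRITICAL_SLA_DAYS if severity == "critical" else OTHER_SLA_DAYS

def is_compliant(severity, released, applied, today):
    """Compliant if applied inside the window, or still open with time left."""
    deadline = released + timedelta(days=sla_days(severity))
    return applied <= deadline if applied is not None else today <= deadline

def scoreboard(patches, today):
    """Per business unit: (compliant, total, percent), best unit first.
    This is the gamified view the tip describes: nobody wants to be last."""
    totals = {}
    for _host, unit, sev, released, applied in patches:
        ok, n = totals.get(unit, (0, 0))
        totals[unit] = (ok + int(is_compliant(sev, released, applied, today)), n + 1)
    board = {u: (ok, n, round(100 * ok / n)) for u, (ok, n) in totals.items()}
    return sorted(board.items(), key=lambda kv: kv[1][2], reverse=True)

def overdue(patches, today):
    """Open patches already past their window: the follow-up list, with age in days."""
    return [(host, unit, sev, (today - released).days)
            for host, unit, sev, released, applied in patches
            if applied is None and today > released + timedelta(days=sla_days(sev))]

if __name__ == "__main__":
    for unit, (ok, n, pct) in scoreboard(SAMPLE_PATCHES, SAMPLE_TODAY):
        print(f"{unit:8s} {ok}/{n} within SLA ({pct}%)")
    for host, unit, sev, age in overdue(SAMPLE_PATCHES, SAMPLE_TODAY):
        print(f"OVERDUE {host} ({unit}, {sev}) open for {age} days")
```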

2. Implement multi-factor authentication and admin credential vaulting for all systems.

Identity is the new perimeter when it comes to enterprise data protection. Poor password management practices and improperly secured endpoint devices create vulnerabilities, and passwords and credentials with privileged access are especially valuable to attackers. Vaulting admin and shared-resource credentials adds an extra safeguard: the vault holds the passwords for shared resources on your network and refreshes them automatically after each login.

“If you look at the breaches that are out there, everything is identity-focused.”

Perfecting Cyber Resilience: The CISO Blueprint for Success

If an employee uses the same password for multiple personal and company accounts, and one of the accounts is compromised, attackers can gain access to the other accounts using the compromised credentials. Multi-factor authentication adds extra steps and security, requiring a personal device or biometrics to prove identity.

3. Provide consistent logging across the entire environment.

Security and access logs are absolutely critical to identifying the source of an attack—or “patient zero.” The sooner you can ID the bad actor, the sooner you can apply the necessary patches and restore a clean backup.

After an attack, these logs also provide required proof of compliance to regulatory agencies, so you can demonstrate that your organization was, in fact, taking the necessary precautions.

But it’s not enough just to maintain security logs. The logs also need to be protected from hackers, who will target them for deletion or alteration to cover their tracks.
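One way to make logs tamper-evident, as an added example that is not from the article: each record carries an HMAC chained to the previous record’s tag, so an edited, deleted or reordered entry breaks verification, and an off-host copy of the latest tag catches truncation of the tail. The key, events and field names are constructed for the demo.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives on the log collector,
# not on the hosts producing the logs, so an intruder on a host cannot re-sign history.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # tag "before" the first record

def append_record(chain, key, event):
    """Append an event; its tag is HMAC(key, previous tag || canonical event)."""
    prev = chain[-1]["tag"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)
    tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "event": event, "tag": tag})
    return chain

def verify_chain(chain, key, anchor_tag=None):
    """Return (ok, first_bad_seq). Catches edited, deleted or reordered records.
    anchor_tag is the last tag as stored off-host; without it, silently
    dropping the newest records (tail truncation) would still verify."""
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        body = json.dumps(rec["event"], sort_keys=True)
        want = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if rec["seq"] != expected_seq or not hmac.compare_digest(want, rec["tag"]):
            return False, expected_seq
        prev = rec["tag"]
    if anchor_tag is not None and not hmac.compare_digest(prev, anchor_tag):
        return False, len(chain)
    return True, None

def build_sample_chain(key=DEMO_KEY):
    """Constructed access-log style events, signed into a chain."""
    events = [
        {"ts": "2024-03-01T08:00:00Z", "user": "alice", "action": "login", "src": "10.0.0.5"},
        {"ts": "2024-03-01T08:02:10Z", "user": "alice", "action": "read", "obj": "payroll.xlsx"},
        {"ts": "2024-03-01T08:05:00Z", "user": "svc-backup", "action": "login", "src": "10.0.0.9"},
    ]
    chain = []
    for event in events:
        append_record(chain, key, event)
    return chain

def simulate_edit(chain, seq, **changes):
    """Copy of the chain with one event altered, to show that verification catches it."""
    out = copy.deepcopy(chain)
    out[seq]["event"].update(changes)
    return out
```

Forwarding each record (or at least each new tag) to a collector the host cannot write back to is what makes the anchor check meaningful.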

4. Implement a fast analytics platform and threat hunters to help identify signs of threat actors in the environment.

Speedy, real-time analytics can help spot suspicious behavior, anomalies, and more to alert you to the possibility of an attack. If unusual activity is happening in your environment, fast analytics platforms will spot it before it’s too late. Threat hunters can identify these anomalies and eradicate them before data is widely compromised.

Tip: Your architecture should be built with resiliency and durability in mind. For instance, implementing SafeMode™ Snapshots from Pure Storage can protect critical backup data from deletion.

5. Regularly run security awareness training and tabletops with a focus on ransomware.

Human beings are often the weakest link in a company, especially where cyber threats are concerned. Employees frequently fall victim to email phishing scams, one of the most common ransomware attack vectors. Phishing emails trick users into downloading malware attachments or clicking on links that lead to compromised content with hidden malicious code. Inadequate password security policies can result in identity theft or unauthorized access to high-level information. 

Remote devices on the company’s network with out-of-date software or operating systems can also open the door to cyberattacks. Without clear internet and email policies, employees won’t know how to access, use, and share sensitive data securely, or what information should and shouldn’t be shared via email. Data access policies ensure that each employee only has access to the systems and data they need to perform their job.

Tip: Implement end-user awareness training and measure its efficacy. This will help you identify any weak points where you need to follow up. At the board and senior level, tabletop exercises should be performed at least annually to ensure everyone knows the game plan in the event of an attack. 


Another “Before” Vector 

The shift toward remote work and bring-your-own-device (BYOD) policies has increased attacks on mobile endpoint devices. Unsecured remote desktop protocol (RDP), as well as virtual desktop endpoints and network misconfigurations, create vulnerabilities that can lead to ransomware attacks. Improperly secured endpoint devices can be susceptible to Wi-Fi hacking and man-in-the-middle attacks, leading to exposure of the company’s network and sensitive data. 

RDP is the second most commonly exploited ransomware attack vector and is often used by attackers to gain unnoticed access to company networks. Security for RDP connections can be explicitly configured, but in many cases connections are protected only by weak passwords and listen on the well-known default port, which is itself poorly secured.

RDP credentials can also be bought on the dark web, and once credentials are obtained, hackers can bypass endpoint security to gain access to a company’s systems. 
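As an added detection example, not from the article: Python that scans constructed records in the shape of Windows Security log events (4625 is a failed logon, 4624 a successful logon, and logon type 10 is RemoteInteractive, i.e. RDP) for a burst of failed RDP logons from one source and notes whether a success followed. Timestamps, user names and addresses are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security events:
# id 4625 = failed logon, 4624 = successful logon; type 10 = RemoteInteractive (RDP)
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:00:01", "id": 4625, "type": 10, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2024-03-01T02:00:03", "id": 4625, "type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"ts": "2024-03-01T02:00:05", "id": 4625, "type": 10, "user": "backup", "src": "203.0.113.7"},
    {"ts": "2024-03-01T02:00:08", "id": 4625, "type": 10, "user": "svc-rdp", "src": "203.0.113.7"},
    {"ts": "2024-03-01T02:00:09", "id": 4625, "type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"ts": "2024-03-01T02:00:40", "id": 4624, "type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"ts": "2024-03-01T09:15:00", "id": 4625, "type": 10, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-03-01T09:15:20", "id": 4624, "type": 10, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-03-01T09:16:00", "id": 4625, "type": 2, "user": "bob", "src": "-"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside any sliding window.
    Each alert also records successful RDP logons from the same source that
    followed within the window, which separates a probable compromise from noise."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        bucket = fails if e["id"] == 4625 else successes
        bucket[e["src"]].append((parse_ts(e["ts"]), e["user"]))
    alerts = []
    for src, attempts in fails.items():
        attempts.sort()
        for i in range(len(attempts) - threshold + 1):
            start, end = attempts[i][0], attempts[i + threshold - 1][0]
            if end - start <= window:
                users = sorted({u for _, u in attempts[i:i + threshold]})
                later_ok = [u for t, u in successes.get(src, []) if start <= t <= end + window]
                alerts.append({"src": src, "start": start.isoformat(), "count": threshold,
                               "users_tried": users, "success_after": later_ok})
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(a)
```

A success with no preceding failures, the pattern when purchased credentials are used, produces no alert here, which is why the MFA step above matters alongside detection.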


Safeguard Your Data with Pure Storage

Although it’s not possible to guard against every known security threat, knowing the common vulnerabilities that cause ransomware attacks can help you create the right plan to minimize your risks before an attack occurs.

Pure Storage can help at the “before” stage by:

  • Providing access to a large pool of analytics data and the fastest analytics processing to identify threats
  • Protecting against internal administrative mistakes

For more information and guidance to take the next steps, check out these two helpful resources:

Learn what to do next during an attack and after an attack has been launched.
