Honan began by warning organizations: “What you put in place to defend or secure your network won’t stop the attackers. It will delay the attackers, but a sophisticated attacker will get by your systems eventually, so what you need to do is design your security to delay them long enough to detect them, so you can respond and kick them back out.”
With this principle in mind, Honan set out the following best security practices for organizations to follow:
Identify Your Key Assets
In the same way certain products and services were picked out as essential during the COVID-19 pandemic, organizations need to understand what parts of their business are most in need of protection. Then, “make sure you’ve got effective patch management and good cybersecurity hygiene in place to keep everything as secure as can be” in these areas.
Have Effective Anti-Virus
Honan noted that many organizations he has helped following a cyber-incident “haven’t had effective anti-virus solutions in place,” which in many cases would have prevented the attack. He added that there are many good products out there that can fulfill this function.
Keep Good User Engagement
Organizations should look at government messaging around COVID-19 restrictions for inspiration about how to communicate cybersecurity best practices, according to Honan. Examples relating to COVID-19 include ‘stay at home’ and ‘get vaccinated’ – “messages that were repeated over and over again.” As a result, “there are very few people at this stage who don’t know what they should be doing in regard to COVID-19.” However, this is often not the case for cybersecurity, and organizations should educate their user base on how to act securely through simple, repeatable messages.
Good Communication During a Breach
When an organization falls victim to a cyber-attack, it should strive to be as open and transparent as possible. Honan said a good example of how to communicate clearly was during the ransomware attack on HSE Ireland earlier this year. Here, the CEO gave a TV interview as early as the following morning, “explaining exactly what was going on” in regard to the impact and response. This prevents panic and speculation about what’s happening.
Have Good Filtering in Place
In another analogy with COVID-19, where the importance of ventilation is well-recognized in helping prevent the virus’ spread, Honan noted that effective filtering at organizations’ endpoints and perimeters are critical in keeping them secure. These include email filtering and web filtering.
Have Good Segmentation
Honan acknowledged this is easier said than done, “particularly as many organizations’’ environments have evolved over time.” Nevertheless, he believes it is time to work out how to isolate systems. “If one part of your environment gets compromised, you can lock it down,” he added.
Have Appropriate Incident Response
Having a practiced plan and processes in place ahead of a cyber-incident underpins an organizations’ ability to deal with it properly. This includes going through the different scenarios that may occur and doing regular exercises to make sure it works. For example, “have you got a press statement ready if you get hit by ransom?” Honan asked. Another aspect is ensuring the organization can respond effectively if an attack takes place during an evening or weekend.
Detect Anomalies and Compromise
Honan noted that unusual activity in your environment could be a sign of an attack. For example, “is somebody logging in from China at 2.00 am on a Sunday night when they should be logging in from Dublin?” Therefore, having these capabilities is crucial in being able to respond quickly to an attack.
Manage Your Network Traffic
Organizations should ensure their traffic is going where it should be going. Honan advised analyzing DNS logs for this purpose, as they “will provide you with huge amounts of data, intel and insights into how your network is working and behaving.”
Given attacks can still be successful, no matter how secure an environment is, businesses should be asking themselves: “If you get hit by a ransomware attack tomorrow, can your organization stay in business?” Honan gave the example of the attack on Norsk Hydro in 2019, who were able to fall back on old paper-based instructions to keep the aluminum plant functioning while their systems were down.
Processes must be in place to apply security patches as soon as they are available, similarly to how vaccines should be taken once offered, commented Honan. While this sounds simple, too often, patches are not applied promptly by organizations.
Honan emphasized that organizations must have their own strategy in place to get their business back up and running after an attack and certainly not rely on the attackers to enable this after a ransom payment. For example, Colonial Pipeline paid $4.4m for a recovery key after suffering a ransomware attack earlier this year, yet “ended up using their own backups anyway because the decryption key was badly written.”