Prevention
1) Verify all security settings for systems – access and administration at all levels, software including operating systems and applications, networks, and other management/monitoring tools. A plan for auditing and regularly updating security settings should be developed and followed. This should be exercised according to governance practices, but at least monthly.
2) Tools used to detect attempts to penetrate the environment should be implemented and tested periodically. These tools continue to evolve and will require continual updating and transitioning to improved tools.
Detection
Detection of an attack in progress is done through a limited number of means:
Recovery
There is great variance in recovery processes depending on the environment – systems and software. There are some general considerations to be undertaken, but a detailed understanding of recovery requires working with technical staff who understand the environment and the organization's requirements.
1) The first step is to understand what potentially is required to be done in the case of a recovery due to a cyber-attack. The starting point for this, from an expediency standpoint, is an existing Disaster Recovery plan. It serves as an outline into which the reasons for recovery, an understanding of the potential for altered/infected data, and the implications of that can be introduced.
2) The recovery sequence from a cyber attack is what is developed first, with the DR recovery sequence as an outline (without a DR recovery plan that includes a detailed sequence of actions, the effort becomes much greater).
3) Existing DR plans are an expedient outline once it is understood what data could be infected/altered and which systems could be compromised. Examining the DR plan with a focus on where the recovery steps change for a cyber attack will lead first to additional investigation that may need to be done, and then to the insertion of additional steps for this type of recovery. Adding steps to identify a ‘known good copy’ of data and to validate the data is the first consideration. Another is the ‘sandbox.’ Propagation of an infection/alteration during recovery is a major concern. To address this, data is recovered to a trial area, termed a ‘sandbox,’ where tests can be done to prove the validity of the recovered data; this is an additional, time-consuming step that needs to be taken.
4) Exercising the recovery from a cyber attack must be added to the regular process for IT operations.
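As an added illustration of the ‘known good copy’ and sandbox validation steps above (not part of the original text), the following Python script records a SHA-256 manifest of the data before an incident, then compares what was restored into a sandbox directory against that manifest and only allows promotion when nothing is altered, missing or unexpected. File names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash in 1 MiB chunks so large restored files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def validate_sandbox(sandbox_root, known_good):
    """Compare data restored into the sandbox against the known-good manifest."""
    restored = build_manifest(sandbox_root)
    return {
        "verified": sorted(p for p in known_good if restored.get(p) == known_good[p]),
        "altered": sorted(p for p in known_good if p in restored and restored[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in restored),
        "unexpected": sorted(p for p in restored if p not in known_good),
    }

def promotion_allowed(report):
    """Promote out of the sandbox only when nothing is altered, missing or unexpected."""
    return not (report["altered"] or report["missing"] or report["unexpected"])

def write_tree(root, files):
    """Write a {name: bytes} map into root (builds the constructed sample data)."""
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

def demo():
    """Constructed scenario: a baseline taken before the incident, then a restore that differs from it."""
    baseline = {"ledger.csv": b"acct,amt\n1,100\n", "config.ini": b"[db]\nhost=db1\n"}
    restored = dict(baseline, **{"ledger.csv": b"acct,amt\n1,999\n", "unknown.bin": b"\x00?"})
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as sandbox:
        write_tree(base, baseline)
        known_good = build_manifest(base)  # in practice stored out of band, where a tainted restore cannot rewrite it
        write_tree(sandbox, restored)
        report = validate_sandbox(sandbox, known_good)
        return report, promotion_allowed(report)
```

The report lists exactly which files block promotion, which is what the recovery team needs before deciding whether to fall back to an older copy.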