1. Introduction

Cyber attacks are a constant threat to organizations and it’s important to have proper measures in place to protect both employees and data. To protect employees, organizations can implement employee education and training, use of security software, network segmentation, strong password policies, regular security updates, and an incident response plan. Additionally, to protect data, organizations can implement data encryption, data backup and disaster recovery, and access controls and user management.

2. How do you help protect your organization from an attack?

2.1 Protecting Employees

To help protect employees from cyber attacks, organizations can take several steps such as:

Employee education and training: Educating employees on how to identify and prevent cyber attacks, such as phishing scams and social engineering tactics, can help reduce the likelihood of a successful attack. This includes providing training on how to identify suspicious emails, how to create strong and unique passwords, and how to avoid falling prey to social engineering attacks.

Use of security software: Implementing security software, such as antivirus programs, firewalls, and intrusion detection systems, can help detect and prevent cyber attacks. This can include deploying endpoint security solutions that can detect and block malware, and email filtering to block malicious links and attachments.

Network segmentation: Segmenting a network into smaller, more secure subnetworks can help limit the potential damage of a successful attack. This can include implementing network access controls, such as firewall rules, to limit access to certain parts of the network based on user roles or device types.

Strong password policies: Enforcing strong password policies, such as requiring the use of long and complex passwords, can help prevent unauthorized access to company systems and data. This can include implementing multi-factor authentication, which requires users to provide more than one form of identification, such as a password and a fingerprint or token.

Regular security updates: Regularly updating and patching systems and software can help prevent known vulnerabilities from being exploited. This can include implementing a patch management process to ensure that all systems and software are updated with the latest security fixes.

Incident response plan: Having a plan in place for responding to a cyber attack can help minimize the damage and ensure a quick recovery. This can include identifying key personnel and resources that will be responsible for responding to an attack, and regularly testing and updating the incident response plan to ensure its effectiveness.

Example of real world cyber attacks targeting employees:

Phishing attack on Google: In 2017, Google reported that it had been targeted by a phishing attack that was specifically designed to steal the credentials of its employees. The attackers sent spear-phishing emails to select Google employees, which were designed to look like they were from trusted sources.

Business Email Compromise (BEC) attacks: Business Email Compromise (BEC) attacks are a type of social engineering attack where attackers impersonate company executives or other trusted individuals in order to trick employees into transferring money or sensitive information. In 2018, the FBI reported that BEC attacks had resulted in losses of more than $12 billion globally.

2.2 Protecting Data

To help protect an organization’s data from cyberattacks, there are several steps that can be taken such as:

Data encryption: Encrypting sensitive data, both at rest and in transit, can help protect it from unauthorized access or exfiltration in the event of a successful cyberattack. This can include using encryption technologies such as AES, RSA, and SSL/TLS.

Data backup and disaster recovery: Regularly backing up important data and having a disaster recovery plan in place can help ensure that data can be quickly restored in the event of a cyberattack. This can include implementing a data backup strategy that includes both on-site and off-site backups.

Access controls and user management: Implementing strict access controls and user management procedures can help prevent unauthorized access to sensitive data. This can include implementing role-based access controls, regularly reviewing and revoking user access, and monitoring for suspicious activity.

Real-world examples:

Marriott data breach: In 2018, Marriott announced that a data breach had resulted in the theft of personal information of millions of guests, including passport numbers, names, and addresses. The attack was believed to have been the work of a Chinese hacking group.

Target data breach: In 2013, Target announced that a data breach had resulted in the theft of millions of credit and debit card numbers, as well as other personal information. The attack was later linked to a third-party vendor’s compromised credentials.

2.3 Protecting Systems

To help protect an organization’s systems from cyberattacks, there are several steps that can be taken such as:

Whitelisting: Implementing software whitelisting can prevent unauthorized or malicious software from running on systems. This can include creating a list of approved software and only allowing that software to run on systems, and blocking everything else.

Remote wiping: Implementing the ability to remotely wipe data from lost or stolen devices can help prevent sensitive data from falling into the wrong hands. This can include implementing mobile device management (MDM) solutions to remotely wipe data from lost or stolen devices.

Strong password policies: Enforcing strong password policies, such as requiring the use of long and complex passwords, can help prevent unauthorized access to company systems and data. This can include implementing multi-factor authentication, which requires users to provide more than one form of identification, such as a password and a fingerprint or token.

Device management: Implementing device management policies, that control device access and usage, can help prevent unauthorized access to company systems and data. This can include implementing policies that regulate device usage, device registration and device retirement.

Security monitoring: Implementing security monitoring and logging to detect and alert on suspicious activity can help detect and respond to cyberattacks quickly. This can include implementing security information and event management (SIEM) systems to monitor and analyze security-related data from multiple sources in real-time.

Physical security: Implementing physical security measures to protect systems, such as locking server rooms, can help prevent unauthorized access to systems and data. This can include implementing security cameras, access control systems, and having a security personnel to monitor the premises.

Cloud security: Organizations that rely on cloud services to store and process data must ensure that their cloud providers implement robust security measures. This can include encryption of data at rest and in transit, regular security audits, and incident response plans.

Real-world examples:

NotPetya malware attack: In June 2017, a malware attack known as “NotPetya” affected multiple organizations around the world, including shipping giant Maersk and pharmaceutical company Merck. The malware spread rapidly through networks and was able to bypass traditional security solutions by leveraging multiple attack vectors.

Sony PlayStation Network breach: In 2011, the Sony PlayStation Network was hacked and the personal information of 77 million users was compromised. The attack was believed to have been carried out by a group of hackers and was later linked to the theft of credit card information.

3. How do you detect an attack if it has already occurred?

There are several methods that organizations can use to detect an attack if it has already occurred such as:

Intrusion detection and prevention systems (IDPS): IDPS are designed to detect and alert on suspicious network traffic and can help identify an attack in progress. This can include deploying network-based IDPS to monitor network traffic, and host-based IDPS to monitor activity on individual systems.

Security information and event management (SIEM) systems: SIEM systems collect, analyze and correlate security-related data from multiple sources in real-time to detect suspicious activity. This can include analyzing logs from firewalls, intrusion detection systems, and other security devices to detect patterns of malicious activity.

Vulnerability scanning and penetration testing: Regularly scanning systems and networks for vulnerabilities can help identify potential attack vectors that could be exploited by attackers. This can include conducting internal and external vulnerability scans, and regular penetration testing to simulate an attack and identify vulnerabilities.

Network traffic analysis: Analyzing network traffic can help identify unusual patterns of activity that may indicate an attack. This can include monitoring for unusual traffic patterns, such as large amounts of data being exfiltrated, or traffic to known malicious IP addresses.

Behavioral analysis: Behavioral analysis can help detect anomalies in the behavior of systems, users and networks that could indicate an attack. This can include monitoring for unusual patterns of system usage, such as an unusual number of failed login attempts, or unusual changes in system configuration.

Incident response plan: Having a plan in place for responding to a cyber attack can help minimize the damage and ensure a quick recovery. This can include identifying key personnel and resources that will be responsible for responding to an attack, and regularly testing and updating the incident response plan to ensure its effectiveness.

Real-world examples:

WannaCry ransomware attack: In May 2017, the WannaCry ransomware attack affected more than 200,000 computers in 150 countries. The attack exploited a vulnerability in older versions of the Windows operating system, and it was able to spread rapidly through networks. The attack was detected by security researchers who found that the malware was using a specific kill switch domain that, when registered, stopped the malware from spreading.

4. How do you help your organization respond to an attack?

To help an organization respond to an attack, there are several steps that can be taken such as:

Containment: The first step in responding to an attack is to contain it and prevent it from spreading further. This can include disconnecting affected systems from the network, shutting down affected services, and implementing security controls to block malicious traffic.

Identification: The next step is to identify the scope and nature of the attack, including what systems and data may have been compromised. This can include conducting forensic investigations, analyzing system and network logs, and consulting with external experts if necessary.

Eradication: Once the attack has been contained and identified, the organization can begin to take steps to eradicate the malicious code or activity from its systems. This can include running malware scanners, manually removing malware, and patching vulnerabilities that were exploited.

Recovery: After the attack has been eradicated, the organization can begin the process of recovering any lost or compromised data. This can include restoring data from backups, and rebuilding or reimaging affected systems.

Lessons learned: After the incident has been resolved, it is important to conduct a post-incident review to identify what worked well and what could be improved. This can include identifying the causes of the incident, identifying any gaps in security controls, and implementing measures to prevent similar incidents in the future.

Communication: Throughout the incident response process, it is important to keep relevant parties informed of the situation, including stakeholders, customers, employees, and regulatory bodies if applicable.

Real-world examples:

Sony PlayStation Network breach: In 2011, Sony’s PlayStation Network was breached and the personal information of 77 million users was compromised. Sony’s response to the incident included shutting down the PlayStation Network, conducting a forensic investigation, and offering identity theft protection services to affected users.

5. How do you help your organization recover from a potentially serious attack?

To help an organization recover from a potentially serious attack, the following steps can be taken:

Prioritize systems and data: Identify which systems and data are most critical to the organization’s operations and prioritize their recovery.

Data backup and disaster recovery: Implement a robust data backup and disaster recovery plan to ensure that critical data can be restored quickly in the event of an attack.

Communication: Establish clear lines of communication with key stakeholders, including employees, customers, and regulatory bodies if applicable.

Incident response plan: Have a well-tested incident response plan in place that outlines the steps to be taken in the event of a serious attack.

Third-Party support: Engage with third-party incident response and forensics firms to assist with the recovery and investigation process.

Review and improve: Conduct a post-incident review to identify what worked well and what could be improved. Use the findings to improve the incident response plan, security controls and risk management processes.

6. Conclusion

To protect an organization from cyber attacks, it’s essential to implement a comprehensive security strategy that includes measures to protect both employees and data. By providing employee education and training, implementing security software, network segmentation, strong password policies, regular security updates, and an incident response plan, organizations can help prevent successful attacks. Additionally, by implementing data encryption, data backup and disaster recovery, and access controls and user management, organizations can protect sensitive data in the event of a cyber attack. Real-world examples such as the Google phishing attack and the Marriott data breach highlight the importance of these measures in protecting organizations from cyber threats.

References:

  1. National Cybersecurity Alliance (NCSA) & the SANS Institute - Small Business Cybersecurity Guide
  2. US-CERT - Small Business Information Security: The Fundamentals
  3. NIST Cybersecurity Framework (CSF)
  4. ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems (ISMS)
  5. OWASP Top Ten Project