Cybersecurity Spring Cleaning: 5 things to Refresh this Season

With spring in full swing and summer around the corner, has your organization started its cybersecurity spring cleaning? The constant bombardment of new, more complex attacks and an ever-growing to-do list often leave little time for organizations to reflect on a few simple things that go a long way toward preventing, or preparing for, a cybersecurity incident. MOXFIVE believes organizations should use this season as a reminder and an opportunity to audit and address their:

  1. Tool Coverage, Licensing and Redundancy
  2. Account Hygiene
  3. Asset and Data Lists
  4. Backup Coverage and Testing
  5. End User Training

Tool Coverage, Licensing and Redundancy

What cybersecurity tooling do you have, where is it deployed, and is it redundant with anything else? A common theme MOXFIVE observes during ransomware incidents is that the impacted organization either has no reliable endpoint detection and response (EDR) tooling deployed at all, or has one that is not deployed to every asset in the environment. An agent that is missing from a host, or installed but no longer checking in, protects nothing, so validating coverage is a crucial way to reduce the risk of an incident.

Outside of EDR, there are many other opportunities to ensure your organization's tools and technologies are fully implemented across your on-premises and cloud environments. Knowing and reducing any gaps will help keep your cybersecurity team better prepared.

Much like any other form of spring cleaning, this is also a great opportunity to inventory your organization's tools, licensing and technologies for the purpose of identifying any unnecessarily redundant costs. If you recently implemented a top-of-the-line EDR solution, you probably don't need to keep paying the license costs for two additional anti-virus solutions. MOXFIVE often recommends creating an inventory of all cybersecurity tools your organization has, plotting them against the environments they protect, and then mapping which MITRE ATT&CK techniques each one detects or prevents. Heavy overlap in that matrix may be an opportunity for savings; an empty cell is a gap you should know about.  
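As an added example of the coverage check described above (this is not MOXFIVE's code or tooling), the script below joins a small asset inventory against the agent lists exported from each security console and reports, per host, whether EDR is missing, whether its agent has gone silent, and whether the host is paying for overlapping products. It also lists hosts that report to a console but are absent from the inventory, which is the same gap the asset-list section below warns about. Every host name, tool name and timestamp here is constructed; in practice you would feed it a CMDB export and each console's agent export.

```python
"""Tool coverage and redundancy check.

Added example (not MOXFIVE's code). Joins an asset inventory against the
agent lists exported from each security console and reports, per host:
hosts with no EDR agent, hosts whose EDR agent has gone silent, and hosts
running several overlapping products. Hosts that report to a console but
are missing from the inventory are listed separately as inventory gaps.
All host names, tool names and timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=7)   # an agent silent this long is not protecting anything

# Constructed asset inventory, as you might export it from a CMDB.
ASSETS = [
    {"host": "fs01",         "env": "on-prem", "owner": "IT",      "role": "file server"},
    {"host": "web01",        "env": "cloud",   "owner": "AppTeam", "role": "web"},
    {"host": "hr-laptop-07", "env": "on-prem", "owner": "HR",      "role": "workstation"},
    {"host": "db01",         "env": "cloud",   "owner": "Data",    "role": "database"},
]

# Constructed per-console agent exports: host -> last check-in time.
TOOL_EXPORTS = {
    "EDR": {
        "fs01":         NOW - timedelta(hours=2),
        "web01":        NOW - timedelta(days=21),   # installed, but silent for weeks
        "hr-laptop-07": NOW - timedelta(hours=5),
        "test-vm-99":   NOW - timedelta(hours=1),   # nobody put this one in the inventory
    },
    "AV-A": {"fs01": NOW - timedelta(hours=1), "hr-laptop-07": NOW - timedelta(hours=1)},
    "AV-B": {"fs01": NOW - timedelta(days=1)},
}


def coverage_report(assets, exports, now=NOW, stale_after=STALE_AFTER):
    """Return {host: [findings]} for every inventoried host."""
    report = {}
    for asset in assets:
        host = asset["host"]
        present = {tool for tool, agents in exports.items() if host in agents}
        stale = {tool for tool in present if now - exports[tool][host] > stale_after}
        findings = []
        if "EDR" not in present:
            findings.append("NO_EDR")
        elif "EDR" in stale:
            findings.append("EDR_STALE")
        # EDR plus two or more legacy AV products on the same host is paid-for overlap.
        av_products = [tool for tool in present if tool.startswith("AV")]
        if "EDR" in present and len(av_products) >= 2:
            findings.append("REDUNDANT_AV")
        report[host] = findings
    return report


def unknown_hosts(assets, exports):
    """Hosts seen by any console but absent from the inventory."""
    known = {asset["host"] for asset in assets}
    seen = set()
    for agents in exports.values():
        seen.update(agents)
    return seen - known


if __name__ == "__main__":
    for host, findings in coverage_report(ASSETS, TOOL_EXPORTS).items():
        print(f"{host:14} {', '.join(findings) or 'ok'}")
    print("not in inventory:", sorted(unknown_hosts(ASSETS, TOOL_EXPORTS)))
```

The "silent agent" threshold is the part most teams forget: a console that lists a host is not evidence the host is protected unless the agent has checked in recently, so pick a stale window that matches how long your environment tolerates a machine being offline.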

Account Hygiene

Is this privileged user still working at your organization? It's no surprise that not every account will be around forever. Co-workers come and go for a multitude of reasons. Regardless of the reason for their departure, it is important for accounts to be quickly disabled and then removed from the environment to reduce the risk of unauthorized access. Stale accounts, especially vendor accounts, introduce opportunities for initial access that can more easily go unnoticed.  

MOXFIVE has also observed instances where threat actors have re-enabled old accounts that had been disabled but not yet deleted, in order to maintain persistence with limited visibility to the organization. Disabling an account is the first step; deleting it, and alerting when a long-dormant account is switched back on, closes that door.

In addition to eliminating stale accounts, use this time to audit the access and privileges of active accounts to ensure they reflect current needs, in alignment with the principle of least privilege.  
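The following added example (not MOXFIVE's code) shows the two audits the section above calls for, run over constructed data. The first flags enabled accounts that belong to departed staff or have been idle past a threshold, calling out vendor and privileged accounts separately. The second walks Windows Security events and flags the re-enablement pattern described above: an account that sat disabled for a long time and was then switched back on (event ID 4725 is "user account disabled", 4722 is "user account enabled"). The account names, HR feed and event records are constructed; a real run would read a directory export and the domain controllers' Security logs.

```python
"""Account hygiene audit.

Added example (not MOXFIVE's code). Two checks over constructed data:
1. stale_accounts(): enabled accounts that belong to departed staff, or that
   have not logged in within MAX_IDLE days (vendor and privileged accounts
   are called out separately because they carry the most risk);
2. suspicious_reenables(): Windows Security events where an account that had
   been disabled for a long time was switched back on (event 4725 = account
   disabled, 4722 = account enabled), which is the re-enablement pattern
   threat actors use for quiet persistence.
The account names, HR feed and events below are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
MAX_IDLE = timedelta(days=90)      # enabled but unused this long -> review
MIN_DORMANT = timedelta(days=30)   # disabled this long, then re-enabled -> alert

ACCOUNTS = [
    {"sam": "jdoe",        "enabled": True, "last_logon": NOW - timedelta(days=12),  "type": "employee", "privileged": True},
    {"sam": "asmith",      "enabled": True, "last_logon": NOW - timedelta(days=3),   "type": "employee", "privileged": False},
    {"sam": "vendor-hvac", "enabled": True, "last_logon": NOW - timedelta(days=200), "type": "vendor",   "privileged": False},
    {"sam": "old-admin",   "enabled": True, "last_logon": NOW - timedelta(days=400), "type": "employee", "privileged": True},
]

HR_DEPARTED = {"asmith"}   # constructed feed of users HR has offboarded

# Constructed Security-log records: who changed which account, and when.
EVENTS = [
    {"time": NOW - timedelta(days=365), "id": 4725, "target": "old-admin",      "subject": "it-admin"},
    {"time": NOW - timedelta(days=2),   "id": 4722, "target": "old-admin",      "subject": "svc-backup"},
    {"time": NOW - timedelta(days=1),   "id": 4725, "target": "tmp-contractor", "subject": "it-admin"},
    {"time": NOW - timedelta(hours=1),  "id": 4722, "target": "tmp-contractor", "subject": "it-admin"},
]


def stale_accounts(accounts, departed, now=NOW, max_idle=MAX_IDLE):
    """Return {account: reason} for enabled accounts that should be disabled or reviewed."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        sam = acct["sam"]
        if sam in departed:
            findings[sam] = "DEPARTED_STILL_ENABLED"
        elif now - acct["last_logon"] > max_idle:
            if acct["type"] == "vendor":
                findings[sam] = "IDLE_VENDOR"
            elif acct["privileged"]:
                findings[sam] = "IDLE_PRIVILEGED"
            else:
                findings[sam] = "IDLE"
    return findings


def suspicious_reenables(events, min_dormant=MIN_DORMANT):
    """Flag 4722 events that re-enable an account disabled for at least min_dormant."""
    disabled_at = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4725:
            disabled_at[ev["target"]] = ev["time"]
        elif ev["id"] == 4722 and ev["target"] in disabled_at:
            dormant = ev["time"] - disabled_at.pop(ev["target"])
            if dormant >= min_dormant:
                flagged.append({"target": ev["target"], "enabled_by": ev["subject"],
                                "dormant_days": dormant.days, "time": ev["time"]})
    return flagged


if __name__ == "__main__":
    for sam, reason in stale_accounts(ACCOUNTS, HR_DEPARTED).items():
        print(f"{sam:14} {reason}")
    for hit in suspicious_reenables(EVENTS):
        print(f"{hit['target']} re-enabled by {hit['enabled_by']} after {hit['dormant_days']} days dormant")
```

Note that the contractor account toggled off and on within a day is not flagged: short disable/enable cycles are routine administration, and the signal you want is a long-dormant account coming back to life, especially when the subject that enabled it is a service account rather than a help-desk user.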

Asset and Data Lists

Are you tracking all of the servers and workstations within your environment? Do you know where they reside, who the assigned end user is, and what their business function is? An outdated asset list can be about as helpful as not having one at all! The same goes for lists that track the critical data locations within your environment. MOXFIVE recommends refreshing asset and data inventories and their criticality ratings so that the information is at your fingertips during an incident, without gaps that leave systems unaccounted for.  

Backup Coverage and Testing

Do you have backups that will actually make you resilient to ransomware and natural disasters? It is heartbreaking when MOXFIVE encounters organizations that fell victim to ransomware, only to find out that their backups are not viable, or were not capturing the data they were supposed to. Use this time to ensure your organization has a hardened implementation of its backup solution (offsite or immutable copies, backup infrastructure that is not domain-joined, etc.) and schedule actual restoration tests to validate that the data you expect is being backed up, and can be restored intact, the way you think it is.
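As an added example of the restoration test the paragraph above recommends (this is not MOXFIVE's code or a particular backup product's API), the script below records a SHA-256 manifest of critical files at backup time and, after a test restore, checks that each file came back and matches its recorded hash, so "the backup job reported success" is replaced by "the data we expected is there and intact". A second check compares the most recent good backup against the recovery point objective. The file set, RPO and timestamps are constructed, and demo() stages both the source and a deliberately flawed restore in temporary directories so it runs offline.

```python
"""Backup restoration test.

Added example (not MOXFIVE's code). At backup time, record a SHA-256
manifest of the files you cannot afford to lose; after a test restore,
compare the restored copy against that manifest. A second check compares
the last successful backup against the recovery point objective (RPO).
The file set, RPO and timestamps below are constructed.
"""
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
RPO = timedelta(hours=24)                     # constructed recovery point objective
LAST_GOOD_BACKUP = NOW - timedelta(hours=30)  # constructed: newest job that completed cleanly


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_root, critical_paths):
    """Hash each critical file on the live system; store this alongside the backup catalog."""
    return {rel: sha256_file(Path(source_root) / rel) for rel in critical_paths}


def verify_restore(manifest, restored_root):
    """Return {relative path: OK | MISSING | HASH_MISMATCH} for a restored copy."""
    results = {}
    for rel, expected in manifest.items():
        restored = Path(restored_root) / rel
        if not restored.is_file():
            results[rel] = "MISSING"
        elif sha256_file(restored) != expected:
            results[rel] = "HASH_MISMATCH"
        else:
            results[rel] = "OK"
    return results


def rpo_met(last_successful_backup, rpo, now=NOW):
    """True if the newest good backup is recent enough to satisfy the RPO."""
    return now - last_successful_backup <= rpo


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Stage a source tree and a flawed restore of it; return the verification result."""
    critical = {
        "finance/ledger.db": b"ledger rows v2",
        "hr/payroll.csv":    b"name,amount\n",
        "config/app.yaml":   b"db: prod\n",
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as restored:
        for rel, data in critical.items():
            _write(src, rel, data)
        manifest = build_manifest(src, critical)
        # Simulate a restore where the hr/ share was never in the backup scope
        # and the ledger came back from an older snapshot.
        _write(restored, "finance/ledger.db", b"ledger rows v1")
        _write(restored, "config/app.yaml", critical["config/app.yaml"])
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:14} {rel}")
    print("RPO met:", rpo_met(LAST_GOOD_BACKUP, RPO))
```

The manifest should be generated on the source system by the same schedule that triggers the backup and kept somewhere the backup platform cannot overwrite; otherwise a compromised backup server can rewrite both the data and the record you are checking it against.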

End User Training

"We have 100% confidence that our employees will never be the reason for a cybersecurity incident" is not something organizations typically say. Mistakes happen, and threat actors are using artificial intelligence to become even craftier at tricking people. The emergence of deepfake technology makes even phone calls and video calls difficult to trust now. Use this time to reflect on your end user security awareness and training program. Identify any opportunities to refresh the content and training cadence given trends across the cybersecurity landscape, in addition to risks you have observed recently at your own organization.  

If you have questions or need help with any of these, our team can help! Reach out to us at incident@moxfive.com or fill out the form on our contact us page.

Justin Boncaldo

Justin has helped a diverse range of organizations navigate cybersecurity incidents from incident response, digital forensic, cyber insurance and preparatory perspectives. With over five years of incident response consultancy experience, Justin has supported and empowered private and publicly traded organizations, as well as state and local government entities, reaching virtually every industry.
