After a Cyber-Attack: Key Steps to Reconstruct Applications and Data

Introduction

A cybersecurity breach can be devastating to your organization, and your ability to reconstruct quickly afterward is paramount. Unfortunately, such breaches occur daily:

Once the damage is done and you no longer have access to your systems, the reconstruction effort can be costly and time-consuming. This blog discusses some key considerations to guide the organization when planning and executing your applications recovery strategy. These recommendations are based on actual Wavestone client experiences and are intended to be a guideline to help you think through the various steps involved when adapting them to your organization.

An Ounce of Prevention

The best way to deal with cyber attacks is to avoid them in the first place–in other words, the best defense is a good offense. Enforcement of standard operating procedures that addresses the most common ways that hackers can gain access to your network/applications/data can help reduce the risk of making you an easier target. A layered defense looks to mitigate risks in each “layer” of your environment: this includes network, hardware, software, firewalls, code, data, access/passwords, physical access, and end user training. In general, ensure that your defense plan takes into consideration the following layered actions:

• Implement an end user training program that provides proactive education around how hackers use email, lax password management, external devices, and more to gain access to the corporate network and cause damage.
• Limit access to applications and ensure that when users leave the company or change roles, access is updated appropriately and promptly.
• Enforce a password change policy.
• Enforce a monthly full data backup at minimum, with system logs with incremental backups in between.
• Encrypt databases and any sensitive traffic within your network.
• Encrypt backups (best practice is to have monthly backups offsite).
• Ensure each department has an updated business continuity plan.

Cyber-attack Recovery Guidelines

Other than a ransomware attack, application restoration typically follows your disaster recovery sequence of restoration.  In the event of a ransomware attack, an offsite backup solution can shorten system downtimes. Think through the different scenarios when developing your disaster recovery plan and update your processes to account for use cases, such as ransomware attacks and data destruction.

In specific action terms, the best way to ensure that your applications can be recovered is to prepare before a cyber attack:

• Ensure that code refactoring is done frequently to strengthen security.
• Develop and enforce security coding standards using rules and guidelines to prevent security vulnerabilities.
• Diligently patch any underlying technology used.

• Code to prevent credential stuffing and password reuse, username enumeration, form entry validation, and other trivial hacks.
• Validate any third-party components used in the development process for known and unknown vulnerabilities.
• Application security testing during the entire SDLC.
• Penetration testing after each release.

• Ensure that application whitelisting accounts for filtering copycat URLs.
• Keep application vulnerability patching up to date.
• Understand what the vendor security commitments are to keep up with current threats and notification of breaches.

After a cyber attack, several key actions must be undertaken to:

• Ensure that applications data has been inspected.
• Ensure that the application code is not the entry point.
• Review the entire application stack and start recovery with infrastructure apps first (see the separate Wavestone Strategy Brief, “Key Steps to Consider When Reconstructing your IT Infrastructure After a Cyber Attack“)

Below are a few context-setting scenarios and responses to consider for applications recovery:

Conclusion

Everyone in your organization is responsible for cybersecurity, including applications and data security.  As we have discussed, the best defense is a good offense, which includes everyday “common sense actions” such as

• Not opening phishing or suspicious emails.
• Provide proactive cybersecurity training to the entire team in your organization.
• Executing good cybersecurity “hygiene” such as patching, access controls, password updates, backups, and a good Business Continuity Plan that is tested frequently.
• Embrace periodic practices of refactoring code and implementing secure coding standards.
• Frequent penetration testing and fuzz testing* for external-facing applications.
• Monitoring your third-party security practices and require them to contractually comply with yours.

*Note: Fuzz testing is an automated software testing technique that attempts to find hackable software bugs by randomly feeding invalid and unexpected inputs and data into a computer program to find coding errors and security loopholes. This is an old but increasingly common process both for hackers seeking vulnerabilities to exploit and defenders trying to find and fix them first.

Definition source: contrastsecurity.com

Thanks for review and input from my Wavestone colleague, Kathy DuFour.