By: Dean Buczek
Each news cycle seems more troubling than the last. You can’t open a web page or read a news
story without seeing another company suffering from a data breach that’s exposed petabytes of
sensitive user data, like credit card information or users’ names and passwords, or hearing about
how vulnerable our critical infrastructure is. While cyberattacks from Iran are in the forefront of
the news cycle, they are just one of the threat actors that are consistently menacing our critical
Maybe you’re asking yourself “what can I do to mitigate my own risks as much as possible?”
“Where do I start?” Information Technology and Network Security can be a daunting subject and
change happens faster than most people can keep up with.
Where to start?
Start with a Risk Assessment
It’s difficult to know where you are going and how to get there if you don’t know where you are.
iSECURE can perform an assessment and provide a Consolidated Risk Report which aggregates
risk analysis from multiple assessments performed on your network, providing you with both a
Consolidated Risk Score and a high-level overview of the health and security of the network. Risk
analysis and risk management are dynamic processes that must be periodically reviewed and
updated in response to changes in the environment. Even if you regularly test your network for
vulnerabilities, it is still a highly recommended best practice to engage a trusted third party to
assess your network. It is always beneficial to have a fresh set of eyes providing an unbiased review.
Maybe a Penetration Test is in order
An internal Vulnerability Risk Assessment is good to help you understand what is going on inside
your network, but what about the multitude of bad actors that are constantly ‘bashing at your
gates’ from the outside? You need to know and understand what exactly is visible to the outside
world to mitigate the risk of those external threats. A Penetration Test is a simulated cyber attack
that looks for vulnerabilities that can be exploited. It’s better for you to find your weak
points yourself than to have a threat actor find them for you.
A Chain Is Only as Strong as The Weakest Link
You’re all set, right? You have a bunch of shiny expensive equipment with all sorts of flashing
lights of various colors, and they give you a warm and contented feeling when you look at them
because you ‘know’ they are keeping your critical business infrastructure and data ‘safe’. What
happens when Fred opens the email his ‘friend’ sent him to sign up for the World Cup pool and
instead of opening the attached ‘sign up sheet’ he actually opens a piece of Ransomware that
maliciously encrypts his company data? I have seen this happen and if you want to buy me a beer
sometime, I’ll tell you a story that will make you shake your head in disbelief (FYI- I like Pale Ales).
Do You Have A Policy for That?
Should Fred have opened that email in the first place? He did just create an enormous amount of
damage with a simple click of the mouse. Maybe Fred should not have opened a personal email to
try to sign up for something personal on company equipment. Have you thought about it? Do you
have a policy in place that would discourage or restrict that from happening? The key to
prevention is to have custom policy and procedure documents in place.
How Are You Getting That Data Back?
So now Fred has to do the walk of shame every time he goes to the coffee machine because he has
made life difficult for the entire crew. There was not a policy in place to prevent this and you also
didn’t train your employees on the risks and methods of Social Engineering.
How are you going to get your data back? You have backups, right? What’s that you say? The
backups have been failing for a month and the last recoverable data you have is months old?
Do you just pay the ‘ransom’? Even if you do, there’s no guarantee that you will get your data back.
It has been reported that some of the encryption malware is so poorly written that there is no
mechanism to decrypt the files it’s touched even if the ransom is paid.
The time to think about that is BEFORE you are in that situation and not AFTER! You should be
following the 3-2-1 rule: 3 copies of data on at least 2 different mediums with at least 1 off site.
You also need to be concerned with RTOs and RPOs. That’s Recovery Time Objective (how long it
takes to restore the lost data) and Recovery Point Objective (how old the data is that’s being
restored). The gate needs to be closed before the dog gets out, not after he’s running down the
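As an added illustration (not part of the original article or any iSECURE tooling), the Python sketch below checks a backup inventory against the 3-2-1 rule and a Recovery Point Objective, counting a backup only if its last verified run falls inside the RPO window. The `Copy` fields, the finding labels and both sample inventories are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str                      # hypothetical label for this copy
    medium: str                    # "disk", "tape", "cloud", ...
    offsite: bool
    last_good: Optional[datetime]  # last verified-restorable run; None = never
    primary: bool = False          # the live production copy

def assess(copies, now, rpo):
    """Return findings; an empty list means 3-2-1 and the RPO are both met."""
    def usable(c):
        # A backup only counts if its last verified run is inside the RPO window.
        return c.primary or (c.last_good is not None and now - c.last_good <= rpo)

    good = [c for c in copies if usable(c)]
    findings = [f"STALE:{c.name}" for c in copies if not usable(c)]
    if len(good) < 3:
        findings.append(f"COPIES:{len(good)}/3")
    if len({c.medium for c in good}) < 2:
        findings.append("MEDIA:fewer than 2")
    if not any(c.offsite for c in good):
        findings.append("OFFSITE:none")
    # If the primary is encrypted, the newest backup is the real recovery point.
    runs = [c.last_good for c in copies if not c.primary and c.last_good]
    if not runs:
        findings.append("RPO:no restorable backup")
    elif now - max(runs) > rpo:
        findings.append(f"RPO:newest backup is {(now - max(runs)).days} days old")
    return findings

# Constructed sample inventories (not from the article).
NOW = datetime(2024, 6, 1, 8, 0)
RPO = timedelta(hours=24)
NEGLECTED = [
    Copy("file-server", "disk", False, NOW, primary=True),
    Copy("nas-nightly", "disk", False, NOW - timedelta(days=35)),
    Copy("cloud-weekly", "cloud", True, NOW - timedelta(days=90)),
]
HEALTHY = [
    Copy("file-server", "disk", False, NOW, primary=True),
    Copy("nas-nightly", "disk", False, NOW - timedelta(hours=6)),
    Copy("tape-vault", "tape", True, NOW - timedelta(hours=20)),
]

if __name__ == "__main__":
    for label, inv in (("neglected", NEGLECTED), ("healthy", HEALTHY)):
        print(label, assess(inv, NOW, RPO) or "3-2-1 and RPO met")
```

The neglected inventory has three copies on paper, but because the backup jobs stopped succeeding, only the production copy still counts.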
So Let’s Get Those Gates Closed
The iSECURE team can help guide you to assess your current situation and give you
recommendations to help you get to where you want to be. IT security must be viewed holistically,
and taking steps before situations arise is the key to prevention.
Dean Buczek is iSECURE’s network security engineer who spends his days working in conjunction with organizations to ensure
they are proactively enabled to deal with the ever-changing cyber security landscape.