[MTE] [Aug 2024] [P3] From Breach to Business Continuity [Part 3]

From Breach to Business Continuity: Managing the Cybersecurity Incident [Part 3]

Hoo Chuan Wei discussed these topics in three blogs on corporate business Resilience: Clean and Good Backup and Recovery.

In cyber incident response, the often-overlooked aspect of data backup and recovery can be critical to a successful outcome. While many organizations may have implemented backup strategies, ensuring the integrity and availability of those backups in the face of advanced threats can be challenging.

This presentation will delve into the importance of robust backup strategies and the potential pitfalls associated with traditional approaches. We will discuss the need for diverse backup methods, including offline storage and immutable media, to protect against ransomware and other sophisticated attacks. Additionally, we will explore the critical role of compromise assessments in verifying the integrity of backups and preventing reinfection.

By understanding the principles of effective backup and recovery, organizations can enhance their resilience and minimize the impact of cyber incidents. A well-executed backup strategy is a cornerstone of a comprehensive cyber incident response plan, providing a vital means of restoring data and systems during a breach.

Clean and Good Backup

Clean Backups: The Cornerstone of Cyber Resilience

Effective backup strategies are essential to protect critical data and systems in the face of increasing cyber threats.  However, simply creating backups is not enough.  Ensuring that backups are clean and free from malware or malicious code is equally important.

The Importance of Clean Backups

Data Integrity

• Clean backups guarantee that restored data is accurate and corruption-free.

Disaster Recovery

• Clean backups are crucial for restoring operations and minimising downtime in case of a data breach or system failure.

Compliance

• Many regulations and industry standards require organisations to maintain clean and secure backups.

Risk Mitigation

• Clean backups can help mitigate the impact of ransomware attacks and other cyber threats.

Common Backup Mistakes

Relying Solely on Online Backups

• While online backups can be convenient, they are vulnerable to cyber-attacks that target cloud storage providers.

Neglecting Offline Backups

• Offline backups, stored on physical media, provide additional protection against cyber threats.

Failing to Test Backups

• Regular testing ensures that backups are functional and can be restored.

Ignoring Backup Security

• Backups must be protected from unauthorised access and tampering.

Best Practices for Clean Backups

Implement a 3-2-1 Backup Strategy

• This strategy involves creating three copies of data, two of which should be stored locally and one off-site.

Regularly Test Backups

• Conduct regular tests to verify that backups can be restored.

Encrypt Backups

• Encrypt backups to protect sensitive data from unauthorised access.

Implement Access Controls

• Restrict backup access to authorised personnel only.

Conduct Backup Audits

• Regularly audit backups to identify and address potential vulnerabilities.

Consider Immutable Storage

• Immutable storage prevents backups from being modified or deleted, making them more resistant to ransomware attacks.

Conclusion

Clean backups are essential for protecting critical data and ensuring business continuity. By following the best practices outlined in this article, organisations can enhance their cyber resilience and minimise the impact of data breaches and other cyber threats.

Recovery

Recovery and Post-Incident Review: Essential Steps in Cyber Resilience

Recovery and post-incident review are critical phases in the aftermath of a cyber incident. By conducting a thorough damage assessment and implementing effective recovery strategies, organisations can minimise the impact of the incident and restore operations.

Damage Assessment and Recovery Planning

Assess the Damage

• Conduct a comprehensive assessment to determine the extent of the damage, including the loss of data, systems, and services.

Identify Dependencies

• Identify critical dependencies, such as hardware, software, or network infrastructure that may hinder recovery.

Develop a Recovery Plan

• Create a detailed recovery plan outlining the steps necessary to restore operations and data.

Implement Recovery Strategies

• Execute the recovery plan, prioritising critical systems and functions.

Monitor Progress

• Continuously monitor the recovery process and adjust as needed.

Post-Incident Review

Conduct a Thorough Review

• Conduct a comprehensive review of the incident to identify root causes, lessons learned, and areas for improvement.

Document Findings

• Document the review findings, including recommendations for preventing future incidents.

Share Lessons Learned

• Share the lessons learned with relevant stakeholders, including employees, management, and the board of directors.

Update Security Controls

• Implement necessary security controls to address the vulnerabilities identified during the review.

Revise Plans

• Update your incident response, business continuity, and disaster recovery plans based on the insights gained from the review.

Key Considerations

Timeline

• Act quickly to minimise the impact of the incident and avoid further damage.

Resources

• Ensure adequate resources are available to support recovery.

Collaboration

• Foster collaboration among different teams and departments to ensure a coordinated response.

Communication

• Maintain open and transparent communication with stakeholders throughout recovery.

Continuous Improvement

• Use the post-incident review to improve your organisation's cybersecurity posture and resilience.

Conclusion

Recovery and post-incident review are essential steps after a cyber incident. By conducting a thorough assessment, implementing effective recovery strategies, and learning from the experience, organisations can enhance their resilience and minimise the impact of future incidents.

Dr. Goh Moh Heng moderates and transcribes this session. If you have any questions, email the moderator with your comments.

Click the icon on the left to return to part 1 of the presentation.