Skip to content

什麼是事件響應計劃 (IRP),為什麼制定一個很重要?

With the evolution of technology and the revolution in the information age, the concern with data security has become more and more constant for companies, governments, and users. Since data are fundamental assets for the growth of companies, investing in protection is essential in organizations’ routines.

As cyber threats and crimes increase, efforts need to be stepped up, putting effective security measures in place. Therefore, there is a need to have a team specialized in data protection within a company, regardless of the industry, that constantly works to secure the information, relying on an Incident Response Plan (IRP).
This way, the team can anticipate threats and develop the best actions to combat them immediately, without harming the company’s business.

For that, one needs to ensure this response plan works correctly, following the fundamental steps, and is well managed.

In this article, we explain what is an incident response plan, its benefits, and the important aspects of putting one together. Our text is divided into the following topics:

  • What is an Incident Response Plan (IRP)?
  • Why Is Incident Response Important?
  • Understand the Six Steps of An IRP
  • Most Common Cybersecurity Incidents
  • Important Aspects of Putting an IRP Together
  • Who Is the Team Responsible for the IRP?
  • What Is the Relationship Between An Incident Response Plan and A Disaster Recovery Plan?
  • What Is the Relationship Between An Incident Response Plan and A Business Continuity Plan?
  • About senhasegura
  • Conclusion

Enjoy the read!

What is an Incident Response Plan (IRP)?

The IRP is a formal document that contains a set of tools and procedures that must be adopted by the IT team to deal with company security problems. The purpose of these measures is to work on the prevention, identification, elimination, and recovery of cyber threats.

Moreover, they ensure that actions are taken as soon as possible, minimizing any damage to the business, which may include data loss, financial damage, and loss of trust by customers, suppliers, partners, and employees.

Now you know what an incident response plan is. Keep reading our article and understand why an incident response is important.

Why Is Incident Response Important?

A company that has an IRP is better prepared to deal with a variety of situations related to the security of its information. The best practices in the plan help the company to assertively anticipate and combat various threats.

By adopting these practices, the company ensures greater security of its information, prevents the payment of penalties on data recovery costs, and avoids financial losses. Here are other factors that show why an incident response is important.

Greater Data Security

The implementation of protection and backup, correction, and access management systems, as well as the correct management of information, generate faster actions to protect and contain incidents.

Cost Reduction

The costs of fighting incidents can be high due to regulatory sanctions, customer compensation, or the overall costs of investigating and restoring systems.

An IRP helps to reduce these costs as it constantly works to prevent problems. In addition, the losses are also minimized, since, in addition to minimizing costs, system downtime also decreases, limiting data loss.

It Maintains and Enhances the Company’s Reputation

Without the implementation of an IRP, controlling and combating threats becomes more difficult, which can lead to losses. This is because incidents do not only affect the technical aspects of the company but are directly related to business continuity.

Constant violations of an organization’s data diminish its credibility. Furthermore, it may lose investors and shareholders who stop believing in a flawed and easily breached business.

On the other hand, quick and effective responses to incidents demonstrate the company’s greater commitment to data security and privacy, which increases its credibility and reputation.

Understand the Six Steps of An IRP

To be successful in an IRP, one needs to follow some fundamental steps that are well-managed. The standard plan with these steps is based on the Incident Handler’s Handbook published by the SANS Institute.
It is a document with six steps to be followed when building the plan. These are:

1. Preparation

The first step in implementing the plan is defining a specific team to work with the incidents. The team will be responsible for creating the incident documentation, containing the protocols to be followed in the execution of the plan’s actions.

It is necessary to train the personnel assigned to deal with these situations following the company’s security policies. This helps to understand exactly the risks to which the company is exposed and the preventive measures to be taken in different situations.

An important action is to create incident response simulation contexts periodically in order to verify the effectiveness of the plan and improve it in case it is needed.

2. Identification

The responsible team must work to detect deviations from operations, seeking to identify incidents and define their severity.

In this detection, the type and severity of the problem are documented, as well as all the procedures that are being carried out in this regard. The formalization of this incident must answer the questions:

  • Who?
  • What?
  • Where?
  • Why?
  • How?

3. Containment

After identifying an incident, the team’s next step is to work on containment, to avoid future damage of the same nature. This containment is divided into short-term and long-term procedures.

The short-term containment works on the immediate solution of the problem, trying to prevent possible damage from the attack, while the long-term one refers to more complex actions, which involve the restoration of the entire corporate system, aiming at its return to normality.

In addition to the short, medium, and long-term strategies, it is important to rely on a redundant backup of the files so as not to lose data necessary for your company.

4. Eradication

Once the problem is contained, eradication actions are initiated. At this step, the focus is on the complete removal of the vulnerability and the necessary measures to avoid a recurrence of the problem.

These actions can involve a change in authentication mechanisms, such as passwords and access permissions, or even a restoration of all affected systems in the company. The incident level and the most assertive action will be defined by using metric indicators, or KPIs.

5. Recovery

In this step, the team works to verify and correct threats that may have gone unnoticed in the previous step, that is, the remnants of the incident. A scan action and transport of backups into cloud systems can be one of the necessary measures in this process.

Also, the team assesses the performance of the previous step by analyzing the response time, the damage caused and the performance of tasks, so that new directions to be followed are defined.

6. Lessons Learned

For the team to be prepared for future problems and to reduce any errors, it needs to record the entire containment process performed, including the incidents and the procedures to combat them.

It is a very important step as it documents the entire process and provides a history of occurrences to aid future actions. It is also at this step that mistakes and successes are evaluated, which hindered or enhanced the development of actions.

Most Common Cybersecurity Incidents

There are many types of common security incidents, considered more or less critical, depending on the organizational decision and the company profile. Check some of them:

Data Breaches

A data breach occurs when the company faces a security incident related to the information that is under its responsibility, compromising the confidentiality, availability, or integrity of such data.

When this occurs, it is necessary to notify the control authorities as soon as possible, as well as the people affected, in addition to applying the appropriate technical measures.

Data Leaks

Data leaks are a cybercrime planned and executed by hackers, who access and expose sensitive data of individuals and organizations without authorization.

In practice, the malicious attacker breaks into a database and sells the information found on the deep web or uses it to threaten their victims.

Ransomware and Other Malware

Through ransomware, malicious agents hijack data stored on their victims’ devices so that they no longer have access to that information. In this way, they charge an amount for the ransom, usually using cryptocurrencies.

With this form of action, cybercriminals will hardly be tracked and the user will only have access to their data if they pay the required amount.

Corporate Espionage

Corporate espionage is performed in companies and industries to gain access to sensitive data, such as industrial secrets, strategic plans, bank information, or information about the organization’s customers, ensuring competitive advantages.

OPSEC Failures

OPSEC is a security management process that enables an IT team to view information and systems from the perspective of potential attackers in order to classify information and protect it.

Nevertheless, for this protection strategy to be effective, it is necessary to implement certain practices, such as ensuring access with fewer privileges.

Email Spoofing

Malicious users can tamper with emails and disguise themselves as legitimate senders to apply phishing attacks.

To do this, they often change message header information or include typos in the domain, but they can also present themselves as a legitimate domain or a random address, without reference to the domain.

Domain Hijacking

Another form of hacker action is domain hijacking, which consists of taking control of a company by falsifying the transfer authorization. To prevent this problem, it is advisable to keep your company’s domain locked.

Man-In-The-Middle Attacks

In this type of attack, hackers position themselves between the victim and a real institution, intercepting the messages and posing as the entity later.

Social Engineering Such As Phishing and Spear Phishing

Social engineering is a technique used by hackers who manipulate their victims to gain access to sensitive data.

In the case of phishing, the user is led to believe that they are in contact with a legitimate institution. Spear phishing, on the other hand, is a version aimed at professionals who work in a company and receive requests from criminals impersonating someone in the organization.

Exploits of Vulnerabilities Listed in the CVE

Common Vulnerabilities and Exposures (CVE) is the joint initiative of several technology and security companies, which list the main vulnerabilities and risks faced in the virtual environment.

In practice, CVE was born as a kind of guide that aims to help control the digital security of a company.

Exploits are programs or codes designed to take advantage of these vulnerabilities listed in Common Vulnerabilities and Exposures, as well as other cyber risks.

Typosquatting

In Typosquatting, malicious attackers register domains with poorly spelled names from known websites to induce users to disclose personal data, such as their credit card data.

Denial-of-Service (DoS)

In denial-of-service (DoS) attacks, hackers seek to overload a web property with traffic by disrupting the normal functioning of a computer or other device.

All incidents in the above list are very common and require security measures provided for in an incident response plan. Also, it is essential to keep in mind that small occurrences can generate attack vectors, so they must be monitored in real-time.

Another concern the security team should have is related to third-party suppliers, which may pose a risk to the company, as they might access confidential data.

In this sense, the recommendation is that your company has a supplier management policy, which makes it possible to evaluate their level of digital security and manage third-party risks. You can also hire suppliers with SOC 2 and ISO 27001 certifications, and ask them to know their information security policy.

Important Aspects of Putting an IRP Together

Following the IRP steps is critical to your success. However, the company needs to be aware it is not a fixed process and that it must be adapted to the organization’s structure.

Hence the importance of periodic assessments to constantly evaluate the plan, eliminate gaps, and adopt the necessary improvements.

To implement the plan, it is not necessary to have a large team of employees, but it is essential that everyone is properly qualified, trained, and has good tools to ensure the best possible results in carrying out the activities.

It is also necessary that other sectors undergo training so that they become aware of the company’s security policies and know how to proceed in the face of incidents and how to report them to the responsible team.

Who Is the Team Responsible for the IRP?

As we have already suggested, companies must hire qualified teams to deal with cyber incidents. This group can count on the following professionals:

Incident Response Manager

This professional is responsible for overseeing the response plan during the identification, containment, and recovery of an incident. Moreover, they may be responsible for reporting serious incidents to other company professionals.

Security Analysts

Their job is to work with the resources achieved during a cyber incident, in addition to deploying and maintaining technical and operational controls.

Threat Seekers

This function, usually outsourced by companies, provides threat intelligence, and can use specific solutions and the Internet to understand them. Therefore, it is possible to rely on tools that allow automatic monitoring of data leaks, security policies of suppliers and third parties, and leaked credentials.

It is worth mentioning that, for the security team to have an effective performance, it must count on the support of leaders and other departments of the organization.

After all, leaders are the ones who enable the necessary investments in the security area and the legal body has the function of clarifying legal issues related to data leaks and breaches.

The human resources sector can help remove employee credentials in the event of insider threats, while the public relations sector ensures the accuracy of messages sent to the media, customers, etc.

What Is the Relationship Between An Incident Response Plan and A Disaster Recovery Plan?

A disaster recovery plan is a document that provides for measures to be taken by companies in cases of incidents such as cyberattacks, power outages, and natural disasters.

This set of strategies minimizes the damage caused by the incident and prevents the company from remaining inoperative due to the disaster.

The incident response plan has the function of identifying a security event and putting an end to it. Therefore, the disaster recovery plan and the incident response plan should complement each other.

What Is the Relationship Between An Incident Response Plan and A Business Continuity Plan?

Another document associated with the incident response plan is the business continuity plan. Their functions are similar: to mitigate the impacts of incidents and keep the business operating, but they present some differences.

The incident response plan, as a rule, ensures more visibility and focuses on security events that directly affect data and network integrity and exposure to breaches.

On the other hand, the business continuity plan addresses different threats faced by the organization, whether related to employees, assets, or natural disasters.

About senhasegura

Senhasegura is part of MT4 Tecnologia, a group of companies focused on information security founded in 2001 and operating in more than 50 countries.

Its main objective is to ensure digital sovereignty and security for its clients, granting control over privileged actions and data and avoiding theft and leaks of information.

For this, it follows the lifecycle of privileged access management through machine automation, before, during, and after accesses. senhasegura also seeks to:

  • Avoid interruptions in the activities of companies, which may impair their performance;
  • Automatically audit the use of privileges;
  • Automatically audit privileged changes in order to identify privilege abuses;
  • Provide advanced PAM solutions;
  • Reduce cyber risks;
  • Bring organizations into compliance with audit criteria and standards such as HIPAA, PCI DSS, ISO 27001, and Sarbanes-Oxley.

Conclusion

In this article, you saw that:

  • An IRP is a document that contains a set of tools and procedures that the IT team must adopt to deal with security issues;
  • A company that has an IRP is better prepared to deal with a variety of situations related to the security of its information;
  • Other factors that show why an incident response is important are: greater data security, cost reduction, and improvement of the company’s reputation;
  • Knowing what an incident response plan is involves understanding its six steps. These are: preparation, identification, containment, eradication, recovery, and lessons learned;
  • There are many types of common security incidents, considered more or less critical, depending on the organizational decision and the company profile;
  • They all require security measures provided for in an incident response plan;
  • For the implementation of the plan, it is necessary to have qualified and trained professionals who have good tools;
  • These professionals can take on the following roles: incident response manager, security analyst, and threat seeker;
  • The disaster recovery plan and the incident response plan should complement each other;
  • The business continuity plan presents functions similar to the incident response plan.

Did you like our article that shows what is an incident response plan? So share it with someone else who may be interested in the topic.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

CISA BOD 23-01: Why vulnerability scanners miss the mark on asset inventory

On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive requires that federal civilian executive branch (FCEB) departments and agencies perform automated discovery every 7 days and identify and report potential vulnerabilities every 14 days. Additionally, it requires the ability to initiate on-demand asset discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.

To meet these requirements, agencies will need to start with an accurate asset inventory. Most agencies will attempt to leverage existing solutions, like their vulnerability scanners, to build their asset inventories. It seems reasonable to do so, since most vulnerability scanners have built-in discovery capabilities and can build asset inventories. However, they will quickly learn that vulnerability scanners are not up for the task and cannot help them sufficiently and effectively meet the requirements laid out by CISA.

Let’s take a look at why agencies need a solution solely focused on asset inventory, in addition to their vulnerability scanner, if they want to tackle CISA BOD 23-01.

Asset inventory is a foundational building block

Every effective security and IT program starts with a solid asset inventory. CISA BOD 23-01 reinforces that imperative. Specifically, it states, “Asset discovery is a building block of operational visibility, and it is defined as an activity through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts). Asset discovery is non-intrusive and usually does not require special logical access privileges.”

What does this mean? FCEB agencies looking to meet the requirements outlined by CISA BOD 23-01 must be able to discover managed and unmanaged devices connected to their networks. Internal and external internet-facing assets must be cataloged with full details and context. All within the timeframe outlined by CISA.

So now, the question is why vulnerability scanners can’t be used to meet the requirements laid out in the directive.

The challenges of asset inventory with vulnerability scanners

As the number of devices connecting to networks continues to grow exponentially, agencies need to stay on top of these devices; otherwise, they could provide potential footholds for attackers to exploit. However, common issues like shadow IT, rogue access, and oversight continue to make it difficult to keep up with unmanaged devices. BOD 23-01 highlights the importance of identifying unmanaged assets on the network. That’s why the need for a fully comprehensive asset inventory is the key to adequately addressing the directive.

So, why can’t vulnerability scanners deliver on asset inventory? Most vulnerability scanners combine discovery and assessment together, resulting in slower discovery times, delayed response to vulnerabilities, and limited asset details. As a result, most agencies are left wondering how they can do a better job building their asset inventories.

Combining discovery and assessment slows everything down

Vulnerability scanners typically combine asset discovery and assessment into one step. While on the surface, this appears to be efficient, it is actually quite the opposite. In regards to asset discovery, CISA BOD 23-01 specifically requires that FCEB agencies perform automated discovery every 7 days and identify and initiate on-demand discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.

Because vulnerability scanners leverage a lot of time-consuming checks, they’re not able to scan networks quickly enough. Add in the complexity of highly-segmented networks and maintenance windows, and it is nearly impossible to effectively utilize vulnerability scanners for discovery and meet the timing requirements outlined by CISA.

Under the new directive, assessing the potential impact of vulnerabilities becomes even more urgent. Agencies will need to perform on-demand discovery of assets that could be potentially impacted within 72 hours, if requested by CISA. When security news breaks, agencies need to respond as quickly as possible, but vulnerability scanners slow down the process. In a scenario like this, it would be more efficient to have a current asset inventory that agencies can search–without rescanning the network. This is particularly useful if agencies know there are specific assets they need to track down, they can query their existing asset inventory to identify them immediately.

For example, let’s say a new vulnerability is disclosed. Vendors will need some time to develop the vuln checks, and agencies will need to wait for the vuln checks to become available. Once they’ve been published, agencies can finally start rescanning their networks. Imagine waiting for the vuln check to be released, and then delaying the rescan due to scan windows. Without immediate insight into the potential impact of a vulnerability, agencies are playing the waiting game, instead of proactively being able to assess the risk.

How agencies can speed up discovery

So, what can agencies do? Let vulnerability scanners do what they do best: identify and report on vulnerabilities. Complement them with a dedicated solution that can automate and perform the discovery of assets within the timeframe set by the directive. In order to accomplish this, the asset inventory solution must be able to quickly and safely scan networks without a ton of overhead, be easy to deploy, and help security teams get ahead of new vulnerabilities.

Agencies need to have access to their full asset inventory, on-demand, so they can quickly zero in on any asset based on specific attributes. This information is invaluable for tracking down assets and investigating them, particularly when new zero-day vulnerabilities are uncovered. When the new zero-day is announced, agencies can find affected systems by searching across an existing asset inventory–without rescanning the network.

Meet CISA BOD 23-01 requirements with a dedicated asset inventory solution

It is increasingly evident that decoupling discovery and assessment is the most effective way to ensure that agencies have the data needed to accelerate vulnerability response and meet the requirements outlined in the directive. Because let’s face it: vulnerability scanners are really good at vulnerability enumeration–that’s what they’re designed to do. However, they really miss the mark when it comes to discovering assets and building comprehensive asset inventories. Because vulnerability scanners combine discovery and assessment, they aren’t able to scan entire networks quickly, and at times, they don’t fingerprint devices accurately.

As a result, many agencies are wondering how to meet the requirements outlined in CISA BOD 23-01 if they can’t depend on their vulnerability scanner for discovery. Agencies will need to start looking for a standalone asset inventory solution that is capable of performing unauthenticated, active discovery, while also enriching data from existing vulnerability management solutions.

How runZero can help a
gencies focus on asset discovery

runZero separates the discovery process from the vulnerability assessment stage, allowing agencies to perform discovery on-demand. Because runZero only performs discovery, it can deliver the data about assets and networks much faster than a vulnerability scanner. Customers have found that runZero performs scans about 10x faster than their vulnerability scanner, allowing them to:

  • Get a more immediate day one response to new vulnerabilities.
  • Gather as much information as possible about assets while waiting for vulnerability scan results.

That means, while waiting for vulnerability assessments to complete, agencies can already start digging into their asset inventory and identifying assets that may be impacted by a vulnerability. runZero regularly adds canned queries for assets impacted by newly disclosed vulnerabilities and highlights them via Rapid Response. Users can take advantage of these canned queries to instantly identify existing assets in the inventory that match specific identifiable attributes. For example, querying by hardware and device type can narrow down assets to a specific subset that may be affected by a vulnerability. All of the canned queries can be found in the Queries Library.

All in all, runZero is the only asset inventory solution that can truly help FCEB agencies stay on top of their ever-changing networks. By decoupling asset discovery from vulnerability assessment, agencies will gain visibility and efficiencies, while meeting the requirements set by CISA BOD 23-01.

  

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

如何管理端點中的權限?

If you are running an organization, you should be concerned with managing endpoint privileges to ensure devices such as laptops, smartphones, and tablets do not pose a threat to the cybersecurity of your company.

In this sense, one can use a PAM solution to support privilege management and avoid risks when not implementing the principle of least privilege.

In this article, we explain how this works and how GO Endpoint Manager can help you. To facilitate your understanding, we divided our text into topics. They are:

  • What is Endpoint Privilege Management?
  • How does a PAM Solution Support Privilege Management?
  • GO Endpoint Manager as a Solution for Managing Privileges in Endpoints
  • About senhasegura

Enjoy the reading!

What is Endpoint Privilege Management?

Endpoint privilege management combines application controls and privilege management and enables a company’s employees to have enough access to perform their activities without having full entitlements to the IT system.

Through endpoint privilege management (EPM) technologies, professionals have access only to trusted applications and companies are able to remove local administrator access with little impact on end users.
In practice, we are referring to the implementation of the principle of least privilege, according to which employees receive only the necessary permissions to perform their tasks.

How does a PAM Solution Support Privilege Management?

Privileged Access Management (PAM) consists of a set of information security strategies and technologies that aim to protect accounts by controlling privileged access and permissions for users and reducing risks of external attacks as well as insider threats.

With its evolution, Gartner included two classifications that describe different PAM solution approaches. They are: Privileged Account and Session Management (PASM) and Privileged Elevation and Delegation Management (PEDM), which is nothing more than the endpoint privilege management.

The focus of PEDM is to provide more specific access controls than those provided by PASM, minimizing threats generated by excessive privileges. PASM is based on more basic methods to protect access, such as the use of passwords.

To gain access, machines and users check administrator accounts that have full or no access privileges.
With PEDM solutions, one can grant only the necessary access for the performance of certain tasks. Moreover, access can be limited to a specific time.

At the end of a session, privileges are revoked and if credentials are compromised, attackers will not be able to persist in their actions.

PASM associated with PEDM makes it possible to control the privileges of administrator accounts, consequently reducing insider and external threats.

Another important function of PEDM tools is to allow administrators to request new roles to obtain the necessary permissions to perform tasks so that privileges are assigned through a flexible approach.
In addition, they help organizations to comply with some criteria, as they often provide reports as well as monitoring capabilities.

GO Endpoint Manager as a Solution for Managing Privileges in Endpoints

GO Endpoint Manager is senhasegura’s PEDM solution. This tool is used to control the delegation of privileges to Windows and Linux-based endpoints, including Internet of Things devices and other wireless devices for corporate networks.

Through this feature, endpoints can be brought into compliance with the security standards of cybersecurity organizations and regulations, such as NIST, CIS Controls, and ISO 27001.

About senhasegura

We, from senhasegura, are part of MT4 Tecnologia, a group of companies focused on information security founded in 2001 and operating in more than 50 countries.

We propose to guarantee digital sovereignty and information security to our clients, granting control of privileged actions and data, and avoiding theft and leaks of information.

For this, we follow the lifecycle of privileged access management through machine automation, before, during, and after accesses. We also seek to:

  • Prevent companies from suffering interruptions in their operations;
  • Automatically audit the use of privileges;
  • Automatically audit privileged changes to detect privilege abuse;
  • Provide advanced PAM solutions;
  • Reduce cyber risks;
  • Bring organizations into compliance with audit criteria and standards such as HIPAA, PCI DSS, ISO 27001, and Sarbanes-Oxley.

Conclusion

By reading this article, you saw that:

  • Endpoint privilege management allows employees of a company to have enough access to perform their activities, without having full entitlements over the IT system;
  • PAM has two complementary approaches to protect accounts, namely: Privileged Account and Session Management (PASM) and Privileged Elevation and Delegation Management (PEDM);
  • GO Endpoint Manager is senhasegura’s PEDM solution. This tool is used to control the delegation of privileges to endpoints.

Was this article helpful to you? So, share our text with someone who might be interested in the topic.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

Backup Strategy and the 3-2-1 Principle

Data loss comes in all sizes: small (individual files), medium (SharePoint site), and large (ransomware and disaster recovery). No matter the size of the loss of data, none of them are fun, and even the smallest of data loss events could leave you lacking your most critical data.
That one spreadsheet or that one hard disk drive could have what you and your business rely on most – it’s not always something someone can “just create again” on a whim as data loss is indiscriminate in its impact.
All data loss events negatively impact workflow, and all are risk and data protection concerns that ultimately are a business imperative. Proactive data protection through backup and data management is at the forefront of all of our minds—or at least should be. Now why is that?
Years ago, the assumption prevailed that cloud services would “take care of everything” once you signed up for a cloud service, with backup being lumped in. But now, more than ever, as the awareness of shared responsibility models for SaaS applications grows which states it is the user who is responsible, it’s clear the onus is on you to have that backup strategy in place.
That’s why the 3-2-1 backup rule—a principle established for on-premises infrastructure which requires multiple copies of backup data on different devices and in separate locations—is still relevant to today’s cloud-based infrastructures by providing essential data-protection guidelines.

Why Back Up Cloud SaaS Data, and Why Now?

Your data is critical to your business operations, and in many cases, maintaining control of and access to it is required by law. (Read more about how third-party security keeps companies in control of their data here.)

SaaS Shared Responsibility Model

Software-as-a-service providers have established documentation that clarifies the areas of responsibilities they have and also those responsibilities that are retained by the customer.
Microsoft, well known for its Microsoft 365 SaaS offering, delineates the boundaries of shared responsibility in the cloud.

While Microsoft does provide some degree of data protection, many people are not aware of the limitations of this protection. The short of it is that Microsoft does not provide suitable backup and restore functionality to customers. Learn more about why your M365 is not backed up (and how to fix it) in our in-depth article here.

And it’s not only Microsoft that has a shared responsibility for their SaaS services.
Google (and backup files to Google drive) has what they refer to, almost ominously, as “shared fate” on Google cloud shared responsibilities.
Likewise, Amazon Web Services (AWS) have their own shared responsibility model. It’s vital customers know and understand the extent of their agreement.

Risks to Data Security

In the days of on-premises backup, the only credible risks were acts of mother nature and hardware failure.
That is, of course, if you ignore software issues. Lots of software (from firmware on RAID adapters to drivers to operating system filesystem implementations and the user applications) problems would cause data loss and a need for restore, from system level down to file level. (That’s one thing I don’t miss about the ‘90s.)
However, in the cloud-computing era, the risks have evolved as much as the ways in which we create, share, and store data, so things are much more complicated now.
With both the prevalence and penetration of ransomware, cybercrime, and not to mention the increased access users have in order to streamline collaboration interactions and boost productivity, data—the lifeblood of a company—has, in many ways, never been more susceptible to data loss, regardless of whether it’s international (malicious actors, ransomware, etc.) or unintentional (human error, accidental deletion).
Sometimes going back to basics can be the place to start in developing or hardening security.

3-2-1 Backup Method

The 3-2-1 principle comes from the days of on-premises data storage. It is still commonly referenced today in the modern, cloud-computing area.
Even though it isn’t directly applicable, word for word, to cloud data, this well-known and widely used principle can still be used today to guide security decision makers in their process of improving their security infrastructure against today’s data risks.

Roughly speaking, the 3-2-1 backup rule requires 3 copies of data, across two types of storage media, with one off-site copy stored.

What Is the Origin of the 3-2-1 Rule?

Backup and recovery solutions have existed since long before cloud computing. However, the methodologies have shifted due to the modernization of the infrastructures, behaviors, needs, and of course a lot more variables (but we won’t get into that here), which has resulted in some discrepancies between best-practice principles and their application to modern data infrastructures.
This is also the case with the 3-2-1 backup rule, with the biggest change being the shift of how data is created and stored (or rather where).
Formerly, production data was created on site and stored in on-premises hardware, alongside one backup copy, and the third being stored off premises and typically on tapes. ComputerWeekly has a feature on if the cloud has made 3-2-1 obsolete.
In the cloud era, data is created in numerous places by remote workers in SaaS applications, where it is often transferred around the globe, and is stored “somewhere else” from a business’s physical office. More than likely, the extent of an answer to the question of “where is your data stored” is that it’s in the cloud. But is that backup? And what is true backup in the cloud?

How Does the Rule Apply to Cloud Backup?

We often see iterations of this backup principle in fancy infographics that almost forget to translate the rules to apply to the current scenarios. However, with a few tweaks, there’s plenty of relevant guidance that can help lead to a successful, modern, data security system.

Let’s look at the rules with a modern lens:

3 Copies of Your Data

The ‘3’ in the rule refers to the number of “copies of your data,” with one being the primary dataset in the production environment while the remaining two copies are backups. This is still applicable to modern data protection best practices.

2 Administrative Domains

As mentioned, the ‘2’ can be understood as “two administrative domains” so that copies are managed independently from the other or are stored within separate logical environments. You often see this written as “two types of media,” which is a relic from the on-prem past when it was made up of disks and tapes.
Now, it’s about having copies across multiple disks and across two administrative domains so that one data-loss event cannot possibly—or is extremely unlikely to—impact all copies of the data. This is known as a logical gap.
Without it, should there be a cloud-wide compromise (such as a breach) or data loss event of the cloud where your primary data lives, your data would not be available to you.
One of the best-known examples of this is the Danish shipping giant Maersk and the infamous NotPetya cyberattack, dubbed “the most devastating cyberattack in history” in the full Wired story here.
When working “in” the cloud, the building you are in isn’t of any real consequence to the data. Rather, it’s the cloud you are working in and storing data in that matters. In many regards, this step could envelop the step below, “1 copy external,” but in respect to the principle, it serves us here to keep it a separate consideration.
Should there be a cloud-wide compromise or data loss event of the cloud where your primary data lives, your data would still be available to you by following the rule. Without doing so, you’ve lost access to your data (or even lost your data permanently), with an impact that has a massive potential for business disruption and costs (as in the case of Maersk).

1 Copy External

Formerly the ‘1 off-site storage copy,’ this still applies for the same reasons as it did in the past: You don’t want to store all of your data in the same exact location, and whether all are aware or not, the cloud is located in physical data centers.
From the on-premises days, this meant literally having a copy of disks and/or tapes in a different location from your business in case someone, something, or some event with the power to destroy the building did so. Let’s call this the “in case of fire” step.
In cloud computing, this means having a backup copy outside the cloud of the production environment and outside the administrative domain of the other backup. Remember, the cloud is ‘just’ physical data centers, so by working in the cloud, the centers you are storing your data in are of real importance to the data.
What if the data center of the cloud you are working in is also the same data center that your backup cloud data is stored in? Should there be a data loss event at that center, all of your data would be at risk from that event. That’s bad.

Use Case: What would this look like in real life?

If, for example, you are working on a Microsoft Word document and you save it to OneDrive that has OneDrive Backup turned on, you’re totally protected, because it says “backup,” right? This is an example where the 3-2-1 principle still helps shed light on modern data protection in the cloud.
By following the 3-2-1 rule above, one can deduct that this example isn’t backup (but neither is a lot of what SaaS providers offer as ‘backup’) because true backup requires a logical infrastructure separate from the primary data.
As the “in case of fire” step requires, you must have one copy outside of the administrative domain. By working in and backing up OneDrive data to Microsoft’s cloud services, the data remains in the same administrative domain.
What if something were to happen to Microsoft servers? You’d lose access to your primary data and the copies “backed up” since they all relied on the same cloud.
What’s even worse is that since the backup is configured by “you” (i.e., the admin), a compromise of your account can unconfigure it, too. So, a simple case of ransomware could completely and automatically disable or work around such in-service protections—even leading to immediate backup data deletion.
Keepit, on the other hand – aside from being separate (and therefore unlikely to be compromised at the same time by the same mechanism), as a dedicated backup solution – will actually protect even the administrator from quickly or immediately deleting backup data.
In this respect, Keepit offers some of the most desirable features of “the tape in an off-site vault” in a modern cloud service solution.

Here’s how to use the 3-2-1 backup rule to ensure you’re covered: Independent cloud

If you’re interested in further reading, check out our e-Guide on SaaS data security for a thorough look into leading SaaS data security methodologies and how companies can raise the bar for their data protection in the cloud era.
Convinced you need backup, but want to know more about data protection and management for your particular SaaS application, then explore how Keepit offers cloud data backup coverage for the main SaaS applications here.

 

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

零信任:它是什麼以及如何實施

Zero Trust and Data Security in Companies 
Due to the surge of ransomware attacks, the increased risks for data loss, and the continuous adverse effects cybercrime poses, many organizations have adopted the zero-trust principle to harden the security of their systems, thereby increasing their cyber resiliency.

Cyberattacks have become so ubiquitous that the Biden White House issued a statement urging American business leaders to strengthen their organization’s cybersecurity measures.

As it stands, GlobeNewswire reported that zero trust security is expected to reach a market value of $29 million USD by the end of 2022 and increase to US $118.7 billion by 2032. This significant growth in the coming decade comes from the value zero trust brings companies.

The simple fact is that business leaders are following its principles, like consistent monitoring and validation, because these principles help prevent data breaches and mitigate data loss.

This post will dive into what the zero principle is, as well as its capacity to tighten workplace data and security, effectively ushering in what Microsoft calls:

A new security model that more effectively adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they’re located.

What are the cybercrime trends that zero trust can help curb?

One trend that’s risen in recent years is ransomware. Ransomware cripples businesses by locking their computer systems until a sum of money is paid. These attacks are expected to have a price tag of $265 billion USD annually by 2031, according to Cybersecurity Ventures.

With how easy it has become for ransomware gangs to deploy ransomware on a multinational scale, businesses need to deploy enhanced cybersecurity solutions to lessen system vulnerabilities, because “when it comes to ransomware attacks, it’s a matter of when, not if.” Read more from the Keepit blog article on how to prepare for ransomware.

It should come as no surprise that ransomware attacks can result in operational downtime. A Statista report stated that the average length of interruption after ransomware attacks is 20 days.

Even minor disruptions can decrease employee productivity, impede communications with clients—among other issues such as the significant fines Marriott faced—and impact business continuity. One might struggle to fully comprehend the serious implications that 20 days of downtime would have for businesses.

Zero trust, in a nutshell, is guided by the principle of ‘never trust, always verify.’

Why Zero Trust?

Zero trust, in a nutshell, is guided by the principle of “never trust, always verify.” It’s a modern security architecture which assumes that internal and external threats exist on the network at all times due to the pervasiveness of cybercrime. And as such, it requires all network users to undergo verification and validation processes before they can access the network resources.

Is zero trust really needed?

Generally, employees within a company access multiple networks simultaneously. There are many, many data exchanges between multiple user devices, across potentially numerous networks – of course, depending on the complexity of a company’s IT infrastructure.

This architecture boosts productivity through increased collaboration. However, this can come with a hidden risk when not following the zero-trust security model.

Zero trust use cases

What might that risk look like? Let’s suppose that one employee working on a single device is validated as “trusted.” But that device has become infected with malware by the user opening a dangerous email. (Learn how to identify a dangerous email.)

Since this user’s device was previously validated and is now assumed harmless, it still has access to all the users and networks as before being infected without having to provide or verify any credentials.

The result is unrestricted access to spread malware from this “trusted” device to other users within the network and to other devices within overlapping networks, allowing the malicious actor to expand their reach and damage, gaining access to more and more of a company’s business-critical data.

This example is the main reason zero trust architecture rejects assuming any device is safe. Rather, the system reduces risks through continuous authentication, thereby enhancing protection for your company’s network system by always verifying and authenticating. According to TechTarget:

This protects your organization in ways other models can’t. It stops malware from entering your network; gives remote workers more protection without affecting productivity; simplifies management of security operations centers with enhanced automation; and extends visibility into potential threats to improve proactive remediation and response.

TechTarget

How to Adopt Zero Trust  

According to a Microsoft zero trust business plan, “digital transformation forces re-examination of traditional security models.” And as such, there are many companies offering guidance. Microsoft alone has helped aid zero trust deployments in thousands of organizations with insightful (and practical) guides on how to adopt a zero-trust business plan.

Global cybersecurity leader Palo Alto Networks shares that there are three crucial steps you need to follow to deploy zero trust architecture in your business:

  1. Define your protected surface: Zero trust architecture can be costly and complicated. As such, identify your protected surface—including components like company applications and assets— rather than focusing on a large network area.

    If your business utilizes Microsoft 365, then you’ll know that documents, email, SharePoint data, and Teams chat must be secured against cyberattacks. Attackers can breach an account with access to the data or hijack your system admin, making it imperative to find a SaaS data backup solution that can maintain multiple backup copies with the needed granularity of data and metadata.

  2. Map your data flow: Plan your business’ flow of instructions and data as this will provide you with information on overlapping networks.

    For instance, where and in which formats is the data stored? If your employees utilize digital, desktop, mobile, or cloud, identify them so you can see how data is moved and shared.

  3. Design your architecture: Essentially, the network architecture should prevent unauthorized access to individuals who aren’t part of your company.

    This is especially relevant if you want to encrypt data before it moves to cloud storage devices. If you want to back up your company’s Microsoft 365 data, for instance, we offer blockchain-based encryption technology that guarantees your backups will remain immutable to ransomware threats and data loss. At Keepit, we also offer comprehensive coverage for M365 applications such as SharePoint, OneDrive, Groups and Teams, and Exchange Online.

Of course, implementation isn’t as simple as one, two, three: It involves a massive undertaking and a focused effort to implement and maintain. There are many, many other variables and considerations.

For instance, you can also adopt multi-factor authentication (MFA) and ensure use of updated devices.

  • MFA is especially relevant for companies who have stored their digital information on cloud computing systems. With MFA, you can prevent unauthorized users from accessing your organization’s resources.
  •  Similarly, encourage your workforce to update their devices with the latest firmware as this typically offers security patches for known vulnerabilities.

Continuously monitor your network and device attributes. Adopting zero trust architecture can prove futile if your workers do not audit and maintain a log for monitoring network traffic.

Do I still need to get backup for my SaaS data?

Ultimately, zero trust makes it much more difficult for external threats to gain access to an organization’s business-critical data – but not impossible. It also does not protect you against internal threats nor from human errors such as accidental overwrites and accidental deletions.

Data protection best practices tell us to always have a backup. That is a fundamental responsibility for you, the data creator and customer of a SaaS service like Microsoft 365, due to the well-documented yet often misunderstood shared responsibility model.  Securing an independent backup is still the best way to ensure 24/7 availability to your data.

With the offerings from specialized third-party backup and data management providers, peace of mind can be had quickly and from a cost-effective service. This is why Keepit was created: Your data, here today, here tomorrow.

Want backup now?

Learn more about Keepit’s SaaS data backup service offerings here.

If you’d like to explore more about backing up a particular SaaS workload like Microsoft 365, find the relevant Keepit blog posts below, as Keepit offers a suite of cloud SaaS data protection services:

  • Read our blog about why you need to back up M365
  • If you’re using Salesforce, read that blog article here
  • Why back up Active Directory (Azure) here
  • And for Google Workspace
  • Finally, read why to back up Zendesk here

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

制定勒索軟件事件響應計劃

Ransomware is considered one of the biggest threats to business in 2022. In this type of cyberattack, hackers block their victims’ computers and charge a ransom to unlock them.

You may be wondering: what are the basic steps of an Incident Response Plan for ransomware or what an Incident Response Plan should include? So we prepared this article.

Here are the aspects a proper response to a ransomware attack should include:

  • Risk Assessment
  • Identification of a Ransomware Attack
  • Defining the Scope of the Attack
    • Isolation of Affected Systems Elimination of Malicious Software Disclosure of the Attack Environment Recovery Incident Recovery Plan Application of Lessons Learned
Keep reading this article and learn all about it!

Basic Steps of an Incident Response Plan An Incident Response Plan involving ransomware shall cover the following steps:

Risk Assessment The first step for those who want to design an Incident Response Plan involving ransomware is to assess the risks and threats faced by the company. In this step, you should understand which types of ransomware your company is most vulnerable to and which assets and data would be most impacted. In addition, it is important to know how and to what extent your organization would be affected by a ransomware attack.

Identification of a Ransomware Attack When implementing an Incident Response Plan for ransomware, it is possible to identify an attack, taking into account there are many types of malware similar to ransomware, and the main signs of the latter are encryption and file blocking.

Defining the Scope of the Attack In an Incident Response Plan for ransomware, defining the scope of the attack is equivalent to measuring how much data and systems were affected by it. That is when you will know if the attack affected a single server, or if all your files kept in the data center or the cloud were impacted as well.

Isolation of Affected Systems The next step is to stop ransomware activities by isolating the affected systems in order to contain the attack and immediately putting the affected systems and networks offline. If this is not possible, disconnect the compromised devices or remove them from Wi-Fi to prevent ransomware infection from spreading.

Elimination of Malicious Software After containing the attack and isolating the affected systems, you must respond to the incident by eliminating malicious software and making sure the attack has been stopped. In the Incident Response Plan for ransomware, this is the time to assess the extent of the damage and check for backups to the locked files.

Disclosure of the Attack

Certain data protection laws and compliance regulations provide that attacks affecting sensitive data must be notified to authorities and persons who have had their information exposed.

So, if a ransomware attack has affected your customers’ data, be prepared to make the disclosure, according to the steps established by the regulatory bodies.

Environment Recovery

After removing the malicious software and disclosing the attack, the focus should be on restoring systems and data by using the backup to retrieve information and reinstalling the systems.

In this step, the security team must work in collaboration with the IT team, ensuring all security mechanisms are updated before reinstalling the impacted systems.

Incident Recovery Plan

If you are not prepared to restore systems and data after the attack, you will need to create an Incident Recovery Plan for ransomware.

This activity may be a bit time-consuming, but it is essential to avoid errors during recovery. In this step, you should also look for ways to recover files that were not saved in backups.

Application of Lessons Learned

Once you have recovered the data and restored your business operations, it is essential to check what has happened. Making a solid assessment of what motivated the ransomware attack will help your company not make the same mistakes and prepare employees to deal with future situations.

Relevant Statistics on Ransomware

  • Here are some relevant figures about ransomware attacks:
  • 9% of Americans have been targeted by this type of attack;
  • Two-thirds of ransomware infections are caused by phishing emails;
  • Annually, ransomware attacks generate $1 billion for malicious attackers;
  • It is believed a ransomware attack will take place every 11 seconds by the end of 2022.
  • In 2020, schools and colleges were the main targets of ransomware attacks.

About senhasegura

We are senhasegura, a company widely recognized as a leader in cybersecurity. Our purpose is to provide sovereignty over sensitive data to the companies that hire us, using PAM to prevent data theft and leaks, as well as shutdowns in activities, which damage the results of corporations.

To achieve this goal, we track the lifecycle of privileged access management and use machine automation before, during, and after access.

Moreover, we automatically audit the use of privileges and privileged actions to prevent abuse, reducing cyber risks. We also bring organizations into compliance with audit criteria and standards such as HIPAA, PCI DSS, ISO 27001, and Sarbanes-Oxley.

Conclusion

In this article, you saw that:

  • Ransomware is a cyberattack in which hackers block their victims’ computers and charge a ransom to unlock them;
  • An Incident Response Plan involving ransomware must include the risk assessment, identification of the attack, definition of the scope of the attack, isolation of the affected systems, elimination of malicious software, disclosure of the attack, and recovery of the environment among its steps;
  • It is also critical to verify what happened after implementing the Incident Response Plan for ransomware; and
  • Alarming numbers reveal ransomware is one of the main cyber threats today.

Did you like our article? Then share it with someone who wants to learn more about Incident Response Plan for ransomware.

ALSO READ IN SENHASEGURA’S BLOG

The Biggest Cybersecurity Challenges for Internet of Things
Network Security Perimeter: Why Is This Concept Obsolete?
How Has Robotic Process Automation Revolutionized Routine Execution?

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.