Quick Disaster Recovery plan to implement now for 2022
You have heard the words Business Continuity and Disaster Recovery being thrown around; however, I know a fiery earthquake or the great flood might not be the top of your concern. Sadly, a disaster in today’s world comes in the form of cybercrime. According to TMC.net, 50% of companies that experience a cyber attack go out of business within 6 months of the attack. This is not surprising when you consider the number of preventable data breaches taking place everyday. I want to point out steps for your company to take in order to survive the disaster and get back on track as soon as possible.
What this requires is planning and having steps in place to continue operation. Here are some steps to consider when developing your disaster recovery plan.
The first step is to know what you have on your network, where it is stored and how it is used by employees. This will allow for quick recovery of the data which can be crucial in getting things back up and running.
The best way to find out about all the devices on the network is to use a network scanner. There are many out there, and they are mostly free to use. A popular one that I like to use is called Advanced IP Scanner. Just scan the network and see what you will find. Do you see computers with shared folders? Do you see your Server SYSVOL folders and shared drives? Do you see your network attached storage?
If a cyber criminal would gain access to one computer on the network they would also we able to run the same network scanner to see the rest of the devices they can access on YOUR network. As a matter of fact what most don’t realize is that threat actors use mostly off the shelf tools that are free or open source to infiltrate and move laterally on the network.
So what does this mean for your business?
Your Active Directory that hosts SYSVOL and all of your permissions can be compromised and break all computer sign-ins on the network. If your Network Attached Storage (NAS) is linked with your Active Directory and using a local network password will grant threat actors access into that as well, then you can guess what will happen next. Your backups are now compromised as well. Any computer sharing folders can have a malware payload delivered to it and remotely executed if admin permissions can be attained by the threat actors.
So how do you protect your business?
Let’s start with backups! Let’s face it: if you have great backups that are secure, a restore is only a few clicks and a few hours away from undoing what was done. However, it’s important to have a plan when it comes to backups. Here is what I recommend:
- Keep 3 version of the backups for both Cloud and Local
- Make sure that local backups are not visible on the network scan and they do not share the same passwords as other resources on the network.(such as your admin login to the server)
- Image backups of your servers should be performed either weekly or monthly, and I recommend file backups be performed daily.
- You must keep multiple versions of your backups, because imagine if your data gets encrypted by ransomware and your backups override good data with encrypted data. It would be like you never had a backup to begin with.
Do you know if your backups are good?
Can you go and recover a few files just to test things out? Do you have a written step by step guide on what to do and how to recover files?
Individual file recovery is easier than recovering a server. However, if you have a local server, reinstalling an image backup might be a little more challenging. However, it can be done with proper documentation. I suggest making sure that your business has this black book printed and ready to go in case it ever needs to be used.
What to do after the recovery?
Well, the good news is you survived because you had great backups. However, what do you do now?
How do you make sure this doesn’t happen again?
Do you know the penetration point?
How do you take measures to make sure that backdoor is now closed?
Check list to go through
Firewall
I recommend checking this first as it is the easiest one. Do you see usernames that you don’t recognize? I would suggest changing all passwords for all users for the firewall. Make sure your VPN has 2FA if you are using it enabled.
Check the firewall policies, are there 1:1 NAT rules or routes that point to devices on the network that you are not familiar with?
Workstations
Often times, the attack starts as a phishing attack that allows threat actors access to one particular computer on the network. Look at any machines that have been affected by this attack and disconnect them immediately from the network. It’s a good idea to just reinstall windows on those computers to be on the safe side.
Train your employees
Truth is, a lot of phishing attacks are preventable with proper training that allows your employees to better spot them. It’s certainly an inexpensive step that can save your company a lot of time and money down the road.
Have your network assessed.
If you are not sure how to do the steps above, checkout some local Managed Services Providers (MSP) that focus on cybersecurity. AlphaCIS is located in Metro Atlanta area and we have helped many business develop a Disaster Recovery Plan, Asses their systems and implement policies and procedures to safeguard our clients. If you need some help making sure you business cyber security is on part please reach out to us by calling (678) 619-1218
Dmitriy Teplinskiy
I have worked in the IT industry for 15+ years. During this time I have consulted clients in accounting and finance, manufacturing, automotive and boating, retail and everything in between. My background is in Networking and Cybersecurity
