
Image by Gerd Altmann from Pixabay

You’ve Just Recovered from a Cyber-Attack, What’s Next?

Your organization has just recovered from a cyber-attack. What will you do next?


A.     Lick your wounds and get back to work


B.     Pray another attack doesn’t happen


C.     Assess your readiness and prepare


If you answered A or B, you could stop reading right now; the remainder of this article will be dull. I’m not guaranteeing it won’t be boring for those who choose to continue reading, but it hopefully will be informative!


Security frameworks such as NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” and the Center for Internet Security’s (CIS) “CIS CONTROLS V7.1” both state the need to know what IT assets are in your organization’s environment. When a cyber-attack is first detected, the work begins to identify the attack vector and the attack surface. The attack surface is the IT assets and the networks that connect them, but we also need to consider those off-network assets that may be added to the network at any time.


If your organization has recently recovered from a cyber-attack, were you surprised by the number of IT assets found during the resolution? Many organizations underestimate the number of assets they have. There is a common saying for IT security – you can’t secure what you don’t know you have.


So, your organization recovered from this attack, but have you plugged the holes that allowed rogue and unmanaged assets to connect to your network?


What You Should Do After a Cyber-Attack is Resolved


1.     How bad was it?

Not the attack, but how many assets of all types were found that you were unaware of?


2.     How many problem areas are there?

Were the majority of rogue assets from one or two departments? If yes, then you have the first areas to focus on fixing.


3.     Can you determine where they came from?

Were they leftovers from a refresh? Were they abandoned after a project or when an employee left the organization? Were they purchased by avoiding policies or standard procedures? Were they purchased using a budget redistributed from IT’s budget?


4.     Why did it happen?

  • Did the purchaser not understand policies or procedures? 
  • Are there missing or incomplete processes?
  • Are the tools insufficient?


5.     What needs to be fixed?


Are policies and/or procedures not understood or known?

a.     Review policies for accuracy, completeness, and perhaps most important, clarity.

b.     Review training practices. Are new employees and contractors educated on the policies and procedures? Do employees and contractors receive continuous training?

c.      Is the culture supportive of a disciplined approach to managing IT assets?


Are there missing or incomplete processes?

a.     How are asset purchases approved and paid? Is there a formal request/approval process?

b.     Are off-boarded employees’ and contractors’ assets collected?

c.      Are project-related assets collected after the project is complete?

d.     Does the tech refresh cycle retrieve replaced assets?

e.     Is a physical inventory performed on a regular basis?

f.      Is there a formal disposal process for asset types?

g.     Are unused assets properly secured and made available for re-use?

h.     Are IT’s installs, moves, adds, and changes accurately reflected in the IT asset repository?


Are the tools sufficient?

a.     Is there a database containing a single source of truth of IT asset data?

Okay, okay, I know. A single source is like expecting a letter from the government saying you never have to pay taxes again. The single source of truth represents the culmination of a significant effort to combine people, process, and tools and it doesn’t happen overnight. Therefore, you have to develop a strategy that allows incremental improvements to your IT asset repository.

b.     Are the electronic discovery tools working and is the data they generate being used appropriately?

c.      Are the assets tagged with either barcodes or RFID tags?

d.     Is barcode or RFID technology used to track physical assets in support of that single source of truth IT asset management repository?
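The tool questions above come down to one check: does what the discovery tools see on the wire agree with what the asset repository says should be there? The following is an added example of that reconciliation, not code from ITAM IQ or from this post. It assumes a repository keyed by MAC address with an owner department, status and last-seen date, a discovery scan that reports MAC, IP and subnet, and a subnet-to-department map; all of the data is constructed for the example. It produces the answers to questions 1 and 2 above: how many unmanaged devices were found, which repository records are stale, and which departments the unmanaged devices cluster in.

```python
"""Reconcile a discovery scan against the IT asset repository (single source of truth).

Three findings are produced, matching the questions an ITAM review asks after an
incident: devices on the network with no repository record (unmanaged), devices the
repository marks as retired that are still on the wire, and repository records no
scan has seen for a long time (possibly lost or abandoned).
All data below is constructed sample data, not from any real network.
"""
from collections import Counter
from datetime import date, timedelta

TODAY = date(2024, 6, 1)   # constructed reference date for the sample
STALE_DAYS = 90            # assumption: unseen for 90 days means "go and find it"

# Constructed: what the asset repository believes.
ASSET_REPOSITORY = [
    {"tag": "A-1001", "mac": "00:11:22:AA:BB:01", "owner": "Finance",   "status": "in_use",  "last_seen": "2024-05-30"},
    {"tag": "A-1002", "mac": "00:11:22:aa:bb:02", "owner": "HR",        "status": "in_use",  "last_seen": "2024-05-29"},
    {"tag": "A-1003", "mac": "00:11:22:aa:bb:03", "owner": "Marketing", "status": "in_use",  "last_seen": "2024-01-15"},
    {"tag": "A-1004", "mac": "00:11:22:aa:bb:04", "owner": "IT",        "status": "retired", "last_seen": "2023-11-01"},
]

# Constructed: what today's discovery scan reported. Note the mixed MAC formats,
# which is typical when several tools feed the repository.
DISCOVERY = [
    {"mac": "00-11-22-aa-bb-01", "ip": "10.10.1.25", "subnet": "10.10.1.0/24"},
    {"mac": "00:11:22:AA:BB:02", "ip": "10.10.2.40", "subnet": "10.10.2.0/24"},
    {"mac": "00:11:22:aa:bb:04", "ip": "10.10.3.9",  "subnet": "10.10.3.0/24"},  # "retired" but still online
    {"mac": "00:11:22:aa:bb:50", "ip": "10.10.3.50", "subnet": "10.10.3.0/24"},  # no repository record
    {"mac": "00:11:22:aa:bb:51", "ip": "10.10.3.51", "subnet": "10.10.3.0/24"},  # no repository record
    {"mac": "00:11:22:aa:bb:60", "ip": "10.10.2.60", "subnet": "10.10.2.0/24"},  # no repository record
]

# Constructed: which department each subnet belongs to (assumption: one owner per subnet).
SUBNET_OWNER = {"10.10.1.0/24": "Finance", "10.10.2.0/24": "HR", "10.10.3.0/24": "Marketing"}


def normalize_mac(mac):
    """Canonical form so records from different tools compare equal."""
    return mac.replace("-", ":").lower()


def reconcile(repo, discovery, subnet_owner=SUBNET_OWNER, today=TODAY, stale_days=STALE_DAYS):
    """Compare discovered devices with repository records.

    Returns a dict with lists: matched (tags), unmanaged (discovery records with a
    guessed owner), retired_but_active (tags), stale (tags of in-use records not seen
    by this scan and last seen more than stale_days ago).
    """
    by_mac = {normalize_mac(r["mac"]): r for r in repo}
    seen = set()
    report = {"matched": [], "unmanaged": [], "retired_but_active": [], "stale": []}

    for dev in discovery:
        mac = normalize_mac(dev["mac"])
        seen.add(mac)
        record = by_mac.get(mac)
        if record is None:
            # Unknown device: attribute it to the department that owns the subnet so
            # the follow-up conversation has a starting point.
            report["unmanaged"].append(dict(dev, mac=mac, owner=subnet_owner.get(dev["subnet"], "unknown")))
        elif record["status"] != "in_use":
            report["retired_but_active"].append(record["tag"])
        else:
            report["matched"].append(record["tag"])

    cutoff = today - timedelta(days=stale_days)
    for mac, record in by_mac.items():
        if record["status"] == "in_use" and mac not in seen \
                and date.fromisoformat(record["last_seen"]) < cutoff:
            report["stale"].append(record["tag"])
    return report


def rogue_by_department(report):
    """Question 2 of the post: are the unmanaged assets concentrated in a few departments?"""
    return Counter(dev["owner"] for dev in report["unmanaged"])


if __name__ == "__main__":
    result = reconcile(ASSET_REPOSITORY, DISCOVERY)
    print("matched:", result["matched"])
    print("unmanaged:", [(d["mac"], d["ip"], d["owner"]) for d in result["unmanaged"]])
    print("retired but active:", result["retired_but_active"])
    print("stale records:", result["stale"])
    print("unmanaged by department:", rogue_by_department(result).most_common())
```

Each list maps to an action the post describes: unmanaged devices go to the owning department and to the purchase-approval review, retired-but-active devices point at a disposal process that is not being followed, and stale records are candidates for the physical inventory. Running the reconciliation after every scan, rather than once after an incident, is what turns the repository into a usable single source of truth.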


After a cyber-attack, there should be a review of what was found during the remediation period regarding how well the organization’s IT assets were managed. Is there an IT asset management (ITAM) program, and does it have the autonomy it needs to manage the organization’s assets? Is the environment overly complicated due to a lack of IT standards?


Suppose your organization can commit to significantly improving the management of the organization’s IT assets. In that case, if, or when, the next cyber-attack occurs, IT security can spend precious time finding and stopping the attack and then repairing the damage instead of trying to define the attack surface.


Additionally, improving your IT asset management operations will pay dividends in other areas like cost savings, compliance, and operational efficiencies.

ITAM IQ Is Your Gateway to Modern ITAM


Our expertise enables individuals to advance their ITAM program for the future by providing next level IT Asset Management best practices knowledge. These practices create a symbiotic relationship between ITAM and departments such as IT Security, IT, Finance, and HR by working in tandem to provide heightened information quality which significantly reduces risks, creates greater financial benefits, further enhances compliance, and increases efficiencies.
