Being Cyber Ready

July 2022

The latest on cyber to help protect businesses

With the recent high profile international attack to a US-based fuel pipeline, and the local attack on the Waikato DHB, the headlines are a regular reminder of the importance of understanding cyber risks and knowing what to do if a cyber event happens.

Below are a couple of key updates on cyber security.

Five steps to help contain the impact and preserve critical evidence – Incident Response Solutions

NZI’s cyber insurance partner, Incident Response Solutions, has compiled five steps to help businesses contain the fallout and preserve critical evidence if they are hit by a cyber breach such as ransomware.

The steps below are the first course of action:

Containment

Contain the impact by assessing any compromised systems and determining which of the following steps can (safely) be taken:

1. Disable the networking environment and individual endpoints (servers, workstations etc).

2. Unplug endpoints from the cable network or remove them from the Wi-Fi network (consider turning off the Wi-Fi access point).

3. If you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.

4. Consider using out-of-band communication methods such as phone calls or a third-party conferencing facility. Attackers often try to remain in your environment, or establish ‘persistence’ so they can regain access later, and may be monitoring your organisation’s activity or communications.

Preservation

5. Create copies/backups of the affected systems in their compromised state and preserve this evidence. If the compromised device cannot be copied/backed up, leave the device powered on and disconnected from the network where possible.

  • Examples of devices to be preserved include: Servers including Virtual Machines, network attached storage devices and other backup formats, workstations, laptops, and mobile devices. It’s important to note that the preservation of servers and virtual machines is time critical and should be initiated as soon as possible, preferably with the support of forensic expertise.
  • Examples of network data to be preserved include: Network traffic logs, firewall logs, security/antivirus logs, Windows Event Logs, Microsoft 365 Unified Audit Logs, Microsoft 365 Azure Active Directory Logs.

Did you know? - New Microsoft 365 Audit feature to capture log files

As part of Microsoft's 'Advanced Auditing' functionality, Microsoft has introduced a new mailbox auditing action called 'MailItemsAccessed', which helps with investigating the compromise of email accounts.

This is part of Exchange mailbox auditing and is enabled by default for users who are assigned an Office 365 or Microsoft 365 E5 licence, or for organisations with a Microsoft 365 E5 Compliance add-on subscription.

With ‘MailItemsAccessed’ enabled, administrators are able to identify almost every single email accessed by a user, giving organisations forensic defensibility to help assert which individual mail items were or were not maliciously accessed by an attacker.
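As an added illustration (not code from NZI or Incident Response Solutions), the parser below works through constructed MailItemsAccessed records in the shape Exchange Online’s Search-UnifiedAuditLog returns them, where AuditData is a JSON string. The field names (MailAccessType, IsThrottled, Folders, FolderItems, InternetMessageId) follow Microsoft’s documented record layout; the user, IP address, session and message IDs are made up. It separates per-item ‘Bind’ reads from folder ‘Sync’ access, which is not itemised, and flags throttled records, the reason an investigator can account for almost, but not quite, every email.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape Search-UnifiedAuditLog returns them
# (AuditData is a JSON string). Addresses, IDs and message IDs are made up.
SAMPLE_RECORDS = [
    {"UserIds": "alice@example.com", "Operations": "MailItemsAccessed",
     "AuditData": json.dumps({
         "ClientIPAddress": "203.0.113.5", "SessionId": "s1",
         "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                 {"Name": "IsThrottled", "Value": "False"}],
         "Folders": [{"Path": "\\Inbox", "FolderItems": [
             {"InternetMessageId": "<invoice-1@example.com>"},
             {"InternetMessageId": "<payroll-2@example.com>"}]}]})},
    {"UserIds": "alice@example.com", "Operations": "MailItemsAccessed",
     "AuditData": json.dumps({
         "ClientIPAddress": "203.0.113.5", "SessionId": "s1",
         "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                 {"Name": "IsThrottled", "Value": "True"}],
         "Folders": [{"Path": "\\Sent Items", "FolderItems": []}]})},
]

def parse_record(rec):
    """Flatten one MailItemsAccessed record into the fields an investigator needs."""
    data = json.loads(rec["AuditData"])
    props = {p["Name"]: p["Value"] for p in data.get("OperationProperties", [])}
    return {
        "user": rec["UserIds"],
        "ip": data.get("ClientIPAddress"),
        "session": data.get("SessionId"),
        "access_type": props.get("MailAccessType"),       # "Bind" = item read, "Sync" = folder sync
        "throttled": props.get("IsThrottled") == "True",  # True: logging was throttled, list incomplete
        "folders": [f.get("Path") for f in data.get("Folders", [])],
        "message_ids": [i["InternetMessageId"] for f in data.get("Folders", [])
                        for i in f.get("FolderItems", [])],
    }

def summarise_access(records):
    """Per user/IP/session: items read, folders synced, and whether any record was throttled."""
    out = defaultdict(lambda: {"messages": set(), "synced_folders": set(), "throttled": False})
    for rec in records:
        if rec.get("Operations") != "MailItemsAccessed":
            continue  # other audit operations are out of scope here
        r = parse_record(rec)
        key = (r["user"], r["ip"], r["session"])
        if r["access_type"] == "Sync":
            out[key]["synced_folders"].update(r["folders"])  # synced items are not enumerated
        out[key]["messages"].update(r["message_ids"])
        out[key]["throttled"] = out[key]["throttled"] or r["throttled"]
    return dict(out)
```

A throttled session means the mailbox generated more records than the service logs in the window, so a synced folder or a throttled flag should be read as "possibly more was accessed", not as a complete list.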

Cyber cover is a key tool for protecting businesses – click here to read about NZI’s cyber cover options. And if you missed it last time, in July last year we released the top 10 ways to prevent cyber incidents.