Backup, Backup, Backup
Please, introduce yourself.
My name is Kyle Posey. I am a Server expert for the Recovery & Remediation team at BreachQuest.
How do you explain what you do to your non-technical family/friends?
I usually tell them I help businesses recover from any type of ransomware hit. Then I usually have to explain what ransomware is. Defining ransomware gives them a better understanding of what it means to go through a cyber attack. Though that is changing. Because of how much it is happening, how frequent it’s been, and how much more public these things are becoming, you are starting to see ransomware used more and more in everyday conversations.
Do you go onsite with the team?
I am remote. Normally, the team is scrambled. We’ll have a team of server experts, desktop experts, and engagement leaders on site. During these events, internet connectivity, or any type of remote connectivity, is usually shut down. I’m able to walk the client through things on the phone to get access to their systems, figure out how to help them rebuild, implement new programs, and install security systems on their computers and their assets. I make sure that we can access everything we need to get them up and running again.
I usually work with the technical point of contact. They’re generally more understanding of the situation. We can level with them and explain what a road to recovery looks like. And then they can process that much more easily than the C-level or owners who only see the financial implications. It’s a little bit easier to work with them.
What do you wish every IT/Security team had done to make a recovery quicker or easier?
The one thing that I cannot stress enough to everyone is backups! Test them regularly, store them offsite, and keep extra copies. As long as you have good backups, you can recover quicker and easier than going through a complete rebuild or paying the ransom to recover your files.
This is what I preach. The biggest thing that I have to stress to everyone is to make sure you’re backing everything up. But then you need to make sure you’re testing out those backups periodically. Testing is the only way to know if the backup is good or not when you go to restore. So if you’re not testing them, they may not be a good backup. If your backup is not going to restore properly, you’re just as badly off as if you weren’t running backups. Backups are the only way that anybody can cut their downtime. A good backup saves time getting back up and operational and reduces loss of business. Whatever the industry is, everything revolves around having good backups and having multiple copies.
Now ransomware bad actors are infiltrating the backups. What do you do then?
It’s now very common that they do. Threat actors know the backup systems. There are a lot of common backup systems that companies will use. But there are ways around them. My best suggestion is to do offsite backups, where basically, you make a backup on physical media. Then you store it physically in another location, not connected to anything. Take the tape or whatever you use and stick it in a safe where it cannot be touched. Just be sure it is protected from natural disasters too. Have it stored in locations that are rated to protect against any type of EMP, earthquakes, tornadoes, fire, or things like that.
You used to work with the DoD. What did you learn from that role that you still use today?
One of the things that stayed with me consistently throughout my entire career since working in the Department of Defense, whether it was the Army, Air Force, Marine Corps, Navy, or even some of the other DoD branches, was cyber awareness training for the users. I am a firm believer that your employees are your biggest threat to your network. In the military, nobody would be allowed to use the network until they went through cyber awareness training. You would have interactive training sessions and then test your knowledge on them. It would show you what phishing could look like. It would illustrate what happens if you leave your company-provided device somewhere. It would give a broad overview of things that can happen and things for users to look out for. And until they passed the test, they wouldn’t be allowed to use the network.
Cyber training is not going to make everybody a security expert. But what it will do is give everybody working in your environment some idea of what not to do. A lot of the time, users will be your single point of failure for an event. They click on a suspicious link, download a malicious file, something like that. User awareness training seems to be a very small thing, but it can have one of the biggest impacts on the security of your network.
Do you think people are getting better at detecting malicious actions?
There is more awareness. But people don’t understand just how dangerous it is. For example, not many people know what an endpoint detection and response (EDR) solution is. But you can make them aware of it, tell them about it. Anyone who has gone through a breach thinks an EDR solution is great. Maybe because we provide a free trial to all of our clients. But people who have not had a cyber incident think their standard antivirus solution will protect them. There is not enough emphasis on how potent and dangerous things are if you’re not doing them properly.