The right prevention measures can reduce the risk of cyber attacks. But what can you do after your trust company has been the victim of data theft, a DDoS attack or ransomware? Read this blog post to find out what steps you should take after a cyber attack.
Cyber attackers are becoming more and more cunning. Instead of mails from alleged princes, they now come up with deceptively real-looking phishing traps, sophisticated malware and perfidious blackmail attempts. Since cyber criminals are constantly developing their attack strategies, trust companies must also strengthen their security measures. The basic version of standardised antivirus software is often no longer sufficient to ward off today’s cyber threats. Protect all of your trust company’s workloads, data and applications across multiple domains. It is no less important to raise your employees’ awareness of cyber security.
Reading tip: In Part 1 of our cyber security series, you will find out which cyber threats are currently lurking and in Part 2 you will receive practical tips on how you can reduce the risk of hacking attacks on your trust company.
With the right security precautions, the risk of a successful cyber attack is reduced. But what can you do if your trust company has fallen victim to cyber criminals? What do you need to consider when it comes to data loss, a DDoS attack or a ransomware attack? In the next sections, you will learn more about the most common cyber attack scenarios and how you can respond to them.
Data leakage after a hacker attack: How to minimise the damage
Data is often described as the most important currency in the digital world. Cyber attacks and associated data losses cost billions of dollars worldwide every year. If your customers’ data falls into the wrong hands – whether intentionally or accidentally – there is a risk of a permanent loss of trust, fines and sanctions. After a data leak, first get an overview of the extent of the compromised data and the associated risk. Identify the security gap and close it. If personal data is affected, you should report this to the Federal Data Protection and Information Commissioner. Then inform your clients about the data theft. Apologise sincerely and communicate that your fiduciary company will do everything in its power to limit the damage and prevent data leaks in the future. Subsequently, fundamentally revise your data protection concept.
Fiduciary companies are currently particularly at risk of losing valuable data in the event of a hacker attack. Breaks between separate software systems, only partially digitised processes and locally stored files make it more likely that data will be compromised in a hacker attack. Smart fiduciary software can significantly simplify data storage and backup in your fiduciary business. All relevant data is kept on a secure platform that only you and authorised employees can access. You define the access rights so that you always have control over who can view and edit data. The platform provider normally takes all basic security measures, takes care of the backups of your data and creates an IT emergency plan (disaster recovery) so that no customer data is lost even in the case of perfidious hacker attacks or natural disasters.
What you should do in the event of a DDoS attack
DDoS stands for Distributed Denial of Service. A DDoS attack makes your systems or your website either partly or entirely unreachable. “A DDoS attack is primarily about signalling to the attackers that they are not reaching their target. Hold out long enough and the attackers will typically turn away from you,” writes the National Cyber Security Centre (NCSC). First, log the attack by recording netflows and server logs. Do not delete emails from the blackmailers. Keep selected communication channels open and inform your customers about the attack, for example via a static website. Offer alternative contact options such as e-mail, telephone or SMS.
Then analyse the DDoS attack and define a defence strategy. If the attack originates from a limited number of IP addresses, filtering these addresses on your router or firewall may be sufficient. If the data volume exceeds the bandwidth available to you, your internet provider must handle the filtering. In the case of IP-based attacks, you can move the attacked system to another subnet. If the attack uses forged source IP addresses, filtering by IP address makes no sense and can even lock out legitimate users; contact your internet provider, who can redirect and filter out this traffic. To do this, you should know which protocols are used in your trust company and which can be filtered out without harm. DDoS attacks on applications often take the form of a large number of complex requests that paralyse the application. According to the NCSC, the sender address of these requests is difficult to forge, so you can filter them. In the case of attacks on the SSL/TLS protocol, terminating the SSL connection at a cloud service that then forwards the filtered connection to your systems can be helpful.
Be prepared for the fact that in the event of a DDoS attack, the attackers will try to adjust to your defensive measures and adapt the tactics. In such a case, analyse the DDoS attack again and apply appropriate countermeasures.
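The decision described above, whether a flood from a few addresses can be dropped on your own router or firewall or whether the traffic is so spread out (or spoofed) that the provider must filter upstream, can be made from the server logs you recorded at the start. The following is an added example, not code from the blog or the NCSC; the access-log layout, the sample addresses and the thresholds are assumptions.

```python
"""Added example (not from the blog or NCSC): decide from web-server access-log
lines whether a flood comes from few addresses that a local firewall rule can
drop, or is so spread out (or spoofed) that the provider must filter upstream.
The log layout and the thresholds are assumptions."""
from collections import Counter
import re

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ \S+')

def make_lines(ip, n, path="/login"):
    """Construct n access-log lines from one source (sample data, not real traffic)."""
    return [f'{ip} - - [12/May/2024:10:00:{i % 60:02d} +0200] "GET {path} HTTP/1.1" 200 512'
            for i in range(n)]

# Two constructed attack pictures: two hosts hammering /login beside a few real
# visitors, and 300 distinct addresses sending one request each.
CONCENTRATED = (make_lines("203.0.113.7", 400) + make_lines("198.51.100.23", 350)
                + make_lines("192.0.2.10", 3, "/index.html") + make_lines("192.0.2.11", 2, "/about"))
DISTRIBUTED = [line for net in ("203.0.113", "198.51.100")
               for i in range(1, 151) for line in make_lines(f"{net}.{i}", 1)]

def count_sources(log_text):
    """Requests per source address; lines that do not parse are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            counts[match.group(1)] += 1
    return counts

def triage(counts, share=0.90, max_sources=5, min_share=0.05):
    """If at most `max_sources` addresses carry `share` of all requests, filter
    them locally, but only those that each carry at least `min_share`, so that
    a legitimate visitor who happens to be in the top list is not locked out.
    Otherwise the flood is distributed (or the source addresses are forged, in
    which case per-address counts mean nothing) and the provider has to filter."""
    total = sum(counts.values())
    top = counts.most_common(max_sources)
    if total and sum(n for _, n in top) / total >= share:
        block = [ip for ip, n in top if n / total >= min_share]
        return {"strategy": "filter_locally", "block": block, "sources": len(counts)}
    return {"strategy": "escalate_to_provider", "block": [], "sources": len(counts)}

if __name__ == "__main__":
    for name, lines in (("concentrated", CONCENTRATED), ("distributed", DISTRIBUTED)):
        print(name, triage(count_sources("\n".join(lines))))
```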
The most important steps if your trust company is infected by ransomware
Ransomware is a malicious programme that restricts or prevents access to data and systems. The attackers usually demand a ransom for the release. According to the NCSC, you should immediately disconnect the infected systems from the network in the event of a ransomware attack. To do this, unplug the network cable from the computer and switch off any WLAN adapters. After limiting the damage, you should identify the infected systems. Log files can help here: use them to identify accesses to network drives. The metadata of the encrypted files can also provide clues to infected systems; for example, it tells you which user accounts created the files. Back up these log files. According to the NCSC, the logs of the e-mail server, proxy server and firewall, as well as any other security software, can be used to determine the extent of the infection and to detect the URLs and IP addresses of the attackers. Block these URLs and IP addresses on the internal proxy server or on the firewall. This prevents unwanted connections to the infrastructure of the cyber attackers. In the case of an infection via e-mail, you may be able to read the URL and IP address directly from a hyperlink in the e-mail or from an attachment.
Afterwards, back up caches and hard drives. Even if the ransomware has also encrypted your local backups, you should keep all of the encrypted data. “In some cases, security and law enforcement agencies have been able to gain access to keys or decryption methods in the course of their investigations,” says the NCSC. The next step is to reinstall the systems affected by the cyber attack. Make absolutely sure that the operating system used comes from a trustworthy data medium.
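The proxy-log work described above, finding every host that fetched the link from the phishing mail and collecting the addresses those hosts contacted immediately afterwards as candidates for the firewall and proxy blocklist, can be done with a short pivot script. The following is an added example, not code from the blog or the NCSC; the log layout, the sample hosts, the seed URL and the five-minute window are assumptions.

```python
"""Added example (not from the blog or NCSC): pivot through proxy-log lines to
find every internal host that fetched the malicious URL from the phishing mail,
then collect the other destinations those hosts contacted shortly afterwards as
candidate attacker infrastructure for the firewall/proxy blocklist.
Log layout, field order, sample data and the pivot window are assumptions."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, user, method, URL, HTTP status.
PROXY_LOG = """\
2024-05-12T08:58:10 10.1.2.20 anna GET https://intranet.example/start 200
2024-05-12T09:01:42 10.1.2.20 anna GET http://invoice-portal.example/doc.zip 200
2024-05-12T09:01:50 10.1.2.20 anna POST http://203.0.113.55:8080/gate.php 200
2024-05-12T09:02:05 10.1.2.20 anna GET https://www.example.org/ 200
2024-05-12T09:10:00 10.1.2.31 ben GET http://invoice-portal.example/doc.zip 200
2024-05-12T09:10:09 10.1.2.31 ben POST http://203.0.113.55:8080/gate.php 200
2024-05-12T09:10:15 10.1.2.31 ben GET http://198.51.100.9/key 200
2024-05-12T09:30:00 10.1.2.40 cara GET https://news.example.com/ 200
2024-05-12T11:00:00 10.1.2.20 anna GET https://mail.example/ 200
"""
SEED_URL = "http://invoice-portal.example/doc.zip"  # hypothetical link from the phishing mail
# Allowlist so that ordinary browsing inside the window is not blocked by mistake.
KNOWN_GOOD = {"intranet.example", "www.example.org", "mail.example", "news.example.com"}

def parse(log_text):
    """Split each line into a record; the URL host is what a blocklist needs."""
    rows = []
    for line in log_text.splitlines():
        ts, client, user, method, url, status = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "user": user, "url": url, "host": urlsplit(url).hostname})
    return rows

def pivot(rows, seed_url, window=timedelta(minutes=5)):
    """Return (infected clients -> (user, first contact), hosts to review and block).
    Candidates still need an analyst's look before they go on the firewall."""
    infected, candidates = {}, set()
    for row in rows:
        if row["url"] == seed_url:
            infected.setdefault(row["client"], (row["user"], row["ts"]))
    for row in rows:
        hit = infected.get(row["client"])
        if hit and hit[1] <= row["ts"] <= hit[1] + window and row["host"] not in KNOWN_GOOD:
            candidates.add(row["host"])
    return infected, candidates

if __name__ == "__main__":
    infected, candidates = pivot(parse(PROXY_LOG), SEED_URL)
    for client, (user, first) in infected.items():
        print(f"infected: {client} ({user}) first contact {first}")
    print("block candidates:", sorted(candidates))
```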
Ransom payments to cyber criminals cause more attacks
After a cyber attack of any kind, you should clarify how the attackers were able to penetrate your systems and what they were doing there. This is the only way to ensure that there is no backdoor through which the cyber criminals can carry out further attacks. The NCSC also advises filing a criminal complaint with the cantonal police at your place of business. Should fiduciary companies pay a ransom in the event of cyber extortion? For the NCSC, the answer is a clear no: “There is no guarantee that the criminals will not publish the data after paying the ransom or make other profit from it. Moreover, every successful extortion motivates the attackers to continue, finances the further development of the attacks and promotes their spread.”