Cyber Chief Magazine, Ed. 20

Cybersecurity 2023: Reinforcing Defenses

Evolution of Cloud Security: More Tools, Larger Budgets, Greater Threats

Five Cybersecurity Trends that Will Affect Organizations in 2023

Despite substantial increases in cybersecurity defenses around the globe, 2022 was another year of high-profile cyberattacks. Moreover, today’s economic and geopolitical uncertainty is adding to the risks that organizations face.

In order to adjust to these realities, in 2023, companies will shift their cybersecurity priorities. According to Forrester, at least 10% of budgets will move from transformation to resilience. A key strategy will be understanding the most business-critical security risks.

This edition of Cyber Chief Magazine dives into the key trends that will affect organizations of all sizes in 2023 and shares strategies that will help cybersecurity leaders prepare for the challenges and seize the opportunities.

The Cyber Chief team
cyber.chief@netwrix.com
Contents

Cybersecurity: Facts and Figures
4   Cloud Security Trends
    41% of workloads are already in the cloud. Organizations expect this number to increase by 13% by the end of 2023.

Focus
6   Five Cybersecurity Trends that Will Affect Organizations in 2023

Analysis
10  Evolution of Cloud Security: More Tools, Larger Budgets, Greater Threats

Extra Security
16  How To Defend Your Organization Against Common Malware
20  EISA: The Core Principles of Strengthening the Enterprise Cybersecurity
24  Your Business Will Face Cybersecurity Attacks: Here’s How to Prepare and Respond
28  Bouncing Back After a Cyberattack: A Cyber Resilience Checklist
32  Six Ways to Minimize Damage from a Cyber Infiltration
36  How to Reduce Your RPA Security Risk

First-Hand Experience
40  Standard Bank Namibia Mitigates IT Risks and Secures Data Regulated by PCI DSS
Cloud Security Trends

Cloud Usage

41% of workloads are already in the cloud. Organizations expect this number to increase by 13% by the end of 2023.

80% of organizations store sensitive data in the cloud. The most common types are the PII of employees and the PII of customers.

Source: Netwrix 2022 Cloud Data Security Report

Top 3 Goals of Cloud Adoption

Reduce costs                                   61%
Improve security                               53%
Organize infrastructure for remote workers     45%

Source: Netwrix 2022 Cloud Data Security Report

Reasons for Using Multiple Clouds

Managing security                                    43%
More agile and scalable development environment      42%
Best of breed cloud services and applications        41%
Business agility and innovation                      40%
Reducing cloud services costs                        34%
Business resilience and disaster recovery            34%

Source: Cisco 2022 Hybrid Cloud Trends Report

Cloud Architecture

82% of organizations have adopted a hybrid cloud architecture.

92% of organizations use two or more public cloud providers.

Source: Cisco 2022 Hybrid Cloud Trends Report

Evolution of Security Incidents in the Cloud

                                           2022   2020
Phishing                                    73%    40%
Account compromise                          31%    16%
Ransomware or other malware attack          29%    24%
Targeted attacks on cloud infrastructure    29%    16%

Source: Netwrix 2022 Cloud Data Security Report

Top Challenges of Multi-Cloud

Deploying and managing solutions across all cloud environments   61%
Ensuring data protection and privacy for each environment        53%
Understanding how different solutions fit together               51%

Biggest Security Threats for Public Clouds

Misconfiguration of the cloud platform   62%
Insecure interfaces/APIs                 54%
Exfiltration of sensitive data           51%

Source: Cybersecurity Insiders, 2022 Cloud Security Report


Focus

Five Cybersecurity Trends that Will Affect Organizations in 2023

Dirk Schrader
VP of Security Research at Netwrix

Michael Paye
VP of Research and Development at Netwrix

Cybercrime has evolved into a booming business in recent years, so it’s critical for organizations to stay on top of trends that are likely to affect their security. To help, this article details five key IT security trends to be aware of in 2023. The analysis is based on Netwrix’s global experience across a wide range of verticals, including technology, finance, manufacturing, government and healthcare.

The business of cybercrime will be further professionalized

The return of malware strains like Emotet, Conti and Trickbot indicates an expansion of cybercrime for hire. In particular, the growth of ransomware as a service (RaaS) is enabling criminals without deep technical skills to make money, either by extorting a ransom for decryption keys or by selling stolen data on the dark web or to the victim’s competitors. Phishing attacks are a top vector for gaining access to a corporate network in order to plant ransomware or launch other attacks. Accordingly, in 2023, organizations should expect an increase in phishing campaigns.

Vital defense strategies include timely patching and updating of software, as well as locking down network access with best practices like multifactor authentication (MFA) and privileged access management (PAM). In addition, organizations should provide frequent cybersecurity awareness training to all users.

Supply chain attacks will intensify

Modern organizations rely on complex supply chains, which often include small and medium businesses (SMBs), managed service providers (MSPs), and managed security service providers (MSSPs). In the coming year, adversaries will increasingly target these suppliers rather than the larger enterprises. The reason is simple: They know that suppliers provide a path into multiple partners and customers — and that they often have smaller IT budgets and less robust cybersecurity defenses.

To address this threat, organizations of all sizes need to make sure that their risk assessment process takes into account the vulnerabilities of all third-party software and firmware. (If you don’t have a regular risk assessment process yet, make creating one a top priority!)

Understaffing will expand the role of security partners

Demand for cybersecurity professionals is far outpacing supply. This global shortage of cybersecurity talent will increase risks for businesses, especially with attacks becoming even more sophisticated and frequent.

To overcome this challenge, organizations will rely more on their security partners, such as system integrators, channel partners, MSPs and MSSPs. Be sure to vet your partners carefully, and not just once but regularly — as we just saw, supply chain attacks are only going to increase in the coming months.

The human factor will become a top security concern

Users have long been a weak link in IT security — prone to opening infected email attachments, clicking malicious links and other risky behavior. Now, rapid advancements in social engineering and easy-to-use deep fake technology are enabling attackers to trick more users into falling for their schemes.

Accordingly, comprehensive auditing of user activity will become even more crucial for spotting abnormal behavior in time to prevent serious incidents. In addition, implementing a zero standing privilege (ZSP) approach will help organizations prevent abuse of their most powerful accounts, whether by a disgruntled admin or an adversary who compromises their account.

Vendor consolidation will continue gaining momentum

To combat cybercrime, organizations continue to invest in IT security. But having more tools doesn’t always mean better security — point solutions from different vendors operate separately, offer overlapping or conflicting functionality, and require organizations to deal with multiple support teams.

To minimize the security gaps caused by this complexity, organizations are now looking to build a security architecture with a selected set of trusted vendors. This approach offers the additional benefit of reduced costs from loyalty pricing, which in turn leads to a faster return on investment (ROI), an increasingly important factor in the current economic climate.

Hackers keep inventing new attack tactics and techniques, and now they are finding new revenue streams by offering cybercrime as a service. Moreover, they are expanding their attacks to target the entire supply chain, as well as brazenly bribing employees to plant malware or sell their access credentials.

To respond effectively to the evolving threat landscape in 2023, organizations need to focus on protecting their most critical assets. In particular, they need to implement regular risk assessments to identify and mitigate their most pressing risks, along with core best practices like user activity auditing and ZSP to spot and thwart active threats. Finally, they need to prioritize cyber resilience so they can quickly restore business operations after an attack.
Analysis

Evolution of Cloud Security: More Tools, Larger Budgets, Greater Threats

Martin Cannard
VP of Product Strategy at Netwrix

Organizations around the world have already moved vital data and workloads to the cloud, and cloud adoption is continuing. To better understand the challenges that organizations are facing in this area, Netwrix surveyed 720 IT professionals all over the globe via an online questionnaire and compiled the results into its 2022 Cloud Data Security Report.

Here are the key findings and our analysis to help organizations understand the main obstacles on their way to safe cloud computing.

Goals of Cloud Adoption

The need to support remote workers during the pandemic certainly accelerated cloud adoption, but cost reduction and security remain the top two drivers of cloud adoption.

Primary cloud adoption goals

Reduce costs                                   61%
Improve security                               53%
Organize infrastructure for remote workers     45%
Increase responsiveness to customer need       38%
Gain competitive advantages                    28%
Organize infrastructure for remote workers     20%
Reach new markets                              11%
Other                                           5%
Cloud Adoption and Security Budgets

Cloud adoption is in full swing: Organizations report that 41% of their workloads are already in the cloud, and they expect that share to increase to 54% by the end of 2023. And organizations clearly want to protect these cloud investments, with nearly half (49%) of respondents confirming that their cloud security budget increased in 2022.

Has your cloud security budget grown in 2022?

Yes           49%
No            30%
Don’t know    21%
Attacks in the Cloud

However, over half (53%) of organizations suffered a cyberattack on their cloud infrastructure within the last 12 months. Phishing was by far the most common type of attack, experienced by 73% of respondents.

Most common cloud security incidents

                                           2022   2020
Phishing                                    73%    40%
Account compromise                          31%    16%
Ransomware or other malware attack          29%    24%
Targeted attacks on cloud infrastructure    29%    16%
Accidental data leakage                     25%    17%
Data loss                                   23%    13%
Data theft by insiders                      16%    10%
Supply chain compromise                     15%     6%
Data theft by hackers                       14%     7%
Speed of Detection

In addition, the average detection time for most types of attacks has increased since 2020. The most significant slowdown was for supply chain compromise: In 2020, 76% of respondents spotted this type of attack within minutes or hours, but in 2022, only 47% found it that quickly.

Supply chain compromise: detection time

                   2020   2022
Minutes             23%    20%
Hours               53%    27%
Days                18%    30%
Weeks                0%    12%
Months and more      6%    10%

Ransomware has become harder to uncover as well; 86% of organizations needed minutes or hours to detect ransomware in 2020, but in 2022, this share dropped to 74%.

Ransomware or other malware attack: detection time

                   2020   2022
Minutes             35%    35%
Hours               51%    39%
Days                 9%    19%
Weeks                5%     3%
Months and more      0%     4%

Cost of Breaches

Breaches are also getting costlier. This year, 49% of respondents said that an attack led to unplanned expenses to fix security gaps, up from 28% in 2020. The share who faced compliance fines more than doubled (from 11% to 25%), as did the number who saw their company valuation drop (from 7% to 17%).

Data breach consequences

                                           2022   2020
Unplanned expenses to fix security gaps     49%    28%
No impact                                   32%    49%
Compliance fines                            25%    11%
Loss of competitive edge                    23%     8%
Decrease in company valuation               17%     7%
Customer churn                              16%     6%
Decrease in new sales                       15%     8%
Lawsuits                                    10%     5%
Change in senior leadership                  9%     6%
Data Security Challenges

Still, the top 3 data security challenges named by survey respondents stayed the same from 2020: lack of IT staff, lack of expertise in cloud environments and lack of budget. Money is still an issue for many organizations, but the share of those who struggle with this problem dropped from 47% in 2020 to 34% in 2022.

                                                                    2022   2020
IT/security team being understaffed                                  46%    52%
Lack of expertise in cloud security                                  44%    44%
Lack of budget                                                       34%    47%
Lack of visibility into sensitive data in the cloud                  26%    28%
Inconsistency due to multiple workloads across different cloud platforms   26%    25%
Analysis

Attacks are maturing faster than the expertise, tools and processes for defending against them. Indeed, increased budgets and more tools don’t always mean more security: Relying on multiple point solutions from different vendors means complexity — overlapping or even conflicting functionality, as well as multiple support teams — and complexity leads to security gaps.

One way to solve this problem is to build a security architecture with a select group of trusted vendors that offer and support an extensive portfolio of integrated solutions. Another vital strategy is to focus on the most effective security controls first. These include data classification and auditing of user activity: Respondents who classify their data were often able to detect an attack within minutes while those who don’t usually needed hours or even days, and auditing of user activity reduced detection time for phishing, ransomware and account compromise attacks from hours to minutes. More broadly, it is time to pay closer attention to security measures that reduce both the likelihood and impact of security breaches by improving the ability to protect against, detect and respond to threats.
Extra Security

How to Defend Your Organization Against Common Malware Attacks and Living-Off-The-Land Techniques

Dirk Schrader
VP of Security Research at Netwrix
As the sophistication of malware attacks advances each year, organisations must be especially vigilant and prepared for any suspicious activity. Cyber criminals’ tactics are continuing to evolve and nearly every aspect of a digital environment can be exploited. Akin to a digital parasite, threat actors are often armed with the ability to live “off the land” of their targets, which allows them to stay hidden while inside a target’s digital environment and to steal critical data and assets.

Once an attacker infiltrates the victim’s system, they can then deploy different forms of malware to collect as many assets as possible to later blackmail their target and demand a ransom. System hardening processes are one of the best and most effective measures an organisation can take to decrease the chance of success of such attacks. Aligned with the National Institute of Standards and Technology (NIST) guidelines, system hardening allows organisations to take their cybersecurity into their own hands.

Common malware and living-off-the-land techniques

Like most common attack vectors, malware attacks and living-off-the-land (LOL) techniques follow the same basic principles when attempting to compromise a target’s digital assets. To put it simply, when deploying any form of malware extortion, attackers generally follow five steps to achieve their objectives: get there, get into, get ready, get more, and get money.

To ‘get there’, cybercriminals have figured out numerous ways to gain access into a target’s digital systems, such as, for example, distributing targeted phishing using malicious websites and ads. At another level of sophistication, cyber crooks buy the access from so-called ‘Initial Access Brokers’. Once attackers ‘get into’ the environment – via exploiting local vulnerabilities or using weak login credentials – they can then ‘get ready’ to reinforce their LOL techniques to stay invisible and escalate their privileges while inside.

In order to ‘get more’ assets, attackers will laterally move through the target’s digital infrastructure to extract, collect, and own the valuable information either needed for a later extortion attempt or to use for a bigger target connected with the victim.

Ultimately, should the end goal for the attack be to ‘get money’, the attackers will encrypt the critical data and demand a ransom for a decryption key from the targeted enterprise.
How attack surface grows and how to control it

To launch a malware attack, cybercriminals will manoeuvre throughout the organisation’s existing security layers to locate any vulnerabilities or weak points for later exploitation. Security gaps within a target’s data, identity credentials, and digital infrastructure are the three key aspects needed for a successful launch of a malware attack. Any existing weak points become even more vulnerable during any significant changes or events, such as modifying internal password policies or in preparation for a major software update. Due to this, it is important for organisations to maintain full visibility of their software and files when undergoing such events.

To mitigate any subsequent risks, IT security teams should strongly consider reinforcing their digital infrastructures in line with system hardening guidelines. System hardening is the process of reducing the vulnerabilities and security risks within a system, application, or infrastructure with the overall goal to reduce the attack surfaces and withstand emerging attack vectors. When executed correctly, these measures offer ways for organisations to get ahead of, and best defend against, these potentially devastating malware threats.

System hardening guidelines aligned with the National Institute of Standards and Technology

In the myriad of system hardening guidelines available online, the guidelines provided by NIST come as the most recommended and most trusted source – as well as free of cost. Ultimately, as recommended by NIST, prevention and detection are the best first steps to undertake in order to successfully disrupt the path of malware.

Protection is the first step to achieving the most effective state of system hardening. To do so, IT security teams must change their traditional approaches and take on a ‘think like an attacker’ mentality. A change of perspective in this way can make it easier to identify normally overlooked security gaps, categorise the levels of risk, find ways to improve the overall security strategy, and establish which assets are of most value to the organisation. As a result, this will reduce the attack surface and make it especially difficult for an attacker to apply their LOL techniques.

Second to this is the detection of malicious activity before it can escalate any further. It is vital to correctly determine between what is suspicious behaviour versus what is normal within an IT environment that is already constantly changing. This can be done by checking for any indicators of compromise (IOCs) via monitoring unplanned or abnormal file changes and noticing any configuration drifts which may occur within a digital environment.
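To make that detection step concrete, here is an added example in Python (not code from the article or from Netwrix): it records a trusted baseline of file hashes and parsed configuration settings, then compares a later snapshot against it to report unplanned file changes and configuration drift. The file paths and contents are constructed sample data held in memory, so it runs offline.

```python
"""Baseline-and-compare check for unplanned file changes and configuration drift.

Added example, not from the article: a minimal version of the detection the
text describes. The "filesystem" is a constructed in-memory dict so it runs
offline; in practice the same functions would be fed real file contents.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents, used as its integrity fingerprint."""
    return hashlib.sha256(data).hexdigest()


def parse_config(text: str) -> dict:
    """Parse 'key value' or 'key = value' lines, skipping blanks and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("=", 1) if "=" in line else line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].strip()] = parts[1].strip()
    return settings


def build_snapshot(files: dict, config_paths: set) -> dict:
    """Hash every file; additionally parse settings for files flagged as config."""
    snapshot = {"hashes": {}, "configs": {}}
    for path, data in files.items():
        snapshot["hashes"][path] = sha256_hex(data)
        if path in config_paths:
            snapshot["configs"][path] = parse_config(data.decode())
    return snapshot


@dataclass
class DriftReport:
    added: list = field(default_factory=list)         # files absent from the baseline
    removed: list = field(default_factory=list)       # baseline files now missing
    modified: list = field(default_factory=list)      # files whose hash changed
    config_drift: dict = field(default_factory=dict)  # path -> {key: (old, new)}

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified or self.config_drift)


def compare(baseline: dict, current: dict) -> DriftReport:
    """Diff a current snapshot against the baseline: file set, hashes, config keys."""
    report = DriftReport()
    old_h, new_h = baseline["hashes"], current["hashes"]
    report.added = sorted(set(new_h) - set(old_h))
    report.removed = sorted(set(old_h) - set(new_h))
    report.modified = sorted(p for p in old_h if p in new_h and old_h[p] != new_h[p])
    for path, old_cfg in baseline["configs"].items():
        new_cfg = current["configs"].get(path, {})  # a deleted config drifts every key to None
        changed = {k: (old_cfg.get(k), new_cfg.get(k))
                   for k in set(old_cfg) | set(new_cfg)
                   if old_cfg.get(k) != new_cfg.get(k)}
        if changed:
            report.config_drift[path] = changed
    return report


# Constructed sample data (hypothetical paths and contents).
CONFIG_PATHS = {"/etc/ssh/sshd_config"}
BASELINE_FS = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/data.tgz /data\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}
CURRENT_FS = {
    # login policy weakened: configuration drift worth alerting on
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    # script body altered: an unplanned file change
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/data.tgz /data /home\n",
    # scheduled job replaced by one nobody approved
    "/etc/cron.d/cleanup": b"30 3 * * * root /usr/local/bin/cleanup.sh\n",
}


def run_check() -> DriftReport:
    """Build both snapshots from the sample data and return the drift report."""
    baseline = build_snapshot(BASELINE_FS, CONFIG_PATHS)
    current = build_snapshot(CURRENT_FS, CONFIG_PATHS)
    return compare(baseline, current)


if __name__ == "__main__":
    rep = run_check()
    for label, items in (("added", rep.added), ("removed", rep.removed), ("modified", rep.modified)):
        print(f"{label}: {items}")
    print(f"config drift: {rep.config_drift}")
```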

As digital environments are particularly vulnerable during major software changes and infrequent maintenance, organisations and their IT teams must regularly test for weak points and suspicious activity – even after system hardening is complete. Security frameworks like the one provided by NIST could be a great guide in this complicated ‘hardening’ journey. In following their recommendations and guidelines, organisations can keep their assets secured while able to experience a lasting return on investment.

Extra Security

EISA: The Core Principles of Strengthening the Enterprise Cybersecurity

Mike Paye
VP of Research and Development at Netwrix
Global spending on cybersecurity is on the rise as organizations face ever more sophisticated attacks on a daily basis and up their spending to stay safe. This trend is affecting cloud security as well, with a recent Netwrix survey revealing that 49 per cent of organizations claimed their budget for cloud security has increased in 2022.

Prior to implementing any specific solutions or procedures, it is crucial to define the core security principles that form the enterprise information security architecture (EISA). To ensure EISA reflects both current and future business needs, organizations must consider both their digital systems and personnel teams, along with their associated roles and functions.

The core components of EISA

Ahead of the development process, it is vital to recognize the key layers of an effective and successful EISA. Firstly, the business context is necessary to define the enterprise informational use cases and how this specific data affects the achievement of organizational goals. This conceptual layer is the element which can provide information regarding risk attributes and the enterprise profile.

Another key element is the clear identification of pathways between applications, procedures, information, and services. Knowledge of how all these elements interact with each other helps to develop an architecture that will not interfere with critical business processes. Lastly, a conclusion should be drawn on what is needed to reduce existing vulnerabilities and maintain the appropriate level of cybersecurity procedures into the future – being sure to specify details of the devices, software, processes, and additional components that are required.

How to develop an effective EISA

EISA development starts with examining the existing level of cybersecurity. What security standards and processes is the organization currently following, and what security gaps do they leave? Identifying these points can make it easier to later analyze cybersecurity weaknesses and determine how they can be resolved. After assessing the organization’s current cybersecurity status, the next step is to set new security goals – taking business priorities into account. Both the technical and strategic contexts help narrow down the areas of future focus.

As soon as all the preliminary work is done, it is time to consult a verified framework that can guide an organization to the actual improvement of the foundational cybersecurity layers such as data, identities, and infrastructure. The Open Group Architecture Framework (TOGAF), the Sherwood Applied Business Security Architecture (SABSA), the Federal Enterprise Architecture Framework (FEAF), the Zachman Framework, and the COBIT 5 framework have proven to be trustworthy sources of current best practices, so there is no need to start from scratch.

Next is determining how the EISA will be integrated into the existing IT environment and dividing the tasks between the in-house and vendors’ development teams. Assessment of internal resources, the available level of expertise, and the state of the market should help inform this decision.

Finally, organizations must be sure to revise the security architecture regularly. To address the constantly evolving threat landscape, EISA should be tested and reviewed on a regular and ongoing basis.

Communication is the main challenge when developing an EISA

There is no one-size-fits-all approach when it comes to developing a successful EISA; however, there are several common challenges to look out for throughout the integration process.

Lack of understanding and communication across departments, teams, users, and stakeholders should be addressed in the early stages of the process. Communicating clearly across the organization about why it is important to prioritize IT security best practices, along with the intended goals of the EISA, is essential in mitigating emerging risks and sustaining higher IT security standards.

Negative or failed past experiences can cause concern and a degree of hesitancy amongst stakeholders towards newer initiatives such as, for example, the possible ineffectiveness of upcoming IT investments into new cybersecurity measures. To avoid this, it is important to manage expectations by providing information about the costs and return on investment (ROI) of any new data protection software.

However, this can be difficult to accurately calculate, and with other factors including lack of funding, it will not be easy to convince stakeholders who may already be skeptical. Therefore, an effective EISA plan must address these concerns at a comprehensive level.

The benefits of an effective EISA

Having a well thought out EISA development plan serves as an invaluable tool for planning new cybersecurity measures throughout all levels of the organization. A thoroughly planned EISA can also provide the information – which could otherwise be unavailable – needed to help make the best choices when it comes to managing the technology lifecycle and solutions to utilize throughout the IT environment. Equally as important, it is a critical tool for organizations needing to follow compliance regulations enforced by current industry standards and legal requirements.

Enterprise security is different from the traditional understanding of cybersecurity – as organizations with complex infrastructures need effective management, regular assessments, and strong security policies in order to avoid major cybersecurity incidents. Both security architecture and enterprise strategy go hand in hand when it comes to improving business-wide privacy and cybersecurity effectiveness. Without a comprehensive and detailed EISA plan, the entire organization, its digital infrastructure, and business continuity can be put in jeopardy of a cyberattack.

Extra Security

Your Business Will Face Cybersecurity Attacks: Here’s How to Prepare and Respond

Joe Dibley
Security Researcher at Netwrix
With the constant evolution of the cybersecurity landscape, security attacks are constantly occurring, whether they’re fully automated or human-operated attacks. Even though companies are spending billions of dollars to shore up their security defenses, vulnerabilities still exist for most companies.

So, what is to be done? What steps need to be taken to react to a critical vulnerability announcement to help prevent devastating damage? The answer is, “It depends.” That is, it depends on what the company has done to prepare for cybersecurity attacks and what its plan is to respond when the attack occurs.

The saying goes, “If you fail to prepare, you are prepared to fail.” This is especially true as it relates to cybersecurity. The following are a few steps to help you prepare and respond.

Steps to prepare for a cybersecurity attack

1. Stay informed

Information is critical to our ability to make good decisions and respond effectively. And it is vital to our ability to adapt and cope. One of the best ways to stay informed is to subscribe to CVE (Common Vulnerabilities and Exposures) feeds and read threat monitoring websites to ensure you have full awareness of any new vulnerabilities.

2. Document your environment

Often overlooked, the documentation of your digital environment is of utmost importance. Be sure you know where your sensitive data lives, and what software and applications your business relies on.

3. Back up your data

If you have ever lost important data, or even felt a moment of panic where you thought you did, you know how critical it is to back up your data. Data losses can occur in many forms, from hard drive failures to ransomware attacks, and even human error or physical theft.

No matter the misfortune, a data backup strategy gives you the peace of mind you need. Ensure that critical systems have a reliable backup process and test it regularly to ensure it works.

4. Patch and update

Patching vulnerabilities and updating systems is essential for front-line defense, yet unpatched vulnerabilities remain a leading cause of data breaches. All systems and applications should be regularly updated and patched to ensure you have the latest security fixes.
5. Map your emergency process

An emergency management process will ensure you are ready to respond in the event of an emergency. But beyond this major benefit, you may discover unrecognized hazards in your environment that could aggravate an emergency and you can work to eliminate them proactively. You may also uncover deficiencies, such as lack of equipment and personnel.

A clear, simple, and coordinated process could save you millions of dollars, so spend the time to carefully document your internal process for emergencies, including roles, responsibilities, and timing.

Responding to a cybersecurity attack

When you are prepared and informed you can shift focus onto how to respond in the event of a new critical or zero-day vulnerability being released that may affect your company. These steps include the following:

6. Determine the potential impact

A successful cybersecurity attack can cause major damage to your business. It can affect your bottom line, as well as your business’s standing and overall customer trust. Should a cyberattack or data breach affect your business, one of the first things you must do is identify the scope of what has been affected.

7. Harden systems

Systems hardening is a collection of tools, techniques, and best practices to reduce vulnerability in technology systems and environments. Systems hardening can be completed proactively to reduce security risks by eliminating potential cybersecurity attack vectors and condensing the system’s attack surface.

However, for certain systems, when a new critical vulnerability is released, it may be possible to work further to reduce the risk of being compromised. This may include activities such as limiting network connectivity, segregating access, or even turning off the system until patches are made available.

8. Assess the risk

A risk assessment—the process of identifying, analyzing, and evaluating risk—should be completed when a new serious vulnerability emerges. You will want to take a look at your systems and determine what data may be exposed if the system was breached. This will include any PII (Personally Identifiable Information), privileged accounts, or other business-critical data. Afterward, implement cybersecurity controls to ensure those particular risks are eliminated or minimized in the future.
26
9. Mitigate the damage

In the case of high-profile vulnerabilities, it is best to stay up to date by following researchers, security updates, and other trusted sources such as the vendor whose product or system may be affected. In many cases, these sources will tell you about temporary mitigation techniques discovered while no official fix is available. The best-known example is the kill switch for the WannaCry ransomware: the malware checked whether a hard-coded domain resolved before spreading, so registering and sinkholing that domain halted the spread of that variant long before every system was patched.

10. Track your changes

When new critical vulnerabilities are announced, it is easy to change things as you go to secure the systems in question. Nevertheless, you should always track the changes made, especially any temporary mitigations. You will need those records to reevaluate the temporary measures once official mitigations or patches have been released: remove workarounds that are no longer needed, and verify that the permanent fix is actually in place. This reevaluation gives you knowledge and confidence that the problem is indeed resolved.

Planning ahead is the best preparation for cybersecurity attacks

These steps are all geared toward helping you think through what to do when a critical-severity vulnerability or zero-day is released. Taking some time to work through this list should help you and your organization jump into action when such a situation arises.
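As an added example for steps 9 and 10 (this is not code from the article or from Netwrix), the Python below keeps the kind of mitigation register step 10 calls for: every change made in response to an advisory is recorded with a rollback note, temporary workarounds are kept apart from permanent changes, and the register lists the workarounds that must be re-evaluated once the vendor publishes an official fix or the review window lapses. The advisory identifiers, hosts, dates and actions are made up for the illustration.

```python
"""Mitigation register for steps 9 and 10. Added example; not the author's or
Netwrix's code. Advisory identifiers, hosts and dates below are made up."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def _d(s: str) -> date:
    return date.fromisoformat(s)


@dataclass
class Mitigation:
    mitigation_id: int
    advisory: str           # vendor advisory or CVE being tracked
    system: str             # host, application or zone that was changed
    action: str             # exactly what was changed
    rollback: str           # how to undo it once the real patch is applied
    applied_on: date
    temporary: bool         # True for a workaround that is not the official fix
    review_after_days: int = 30
    closed_on: Optional[date] = None
    verified_by: Optional[str] = None


class MitigationRegister:
    def __init__(self) -> None:
        self._items: List[Mitigation] = []
        self._fix_available: Dict[str, date] = {}  # advisory -> date of official fix

    def record(self, advisory: str, system: str, action: str, rollback: str,
               applied_on: str, temporary: bool, review_after_days: int = 30) -> int:
        m = Mitigation(len(self._items) + 1, advisory, system, action, rollback,
                       _d(applied_on), temporary, review_after_days)
        self._items.append(m)
        return m.mitigation_id

    def official_fix_released(self, advisory: str, on: str) -> None:
        """Note that the vendor published a real fix; this is what triggers re-evaluation."""
        self._fix_available[advisory] = _d(on)

    def due_for_review(self, today: str) -> List[int]:
        """IDs of open temporary mitigations that must be re-evaluated: the official
        fix is now out, or the workaround has outlived its review window."""
        t = _d(today)
        due = []
        for m in self._items:
            if m.closed_on is not None or not m.temporary:
                continue
            fix_out = m.advisory in self._fix_available and self._fix_available[m.advisory] <= t
            overdue = t >= m.applied_on + timedelta(days=m.review_after_days)
            if fix_out or overdue:
                due.append(m.mitigation_id)
        return due

    def close(self, mitigation_id: int, verified_by: str, on: str) -> None:
        """Close only after a named person verified the permanent fix. A temporary
        workaround cannot be closed while no official fix exists for its advisory."""
        m = self._items[mitigation_id - 1]
        if m.temporary and m.advisory not in self._fix_available:
            raise ValueError(f"{m.advisory}: no official fix recorded, keep #{mitigation_id} open")
        m.closed_on, m.verified_by = _d(on), verified_by

    def open_items(self) -> List[Mitigation]:
        return [m for m in self._items if m.closed_on is None]

    def rollback_plan(self, advisory: str) -> List[str]:
        """Rollback steps for every open temporary mitigation tied to one advisory,
        most recently applied first."""
        items = [m for m in self.open_items() if m.temporary and m.advisory == advisory]
        items.sort(key=lambda m: m.applied_on, reverse=True)
        return [f"{m.system}: {m.rollback}" for m in items]


def demo_register() -> MitigationRegister:
    """Constructed sample: two workarounds for a hypothetical advisory and one
    permanent hardening change."""
    reg = MitigationRegister()
    reg.record("VENDOR-2023-001", "web-proxy-01",
               "disabled the affected module with the vendor's interim config flag",
               "re-enable the module flag", "2023-01-10", temporary=True)
    reg.record("VENDOR-2023-001", "edge-firewall",
               "blocked inbound TCP/8443 from untrusted networks",
               "remove the ACL entry", "2023-01-11", temporary=True)
    reg.record("HARDENING-TLS", "all servers", "enforced TLS 1.2 as minimum",
               "n/a, permanent change", "2023-01-12", temporary=False)
    return reg


if __name__ == "__main__":
    reg = demo_register()
    reg.official_fix_released("VENDOR-2023-001", "2023-01-25")
    for mid in reg.due_for_review("2023-01-26"):
        print("re-evaluate mitigation", mid)
    print(reg.rollback_plan("VENDOR-2023-001"))
```

The refusal in close() is a deliberate design choice: a temporary workaround stays on the list until an official fix is recorded for its advisory, which forces the re-evaluation step 10 describes instead of letting a workaround quietly disappear from the records.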

Extra Security

Bouncing Back After a Cyberattack: A Cyber Resilience Checklist
Dirk Schrader
VP of Security Research at Netwrix
The term "resilience" comes from physics: it is the ability of a substance to return to its usual shape after being bent, stretched, or pressed. Tennis balls are often cited as examples of resilience: toss a ball and it will bounce back without its shape being changed. This stands in stark contrast to tomatoes: throw a tomato and you will probably need to jump away to avoid splashes on your clothes.

The term has been adopted by the IT community, particularly as it relates to security. Cyber resilience is the ability to keep IT systems up and running while under attack. Indeed, one definition states: "Cyber resilience refers to an entity's ability to continuously deliver the intended outcome, despite adverse cyber events." The goal is to avoid business downtime and all associated costs, including the loss of revenue, productivity and customer loyalty.

Given today's relentless barrage of cyberattacks, it is vital to develop cyber resilience to ensure your organization can stay productive and secure. Cyber resilience involves three key aspects:

▪ Making it hard for an adversary to successfully complete an attack
▪ Being ready to operate while under attack
▪ Using experience to bounce back better in the future

With these aspects in mind, cyber resilience is more than just a new way of talking about disaster recovery and business continuity. Evolving your organization to be resilient to cyberattacks will embed digital security into all the critical business processes that deliver the value of your business.

The questions listed below can help your organization identify the blind spots and security gaps you should address to improve cyber resilience across these three dimensions.

Organizational Capabilities

▪ Are we able to swiftly alert the organization about an increased likelihood of a cyberattack?
▪ Are we able to identify all critical business processes that could be impacted by a cyberattack?
▪ Are we aware of each critical IT asset in each of those business processes?

Quite often department heads are not aware of the cyber risks their digital assets face or how an outage would impact their ability to operate. Use these questions to improve the visibility of relevant processes and the communication between non-security and security people.

Risk Detection Capabilities

▪ Can we detect technical and organizational gaps that make the organization vulnerable to cyberattacks?
▪ Do we anticipate attacks affecting our business processes using simulations or what-if scenarios?

Every organization evolves: new products and services aim to create additional value-generating streams and require specific changes. Such changes are inevitably associated with gaps and vulnerabilities: a new asset is not assigned the protection profile it needs, or a strict cyber security policy forces employees to work around it to get the new setup running. If you can detect these risks, you are on your way to digital resilience.

Mitigation Capabilities

▪ Can we effectively mitigate or remediate the risks and vulnerabilities we identify?
▪ Are our business processes aligned with our cybersecurity operations and architecture?
▪ Are we able to quickly respond to the emergence of new threats or cyberattacks?
▪ Can we efficiently alleviate the impact of a cyberattack on critical business processes?
▪ Do we use the lessons learned during cyberattacks to improve our cyber resilience?

These questions might sound familiar (technically, they resemble a vulnerability assessment); however, they cover a lot more. If you have developed ways to continue to deliver your value-add during an attack, and to improve any shortcomings you find here, you have made good progress toward cyber resilience.

By providing honest answers to these questions, your organization can determine exactly where there is room for improvement in its cyber resilience strategy. In other words, this checklist can help you turn a tomato into a tennis ball so your organization can bounce back with resilience.

Extra Security

Six Ways to Minimize Damage from a Cyber Infiltration
Joe Dibley
Security Researcher at Netwrix
Ensuring your business is resilient against today's rapidly evolving cyber threat landscape without standing in the way of business priorities can be a delicate balance. But as we have all heard, a cyberattack is not a matter of if, but when. Cyberattacks have become a persistent and permanent threat to organizations across all industries, and the damage from a cyber infiltration can be costly. However, before you actually get hit, you can have a clear process in place to minimize the damage.

To begin with, you need to ask yourself, "Are we sufficiently prepared to defend against a cyberattack?" And if your answer is no, the next question is, "What are we actively doing to avoid, or at least minimize, any damage a cyber infiltration might cause?" If your organization is not fully prepared, consider the following tips to help you reduce the harm so that you can get back to business as quickly, and reliably, as possible:

▪ Restrict access and remove unnecessary privileges. Providing appropriate levels of access to the right resources can minimize the impact of any cyber infiltration by giving the attacker a smaller footprint in which to operate. You need to minimize the number of accounts, the number of users with access to those accounts, and their privileges. Less access is easier to protect, restrict, and review.

You should also make it a priority to know who has access to what. Once that has been determined, you can establish processes to regularly remove unnecessary privileges and accounts. Third-party access, for example, should be revoked automatically when the contract expires. Analytics over logon and group-membership data can identify privileges that are never used and tighten access accordingly.

▪ Reduce the quantity of inbound network connections. The goal of most organizations is to optimize the network their employees rely on to do their jobs. To that end, identify the sources of unwanted or unnecessary inbound connections and traffic (services listening on ports nobody needs, firewall rules nobody can explain) and correct or eliminate the root causes, which improves network performance and helps avoid future problems.

Removing inbound network connections minimizes the risk of the network being exposed to cyber infiltration and the damage that can result. Every listener you remove is one less entry point, so the attack surface of the network shrinks and its overall safety increases.

▪ Ensure antivirus and endpoint detection and response (EDR) solutions are up to date. It is more common than you might think for software updates to be ignored, particularly if updating is left to the user rather than enforced through an automated central management solution.

Antivirus and EDR solutions provide signature files that contain the latest lists of known threats. These files are released daily, and sometimes even more often than that, so it is recommended to configure them to check for updates automatically at least once a day.

▪ Log all events in a central location. Centralized log records play an extremely important role in any well-thought-out security program. They support the detection of anomalous activity both in real time and reactively during the investigation of a cyberattack.

Centralized logging provides two key benefits. First, it places all log records in a single location, making it easier to do log analysis and correlation whenever you need to. Second, it provides a secure storage area for your log data. This matters because when an endpoint is compromised, the attacker can wipe or rewrite the logs stored on that endpoint, but not the copies already forwarded to the central log repository, unless the central log server itself is also compromised. For that reason the central repository must be at least as well protected as the systems feeding it, and logs should be forwarded as close to real time as possible.

▪ Use temporary accounts to log in to servers. Another way to minimize exposure is to create temporary logins for different accounts on the server. These logins can be created easily and set to expire automatically after a given time. Privileged Access Management (PAM) tools help to automate the whole process.

For example, organizations often hire sub-contractors to perform small adjustments on their networks, which may require access to the administrative area of the network. You could create an admin account for them and later delete it when they have completed their job. However, sometimes you may forget that you added someone with network privileges, leaving your network open to possible security threats and data safety issues. A temporary account with a fixed expiry date would reduce this risk in that situation.

▪ Restore and rebuild from reliable backups. Backup and restore refers to the practice of making periodic copies of data and applications to a separate, secondary location and then using those copies to restore and rebuild.

The key to reliable backups is to find the best option for your organization that will allow you to restore and rebuild if the original data and applications are held hostage or damaged due to a cyber infiltration, or even a power outage, human error, a disaster, or some other unplanned event. Keep in mind that while a backup copy can help you recover from a cyber threat, it cannot prevent data leakage if the cyber criminal decides to publish your valuable data.

Minimizing damage from a cyberattack is possible, but it requires constant diligence and effort. The amount of damage and the work required to overcome an attack can be reduced significantly if you take the necessary steps and precautions. Before your organization gets breached, and it will, implement the steps above and you will be better prepared to defend against an attack when you need to.
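As an added example for the "restrict access" and "temporary accounts" points above (this is illustrative code, not the author's or Netwrix's), the Python below runs the kind of analytics described over a constructed account export: it flags enabled privileged accounts that have not logged on within 90 days, contractor accounts still enabled after their contract end date, and contractor accounts with no expiry set at all. Account names, group names and dates are hypothetical; a real run would load the same fields from a directory export.

```python
"""Access review over a constructed account export. Added example; not the article's
or Netwrix's code. Field names mirror what a directory export would provide."""
from datetime import date, timedelta
from typing import Dict, List, Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "Backup Operators"}

# Constructed inventory (hypothetical accounts). Dates are ISO strings; None = unset.
SAMPLE_ACCOUNTS = [
    {"sam": "alice.adm", "kind": "employee", "groups": ["Domain Admins"],
     "last_logon": "2023-01-14", "enabled": True, "expires": None, "contract_end": None},
    {"sam": "svc_backup", "kind": "service", "groups": ["Backup Operators"],
     "last_logon": "2022-08-01", "enabled": True, "expires": None, "contract_end": None},
    {"sam": "vendor.bob", "kind": "contractor", "groups": ["Server Operators"],
     "last_logon": "2022-12-20", "enabled": True, "expires": None, "contract_end": "2022-12-31"},
    {"sam": "vendor.carol", "kind": "contractor", "groups": [],
     "last_logon": "2023-01-10", "enabled": True, "expires": "2023-03-31", "contract_end": "2023-03-31"},
    {"sam": "old.admin", "kind": "employee", "groups": ["Domain Admins"],
     "last_logon": None, "enabled": True, "expires": None, "contract_end": None},
    {"sam": "former.adm", "kind": "employee", "groups": ["Domain Admins"],
     "last_logon": "2022-03-03", "enabled": False, "expires": None, "contract_end": None},
]


def _d(s: Optional[str]) -> Optional[date]:
    return date.fromisoformat(s) if s else None


def is_privileged(acct: dict) -> bool:
    return any(g in PRIVILEGED_GROUPS for g in acct["groups"])


def stale_privileged(accounts: List[dict], today: str, max_idle_days: int = 90) -> List[str]:
    """Enabled privileged accounts unused for more than max_idle_days (never used counts too)."""
    cutoff = _d(today) - timedelta(days=max_idle_days)
    flagged = []
    for a in accounts:
        if not a["enabled"] or not is_privileged(a):
            continue
        last = _d(a["last_logon"])
        if last is None or last < cutoff:
            flagged.append(a["sam"])
    return flagged


def expired_third_party(accounts: List[dict], today: str) -> List[str]:
    """Contractor accounts still enabled after the contract end date."""
    t = _d(today)
    return [a["sam"] for a in accounts
            if a["kind"] == "contractor" and a["enabled"]
            and _d(a["contract_end"]) is not None and _d(a["contract_end"]) < t]


def third_party_without_expiry(accounts: List[dict]) -> List[str]:
    """Enabled contractor accounts with no expiry: nothing will revoke them automatically."""
    return [a["sam"] for a in accounts
            if a["kind"] == "contractor" and a["enabled"] and a["expires"] is None]


def review(accounts: List[dict], today: str) -> Dict[str, List[str]]:
    """Map each flagged account to the actions the reviewer should take."""
    actions: Dict[str, List[str]] = {}
    for sam in stale_privileged(accounts, today):
        actions.setdefault(sam, []).append("remove from privileged groups or disable")
    for sam in expired_third_party(accounts, today):
        actions.setdefault(sam, []).append("disable now: contract has ended")
    for sam in third_party_without_expiry(accounts):
        actions.setdefault(sam, []).append("set account expiry to the contract end date")
    return actions


if __name__ == "__main__":
    for sam, todo in review(SAMPLE_ACCOUNTS, "2023-01-15").items():
        print(sam, "->", "; ".join(todo))
```

The never-logged-on case is treated as stale on purpose: an admin account that was created and never used is exactly the kind of forgotten privilege the text warns about, and a rule that only looked at old logon dates would miss it.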

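The following Python is an added example for the centralized-logging point in the article above (not the author's or Netwrix's code). The forwarder hash-chains each record to the previous one before sending it, the collector verifies the chain, and the copy the collector already holds is compared with the endpoint's copy. It shows why the forwarded copy, not the local file, is the evidence: an attacker who deletes or edits local entries breaks the chain, and one who carefully recomputes the hashes still diverges from the central copy. The log lines are constructed in a simple key=value format with hypothetical hosts and users.

```python
"""Tamper-evident central log copy. Added example; not the author's or Netwrix's code.
The log lines are constructed."""
import hashlib
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed endpoint events (hypothetical hosts, users and addresses).
SAMPLE_LINES = [
    "2023-01-15T09:01:02Z host=web01 event=logon user=alice result=success src=10.0.0.21",
    "2023-01-15T09:05:44Z host=web01 event=logon user=admin result=failure src=203.0.113.7",
    "2023-01-15T09:05:51Z host=web01 event=logon user=admin result=failure src=203.0.113.7",
    "2023-01-15T09:06:03Z host=web01 event=logon user=admin result=success src=203.0.113.7",
    "2023-01-15T09:07:10Z host=web01 event=service_install name=updater user=admin",
]

GENESIS = "0" * 64
_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp key=value key=value ...' into a record."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def _entry_hash(prev: str, record: Dict[str, str]) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


def chain_records(records, prev: str = GENESIS) -> List[dict]:
    """Forwarder side: each entry carries the hash of the previous entry, so the
    central copy is a chain rather than a bag of independent lines."""
    chain = []
    for rec in records:
        h = _entry_hash(prev, rec)
        chain.append({"prev": prev, "record": rec, "hash": h})
        prev = h
    return chain


def verify_chain(entries, genesis: str = GENESIS) -> Tuple[bool, int]:
    """Collector side. Returns (True, n) or (False, index of the first broken entry)."""
    prev = genesis
    for i, e in enumerate(entries):
        if e["prev"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, len(entries)


def find_divergence(endpoint_copy, central_copy) -> Optional[int]:
    """Index of the first entry where the endpoint's log disagrees with the copy
    already held centrally; None when both copies match completely."""
    for i, (a, b) in enumerate(zip(endpoint_copy, central_copy)):
        if a != b:
            return i
    if len(endpoint_copy) != len(central_copy):
        return min(len(endpoint_copy), len(central_copy))
    return None


# Simulated attacker actions on the endpoint's local copy after it was forwarded.
def tamper_delete(entries, index: int) -> List[dict]:
    """Remove one entry (e.g. the successful admin logon) without touching the rest."""
    return [dict(e) for i, e in enumerate(entries) if i != index]


def tamper_edit(entries, index: int, field: str, value: str) -> List[dict]:
    """Edit a record in place but leave the hashes alone (naive attacker)."""
    out = [{"prev": e["prev"], "record": dict(e["record"]), "hash": e["hash"]} for e in entries]
    out[index]["record"][field] = value
    return out


def tamper_edit_and_rechain(entries, index: int, field: str, value: str) -> List[dict]:
    """Edit a record and recompute every hash after it (careful attacker): the local
    chain verifies, and only comparison with the central copy reveals the change."""
    records = [dict(e["record"]) for e in entries]
    records[index][field] = value
    return chain_records(records, entries[0]["prev"] if entries else GENESIS)


def central_copy_of_samples() -> List[dict]:
    return chain_records(parse_line(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    central = central_copy_of_samples()
    print("central copy valid:", verify_chain(central))
    print("after local delete:", verify_chain(tamper_delete(central, 3)))
    rechained = tamper_edit_and_rechain(central, 3, "result", "failure")
    print("rechained verifies:", verify_chain(rechained), "diverges at:", find_divergence(rechained, central))
```

The caveat from the text applies here as well: the comparison only covers entries that reached the collector before the attacker acted, so forwarding must be near real time, and the collector must be harder to compromise than the endpoints it serves.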
Extra Security

How to Reduce Your RPA Security Risk
Anthony Moillic
Director, Solutions Engineering, EMEA and APAC at Netwrix
Robotic process automation (RPA), having software robots perform repetitive tasks, has expanded dramatically in recent years to meet the needs of the modern remote and hybrid workforce. In fact, the RPA market is expected to grow from $1.23 billion in 2020 to $13.39 billion in 2030.

By automating repetitive and tedious processes, RPA is transforming many legacy processes, making it easier for workers to perform recurring tasks. From call scheduling to task creation, RPA bots are becoming an embedded part of the new era of work. Unfortunately, however, RPA is inherently insecure and can put the sensitive data it touches at risk.

What is RPA?

RPA enables users to create software robots (bots) that can learn and then execute basic and repetitive (but precise) tasks, such as filling in forms, copying and pasting data, updating banking information, or making calculations. As a result, RPA can save organizations time and money.

RPA is especially popular in financial institutions, as well as in the industrial sector, which still uses old applications that do not support APIs for automation.

What Are the Security Issues With RPA?

There are two main security issues with RPA. First, RPA tools are so easy to implement that a business user can deploy them without involving the IT team. As a result, RPA is often part of the "shadow IT" problem. Since the IT team is not aware of the technology, they cannot monitor it, secure it properly or keep it updated.

But the larger issue is that RPA, even when deployed through proper IT processes, is still insecure for the following reasons:

▪ Activity cannot be properly monitored. Although RPA bots are supposed to use their own credentials, they frequently end up using human privileged accounts, because creating a dedicated privileged account for each bot is time-consuming. Once a bot and a person share the same credentials, separating the bot's actions from the human's in the logs is too complicated for effective activity monitoring.

▪ MFA is impossible to implement. A bot has no mobile phone on which to receive a confirmation request, let alone a fingerprint or other biometrics. In practice the bot's account is therefore exempted from multifactor authentication (MFA), which removes that layer of account verification from exactly the privileged accounts an attacker would most like to use.

▪ Bots' actions cannot be encrypted or hidden. Since bots operate on the user's screen on behalf of the user, anything a bot does, including the credentials it types and the screens it navigates, can be recorded and replicated by anyone able to observe that session. This makes RPA activity easy to "steal" or reuse by threat actors seeking to use the user's account.

These insecurities make companies that use RPA technology particularly vulnerable. Knowing that RPA bots are implemented in a company, an attacker can target a privileged bot instead of trying to compromise the privileged credentials of an employee. Infiltrating the RPA solution makes it possible to harvest the credentials it uses, or even to modify the bot's actions to arrange a money transfer, for example, while remaining discreet within the IT infrastructure.

How Can Organizations Stay Safe While Using RPA?

To mitigate these types of risks, there are a few processes and policies to put in place.

▪ First, it is essential to educate all employees about cyber hygiene and the serious risks of deploying RPA without the IT team's knowledge. Emphasize that the IT team must be able to track all activity in the environment by both humans and machines to ensure security and compliance.

▪ Second, organizations should perform regular audits to assess the level of security and ensure that applicable mandates are being complied with.

▪ Finally, if RPA bots are deployed through a service provider, organizations must ensure that the project is properly secured.

RPA is increasingly the go-to technology for automating processes and making life easier for employees. But organizations must be aware of the security concerns inherent in RPA and take steps to mitigate them to protect their critical systems and data.

First-Hand Experience

Standard Bank Namibia Mitigates IT Risks and Secures Data Regulated by PCI DSS
Standard Bank Namibia is a leading African bank providing financial services to individuals, businesses and the public sector. It is a member of the Standard Bank Group, which was founded more than a hundred years ago.

Like any financial organization, Standard Bank Namibia stores a large amount of sensitive and regulated financial data, such as customers' income information, payment card details, Social Security numbers and employment histories. Therefore, it is subject to several compliance regulations, including PCI DSS.

As a financial entity, the bank is a target for both intruders and malicious insiders. Ensuring the safety of the data entrusted to the bank and the continuity of services is a top priority for the bank's executive team. Therefore, establishing control over critical systems and maintaining a strong compliance posture is crucial. To achieve those goals, the bank needed a software solution that would provide robust visibility and control over changes made across the entire IT environment.

Protecting a complex IT environment and proving compliance with a new solution

Through extensive research, Holger Bossow, Head of IT Security at Standard Bank Namibia, discovered a security configuration management product that delivers the essential critical security controls recommended by leading security frameworks, including advanced change and configuration management and system integrity monitoring.

With the new solution in place, the IT team can now easily monitor changes to the integrity of system and configuration files, a critical element in any good cybersecurity practice. It provides critical details about each change, including who made it and whether and when it was approved. Meanwhile, automatic exclusion of planned changes dramatically reduces false-positive alerts, enabling the IT team to focus on unwanted, unexpected and potentially malicious events in time to prevent breaches.

As a result, the IT team can now ensure compliance with both internal security policies and compliance standards, and the solution's automated reporting saves the IT team hours of work for each compliance audit. The solution has now been adopted by other IT teams at Standard Bank Namibia, including the Oracle, Windows and Linux teams, further strengthening security and compliance.

"We certainly feel more confident with where our cybersecurity posture is today," says Bossow.

To read the complete case study, please visit:
https://www.netwrix.com/success_story_standard_bank_namibia.html
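As an added example of the two capabilities the case study highlights, change details plus exclusion of planned changes (this is illustrative Python, not the product's or Netwrix's code), the script below baselines a directory tree, recomputes the hashes later, and classifies each difference. A change counts as planned only when an approval record names both the path and the resulting content hash; a ticket that approved different content still raises an alert, which is the check a reviewer would want so that an open change window cannot be used to slip in an unauthorized edit. Paths, file contents and ticket numbers are constructed in a temporary directory.

```python
"""File integrity monitoring with an approved-change list. Added example; not the
product's or Netwrix's code. Paths, tickets and contents are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str], approvals: List[dict]) -> List[dict]:
    """Classify each difference. A change is 'planned' only when an approval names the
    path AND the resulting content hash; a ticket that approved different content is
    still an alert, so nobody can hide behind an open change window."""
    approved = {a["path"]: a for a in approvals}
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        status = "added" if old is None else "deleted" if new is None else "modified"
        appr = approved.get(path)
        if appr and appr["sha256"] == new:
            findings.append({"path": path, "status": "planned", "ticket": appr["ticket"], "alert": False})
        elif appr:
            findings.append({"path": path, "status": status, "alert": True,
                             "note": f"ticket {appr['ticket']} approved different content for this path"})
        else:
            findings.append({"path": path, "status": status, "alert": True,
                             "note": "no approved change covers this path"})
    return findings


def alerts(findings: List[dict]) -> List[dict]:
    return [f for f in findings if f["alert"]]


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> List[dict]:
    """Baseline a constructed tree, then apply one planned and three unplanned changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "usr/local/bin/backup.sh", b"#!/bin/sh\ntar czf /backup/data.tgz /data\n")
        baseline = take_baseline(root)

        new_sshd = b"PermitRootLogin no\nPasswordAuthentication no\n"
        approvals = [  # what change management approved, including the expected content hash
            {"path": "etc/ssh/sshd_config", "sha256": sha256_bytes(new_sshd), "ticket": "CHG-1042"},
            {"path": "etc/hosts", "sha256": sha256_bytes(b"127.0.0.1 localhost\n10.0.0.5 backup\n"),
             "ticket": "CHG-1043"},
        ]
        _write(root, "etc/ssh/sshd_config", new_sshd)                                     # planned
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n203.0.113.9 backup\n")            # wrong content for ticket
        _write(root, "usr/local/bin/backup.sh", b"#!/bin/sh\n# altered outside change control\n")  # unplanned
        _write(root, "etc/cron.d/persist", b"* * * * * root /tmp/.x\n")                    # unplanned addition
        return compare(baseline, take_baseline(root), approvals)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Binding approvals to a content hash is what keeps the false-positive reduction from becoming a blind spot: an attacker who knows a change ticket is open for a file can still not use that window to drop in content the ticket did not describe.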

About Netwrix®

Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of
security professionals by enabling them to identify and protect sensitive data to reduce the risk of a
breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000
organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture
across all three primary attack vectors: data, identity and infrastructure.

For more information visit www.netwrix.com

CORPORATE HEADQUARTERS:
6160 Warren Parkway, Suite 100, Frisco, TX, US 75034
5 New Street Square, London EC4A 3TW

PHONES:
1-949-407-5125
Toll-free (USA): 888-638-9749
+44 (0) 203 588 3023

OTHER LOCATIONS:
Spain: +34 911 982608
Netherlands: +31 858 887 804
Sweden: +46 8 525 03487
Switzerland: +41 43 508 3472
France: +33 9 75 18 11 19
Germany: +49 711 899 89 187
Hong Kong: +852 5808 1306
Italy: +39 02 947 53539

SOCIAL: netwrix.com/social

Copyright © Netwrix Corporation. All rights reserved. Netwrix is a trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.
