What to Do if a Supplier Informed us about being Hit by Ransomware

As part of the “SK-CERT recommends” series, we bring you recommendation on what to do if your supplier may have been attacked by ransomware, had data leaked, or may have been hit by another type of cyber incident.

  • Does this supplier provide you with IT services?
  • Does this supplier provide you with any external services (not just IT services)?
  • Could this supplier have access to your sensitive information (including personal data)?
  • Does this supplier have any remote access to your infrastructure?
  • Does this supplier have any access to your systems, for example to provide operational support?
  • Did this supplier provide you with login credentials to any services in the past?
  • Do you share access to any service with this supplier?
  • Did this supplier supply you in the past with a product that they configured themselves? (server, application, Wi-Fi devices, other)
  • Do you have a valid contractual relation with this supplier?
  • Do you have business correspondence or open communication with this supplier?

If you answered yes to at least one of these questions, then you have a problem. The National Cyber Security Centre SK-CERT recommends taking the following steps:

  • report the situation to the National Cyber Security Centre SK-CERT,

and

  • block or change all access passwords allowing a direct remote access or through a VPN, which you have assigned to the supplier,
  • find out from the supplier when exactly the data leak occurred (not when the data was encrypted, but when the data leak occurred, which could be weeks before the encryption),
  • check the VPN and other accesses made by the supplier since the data leak (or for the last few months if you do not have a specific date of data leak) and verify that the supplier was really behind those accesses,
  • identify all user accounts that you gave to the supplier, or for which the supplier sent you the passwords, and block the accounts (operating system, web applications, technical and administrator accounts),
  • if similar passwords were used elsewhere, change these access data as well,
  • increase vigilance while monitoring, focusing on non-standard and unexpected activities, monitoring remote access to your network and network activities,
  • pay extra attention to e-mail and other communications that pretend to be from the supplier, even if they refer to valid contracts or facts originally known only to you and the supplier, and always verify their authenticity, especially if they contain attachments, require sending data or clicking on a link,
  • communicate with the supplier during the incident handling so that you keep a good track of how the supplier is handling the incident and what impact in fact it may have on your activities,
  • review your backup policy, verify the validity of your backups and make sure you have at least one latest offline backup. The backup system should be both password and technology independent from the rest of your infrastructure,
  • check and enhance the current protection of your network, especially the perimeter: what services are accessible on my address space? Are all currently available services needed? Are they updated? Are there components deployed to detect and prevent attacks? Is there inspection of outgoing communications?
  • include scenarios and procedures in business continuity plans that will be applicable to these types of situations.

« Späť na zoznam