What to do if your company has been hacked?

Cyber Attack

Based on statistics it’s likely your company will come under the attack of hackers and cybercriminals at some point. In the UK, for example, 43% of businesses that participated in the Cyber Security Breaches 2018 survey reported that they’ve experienced a breach or an attack in that year alone.

It is important for companies to prepare for an attack now. Comodo Cybersecurity show you how to remediate and mitigate against these attacks.

Tips for Maximizing Cyber Crisis Management Efforts

1. Invest in Advanced Detection and Remediation Tools

The Ponemon Institute’s research showed that the faster a breach is identified and contained, the lower the costs the company incurs. A company that identifies a data breach saves $1 million if they see the issue within 100 days. Containing the cause of the breach is another matter. An organization that contains a breach within 30 days manages to save $1 million more in expenses that those that took longer.

In order to meet those timetables or even avoid encountering a breach altogether, companies need to invest in advanced network and endpoint security. Advanced scanning tools found in such blended solutions have a much higher chance of catching the root cause of breaches.

One such solution comes from Comodo. Comodo uses a Default Deny Approach in handling malware.  Comodo Advanced Endpoint Protection prevents breaches by immediately containing 100% executed unknown files until a trusted verdict is returned. When an unknown file, a potential malicious threat, attempts to execute on an endpoint, the file is immediately encapsulated by Auto-Containment Technology, while users can still run and open the unknown file without harm. While files are in Auto-Containment, they are sent to Comodo’s verdicting engine to be dynamically and statically analyzed in the cloud. 95% of unknown files return a verdict in under 45 seconds. The additional 5% of unknown files that need further investigation are sent to Comodo human analysts who return a verdict in less than 4 hours.

2. Form an Incident Response Team

The Ponemon Institute saw a $14 per record cost reduction during a breach for companies that had incident response teams during the crisis. According to the study, the average cost a company pays per member record compromised is $148. This is substantial if you think about the Equifax breach which affected at least 145.5 million users in the US. Based on the $148 cost per compromised record figure, Equifax should be spending around $21 billion. If Equifax had an incident response team during the time of the breach, they would have saved $2.3 billion.

3. Use Strong Encryption for Assets

Extensive use of encryption also saves companies $13 per member record compromised and possibly even more. A single cyber-attack can also lead to another since the threat actors can plant their assets into the system. These assets, like malware, can re-infect the system and open backdoors for another attack against the network.

What To Do in The First Minutes of an Attack

The employee who encounters the threat first needs to alert the IT and management teams.

When an employee encounters something irregular with their computer, they need to notify the IT team immediately. It doesn’t matter if it’s a false alarm, but if something is out of the ordinary, the techs need to know. There are times hackers and threat actors keep their attacks under the radar so they can steal data without issue. No one should take any irregularity for granted.

IT staff must disconnect the computer from the network and start documentation of the infection.

Once the tech team identifies the compromised computer, they need to remove it from the network immediately. They should start unplugging the LAN cables and move to contain the threat inside the unit. Aside from containing the threat, they will need to check nearby units for infection.

The company should check their backups in the cloud.

A member of the IT team needs to go to their existing backups and make sure they are not compromised in any way. The integrity of the backups will ensure the continuity of business operations after the attack is over and the team contains the bad actors.

The IT team on-site should start implementing cyber security protocols.

If a company creates a cyber security response plan, there should be rules and procedures for how to treat the first minutes of the discovery of a cyber-attack. If the incident response team is not yet on site, the first responders should start implementing what’s stated in the plan. If the plan calls for the scene of the cybercrime to be cordoned off, the IT team should preserve the integrity of that particular part of the network.

The IT team should call the attention of the employees and educate them about the attack or infection.

The company should immediately inform their affected employees about the cyber-attack. Human error can serve as the root cause of a breach and it can also definitely worsen a crisis. Employees need to learn how to act during such a situation in order to minimize and prevent further damage. For example, if the source of the threat is a phishing email, IT staff should immediately inform employees not to click or open a particular message to avoid any malware from spilling onto more computers.

Use security systems to track potential malicious assets.

Companies with security operations centers or blended solutions like Comodo Endpoint Security should definitely use their resources to make sure the threat is controlled. As we have previously mentioned, re-infection can still happen and it’s best that all trace of malware or security vulnerability be controlled as soon as the issue stabilizes.

How to Handle the Aftermath of a Cyber Attack

Once a breach or an attack happens, the company should try to resolve the issue in 30 days or less. During that time, the team should follow these steps in order to mitigate against all forms of damage:

Convene the Incident Response Team

The incident response team should be composed of an incident response manager, who may or may not be your CISO, several cybersecurity analysts and threat researchers. They’ll be at the heart of the investigation and also the ones coordinating with the representatives of the company’s various stakeholders. These representatives should hail from management, human resources, risk assessors, lawyers, and public relations experts. The internal tech team will investigate the cyber-attack while the other representatives will be there to support the work and to mitigate the kinds of damage that the company will encounter.

Cordon Off Assets and Ensure Cyber Security Integrity

The team should immediately control the scene and cut off part of the network that had been compromised. They also need to make sure that the root cause or causes of the attack or the breach aren’t still lingering in the system.

Once they ascertain everything is safe and that first responders or themselves have properly documented the incident, they’ll have to look at all of the assets within the company and check for damage. They should start consulting their detection technologies to make sure there are no additional threats within the network.

After the network has been secured, the team will need to help ensure that systems critical to business operations could be restored immediately. This step is crucial since stopping operations will only hurt the company more.

Document and Investigate

The investigating team will need to walk back through the incident to establish the facts. They’ll have to check what happened during the discovery of the attack and how the attack unfolded later on. These investigators also need to establish the kind of attack and its root causes.

Aside from reconstructing the narrative behind the cybercrime, the team should also document every step of the investigation. The investigation should always follow the steps prescribed by the cybersecurity plan and work in alignment with existing company policies every step of the way. This is important since auditors and investigators from the government will verify and check the extent of actions the company has taken to investigate and remediate the issue.

The team will also have to be sensitive about who they share the information with. Attacks and breaches can occur because of malicious insiders within the company. Once the team identifies who the culprit is behind the attack and who the accomplices are, the team should work with HR to ensure that the people are held accountable in accordance to company policy and the law.

Inform Law Enforcement and the Authorities

When a cyber-attack occurs, law enforcement must enter the picture as soon as possible. The problem with delaying this particular step is that it could be taken as a sign of culpability in the attack. Companies don’t report to the law following an attack because they think investigations can put a halt to operations. Agencies like the FBI will work in a non-disruptive way and cooperate with the victims of an attack.

Notify the Public Regarding the Attack and Engage with Media

There are some breaches that your company will be able to resolve in time before they blow up and no consumers get affected. When that’s the case, these breaches and attacks could be resolved without notifying the public. However, when customers will be affected by a breach, like in service businesses which actively engage with their clients, the company must make a disclosure.

When this happens, the company should own and control the narrative. The incident response team, together with the managers and people from human resources, should have a meeting before the disclosure to talk about every angle of the incident. The team should also stay in contact with a public relations expert who will help them manage how the company is portrayed in the media.

Follow Compliance Requirements After an Attack

Governments and states have become more sensitive to issues of breaches and attacks. Lawmakers have started making laws and policies which make companies accountable for any lack of preparation for the attacks carried out against their systems. In light of these regulations, companies need to make sure they conform to every letter of these requirements to avoid extensive penalties.

A major part of these regulations are the notification requirements. Certain laws like the European Union’s General Data Protection Regulation require companies to report to their clients about the breach within a 72-hour window.

Prep for Legal Consequences

The cold hard reality about a cyber-attack is that a company will never be fully prepared for one and all an organization can do in the aftermath of an attack is to do damage control. After your incident response team concludes its investigation, manages the story, and repairs the damage to structures within the company, they’ll have to work with the company’s legal team. The government or an individual will hold the company liable and there will be legal ramifications to what transpired.

The steps above should help you and your company weather the storm immediately after and within a month of a cyber-attack. This 30-day timeline is actually shorter than the actual period that a threat statistically lies dormant within a system which is around 180 days. That’s half a year that companies could actually have spent in mounting credible and proactive defenses against these threats.

If you’d rather avoid a cybersecurity breach entirely and prevent damage to your company’s reputation and finances, it’s time you invest in Comodo Cybersecurity’s Endpoint Protection System. Comodo Advanced Endpoint Protection (AEP) is designed on the notion that endpoint protection platforms must always verify and never trust unknown executables until proven safe with 100% verdicts, 100% of the time. By eliminating the “fear of the unknown,” Comodo AEP can prevent organizations from being breached, without impacting end user productivity.

Please call our hotline at +1 (888) 551-1531 or send us a message at sales@comodo.com to get a free trial of Comodo’s cybersecurity solutions today.

cybersecurity solutions today

Related Resources:

What Is Endpoint Security? and Why Is It Crucial Today?

What is Endpoint Security

Endpoint Security (or) Endpoint Protection refers to the approach of protecting a business network when accessed by remote devices like smartphones, laptops, tablets or other wireless devices. It includes monitoring status, software, and activities. The endpoint protection software is installed on all network servers and on all endpoint devices.

With the proliferation of mobile devices like laptops, smartphones, tablets, notebooks etc., there has been a sharp increase in the number of devices being lost or stolen as well. These incidents potentially translate as huge loss of sensitive data for enterprises which allow their employees to bring in these mobile devices (enterprise-provided or otherwise) into their enterprise.

About Endpoint Security

To solve this problem, enterprises have to secure the enterprise data available on these mobile devices of their employees in such a way that even if the device falls into the wrong hands, the data should stay protected. This process of securing enterprise endpoints is known as endpoint security.

Apart from this it also helps enterprises successfully prevent any misuse of their data which they’ve made available on the employee’s mobile devices. (Example: a disgruntled employee trying to cause nuisance to the enterprise or someone who may be a friend of the employee trying to misuse the enterprise data available on the device).

Endpoint Security Definition

Endpoint Security is often confused with a number of other network security tools like antivirus, firewall, and even network security. In this page, we list some of the differences between endpoint security (or) endpoint protection and the network against various evolving security threats of today.

Why Is It Called ‘Endpoint’ Security?

As you can realize, every device which can connect to a network poses a considerable danger. And as these devices are placed outside of the corporate firewall on the edge of the network using which individuals have to connect to the central network, they are called as endpoints. Meaning endpoints of that network.

As already stated endpoint can be any mobile device ranging from laptops to the notebooks of today, which can be connected to a network. And the strategy you employ in security these endpoints is known as ‘endpoint security’.

Endpoint Security Is Not The Same As Antivirus

Although the objective of endpoint security solutions is the same – secure devices – there is a considerable difference between endpoint security and antivirus. Antivirus is about protecting PC(s), – single or many depending upon the type of antivirus being deployed – whereas endpoint security covers the entire picture. It’s about securing every aspect of the network.

Endpoint security usually includes ‘provisions for application whitelisting, network access control, endpoint detection and response’, things which are usually not available in antivirus packages. It can also be said that antivirus packages are simpler forms of endpoint security.

Endpoint Security Is Different For Consumers and Enterprises

Endpoint security solutions can be broadly classified into 2 different types. One for the consumers and the other for enterprises. The major difference between the two is that there’s no centralized management and administration for consumers, whereas, for enterprises, centralized management is necessary. This central administration (or server) streamlines the configuration or installation of endpoint security software on individual endpoint devices and performance logs and other alerts are sent to the central administration server for evaluation and analysis.

What Do These Endpoint Security Solutions Typically Contain?

While there’s certainly no limit to what endpoint security can contain – and this list is only going to expand in the future – there are some applications which are core to any endpoint security solution. (Because, well, securing a network is altogether a different ball game from securing a computer).

Some of these applications are firewalls, antivirus tools, internet security tools, mobile device management tools, encryption, intrusion detection tools, mobile security solutions etc, to name a few.

Traditional Vs Modern Endpoint Security

This is a no-brainer. Yet something which needs to be pointed out. Because enterprises are often reluctant to changes. Even if it is for their own good. But endpoint security is one area where enterprises have no choice but to adopt the modern endpoint security. Because they are much more than just an anti-malware tool which can go a long way in securing your network against various evolving security threats of today.

Difference between Endpoint Security and Antivirus

Antivirus is one of the components of endpoint security. Whereas endpoint security is a much broader concept including not just antivirus but many security tools (like Firewall, HIPS system, White Listing tools, Patching and Logging/Monitoring tools etc.,) for safeguarding the various endpoints of the enterprise (and the enterprise itself against these endpoints) and from different types of security threats.

More precisely, endpoints security employs a server/client model for protecting the various endpoints of the enterprise. The server would have a master instant of the security program and the clients (endpoints) would have agents installed within them. These agents would communicate with the server the respective devices’ activities like the devices’ health, user authentication/authorization etc., and thus keep the endpoints secure.

Whereas antivirus is usually a single program responsible for scanning, detecting and removing viruses, malware, adware, spyware, ransomware and other such malware. Simply put, antivirus is a one-stop shop for securing your home networks, and endpoint security is suitable for securing enterprises, which are larger and much more complex to handle.

Difference between Endpoint Security and Network Security

Endpoint security is about securing your enterprise endpoints (mobile devices like laptops, smartphones and more) – and, of course, the enterprise against the dangers posed by these endpoints as well – whereas network security is about taking security measures for protecting your entire network (the whole IT infrastructure) against various security threats.

The main difference between endpoint security and network security is that in the case of former, the focus in on securing endpoints, and in the case of latter, the focus is on securing the network. Both types of security are important. Ideally, it’s best to start from securing the endpoints and building out. You wouldn’t leave the doors to your home open, just because there’s a security guard out there, would you? In the same sense, both are important and should be given equal importance, starting from the endpoints and slowly building out.

In very simple terms, your network would be secure only if your endpoints are secured first. This you should make note of before starting to look for endpoint security and network security products.

Difference between Endpoint Security and Firewall

Firewalls are responsible for filtering the traffic flowing into and going out of your network based on ‘a set of security rules’. Like, for example, restricting traffic flowing into the network from a particular potentially dangerous website. Whereas endpoint security concerns itself not just with network filtering but performs many other tasks like patching, logging, and monitoring etc., for safeguarding the endpoints.

Both antivirus and firewall are crucial elements of endpoint security. Their objective remains the same, though the model adopted (client/server model) and the number of computers they protect differ. And within the endpoint security model, operating with other security tools, they become even more efficient.

Firewall Protection

Comodo AEP – Get Complete Protection!

Comodo Advanced Endpoint Protection (Comodo AEP), Get complete protection for every endpoint on your network.

→ Free Trial for 30 days

→ 7-Layers Enpoint Security Platform

→ Default Deny Security

→ Cloud-based Advanced Malware Analysis

Get Free Trial

Difference between Endpoint Security and Endpoint Protection

Both are pretty much the same. Their primary objective is the same – to safeguard the endpoints as well as the enterprise against the dangers they pose. But there is a subtle difference. Endpoint security usually refers to an on-premise solution. Whereas Endpoint Protection refers to a cloud-based solution.

An on-premise solution is a solution which has to be installed on the network for deployment and a cloud-based solution is one which is available in the cloud and enterprises have to subscribe to it.

Windows 10 and Endpoint Security

Windows 10 although proclaimed to be the safest Windows OS is not without its flaws. Security experts have proved that the in-built security features of Windows like Windows Defender, Firewall etc., too are proving ineffective. Therefore enterprises making use of Windows 10 OS need endpoint security for safeguarding the various endpoints which connect to the network and for safeguarding the network itself.

Why Your Windows – Not Just Windows 10 – Needs Endpoint Security?

Inbuilt Windows Security is never going to be sufficient. Because the security attack vectors of today are just too many to be handled. Which means we no longer live in a world where e-mail attachments or web downloads are the only sources of malware infection. Simply put, your windows OS needs additional layers of protection in the form of antivirus for windows or, maybe, much more, depending on your requirements.

With this in mind, let’s take a look at how you can protect your Windows OS from various security threats:

  1. Keep Your Windows OS Up-to-Date: Today it’s Windows 10. Tomorrow there’ll be another new version. Whatever it may be, ensure your PC is updated to the latest version. This is probably the next best thing you can do apart from providing antivirus for windows. Because the latest update is usually the one which safeguards users against all known security vulnerabilities.
  2. Ensure Other Applications Are Up-to-Date: What’s inside of your Windows OS too matters. We mean other main programs and applications. Ensure all of them are updated and contain the latest security patches. Because it’s a well-known fact that hackers try to exploit popular software like Java, Adobe Flash, Adobe Acrobat etc.,
  3. Use Proactive Security Solution: Unfortunately traditional antivirus alone is not going to be enough. Especially when it comes to combating modern-day malware which employs sophisticated methods. Therefore to tackle the ever-changing cybersecurity threat landscape, users need proactive security solutions like internet security (for home users) and endpoint protection (for enterprises).
  4. Use Local Account Instead Of Microsoft Account: If you are using Windows 10, it’s best to avoid Microsoft account and instead opt for a Local account, as using Microsoft account means saving some of your personal details on the cloud, which is not such a wise thing to do. To opt for a local account, visit: Settings>Accounts>”Your info and select ‘Sign in with a local account instead”.
  5. Keep User Account Control Always Turned On: UAC (User Account Control) is a Windows security responsible for preventing unauthorized changes (initiated by applications, users, viruses or other forms of malware) to the operating system. It ensures changes are applied to the operating system only with the approval of the administrator. Therefore keep it turned ON always.
  6. Perform Regular Back-Ups: Prepare yourself with the ‘worst’ in mind when it comes to dealing with security threats. Therefore perform regular backups of your system (both online and offline) so that all your data is not lost in case your PC(s) are badly affected by security threats or encounter an irreparable hardware issue.
  7. Keep Your Browser Updated: Browsers are what we use to access the internet. Therefore security vulnerabilities in them mean entry path for security threats. Therefore, just as with OS and other applications, keep your web browser updated as well. Other security measures you can take: 1) opt for private browsing mode to prevent sensitive details from being stored 2) prevent or block pop-ups 3) configure web browser security settings to improve security etc.,
  8. Turn Off Location Tracking: If you are using Windows 10 or any other version which contains Location Tracking, it’s best to turn it Off or use it only when it is absolutely necessary. For example, if you want to know about the local weather or the various shops nearby etc., To turn off Location Tracking, go to Privacy >> Location >> click Change button and move the slider from On to Off.
  9. Use The Internet Wisely: All of the security measures listed here would become useless if you don’t exercise caution while online. Therefore ensure you don’t click on dangerous looking links, download malicious email attachments or other web downloads, avoid visiting suspicious looking websites and any other action which the current security practices deem as unwise.

Windows OS is probably the best and that is why it is hugely popular and has so much following – despite the security threats. And there’s nothing wrong with sticking to your favorite OS. Just ensure you beef it up with the right security products like Comodo Endpoint Protection and follow the security best practices. These will ensure your Windows OS stays safe no matter what.

About Comodo Advanced Endpoint Protection (AEP)

Comodo Advanced Endpoint Protection (AEP), which comes equipped with impressive security features, is the best endpoint protection or security tool available in the IT security market. Backed by Containment technology, all the unknown (and therefore suspicious) files are run within virtual containers without affecting the host system’s resources or user data.

Security Features:

  • Antivirus Scanning:Comodo Advanced Endpoint Protection (AEP) has an antivirus scanning feature capable of scanning endpoints against a massive list of known good and bad files compiled from years as the world’s largest certificate authority and from the 85 million endpoints deployed worldwide.
  • VirusScope behavioral analysis: Uses techniques such as API hooking, DLL injection prevention, and more to identify indicators of compromise while keeping the endpoint safe and without affecting usability
  • Valkyrie verdict decision engine: While running in auto-containment, unknown files are uploaded to a global threat cloud for real-time analysis, returning a verdict within 45 seconds for 95% of the files submitted.
  • Human analysis: In the 5% of cases where VirusScope and Valkyrie are unable to return a verdict, the file can be sent to researchers for human analysis who make a determination within SLA timelines.
  • Host intrusion prevention: Rules-based HIPS that monitors application activities and system processes, blocking those that are malicious by halting actions that could damage critical system components.
  • Personal packet filtering firewall: Provides granular management of inbound and outbound network activities, hides system ports from scans, and provides warnings when suspicious activities are detected. Can be administered remotely or by a local administrator

Device Management and Application Security

Device management and application security are central to endpoint security. And both these factors are given equal importance. ‘Strong mobile policies, easy-to-implement default profiles, over-the-air enrollment, antitheft provision, remote data wipe and many other features ensure comprehensive device management. Whereas features like ‘application inventory, application blacklisting and whitelisting, remote management, patch management ensure comprehensive application management as well.

Minimum System Requirements

Comodo Application Endpoint Protection (AEP) is extremely lightweight and therefore has minimum requirements. They are: 384 MB available RAM, 210 MB hard disk space for both 32-bit and 64-bit versions, CPU with SSE2 support, Internet Explorer version 5.1 or above.

Compatible With All Operating Systems

Comodo AEP is compatible with all versions of Windows. Be it Windows 10, Windows 8, Windows 7, Windows Vista or XP. Compatible with Android, Linux and Windows server editions (like Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2 etc,.) as well.

Comodo Advanced Endpoint Protection (AEP) Related Statistics

Our Comodo AEP performance survey indicates that each year 85 Million endpoints are being protected our security software. Its verdict on analyzing unknown files correctly is an astounding 100% and the time taken to return each individual verdict is only 45 seconds. If these stats fail to impress you, you can try out Comodo AEP for a free 30-day trial period and see for yourself how it performs.

Or if you prefer to set up a demo or proof-of-concept project, contact us at EnterpriseSolutions@comodo.com or +1 888-256-2608.

Secure Your Enterprise Endpoints!

What Is Endpoint Security