Best practices for CISOs recovering a Microsoft network after an incident


Whenever I am dealing with cloud services or remote consultants, the one thing that gives me the greatest pause is keeping track of and protecting credentials. Doing so requires multiple back-ups, cloud resources, and tested back-up and recovery processes.

We have our normal password management processes, password storage tools, and encryption processes. Then disaster strikes. Your servers are hit with ransomware or hacked. A device with critical passwords is stolen. A multi-factor authentication device is lost.

All these disasters could cause you or someone in your firm to be less than secure in how they handle the transfer and recovery of servers and key operations. How often do you or your consultants test to see if they can handle the recovery process under stress?

Consultant firms often arrange with their clients to stage a disaster and then monitor the results with their staff. Like simulated phishing experiments, these staged disasters are controlled to ensure that data will not be lost and damage to the client is limited to the staged areas.

The goal is to ensure that the consulting staff can handle stress during a client’s disaster (albeit a staged event). It’s also to review how they handle processes and procedures, particularly the handling of credentials. Too often in the heat of the moment you find yourself unable to gain access to your normal processes.

Ensuring that you handle – and plan for – situations where your normal handling of credentials is disrupted is key to ensuring that you don’t place your firm at greater risk after a disaster.

These are some tips and best practices for recovering credentials after a disaster:

Document server permission changes made during recovery

In the heat of the moment, server permissions are often loosened to recover the servers themselves or the data on them. Record every such change as it is made, so that once the incident is over each one can be reviewed and reverted. Even after a security incident is closed, check that you have not left your systems in an insecure state.
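One practical way to keep that record, as an added example that is not from the article: snapshot the NTFS ACLs on the shares you expect to touch before recovery work starts, take a second snapshot afterwards, and diff the two so every permission added or removed during the incident is listed for review and rollback. The share path and the file locations under C:\IR are assumptions; everything else uses standard Windows PowerShell cmdlets.

```powershell
# Added example (not from the article): record NTFS permission changes made
# during incident recovery by diffing ACL snapshots. The share path and the
# C:\IR file locations below are assumptions; change them for your environment.
param(
    [string[]]$Paths    = @('D:\Shares\Finance'),      # assumed share(s) being recovered
    [string]$Baseline   = 'C:\IR\acl-baseline.json',   # taken before recovery work
    [string]$Current    = 'C:\IR\acl-current.json'     # taken after recovery work
)

function Get-AclSnapshot {
    # Flatten every access control entry under each root into one row per ACE
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        $items = @(Get-Item -LiteralPath $root) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName
            foreach ($ace in $acl.Access) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                    Type      = $ace.AccessControlType.ToString()
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Compare-AclSnapshot {
    # Reduce each ACE to a string key so Compare-Object reports added/removed entries
    param($Before, $After)
    $key = { "$($_.Path)|$($_.Identity)|$($_.Rights)|$($_.Type)|$($_.Inherited)" }
    Compare-Object -ReferenceObject @($Before | ForEach-Object $key) `
                   -DifferenceObject @($After  | ForEach-Object $key) |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Ace    = $_.InputObject
            }
        }
}

# Usage: run once before recovery to write the baseline, then again afterwards.
# The second run writes the current snapshot and a CSV of every ACE that changed.
if (-not (Test-Path -LiteralPath $Baseline)) {
    Get-AclSnapshot -Roots $Paths | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $Baseline
    "Baseline written to $Baseline"
} else {
    $now = @(Get-AclSnapshot -Roots $Paths)
    $now | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $Current
    $before  = @(Get-Content -Raw -LiteralPath $Baseline | ConvertFrom-Json)
    $changes = @(Compare-AclSnapshot -Before $before -After $now)
    $changes | Format-Table -AutoSize
    $report  = "C:\IR\acl-changes-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
    $changes | Export-Csv -LiteralPath $report -NoTypeInformation
    "$($changes.Count) permission change(s) recorded in $report"
}
```

Keep the baseline and the change report outside the share being recovered, and treat the CSV as the checklist for the post-incident review: each "Added" row is a permission that should be justified or removed before the incident is closed.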

Resist taking shortcuts while carrying out established recovery processes

If you have a tested recovery plan, avoid the temptation to go off script to speed the process. As the NIST Guide for Cybersecurity Recovery document indicates:

“Recovery teams should integrate specific recovery procedures based upon the processes used within the organisation.
