The Recover Function gets things back to normal as quickly as possible
If you’ve been following our series about the NIST Cybersecurity Framework, you know that many K-12 districts are finding the Framework a useful tool for developing a multi-layered cybersecurity strategy. It’s no secret that K-12 cybersecurity issues are increasingly worrisome, especially given the move to remote learning in response to the COVID-19 pandemic.
We started this series by looking at how to get started with a K-12 NIST Cybersecurity Framework. Our next step was to give you an overview of each of the Functions included in the Framework. To make the overviews as useful as possible, we’ve also included “Pro Tips” from Neal Richardson, the Director of IT at Hillsboro-Deering School District in Hillsboro, New Hampshire. Neal has years of cybersecurity experience and joined us for a webinar to discuss his experience in implementing the NIST Framework (watch the webinar recording here).
This is the 5th and last installment of the series, focusing on the NIST Cybersecurity Recover Function. You can reference the first four Functions using these links:
- NIST Cybersecurity Identify Function
- NIST Cybersecurity Protect Function
- NIST Cybersecurity Detect Function
- NIST Cybersecurity Respond Function
About the NIST Cybersecurity Recover Function
The primary goal of the NIST Cybersecurity Recover Function is to create, maintain, and improve your district’s resilience when recovering from a cybersecurity event. It will help you to define recovery and restoration plans, and to communicate effectively to key stakeholders. It’s your roadmap for returning to normal operations and reducing the impact of a cybersecurity event.
After you work through the NIST Cybersecurity Recover Function, you will be in a position to:
- Ensure that your district implements recovery planning processes to restore anything that was affected by a cybersecurity event
- Review your strategies and find opportunities for improvement based on your experience with a new cybersecurity event
- Coordinate internal and external communications with a range of stakeholders during and after your recovery
Getting Started with the NIST Cybersecurity Recover Function
The Recover Function is where you do your “lessons learned” analysis. You need to focus on where your protective measures failed, why they failed, and how you can prevent them from failing in the future.
For example, assume you experience a ransomware attack and the hackers hold your backups hostage. You’ll learn the painful lesson that you must disconnect your backups from the network. It’s becoming more difficult to keep your backups safe from evolving ransomware attacks that often target backup channels as well as main networks. You’ll need to keep those backups safe to achieve the goal of full data recovery after an attack.
If you’ve ever gone through a ransomware attack and have come out the other side, you know it’s exceptionally painful. You learn pretty quickly where your weak spots are and what you need to do to tighten them up. But you need to stay on your toes.
It’s essential to fix any issues you uncover after a cybersecurity incident. If you don’t correct those issues, you leave yourself open to a similar attack in the future. Other activities that fall under the Recover Function are user training, awareness training, and penetration testing.
Pro Tip: Neal says this is the most valuable Function in the Framework. While the first four Functions are critical, Recover is where you focus on improving for the future. You’ll need to:
1. Identify the penetration point. Run an audit report to see where the attack penetrated your domain. For example, you should be able to run a report to identify the compromised account.
2. Identify the attacker’s next actions. Did they install apps or download anything? Did they send emails and, if so, who were the recipients? Did they create documents or download any documents? What drives or folders did they access and what did they do in those areas?
This helps you get a picture of how the compromise occurred and what an ongoing attack looks like from a detection standpoint. Armed with that insight, you can update your Protect and Detect plans.
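As an added illustration of the two steps above (not code from the original article or from Neal's district), the Python example below works through a small constructed audit log: it finds the first login from an address the account has never used before, then groups everything that account did afterwards. The event fields and action names are assumptions; map them to whatever your own audit export provides.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit events for illustration; field and action names are assumptions.
EVENTS = [
    {"ts": "2021-03-01T08:02:00", "user": "jdoe", "action": "login", "ip": "10.1.4.20"},
    {"ts": "2021-03-02T08:05:00", "user": "jdoe", "action": "login", "ip": "10.1.4.20"},
    {"ts": "2021-03-03T02:14:00", "user": "jdoe", "action": "login", "ip": "203.0.113.50"},
    {"ts": "2021-03-03T02:16:00", "user": "jdoe", "action": "app_install", "target": "mail-sync-helper"},
    {"ts": "2021-03-03T02:20:00", "user": "jdoe", "action": "email_send", "target": "all-staff@district.example"},
    {"ts": "2021-03-03T02:25:00", "user": "jdoe", "action": "file_download", "target": "/HR/payroll.xlsx"},
    {"ts": "2021-03-03T02:26:00", "user": "jdoe", "action": "folder_access", "target": "/HR"},
    {"ts": "2021-03-03T09:00:00", "user": "asmith", "action": "login", "ip": "10.1.4.31"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def find_penetration_point(events):
    """Step 1: earliest login from an IP the account has not used before.
    Accounts with no login history yet are not flagged (nothing to compare to)."""
    seen = defaultdict(set)
    for e in sorted(events, key=lambda e: parse(e["ts"])):
        if e["action"] != "login":
            continue
        known = seen[e["user"]]
        if known and e["ip"] not in known:
            return e
        known.add(e["ip"])
    return None

def attacker_actions(events, entry):
    """Step 2: group what the compromised account did from the suspicious login on."""
    report = defaultdict(list)
    start = parse(entry["ts"])
    for e in sorted(events, key=lambda e: parse(e["ts"])):
        same_user = e["user"] == entry["user"]
        if same_user and e["action"] != "login" and parse(e["ts"]) >= start:
            report[e["action"]].append(e["target"])
    return dict(report)

if __name__ == "__main__":
    entry = find_penetration_point(EVENTS)
    print("Penetration point:", entry["user"], entry["ip"], entry["ts"])
    for action, targets in attacker_actions(EVENTS, entry).items():
        print(f"  {action}: {targets}")
```

Each action group in the output answers one of the questions in step 2 and is a candidate for a new Detect rule.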
There are undoubtedly many demands on your district IT team. But the truth is that if your systems are compromised, several things happen:
- You stop supporting your community while your department focuses on addressing the cybersecurity incident
- You can’t support your community because your systems are compromised
- You drain your already tight funding
It makes sense to devote the time now to take advantage of the NIST Cybersecurity Framework. If you’ve never been the victim of an attack, you’re lucky. But it’s just a matter of time before you become another statistic. For more information, watch the full webinar recording with Neal Richardson here.