The first media reports of serious intrusion attempts exploiting this vulnerability, by cybercriminals as well as intelligence agencies, have appeared. This makes it clear that protective measures are necessary.
Heise Verlag provides a good assessment of the threat situation in its webcast Heise Show of Dec. 16, 2021.
But what should you do if you discover that attackers are inside your systems?
Tips to minimize or even avert damage:
1. Get help
Don't be afraid to get outside help. Start looking now for partners who can assist you in such a situation. The German Federal Office for Information Security (BSI, www.bsi.bund.de) continuously offers information on how to protect your IT systems.
In the event of a detected attack, the BSI also offers valuable guides that are continuously updated:
2. Check that your data backup is sufficiently shielded
Make sure your backup has as few touch points with your production environment as possible. A separate infrastructure, administered separately, offers clear advantages here. Grant access to the backup environment only to the people who strictly need it, and make sure that only a few groups have the right to actively delete backups.
3. Make sure there is an air gap in your backup environment
If possible, store a backup copy on tape outside the tape libraries. For a disk-only backup solution, set up an encrypted copy on immutable S3 storage.
4. Take disaster precautions
Back up not only your production data but also the catalogs and repository databases of your data protection environment, preferably on tape. Store these tapes outside the library as well. Develop a disaster recovery plan and review it regularly.
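As an added example (not code from the original article), the following audit checks a backup bucket against items 2 and 3 above: an encrypted copy on immutable S3 storage that only a designated backup role may delete. The input dicts mirror the shape of the S3 API responses GetObjectLockConfiguration, GetBucketVersioning, GetBucketEncryption and the GetBucketPolicy document; the retention threshold, ARNs and bucket names are constructed placeholders.

```python
# Added example (not the article's code): audit a backup bucket against item 3
# ("encrypted copy on immutable S3 storage") and item 2 (few deleters). Inputs
# mirror S3 API responses; all ARNs, names and thresholds are constructed.
MIN_RETENTION_DAYS = 30  # assumed requirement; set to your own retention policy

def _as_list(value):
    """IAM fields such as Action may be a single string or a list."""
    return value if isinstance(value, list) else [value]

def audit_backup_bucket(lock_cfg, versioning, encryption, policy):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    lock = lock_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock disabled: backup versions can be deleted")
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    if retention.get("Mode") != "COMPLIANCE":
        findings.append("retention mode is not COMPLIANCE: GOVERNANCE can be bypassed with s3:BypassGovernanceRetention")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention {days}d is below {MIN_RETENTION_DAYS}d")
    if versioning.get("Status") != "Enabled":
        findings.append("versioning disabled (Object Lock requires it)")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               == "aws:kms" for r in rules):
        findings.append("no default SSE-KMS encryption on the bucket")
    # Defence in depth for item 2: an explicit Deny on version deletion for every
    # principal; the backup role is exempted via a Condition (not evaluated here).
    if not any(s.get("Effect") == "Deny" and s.get("Principal") == "*"
               and "s3:DeleteObjectVersion" in _as_list(s.get("Action", []))
               for s in policy.get("Statement", [])):
        findings.append("bucket policy lacks an explicit Deny on s3:DeleteObjectVersion")
    return findings

# Constructed samples: an untouched default bucket and a hardened backup copy.
WEAK = dict(lock_cfg={}, versioning={}, encryption={}, policy={"Statement": []})
HARDENED = dict(
    lock_cfg={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
              "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    versioning={"Status": "Enabled"},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY"}}]}},
    policy={"Statement": [{"Effect": "Deny", "Principal": "*",
        "Resource": "arn:aws:s3:::backup-copy-EXAMPLE/*",
        "Action": ["s3:DeleteObjectVersion", "s3:PutBucketObjectLockConfiguration"],
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn":
                      "arn:aws:iam::111122223333:role/BackupAdmin-EXAMPLE"}}}]},
)
```

Running `audit_backup_bucket(**WEAK)` lists every gap a default bucket leaves open, while `audit_backup_bucket(**HARDENED)` returns no findings.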
In the event of a discovered attack or the suspicion of one:
5. Keep calm
Careless actions will not help you; in fact, they can unintentionally cause further damage.
6. Form a task force
Gather all key decision makers into one group and give it enough decision-making power to react quickly.
7. Contact your security partner
Your previously selected partner will help you analyze the threat situation and take active countermeasures. Inform the police, for example the state criminal investigation office responsible for you, and file a report.
8. Gather all information about your current situation
Which systems and processes are affected? Can these systems be isolated? Do systems need to be shut down?
9. Establish communication policies
Attackers may have taken over your communication infrastructure. Use external means of communication for critical messages.
10. Inform your legal department and the press office
A report to the authorities, for example the BSI, may be required, or a press release may have to be formulated. Have external communications handled only by these two offices.
11. Check the status of your data backup
Check that you have taken all measures to protect your data backup. Limit access to your backup environment and change your passwords. Determine whether your backup is usable or whether it has also been compromised. If it is affected, determine the extent of the damage.
With these measures in place, you already have a baseline for being prepared in case of doubt. Many of them can be prepared now and written down in an emergency plan.