  • 00:04

    Hello, everyone. This is Susan Bradley for CSO Online. Over the weekend, I dealt with

  • 00:11

    a misbehaving server that reminded me that no matter how small or how large you are,

  • 00:16

    you need to have a security disaster toolkit or a checklist at the ready should any event

  • 00:21

    occur. But as we move away from on-premises servers to cloud servers, perhaps you need

  • 00:27

    to re-review that checklist and see if there's any changes you need to make.

  • 00:32

    At a minimum, you need to review your security checklist at least once a year, if not more

  • 00:38

    often, and especially if you have any major migrations or big changes or plans in the

  • 00:44

    works.

  • 00:45

    Now, to start, NIST, the National Institute of Standards and Technology, has several documents

  • 00:51

    online regarding disaster plans and checklists, and it's a way to get started. So if you don't

  • 00:57

    have your own checklists, start here. In addition, the SANS organization has a disaster recovery

  • 01:03

    plan policy and many other policy resources that you can check out on their site. Now,

  • 01:09

    for many years, the standard operational procedure to deal with a device, especially one that

  • 01:14

    you thought would be attacked or taken over, was you turned off the device and isolated

  • 01:21

    them to ensure that you maintain the log files and evidence. Well, now the standard device

  • 01:25

    may be it depends depending on where the device is located and what exactly it is. Instead

  • 01:32

    of taking the device offline instead, you may flip that device to an isolated network

  • 01:37

    for future investigation. So don't just knee-jerk turn off the device. Think about where

  • 01:44

    it is and what ways you have to access. When you're investigating workstations and servers,

  • 01:50

    you want to ensure that your processes include backup. The devices are made to ensure the

  • 01:56

    system is in its impacted state. Before you restore something and before you put something

  • 02:03

    back online, make sure you have a capture of it in its impacted state. You want those

  • 02:08

    actual log files. You want that evidence. And especially in case there's some sort of

  • 02:14

    FBI investigation you'll need later on. Often in recovery, in the zeal of trying to get

  • 02:19

    back online, you don't think of maintaining evidence and you forget what to do. So relax.

  • 02:26

    I know that's hard, but slow down. Make sure you have a checklist and do the processes.

  • 02:34

    Now, even before an incident occurs, you may want to have certain things in your toolkit.

  • 02:40

    For example, for servers that are in high-risk areas, you may want to install or you

  • 02:46

    do want to install Sysmon from Sysinternals, which, once installed on a system, remains

  • 02:52

    resident across system reboots in order to monitor and log system activity to the Windows

  • 02:57

    log file. The site GitHub SwiftOnSecurity has a Sysmon configuration that you want to

  • 03:04

    check out. And of course, because attackers these days want to do lateral movement inside

  • 03:11

    an organization, you want to install and use the Local Administrator Password Solution

  • 03:16

    toolkit. Attackers gain network access through the use of targeted phishing attacks. From

  • 03:24

    there, they'll use a variety of means to harvest hashes. And their goal is to get a local administrator

  • 03:30

    password. Now, in the old old days, we pick a local master to password it and use it throughout

  • 03:36

    the network. These days, that's not a good idea, because once an attacker pops one password,

  • 03:42

    they can't get access to the entire network. So again, looking to the Local Administrator

  • 03:46

    Password Solution toolkit to solve that issue. The next tool you want to bookmark but not

  • 03:54

    download is something called the Microsoft Safety Scanner. It's a tool that scans and

  • 04:01

    is triggered and is only available for use 10 days after being downloaded. Because obviously

  • 04:05

    you want the latest signature files included. You'll download it, you'll accept the terms,

  • 04:11

    and you want to install an honor system in order to do a scan to see what's up.

  • 04:18

    You will determine if there are any malicious files on your computer.

  • 04:23

    The next thing you'll want to make sure you have is what's called a jump bag, and these

  • 04:28

    things could be personal items or there could be tools. For example, if you'll be traveling

  • 04:34

    someplace or going to some location, you may need to have a bag of personal items: toothbrush,

  • 04:40

    toothpaste, clothes. These days with cloud computing, you'll want to make sure that you

  • 04:45

    have bookmarked Azure portal links, licenses, ISOs of operating systems. The ability to

  • 04:52

    have access to needed operating systems to be able to boot back into and restore from

  • 04:56

    a backup is key to recovering quickly. So have documentation online as well as offline

  • 05:03

    in various paper formats. Yes, old-fashioned paper. And make sure you have means to access

  • 05:08

    such items as your firm's Azure portal, Volume license portal or other access to ISOs and

  • 05:16

    products. You may want to have access to a corporate credit card or some other purchasing

  • 05:20

    authorization in order to purchase resources and access to services. Think in terms of

  • 05:26

    alternatives to your normal channels of communication. Remember in a disaster, email or other means

  • 05:32

    that you normally contact with each other may be offline. So having that jump bag,

  • 05:38

    a list of contact information and alternative ways to contact key from key players, you

  • 05:45

    should you'll want to review this on a regular basis. So here's some things you might want

  • 05:49

    for an on-premise situation in a jump bag: network cables, USB cables, hard drives,

  • 05:57

    SSD, external USB drives, flash drives, device interface adapters, a handheld label printer

  • 06:05

    in order to label drives and things that you're taking out for incident handling, hub devices,

  • 06:12

    digital cameras, cable ties and cable snips. Screws. Notebooks. Chain of custody forms.

  • 06:20

    So you document and have a witness of how items were obtained. Incident handling procedures

  • 06:27

    and finally, business cards for all members of the team. So that when you go in a situation,

  • 06:32

    you could hand out authoritative information about who's on that team. As we go to cloud,

  • 06:40

    we move to a different set of proper steps in order to deal with compromised

  • 06:45

    accounts. For example, in Office 365, you'll want to follow the Microsoft recommendations

  • 06:51

    and how to secure and restore e-mail function. You want to reset passwords. You want to make

  • 06:58

    sure you have multi-factor enabled. You want to block the user account from signing in

  • 07:03

    again, follow the steps here. Then you'll want to go and review the Microsoft security

  • 07:09

    score and what to do if you haven't already. Take a look at the security roadmap. Look

  • 07:16

    at the 30 day out steps, the 90 day out steps, the beyond reviewing, constantly reviewing

  • 07:22

    what threats and risks are coming to cloud security. And finally, you want to review

  • 07:27

    the Microsoft Secure Score. Here in my sample tenant, I have a lousy score. You want to

  • 07:33

    get that total score higher. You want to be where the attackers go to somebody else. It's

  • 07:39

    easier to attack, not you. So take the time now when you're not in the middle of a disaster

  • 07:46

    to plan on having one. Make sure you're ready. Ready for when the event occurs. Not if. And

  • 07:54

    of course, last but not least. Join us on Tech Talk from IDG, the new YouTube channel

  • 07:59

    for the tech news of the day. Until next time. This is Susan Bradley for CSO Online. See

  • 08:05

    you next time.


How to make a Windows disaster recovery kit
