Cyber Scotland Week - Recovering From A Cyber Attack

Today we will look at how we would begin to recover from the cyber-attack.

Once the malware has been completely eradicated from all of the systems, the process of recovery can begin. – this would be a bit like refurbishing a striped building

Recovery would most likely be a phased eradication to allow us to get critical systems back, with the remainder staying offline and unavailable.  Remembering that some systems may remain unavailable for quite some time, and some may even be lost altogether.  The priority for the recovery of systems will be set by the incident management team and this will focus on vital systems such as communications, payment systems, social care systems, etc.  that allow us to carry out the most important services.  The restoration of a single system will take time, and it's likely that external support will need to be brought in to assist with this. 

Once communications systems are back in service, we may still find that they're ineffective because other councils, government departments and partners will have blocked our email domain and website domain to protect themselves.  It may take some time to provide the necessary assurances of security and for these organisations to fully accept our communications again.  This is standard practice, and one of the first actions taken by OIC during the Sepa and Western Isles attack was to block their domains.

We have sophisticated and multiple backup systems to protect our data but the criminals that launch these attacks may have found ways to damage those as well.  There are no guarantees until everything is carefully checked, and backup servers may well be damaged and inaccessible.  This was found to be the case in the Western Isles attack. Recovery will be slow.  Not only do the servers have to be rebuilt, data restored, and the rebuilt systems checked before release, but every single PC, laptop and tablet must be rebuilt as well. These devices will be released on a priority system and there will be very limited device availability.  IT Support to assist users during the recovery phase will be very limited as IT will be concentrating on getting as much back as possible as quickly as possible.  Services will be using manual systems for some time to come.

Some may ask the question "Why not pay the ransom and get the systems back quickly?".  There are several good reasons for this:

• We would be funding and effectively encouraging criminal activity.
• There is no guarantee that a solution would be provided for the money paid.  These are criminals after all.
• If one were provided, we could not be sure that it didn't come with more malware.  These are criminals after all.
• If we paid a ransom, we would make ourselves a bigger target for other criminal organisations that would see us as an easy victim.

Many thanks for the positive responses received to these email bulletins.

Thomas Aldred

Service Manager (ICT)