As Russia’s invasion of Ukraine rages on, companies of all sizes and in every industry need to be vigilant to protect themselves from cyberattacks. Even in the best of times, cybercriminals and nation-state threat actors work tirelessly to exploit poor security practices and weak system configurations in their victims’ environments. Given that the situation in Eastern Europe has escalated significantly, several western governments have issued public warnings to expect cyberattacks aimed at disrupting critical infrastructure. Many of our clients have already dealt with cyber incidents affecting their hardware and software systems across multiple attack vectors.
With this in mind, the following recommendations are meant to help companies across multiple industry sectors build an effective cyber defensive posture that can detect and mitigate incidents at a time when they cannot afford to be exposed.
- Assess exposure through third-party connections.
- Double and triple-check backups and their locations.
- Check your malware and antivirus scanners and verify they are working as expected using test files designed for this purpose (e.g., the EICAR test file).
- Revisit your incident response plan regularly. It should be available in multiple locations.
- Install active logging and detection systems and have them monitored, with alerting, 24×7. Forward logs to a secure, centralized location for consolidation and monitoring. Without this capability, organizations have limited ability to investigate incidents or recognize malicious behavior.
- Define a baseline for normal activity and regularly review Active Directory and authentication logs for deviations from it, such as bursts of failed logons, logons or account changes outside business hours, and new accounts or group memberships nobody requested.
- Block known and high-risk websites using URL filtering or client software.
- Set up multifactor authentication (MFA) for email and virtual private network (VPN) connections.
- Limit VPN connections to only users who need it.
- Implement firewalls and limit user access to operational technology (OT) networks from office networks.
- Limit contractor access to only needed resources and set up timed expiration for user accounts.
- Verify that every active account belongs to a current employee or contractor. Disable accounts for terminated users.
- Revisit policies about accessing resources from personal accounts or devices.
- Place any resource with an open remote desktop protocol (RDP) port behind a firewall and require a VPN connection to access the resource.
- Disable all ports and protocols that are not business critical.
- Restrict email forwarding or at least regularly audit user-created email forwarding rules.
- Develop a mitigation strategy; understand when, how, and why to reset credentials and revoke permissions. Ask yourself: “How quickly can I isolate infected systems?”
- Require strong passwords and audit them at a regular interval, for example by running password-cracking or breached-password checks against password hashes, so weak or reused credentials are found before an attacker finds them.
- User training is key to preventing and identifying intrusions (it only takes one user to compromise a network). Educate employees on emerging cybersecurity risks and vulnerabilities and how they are delivered.
- Establish blame-free employee reporting and ensure employees are educated on the proper channels to do so.
- Patch firewalls, servers, desktops, laptops, and network devices on an active schedule based on severity. This is especially important for Internet-facing or mission-critical software such as webmail, VPNs, and other remote access tools.
- Back up data daily, keeping multiple versions to restore from if hit by a ransomware attack. Store copies in the cloud or at offsite facilities, keep at least one copy offline or otherwise unreachable from the production network so it cannot be encrypted along with the rest, encrypt the backups, and test restores.
- Encrypt laptops to prevent data access if lost or stolen.
- Provide Internet access for guest devices on a network that cannot reach internal resources. Personal mobile devices shouldn’t be connected to office networks and typically don’t need access to corporate resources.
- Establish an upper limit for unsuccessful login attempts (an account lockout or throttling policy) and alert when it is reached.
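Several of the items above (centralized logging, a baseline for normal activity, a limit on unsuccessful logins) only pay off if someone actually runs checks over the collected logs. The following is an added example, not code from the original post or from any vendor, of what such a review can look like: it reads authentication records that are assumed to have been forwarded to a central location and exported as one JSON object per line (a hypothetical format chosen for this example; the field names `time`, `event_id`, `user` and `src_ip` are assumptions), then flags accounts that exceed a failed-logon threshold, successful logons that immediately follow a burst of failures against the same account and source address, and account creations outside a hypothetical business-hours baseline. The sample records are constructed for illustration.

```python
"""Added example (not from the original post): review centralized Windows
Security log records for unusual authentication activity.

Assumptions: records are one JSON object per line with the fields
time (ISO 8601), event_id, user and src_ip. Event IDs follow the Windows
Security log: 4625 = failed logon, 4624 = successful logon,
4720 = user account created (here 'user' is the account that was created).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

MAX_FAILURES = 5                          # upper limit for unsuccessful logons
WINDOW_MINUTES = 10                       # window in which the limit applies
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # hypothetical baseline of normal activity

# Constructed sample log: one account is brute-forced and then logged into,
# one user mistypes a password once, and an account is created late at night.
SAMPLE_LOG = """\
{"time": "2022-03-01T02:10:00", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2022-03-01T02:10:20", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2022-03-01T02:10:40", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2022-03-01T02:11:00", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2022-03-01T02:11:20", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2022-03-01T02:11:40", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2022-03-01T02:12:05", "event_id": 4624, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2022-03-01T09:05:00", "event_id": 4625, "user": "mlee", "src_ip": "10.0.0.15"}
{"time": "2022-03-01T09:05:30", "event_id": 4624, "user": "mlee", "src_ip": "10.0.0.15"}
{"time": "2022-03-01T23:40:00", "event_id": 4720, "user": "svc-backup2", "src_ip": "10.0.0.9"}
"""


def parse_events(text):
    """Parse one JSON record per line; 'time' becomes a datetime. Sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])


def detect_failed_logon_bursts(events, max_failures=MAX_FAILURES, window_minutes=WINDOW_MINUTES):
    """Flag each account whose failed logons exceed max_failures within the window.
    One alert per account, raised the first time the limit is crossed."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    alerted, alerts = set(), []
    for e in events:
        if e["event_id"] != 4625:
            continue
        q = recent[e["user"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"rule": "failed_logon_burst", "user": e["user"],
                           "count": len(q), "src_ip": e["src_ip"], "at": e["time"]})
    return alerts


def detect_success_after_failures(events, max_failures=MAX_FAILURES, window_minutes=WINDOW_MINUTES):
    """Flag a successful logon that follows at least max_failures failures from the
    same source against the same account: the signature of a guessed password."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)  # (user, src_ip) -> failure timestamps
    alerts = []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["event_id"] == 4625:
            failures[key].append(e["time"])
        elif e["event_id"] == 4624:
            prior = [t for t in failures[key] if e["time"] - t <= window]
            if len(prior) >= max_failures:
                alerts.append({"rule": "success_after_failures", "user": e["user"],
                               "src_ip": e["src_ip"], "failures": len(prior), "at": e["time"]})
    return alerts


def detect_off_hours_account_creation(events, business_hours=BUSINESS_HOURS):
    """Flag account creation outside the agreed baseline of normal activity."""
    start, end = business_hours
    return [{"rule": "off_hours_account_creation", "user": e["user"],
             "src_ip": e["src_ip"], "at": e["time"]}
            for e in events
            if e["event_id"] == 4720 and not (start <= e["time"].time() <= end)]


def review(text):
    """Run every check over a log export and return all alerts."""
    events = parse_events(text)
    return (detect_failed_logon_bursts(events)
            + detect_success_after_failures(events)
            + detect_off_hours_account_creation(events))


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises three alerts: a failed-logon burst for `jsmith` (six failures in under two minutes), a successful logon for `jsmith` from the same address right after that burst, and the creation of `svc-backup2` at 23:40. The single failure by `mlee` stays below the threshold and is not reported, which is the point of defining a baseline before alerting: the checks should fire on what is abnormal for the organization, not on every mistyped password. In production the thresholds and business hours would come from that baseline rather than from the constants above.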
An organization’s cyber defense posture shapes how it operates from a security standpoint, whatever its industry segment, which is why it is worth spending the time and resources to ensure sound cyber hygiene. By hardening configurations and access as described above and by maintaining the logging, detection and response capabilities to act on what they reveal, companies can reduce the opportunities for intrusion, enhance their cybersecurity posture, and minimize the risks associated with a breach in the digital age.