Don’t be the Loser at Cyber Security

I should not have to be writing this article in 2022, but sometimes the obvious needs to be restated.  Reality has a way of asserting itself, irrespective of any personal or commercial choices we make, good or bad.  For example, recently, the city services of Antwerp in Belgium were the victim of a highly disruptive cyberattack.  See: https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-belgium-city-of-antwerp/

As usual, all parties cried "foul play" and suggested that proper cybersecurity measures should have been in place.  As usual, it all happens a bit too late. There was nothing special or unique about the attack, and it was not the last of its kind either.  Has your INFOSEC team reviewed/updated your cyber incident disaster recovery plan? Are all the documented security measures in place and tested?

Start with the basics:  Perform proper user training that includes all the usual: password hygiene, restrictions on account sharing, and clear instructions not to open untrusted emails or access unscrupulous websites.  It is inconvenient that human actions continue to be the weakest link in cyber defense, but it's a fact.   Have new employees been trained?

Regarding the infrastructure, start with proper asset auditing, because you cannot protect what you do not know exists.  Next, implement network segmentation to divide traffic into the smallest practical segments.  If a server does not need to see or talk to another server, then the two should not be on the same VLAN, with no exceptions.  Remote access should move from traditional VPN access to zero-trust networking alternatives.  Do all employees need access to all services and servers? Consider setting access levels for all employees.[1]
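Asset auditing and segmentation only pay off if someone regularly checks what is actually on the wire against what the register says should be there. The script below is an added example, not from the article or Red Sky Alliance: it reconciles a constructed asset inventory and VLAN plan against a constructed list of observed hosts (the kind of `ip,mac` export an ARP table or scanner produces) and reports rogue devices, inventory entries that were not seen (candidates for decommissioning or a missing-host alert), and hosts whose address does not sit in the subnet their VLAN assignment implies.

```python
"""Reconcile observed hosts against the asset inventory and VLAN plan.
Added example; every inventory record, subnet and observation below is constructed."""
import ipaddress

# Constructed asset register: address -> what the organisation believes it is.
INVENTORY = {
    "10.0.10.5": {"name": "web-01", "vlan": "dmz", "owner": "web team"},
    "10.0.10.9": {"name": "legacy-ftp", "vlan": "data", "owner": "unknown"},
    "10.0.20.8": {"name": "db-01", "vlan": "data", "owner": "dba"},
    "10.0.30.12": {"name": "hr-laptop-3", "vlan": "users", "owner": "HR"},
}

# Constructed segmentation plan: each VLAN owns exactly one subnet.
VLAN_SUBNETS = {
    "dmz": ipaddress.ip_network("10.0.10.0/24"),
    "data": ipaddress.ip_network("10.0.20.0/24"),
    "users": ipaddress.ip_network("10.0.30.0/24"),
}

# Constructed observations in "ip,mac" form, as a scan or ARP export might give.
OBSERVED = """
10.0.10.5,00:11:22:33:44:55
10.0.20.8,00:11:22:33:44:66
10.0.20.77,de:ad:be:ef:00:01
10.0.30.12,00:11:22:33:44:77
"""


def parse_observed(text):
    """Turn the export into a list of (ip, mac) tuples, skipping blank lines."""
    hosts = []
    for line in text.strip().splitlines():
        ip, mac = (field.strip() for field in line.split(",", 1))
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        hosts.append((ip, mac.lower()))
    return hosts


def reconcile(inventory, observed, vlan_subnets=VLAN_SUBNETS):
    """Compare what was seen with what is registered.

    unknown   - seen on the network but absent from the register (rogue or untracked)
    missing   - registered but not seen (offline, forgotten, or already gone)
    misplaced - registered VLAN does not match the subnet the address sits in
    """
    seen = {ip for ip, _ in observed}
    unknown = sorted(ip for ip in seen if ip not in inventory)
    missing = sorted(ip for ip in inventory if ip not in seen)
    misplaced = sorted(
        ip for ip, record in inventory.items()
        if ipaddress.ip_address(ip) not in vlan_subnets[record["vlan"]]
    )
    return {"unknown": unknown, "missing": missing, "misplaced": misplaced}


def report(inventory=INVENTORY, observed_text=OBSERVED):
    """Convenience entry point used when the script is run directly."""
    result = reconcile(inventory, parse_observed(observed_text))
    for category, addresses in result.items():
        for ip in addresses:
            name = inventory.get(ip, {}).get("name", "-")
            print(f"{category:9s} {ip:15s} {name}")
    return result


if __name__ == "__main__":
    report()
```

Run against the constructed data it flags `10.0.20.77` as unknown, `10.0.10.9` as both missing and misplaced (the register puts "legacy-ftp" in the data VLAN, but its address lives in the DMZ subnet), which is exactly the kind of entry the decommissioning step later in the article is meant to catch.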

Consider what needs to be encrypted for transmission and at rest, even if communication is internal only.  You never know what has already been breached, so someone can eavesdrop where you least expect it.

Do not allow users to “randomly” plug devices into your network.  Lock switch ports and restrict Wi-Fi access to known devices.  Users will complain, but that is just part of the tradeoff. Either way, exceptions should be kept to a minimum.  The IT department should be in charge of this, with support from senior management.

Servers: Keep everything updated via patching and document it.  This is true for exposed, public-facing servers, such as web servers, but it is equally essential for all servers and devices on the network.  Another step is identifying and removing older, unused or forgotten equipment from the network.  If a server has no reason to exist, decommission it or destroy the instance.  Act as soon as possible, whether it is a container, VM, instance, or node.  And properly erase, clear, disable or destroy old equipment before disposal.

An unpatched server is a vulnerable server; it only takes one vulnerable server to bring down the best cyber security program.  If patching is too disruptive to do daily, look to alternative methods such as live patching and use them everywhere you can.

Hackers are experienced criminals, and you do not need your team to make it easier for them, so identify and close any and all vulnerabilities as quickly as possible.  With live patching, your team does not have to worry about prioritizing which vulnerabilities to patch, because it can patch them all.

Your cyber threat team should maintain a proactive approach. Keep up with the latest threats and security news.  While some vulnerabilities have a disproportionate share of attention due to being "named" vulnerabilities, sometimes it is one of the countless "regular" vulnerabilities that hits the hardest.  You can use a vulnerability management tool to help with this.

Remember your disaster recovery plan? Start from the simple premise of "what if we woke up tomorrow and none of our IT worked?"   Answer these questions: How quickly can I get bare-bone services up and running?  How long does it take to restore the entire data backup? Are we testing the backups regularly?  Is the service deployment process adequately documented, even if it is a hard copy of scripts?  What are the legal implications of losing your systems, data, or infrastructure for several weeks?
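"Are we testing the backups regularly?" is the question most often answered with a guess. A backup is only proven when it has been restored and the restored files match what was written. The script below is an added example, not code from the article or Red Sky Alliance: it builds a constructed tar.gz backup in memory together with a SHA-256 manifest, restores it into a scratch directory, refuses archive entries that would write outside that directory, and reports every file that is missing or whose hash no longer matches. A second, deliberately damaged archive shows what a failed restore test looks like.

```python
"""Restore-test a backup archive against its SHA-256 manifest.
Added example; the files and the damage scenario are constructed."""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Stand-in for the backup job (constructed): pack {path: bytes} into a
    tar.gz held in memory and record a hash per file at backup time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {path: sha256_bytes(data) for path, data in files.items()}
    return buf.getvalue(), manifest


def restore_test(archive: bytes, manifest: dict) -> dict:
    """Restore into a temporary directory and verify every manifest entry.
    Returns a result the backup job can log; 'ok' is True only on a clean run."""
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.realpath(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                dest = os.path.realpath(os.path.join(root, member.name))
                # A tampered archive must never write outside the scratch dir.
                if not dest.startswith(root + os.sep):
                    failures.append(f"{member.name} (unsafe path)")
                    continue
                if not member.isfile():
                    continue
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tar.extractfile(member) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
        # Compare what actually landed on disk with what was recorded at backup time.
        for path, expected in manifest.items():
            dest = os.path.join(root, path)
            if not os.path.isfile(dest):
                failures.append(f"{path} (missing)")
                continue
            with open(dest, "rb") as f:
                if sha256_bytes(f.read()) != expected:
                    failures.append(f"{path} (hash mismatch)")
    return {"checked": len(manifest), "failed": failures, "ok": not failures}


def demo():
    """Constructed scenario: one healthy backup, one that silently lost data."""
    files = {
        "etc/app/config.yml": b"db_host: 10.0.20.8\n",
        "srv/data/customers.csv": b"id,name\n1,Example Customer\n",
    }
    archive, manifest = make_backup(files)
    healthy = restore_test(archive, manifest)

    # The stored copy lost one file entirely and part of another; the manifest
    # from backup time is what exposes both problems.
    damaged = {"srv/data/customers.csv": b"id,name\n"}
    bad_archive, _ = make_backup(damaged)
    broken = restore_test(bad_archive, manifest)
    return healthy, broken


if __name__ == "__main__":
    for name, result in zip(("healthy", "damaged"), demo()):
        print(name, "ok" if result["ok"] else "FAILED", result["failed"])
```

The manifest is the piece that makes the test meaningful: without a hash recorded at backup time, a restore that "completes" can still hand back truncated or altered data. Keeping the manifest with the off-site copy, and running this check on a schedule, turns "we have backups" into a measured result that can be put in front of management.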

As an organization, you want to avoid getting into a position where your systems are down, your customers are going to your competitor's website, and your senior management is demanding answers and results.   All the questions that have been posed above can be answered.  Plenty of resources are available on the web to help you and your team members avoid suffering a breach.

It is up to all organizations to take steps and adopt procedures to protect themselves from cyber-attacks. 

The following is what Red Sky Alliance recommends:

  • All data in transmission and at rest should be encrypted.
  • Proper data backup and off-site storage policies should be adopted and followed.
  • Implement two-factor authentication company-wide.
  • For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories, including keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  

[1] https://thehackernews.com/2022/12/cyber-security-is-not-losing-game-if.html