If you thought you were at the mercy of cyber criminals before the latest Russian aggression, be prepared: things are bound to get much, much worse. Russia is now overtly using cyber warfare as part of its kinetic warfare against Ukraine, which began with the annexation of the Crimean peninsula in 2014 and continued with its invasion of Ukraine this week.
You may ask yourself why an aggressor halfway around the world would be interested in a company like yours. The truth is that all companies look very similar on the web to an aggressor that is not local. Small and mid-sized companies look almost identical when they use similar online resources and services. Cyber-aggressors are now looking for the lowest of low-hanging fruit, so if you are not prepared, you have a target on your back. If your customers or your market require you to comply with InfoSec standards, you may already be prepared. Read on to make sure you are aware and prepared to prevent and defend your assets from an attack.
Russian-based cybercriminals have already successfully targeted many utility and supply-chain services in the past. Up until last week, these aggressions were carried out from Russia by cybercriminals under Russia's publicly deniable protection. You may have heard of last year's Colonial Pipeline hack. Colonial Pipeline is America's largest pipeline operator. This hack shut down the pipeline serving the Eastern US, causing gas station shutdowns and long lines, and triggering a rush that resulted in gas price increases. Oil flow was halted for about a week. Think about the consequences a sustained attack lasting longer than that would cause. Other supply-chain attacks included the meat-processing company JBS, one of the largest in the US, where 13 plants across the country had to reduce or completely suspend operations so they could run their business continuity recovery processes. These are only some of the examples during peacetime. If companies are not currently protected and cyberattacks increase, the risk is higher than you may think.
Public services, utilities, and critical infrastructure, including the critical infrastructure you have set up to run your own business, need to be secured. Your setup's security needs to be tightened as much as your budget allows. At the very least, you need to be prepared to execute your Business Continuity (BC) and recovery processes in case you are the target of an attack. For this bare minimum, you need to have some of your BC plans in place; otherwise, your recovery attempts will not work. If your budget is insufficient, you need to either reconsider how much you want your business to continue or make sure you brace yourself. You can choose to gamble your business's future on flying under the radar, but that would be extremely risky for any business with an online presence that depends on information services.
You may also be asking yourself what your company can do in light of this aggression. How can you protect your assets and information?
The bare minimum is, in fact, your BC plan and recovery preparedness. But there are other simple, low-cost protection processes you can implement to provide a higher level of InfoSec while staying budget-conscious. Brush up and dust off your backups, make sure you complete them at the frequency you need, and make sure your backup storage is not in the same physical location as your own infrastructure. I know this is basic common sense, but companies sometimes make decisions in silos, and that needs to be avoided.
BlueKatana can provide you with a detailed analysis and propose a plan of action for you to be better prepared, now and in the future. You can implement this plan yourself, and at your own pace, or you can use our available resources for this.
What Other Preventive Measures Can We Take?
The approach is selective access: block what you can, prevent attacks where possible, and protect your most exposed resources.
Keep InfoSec Software Up To Date
Easy enough to list and execute. You should already have anti-malware and anti-virus software installed on every user's device. If you do, make sure everyone's software is updated automatically. If not, change those settings to prevent newer threats from flying under the radar and affecting your devices. This should be an obvious recommendation, but the same concept applies to administrators' and InfoSec team members' devices too.
Use Multi-Factor Authentication
About 95% of identity and unauthorized-credential access can be prevented by implementing 2FA (two-factor authentication) or MFA (multi-factor authentication). 2FA is a sub-set of MFA; I use both terms here because your software documentation may list it either way. Essentially, they work the same way: two or more types of authentication are required. Those types of authentication are categorized as something you know, something you are, or something you carry.
Something you know could be your password or a PIN. You remember your password, and only you can provide it when prompted. But something you know can also be disclosed if the store holding these secrets is exposed through a hack or unauthorized access. So this factor cannot be the only one provided, hence the "2" or "multi" in 2FA/MFA.
Something you are is something that is part of yourself. This category mostly covers biometrics that uniquely identify you as who you say you are: your face for face recognition, your eyes for iris detection, your fingerprint for a fingerprint reader, and so on. Combining this additional factor with the previous one, you not only need to know something, you actually need to be there! This alone is critical and is why most email providers are switching to this method. Just knowing your email password is no longer enough to sign in to your email services as you. Cybercriminals would also need your fingerprint, face, or eyes, making it virtually impossible to gain access to your account.
Something you carry is used as a replacement on systems that cannot use biometrics. In this case, what you carry could be your cell phone receiving a one-time code, a chip card like your credit card now has, an access fob, a physical key, an app on your phone that generates a code, or even a wearable device such as a smartwatch or a smart ring. What you carry is not considered as secure as what you know plus what you are, because something you carry can be stolen or lost. However, it is still much more secure than using only a password.
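To make the "something you know plus something you carry" combination concrete, here is an added example (not code from the original article or from BlueKatana) of a login check that requires both a password and a phone-app code generated per RFC 6238 (TOTP over RFC 4226 HOTP). The user record, password, salt and shared secret are constructed sample values; the check also refuses a code that was already used, so a captured code cannot be replayed.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30     # seconds per code, as in RFC 6238
TOTP_DIGITS = 6
DRIFT_STEPS = 1    # accept one time step either side to tolerate clock skew

def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current Unix time."""
    return hotp(secret, int(now) // TOTP_STEP)

def hash_password(password: str, salt: bytes) -> bytes:
    """'Something you know' is stored only as a salted PBKDF2 hash, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, totp_secret: bytes, salt: bytes) -> dict:
    # Constructed in-memory user record; a real deployment would persist this.
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_counter": -1}

def verify_login(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors must pass: the password alone never grants access."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    counter = int(now) // TOTP_STEP
    matched = None
    for c in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
        # Each code is single-use: any time step already consumed is rejected (replay defence).
        if c > user["last_counter"] and hmac.compare_digest(hotp(user["totp_secret"], c), code):
            matched = c
    if pw_ok and matched is not None:
        user["last_counter"] = matched
        return True
    return False

if __name__ == "__main__":
    # Sample secret is the RFC 4226 test-vector key; "correct horse" is a constructed password.
    user = make_user("correct horse", b"12345678901234567890", b"constructed-salt")
    print(verify_login(user, "correct horse", "", 59))               # password only: False
    print(verify_login(user, "correct horse", totp(user["totp_secret"], 59), 59))  # both: True
```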
Verify All Remote Users’ Access
In the new reality we live in, most of us work remotely. You may or may not use a VPN to connect to your services directly; if your users connect to your workplace network, you certainly need one. Some services you already use support secure logging and processes that let you understand, map, and prevent certain activities. Turn those processes on, and decide whether they should only raise alerts or also block your users from taking certain actions.
Monitor And/Or Prevent Traffic With External Entities
Incoming traffic can be filtered not just through MFA/2FA, but also by location and even by specific entities. You can create rules that limit access into your network not only to specific users, but to a list of authorized named entities, locations, geographies, or even specific IP addresses. Using these filters can easily save you from some nightmare scenarios.
Implement All Low-hanging Fruit Now
All credentialing services now support a form of MFA/2FA, and they have made activating it fast, simple, and fool-proof. This is the single most important step you can take today towards protecting your information. If you have not done so, plan for it right away: notify your users and implement it as soon as possible.
Depending on the specific systems, InfoSec software, and access hardware you already use, you may be able to implement additional access verification and monitoring at low expense. Every company is unique in that its specific combination of tools may favor one method over another. Our recommendation is to implement as many of these measures as possible, and more beyond this article, to protect your livelihood and the livelihood of those who depend on your actions.
Keep in mind that with these methods you are always moving towards a more secure environment. While you may spend more budget on safer solutions, there will come a time when you reach a point of diminishing returns and you (or your C-suite) will draw the line. Any risk beyond that point, however minimal, is a gamble your company will be taking.