Doing nothing is no longer an option. You can protect your organisation, and your reputation, by establishing basic cyber defences to ensure that your name is not added to the growing list of cyber victims.
Breaking the attack pattern
Preventing, detecting or disrupting the attack at the earliest opportunity limits the business impact and the potential for reputational damage.
Even though it’s normally the most motivated attackers who have the persistence to carry out multi-stage attacks, they will frequently do this using commodity tools and techniques, which are cheaper and easier for them to use. So, putting in place security controls and processes that can mitigate commodity attacks will go some way to making your business a hard target.
Equally, adopting a defence-in-depth approach to mitigate risks through the full range of potential attacks will give your business more resilience to cope with attacks that use more bespoke tools and techniques.
Reducing your exposure using essential security controls
Fortunately, there are effective and affordable ways to reduce your organisation’s exposure to the more common types of cyber attack on systems that are exposed to the Internet. The following controls are outlined in Cyber Essentials, together with more information about how to implement them:
- boundary firewalls and internet gateways — establish network perimeter defences, particularly web proxy, web filtering, content checking, and firewall policies to detect and block executable downloads, block access to known malicious domains and prevent users’ computers from communicating directly with the Internet
- malware protection — establish and maintain malware defences to detect and respond to known attack code
- patch management — patch known vulnerabilities with the latest version of the software, to prevent attacks which exploit software bugs
- whitelisting and execution control — prevent unknown software from being able to run or install itself, including AutoRun on USB and CD drives
- secure configuration — restrict the functionality of every device, operating system and application to the minimum needed for business to function
- password policy — ensure that an appropriate password policy is in place and followed
- user access control — including limiting normal users’ execution permissions and enforcing the principle of least privilege
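As an added illustration (not code from Cyber Essentials or the guidance above), the following Python gateway policy check combines three of the boundary controls just listed: a blocklist of known malicious domains, content checking that recognises executable downloads by their leading bytes rather than by file name, and a rule that workstations may only reach the Internet through the web proxy. The subnet, proxy address and blocklist are constructed sample values.

```python
import ipaddress
from typing import Optional, Tuple

BLOCKED_DOMAINS = {"malware.example"}                # constructed sample blocklist
USER_SUBNET = ipaddress.ip_network("10.0.0.0/24")    # assumed workstation range
PROXY_IP = ipaddress.ip_address("10.0.0.250")        # assumed web proxy address

# Leading bytes of common executable formats; checked on the body so that a
# renamed file (e.g. "invoice.pdf" that is really a PE) is still caught.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE",
    b"\x7fELF": "ELF",
    b"#!": "script with interpreter line",
}
EXECUTABLE_TYPES = {
    "application/x-msdownload", "application/x-dosexec",
    "application/x-executable", "application/vnd.microsoft.portable-executable",
}

def executable_kind(body: bytes, content_type: str = "") -> Optional[str]:
    """Return the executable type detected, or None if the content looks benign."""
    declared = content_type.split(";")[0].strip().lower()
    if declared in EXECUTABLE_TYPES:
        return declared
    for magic, kind in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None

def gateway_decision(src_ip: str, via_proxy: bool, host: str,
                     content_type: str = "", body: bytes = b"") -> Tuple[str, str]:
    """Return ("block" | "allow", reason) for one outbound web request."""
    src = ipaddress.ip_address(src_ip)
    # Workstations must not talk to the Internet directly; the proxy itself may.
    if src in USER_SUBNET and src != PROXY_IP and not via_proxy:
        return "block", "workstation attempted direct Internet access"
    host = host.lower().rstrip(".")
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "block", f"known malicious domain {host}"
    kind = executable_kind(body, content_type)
    if kind:
        return "block", f"executable download ({kind})"
    return "allow", "policy checks passed"
```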
If your organisation is likely to be targeted by a more technically capable attacker, give yourself greater confidence by putting in place these additional controls set out in the 10 Steps to Cyber Security:
- security monitoring — to identify any unexpected or suspicious activity
- user training, education and awareness — staff should understand their role in keeping your organisation secure and report any unusual activity
- security incident management — put plans in place to deal with an attack as an effective response will reduce the impact on your business
10 Steps to Cyber Security sets out the features of a complete cyber risk management regime. There are many effective and comprehensive schemes and open standards that your organisation can apply to support a defence-in-depth strategy, if this approach isn’t already implemented.
Mitigating the 'survey' stage
Any information which is published for open consumption should be systematically filtered before it is released to ensure that anything of value to an attacker (such as software and configuration details, the names/roles/titles of individuals and any hidden data) is removed.
User training, education and awareness is important. All your users should understand how published information about your systems and operation can reveal potential vulnerabilities.
They need to be aware of the risks of discussing work-related topics on social media, and the potential for them to be targeted by phishing attacks. They should also understand the risks to the business of releasing sensitive information in general conversations, in response to unsolicited telephone calls, or to email recipients.
The Centre for the Protection of the National Infrastructure (CPNI) have published a guide to online reconnaissance to help put into place the most effective social engineering mitigations.
Secure Configuration can minimise the information that Internet-facing devices disclose about their configuration and software versions, and ensures they cannot be probed for any vulnerabilities.
Mitigating the 'delivery' stage
The delivery options available to an attacker can be significantly diminished by applying and maintaining a small number of security controls, which are even more effective when applied in combination:
- Up to date malware protection may block malicious emails and prevent malware being downloaded from websites.
- Firewalls and proxy servers can block insecure or unnecessary services and can also maintain a list of known bad websites. Equally, subscribing to a website reputation service to generate a blacklist of websites could also provide additional protection.
- A technically enforced password policy will prevent users from selecting easily guessed passwords and lock accounts after a specified number of failed attempts. Additional authentication measures for access to particularly sensitive corporate or personal information should also be in place.
- Secure configuration limits system functionality to the minimum needed for business operation and should be systematically applied to every device that is used to conduct business.
Mitigating the 'breach' stage
As with the delivery stage, the ability to successfully exploit known vulnerabilities can be effectively mitigated with just a few controls, which are again best deployed together.
- All commodity malware depends on known and predominantly patchable software flaws. Effective patch management of vulnerabilities ensures that patches are applied at the earliest opportunity, limiting the time your organisation is exposed to known software vulnerabilities.
- Malware protection within the internet gateway can detect known malicious code in an imported item, such as an email. These measures should be supplemented by malware protection at key points on the internal network and on the users’ computers where available. Devices within the gateway should be used to prevent unauthorised access to critical services or inherently insecure services that may be required internally by your organisation. Equally, the gateway should be able to detect any unauthorised inbound or outbound connections.
- Well-implemented and maintained user access controls will restrict the applications, privileges and data that users can access. Secure configuration can remove unnecessary software and default user accounts. It can also ensure that default passwords are changed, and any automatic features that could immediately activate malware (such as AutoRun for media drives) are turned off.
- User training, education and awareness are extremely valuable to reduce the likelihood of ‘social engineering’ being successful. However, with the pressures of work and the sheer volume of communications, you cannot rely on this as a control to mitigate even a commodity attack.
- Finally, critical to actually detecting a breach is the capability to monitor all network activity and to analyse it to identify any malicious or unusual activity.
Mitigating the 'affect' stage
If all the measures for the survey, delivery and breach stages are consistently in place, the majority of attacks using commodity capability are likely to be unsuccessful.
However, if your adversary is able to use bespoke capabilities then you have to assume that they will evade those measures and get into your systems. Ideally, you should have a good understanding of what constitutes ‘normal’ activity on your network, and effective security monitoring should be able to identify any unusual activity.
Once a technically capable and motivated attacker has achieved full access to your systems it can be much harder to detect their actions and eradicate their presence. This is where a full defence-in-depth strategy can be beneficial.
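As an added example (not from the guidance itself) of the monitoring described for the breach and affect stages, the Python below learns what ‘normal’ outbound activity looks like for each internal host from a baseline window of connection logs and then reports connections in a later window that fall outside it, distinguishing direct Internet connections that bypass the proxy from new internal service ports. The log lines, the 10.0.0.0/8 internal range and the proxy on port 3128 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range

# Constructed sample logs: "timestamp src_ip dst_ip dst_port proto"
BASELINE_LOGS = """\
2024-01-08T09:00:01 10.0.0.5 10.0.0.250 3128 tcp
2024-01-08T09:00:07 10.0.0.5 10.0.0.10 445 tcp
2024-01-08T09:01:12 10.0.0.6 10.0.0.250 3128 tcp
2024-01-08T09:02:30 10.0.0.10 10.0.0.20 1433 tcp
2024-01-09T09:00:03 10.0.0.5 10.0.0.250 3128 tcp
"""
NEW_LOGS = """\
2024-01-10T09:00:02 10.0.0.5 10.0.0.250 3128 tcp
2024-01-10T09:05:41 10.0.0.5 198.51.100.7 443 tcp
2024-01-10T09:06:15 10.0.0.5 10.0.0.6 3389 tcp
2024-01-10T09:07:02 10.0.0.10 198.51.100.7 4444 tcp
"""

def parse(logs):
    """Yield (timestamp, src, dst, port, proto) tuples from the log text."""
    for line in logs.splitlines():
        ts, src, dst, port, proto = line.split()
        yield ts, src, dst, int(port), proto

def build_baseline(logs):
    """Map each source host to the set of (dst, port, proto) it normally uses."""
    baseline = defaultdict(set)
    for _, src, dst, port, proto in parse(logs):
        baseline[src].add((dst, port, proto))
    return baseline

def find_unusual(baseline, logs):
    """Return (ts, src, dst, port, reason) for each connection absent from the baseline."""
    alerts = []
    for ts, src, dst, port, proto in parse(logs):
        seen = baseline.get(src, set())
        if (dst, port, proto) in seen:
            continue
        if ipaddress.ip_address(dst) not in INTERNAL:
            reason = "direct Internet connection bypassing the proxy"
        elif port not in {p for _, p, _ in seen}:
            reason = f"new service port {port} for this host"
        else:
            reason = "new internal destination"
        alerts.append((ts, src, dst, port, reason))
    return alerts
```

In practice the baseline window must itself be reviewed before it is trusted, since any attacker activity already present during that window would be learned as ‘normal’.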