This guidance outlines the security steps that your organisation should take in response to an increased threat of cyber attack. It’s aimed primarily at larger organisations, but the advice here is relevant to anyone who feels their systems may be targeted by cyber attack.
So, whether you hold customer data, maintain an online service or simply rely on digital services to keep your business running, these steps will help you to avoid the consequences of a successful cyber attack. And if the worst comes to the worst, they’ll help you determine what went wrong and recover quickly.
The advice we give here selects some priority measures from the comprehensive collection of cyber security advice on our website.
Increased cyber threats
How will you know if you are at an increased risk of cyber attack? There are many sources of information on this subject, including the mainstream media. There are also a number of commercial and industry-specific information-sharing resources, as well as the CiSP platform detailed below.
Steps to take now:
If you are concerned about the possibility of your organisation coming under cyber attack, the NCSC recommends three actions that you should undertake immediately:
1. Your organisation should undertake a readiness review and identify:
- all available sources of logging
- where those logs are stored
- how long those logs are retained
- who has access to them
- that logging events are currently being generated
2. You should review your Denial of Service protection for key platforms, including websites and any digital services you offer.
3. Your organisation should sign up to the Cyber Information Sharing Partnership (CiSP), giving you access to valuable threat information, from your peers and official sources, all in a secure environment. The registration process isn’t instant, so start the sign-up process now.
These measures will help in the detection of cyber attacks and give you some front-line protection against Denial of Service (DoS) attacks.
Steps to take in the coming weeks:
1. Improve Defences
The NCSC’s 10 Steps to Cyber Security gives you a comprehensive overview of the areas you need to consider when looking to improve the defensive posture of your organisation’s IT. A few notable areas for consideration are:
- Your organisation should review its asset and vulnerability management processes and ensure they are in line with the NCSC advice. Where a service is found to be vulnerable and/or not required for business purposes, consider disabling it.
- Administrators should use ‘normal’ accounts for standard business use. Highly privileged administrative accounts should not be used for high-risk or day-to-day user activities such as web browsing and email.
- Create and maintain a whitelist of authorised applications that can be executed. Systems should be capable of preventing the execution of unauthorised software by employing process execution controls. The NCSC has published advice on how to do this on End User Devices.
2. Improve detection capability
Your organisation should securely store and have ready access to logs. We recommend storing key identifying information for three months. It helps to store logs for longer if you can, as this gives you a greater capacity for analysing attacks which may have gone undetected for some time. The logs that should be stored will vary according to the details of your IT estate.
It is important to log events, even if you have no proactive capability to examine them.
If there is a suspected incident the logs will:
- make it easier to prove an attack has taken place
- provide detail of how an attacker got into your system and what they were able to access (this information will make remediation more effective)
- allow the NCSC to release Indicators of Compromise (IOCs) such as malicious IP addresses or email addresses. These can be used by other organisations to identify whether they have also been targeted
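The readiness review questions (how long logs are retained, who has access to them, and whether events are currently being generated) can be checked per log directory with a short script. This is an added example, not NCSC code; it assumes logs are stored as files, uses file modification times as a proxy for retention, takes "three months" as 90 days, and uses a hypothetical 24-hour silence limit and constructed directory names.

```python
import os
import stat
import tempfile
import time

# Thresholds: "three months" taken as 90 days; the 24 h silence limit is an assumption.
def review_source(path, now=None, retention_days=90, max_silence_hours=24):
    """Return readiness-review findings for one log directory (empty list = OK)."""
    now = now or time.time()
    mtimes, exposed = [], []
    for root, _dirs, files in os.walk(path):
        for name in files:
            st = os.stat(os.path.join(root, name))
            mtimes.append(st.st_mtime)
            if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):  # any local user has access
                exposed.append(name)
    if not mtimes:
        return ["no log files found"]
    oldest_days = (now - min(mtimes)) / 86400   # mtime is a proxy for retention
    silent_hours = (now - max(mtimes)) / 3600   # time since an event was last written
    findings = []
    if oldest_days < retention_days:
        findings.append("oldest log is %d days old, under %d" % (round(oldest_days), retention_days))
    if silent_hours > max_silence_hours:
        findings.append("no events written for %d hours" % round(silent_hours))
    if exposed:
        findings.append("world-accessible: " + ", ".join(sorted(exposed)))
    return findings

def demo():
    """Build a constructed sample tree and review each source in it."""
    now, base = time.time(), tempfile.mkdtemp()
    layout = {  # source -> [(file name, age in days, mode)], all values constructed
        "firewall": [("fw.log", 0.1, 0o640), ("fw.log.13", 95, 0o640)],
        "webproxy": [("access.log", 3, 0o644), ("access.log.1", 10, 0o640)]}
    results = {}
    for source, files in layout.items():
        src = os.path.join(base, source)
        os.mkdir(src)
        for name, age_days, mode in files:
            p = os.path.join(src, name)
            open(p, "w").close()
            os.chmod(p, mode)
            os.utime(p, (now - age_days * 86400,) * 2)
        results[source] = review_source(src, now)
    return results

if __name__ == "__main__":
    print(demo())
```

A short history on a recently deployed system will also show up as a retention finding, so read that result alongside the system's install date.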
3. Improve response capability
Review your backup policy and ensure a systematic approach is implemented. The ability to recover your system from archived data should be tested.
Full packet capture is regularly requested as part of Incident Response. Consider how you would go about performing this on your organisation’s internet connection(s) and take action now to facilitate future packet capture. Identifying how to do this after a breach will delay effective response.
The NCSC is regularly notified of malicious activity observed ‘in the wild’ and operates a service to inform registered network owners. To enable this service, you need to contact email@example.com who will supply you with a form to complete with your organisation’s details.
Make sure your staff are familiar with your organisation’s incident management plan and, if necessary, ensure that arrangements are in place to bring in additional technical expertise. The NCSC has a list of certified Cyber Incident Response companies.
If an incident occurs
Please report incidents to the NCSC 24/7 Incident Management team if the following applies:
- Significant loss of data, system availability, or control of systems
- Unauthorised access to or malicious software present on IT systems.
Business as usual
Though the measures outlined above are essential first steps towards healthy cyber security for your organisation, they may entail some effort to put in place, and even some disruption to your usual operations. You should take this into account when putting them into action.
You should also ensure that you continue with any planned upgrades, patching regimes and security enhancements in line with the NCSC’s existing guidance.