As Russia’s invasion of Ukraine drags on — and global sanctions against Russia take firmer hold — cyber attacks coming from Russia have started to both increase in frequency as well as severity. For nearly a decade, Russia has perfected state-level cyberwar by practicing on Ukraine. Now, however, Russian-originated cyber attacks are leaking out to government entities and private corporations the world over. Here is what you and your company ought to do today, in the next week, two weeks from now and past that to protect your company and your employees from this real and present danger.
What to do right now
The first step to protecting your business is to enable Domain Name System (DNS) filtering services to crack down on malicious internet activity.
The why: DNS filtering immediately improves your ability to both detect and protect against threats from both email and web vectors.
The how: To start, turn on pop-up blockers by default in your web browser. Most popular web browsers also maintain a database of phishing and/or malware sites to help protect you against the most common threats. To take this a step further, you should consider subscribing to a DNS filtering service in order to block attempts to access these websites at the network level. Akamai and Quad9 are two pretty great providers of Malicious Domain Blocking and Reporting (MDBR) services. Our expert cybersecurity staffers can help you determine and select the right DNS filtering service for your business and budget as well.
What to do in the next week
Turn on multi-factor authentication (MFA) for literally any system that offers it
The why: It’s easier than ever for attackers to steal credentials through phishing attacks and other social engineering tactics. With exponential increases in computing power for less and less cost, brute force attacks have become more common than ever, too. MFA protects an organization from up to 96% of these attacks, according to the Center For Internet Security.
The how: Have your IT administrator or Managed Service Provider inventory all your systems, determine which ones offer MFA, and enable it on every system that does.
Obtain a recent vulnerability scan for all externally facing IT assets; install all possible patches and updates
The why: Most of the worst or most damaging cyber attacks we see come from a security vulnerability in outdated or unpatched software or systems. If you’re able to identify these and close them before an adversary does, you’ve saved yourself a world of potential pain.
The how: There are a number of off-the-rack vulnerability scanning tools you can look into. We have a host of vendors and products we recommend to our clients (or conduct and manage on their behalf). Once you’ve found all your vulnerabilities, patch and update as quickly as possible (being sure to preserve your IT environment’s maximal uptime at peak demand windows).
What to do in the next two weeks
Enable logging on every device for which it’s available; then, configure a log collection system
The why: Logs provide the evidence incident response and forensic teams need to retrace attackers’ footsteps within your network. They allow these teams to determine who the adversary was, how they got into the system, how long they were there, and what they did while they were there. Logs can also help identify suspicious activity in your systems, internal and external alike.
The how: Most infrastructure devices and systems have some form of native logging capability. There are a number of commercial options available to help with periodic scans of logs to ensure such logging is in place. For some small and medium-sized businesses, this can be beyond in-house IT capability. As with DNS filtering and MFA, we often set up and manage log systems for our clients to great effect.
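Once logs are being collected, their value comes from actually looking at them. As an added example (not from the original post or from any vendor named here), this Python script scans constructed sshd-style auth log lines and flags a source address that racks up repeated failed logins in a short window, the password brute-force pattern mentioned under MFA above; the sample lines, threshold and window size are assumptions.

```python
# Added example: flag password brute-force attempts in sshd-style auth logs.
# Everything below (sample lines, thresholds) is constructed, not real data.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines mimicking Linux auth.log (not real traffic).
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.5 port 51422 ssh2
Mar 10 08:00:03 host1 sshd[2002]: Failed password for admin from 203.0.113.5 port 51423 ssh2
Mar 10 08:00:04 host1 sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 51424 ssh2
Mar 10 08:00:06 host1 sshd[2004]: Failed password for root from 203.0.113.5 port 51425 ssh2
Mar 10 08:00:07 host1 sshd[2005]: Failed password for oracle from 203.0.113.5 port 51426 ssh2
Mar 10 08:15:00 host1 sshd[2100]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 08:15:30 host1 sshd[2101]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(text, year=2022):
    """Yield (timestamp, user, ip) for each failed-login line; syslog has no year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: usernames} for IPs with >= threshold failures inside any window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            # Sliding window: count failures within `window` of events[i].
            end = events[i][0] + window
            burst = [u for t, u in events[i:] if t <= end]
            if len(burst) >= threshold:
                flagged[ip] = set(burst)
                break
    return flagged

if __name__ == "__main__":
    for ip, users in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {ip} made repeated failed logins against {sorted(users)}")
```

A single failed login from 198.51.100.7 followed by success is left alone, while the five-failure burst from 203.0.113.5 is reported; in practice the same logic feeds an alert in your log collection system.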
Ensure systems are properly backed up, AND that those backups are protected from cyberattacks
I don’t think it’s necessary to hammer this point home (we’ve written a lot about the necessity and importance of backups). But creating a backup environment that can also withstand a cyberattack is a specific and specialized application (one that we can most certainly help you with).
What comes next
CIS has a great collection of additional resources I’ll copy and paste below to check out once the above have been completed:
For resources from CISA, please also see their Shields Up webpage.
Salesforce’s Trailhead learning platform features a training module dedicated to CIS Controls v8.
The Cybersecurity & Infrastructure Security Agency (CISA) provides useful guidance to help organizations understand how to respond to an attack.
The National Institute for Standards & Technology (NIST) provides additional guidance for organizations protecting OT environments. NIST also maintains a helpful library of cybersecurity resources on its website.
And finally, if you’re looking to assess potential commercial solutions or evaluate vendors to handle some of these functions for you, please don’t hesitate to drop us a line.