Updated September 2022
In order to use more sophisticated cyber security tools, organizations need to have a decent understanding of cyber security best practices. Over the years, businesses both large and small have become victims of cyber-attacks that could have been prevented if basic cyber security principles, awareness, and best practices were followed. Some of those best practices include patching devices, inventory control, managing backups and data recovery, securing VPNs for remote work environments, and managing default passwords.
Today, remote work environments have become common, and with them comes an increase in cyber threats. According to the 2021 Public Sector Cybersecurity Survey report published by SolarWinds, the public sector now faces an increasing risk of external cyberattacks because security measures are failing to keep pace with a fast-moving threat environment. The survey noted that the hacking community (56%) is the largest source of security threats within the public sector, followed by careless and untrained insiders (52%) and foreign governments (47%).
Furthermore, the survey found that the public sector is especially concerned about increases in the types of security breaches they experienced – malware (65%), ransomware (66%), and phishing (63%). This is the first time in five years that insider carelessness or lack of employee training is not the biggest threat to the public sector. This means that IT threats have increased, but the ability to detect and remediate those threats has not, thus leaving organizations within the public sector vulnerable.
Developing good security hygiene could mean all the difference if your organization is attacked by a threat actor. Small security lapses lead to attacks and attacks lead to turmoil within your organization’s routine business practices. Let’s take a look at how following basic cyber security principles could help keep your organization from becoming the next big headline.
Image 1: 15 Vulnerabilities Added to CISA's Catalog
Recently, CISA (Cybersecurity and Infrastructure Security Agency) added 15 known exploited vulnerabilities to their catalog. Most of the vulnerabilities on this list are two to three years old, which means that if these vulnerabilities are still being exploited, organizations are not being diligent with patching devices. Patching out-of-date and vulnerable software is crucial and should be done as soon as an update is available.
Unfortunately, many organizations fall into the habit of not prioritizing patching. Why? Simply because patching can be quite inconvenient and time-consuming. However, there is nothing more inconvenient than having your systems and networks compromised by a threat actor who took advantage of your negligence.
How it can be implemented / utilized: If an organization doesn’t have an accurate, up-to-date asset inventory, managing compliance and cyber risk will be extremely difficult. If you aren’t sure whether your organization has let its inventory fall by the wayside, ask yourself these questions:
Have I updated my inventory list across my business or company?
Can I see (in real-time) the state of our overall security posture at any given minute?
Do I know what my asset inventory management program is, and does it help keep my organization safe?
Do I know which assets are critical for business operations and which ones may be less important?
If you couldn’t answer these questions fluidly, then you have a problem. Assets are moving targets, and managing them needs to become a seamless process. Full visibility and control over all assets shouldn’t be optional.
Going through the initial process of accounting for every authorized and unauthorized device, application, software license, IoT and ICS device, etc. can be tedious, but it’s worth it. There are cyber insurance companies who can make the process easier and help you build a platform that discovers your users, applications, and devices continuously and automatically, as well as the relationships between them. If your tools and processes work together to automatically discover and inventory the full range of your authorized IT assets, you’ll be able to better understand and secure your asset inventory in real time.
A strong and robust security model begins with asset inventory management. Once you take this proactive approach, it becomes easy to track and analyze your assets across attack vectors and identify those most likely to be compromised. Having all of your assets in the inventory means they are readily available via real-time dashboards and easy to search. The inventory can also feed automatic, continuous compliance checks that uncover rogue assets and unauthorized use.
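As an added example (not from the original article or from Avertium), the following Python reconciles a discovery scan against the authorized inventory to surface rogue assets, and cross-references the inventory with a catalog extract in the shape of CISA's Known Exploited Vulnerabilities JSON feed so that patching of the assets most likely to be targeted can be prioritized. Host names, the scan output and the catalog dates are constructed for illustration.

```python
import json

# Constructed authorized inventory (hypothetical hosts): what should be on the network.
AUTHORIZED = {
    "fw-edge-01": {"vendor": "Fortinet", "product": "FortiOS", "critical": True},
    "app-srv-07": {"vendor": "Microsoft", "product": "Windows", "critical": False},
}

# Constructed discovery-scan result: what is actually on the network.
DISCOVERED = {
    "fw-edge-01": {"vendor": "Fortinet", "product": "FortiOS"},
    "app-srv-07": {"vendor": "Microsoft", "product": "Windows"},
    "unknown-iot-3": {"vendor": "Acme", "product": "IP Camera"},
}

# Constructed catalog extract in the shape of CISA's KEV JSON feed; the CVE is the
# one discussed on this page, the dates are illustrative only.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]})

def reconcile(authorized, discovered):
    """Return (rogue, missing): hosts seen but not authorized, and the reverse."""
    rogue = sorted(set(discovered) - set(authorized))
    missing = sorted(set(authorized) - set(discovered))
    return rogue, missing

def load_kev(raw_json):
    """Index catalog entries by (vendor, product), case-insensitively."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index

def exposed_assets(inventory, kev_index):
    """Assets with a catalog entry for their vendor/product; critical hosts first, then by due date."""
    hits = []
    for host, asset in inventory.items():
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in kev_index.get(key, []):
            hits.append({"host": host, "critical": asset.get("critical", False),
                         "cve": entry["cveID"], "due": entry["dueDate"]})
    return sorted(hits, key=lambda h: (not h["critical"], h["due"]))

if __name__ == "__main__":
    print("rogue / missing:", reconcile(AUTHORIZED, DISCOVERED))
    for hit in exposed_assets(AUTHORIZED, load_kev(KEV_JSON)):
        print(hit)
```

A catalog entry names a vendor and product, not the fixed version, so a hit means "confirm this host's patch level now", not "this host is vulnerable".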
In order to have a successful backup and data recovery process, your organization will need to have a clear backup strategy that includes defined data protection goals. This policy should outline what, when, and how data and systems will be backed up and restored should you become compromised. Also, it’s important to test your backups regularly to ensure they work.
What’s more interesting is that the average amount of time it takes for companies to realize that they’ve been breached is 197 days. Businesses with the right data breach recovery process contained their breach within 30 days and saved more than $1 million compared to companies that took longer than 30 days to intervene.
Sometimes, technology fails us, and we lose information, but most of the time we lose information due to malicious threat actors who manage to penetrate and circumvent backups. They either steal data for their own use, or strip businesses of their resources. One threat actor that is known for destroying backups is the ransomware gang, Conti. The threat actor mainly targets backup systems to guarantee that ransom payments are made.
Conti has been strategic in designing and deploying backup removal methods, gaining access to backup user accounts with elevated privileges. After they gain access to these accounts, they are free to do anything they want with the backups they’ve infiltrated – including destroying, corrupting, and encrypting all data. This makes a recovery procedure extremely difficult or impossible. We realize that keeping data secure comes with a hefty price tag, but price should be less of a concern when you run the risk of losing valuable data if you’re breached.
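Testing that a backup actually restores is the step most often skipped. The Python below, an added example rather than anything from the original article, writes a backup archive with a SHA-256 manifest, then restores it into a scratch directory and re-hashes every file; the source files are constructed inline.

```python
import hashlib, json, os, tarfile, tempfile

def sha256_of(path):
    """Hex SHA-256 of a file (read whole; stream in chunks for very large files)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(source_dir, archive_path):
    """Archive source_dir; write and return a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return manifest

def verify_restore(archive_path):
    """Restore into a scratch directory and re-hash every file against the
    manifest. Returns (ok, problems); an untested backup is only a hope."""
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Use the safe extraction filter where Python (3.12+) provides it.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        for rel, digest in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.exists(restored):
                problems.append("missing: " + rel)
            elif sha256_of(restored) != digest:
                problems.append("corrupt: " + rel)
    return not problems, problems

def demo():
    """Back up a constructed source tree and prove that it restores intact."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "orders.sql"), "w") as f:
            f.write("-- constructed sample\nINSERT INTO orders VALUES (1);\n")
        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive)
        return verify_restore(archive)
```

Run the restore test on the offline copy that an attacker with backup-account credentials could not reach; a manifest stored next to the archive protects against corruption, not against an adversary who can rewrite both.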
What it is: Virtual private networks, or VPNs, are one of threat actors’ favorite entry points into a network. A VPN allows people to access the Internet just as they would be able to if they were connected to a private network. Securing VPNs provides effective security for organizations and can help keep certain resources hidden.
Why it’s important: Attackers gain access to networks when organizations don’t patch their VPNs and other externally facing devices. VPNs provide threat actors with a stable foothold on target networks through the VPNs' internet exchange point (IXP). If an employee connects to a company’s VPN to access a company database stored on a server, a threat actor who has infiltrated the IXP can monitor all data that passes through.
How it can be implemented / utilized: There are several reliable VPNs on the market, so once you choose the one that’s right for you, it’s simple to install and use. Usually, all it takes to set up your VPN is to download it onto your computer, sign in, and choose your server. Once you’re connected, continue to use the Internet as you normally would - with an added layer of anonymity and security.
Example case: VPNs establish encrypted connections between devices, so an attacker can’t monitor VPN-encrypted traffic from outside the VPN. But all it takes is one compromised account or device for an attacker to gain access to a VPN and steal what should be gated data. In September 2021, it was reported that a threat actor leaked 500,000 Fortinet VPN login credentials from 87,000 devices, collected over the course of two years. The culprit was a member of the ransomware gang Babuk. Although the VPN vulnerability had already been patched, the stolen credentials were still valid.
Fortinet stated the attackers were able to obtain the credentials from systems that didn’t implement the patch. The vulnerability, tracked as CVE-2018-13379, is a path traversal vulnerability in Fortinet’s FortiOS SSL VPN web portal which allows unauthenticated users to read arbitrary files (including the sessions file).
Although it was never confirmed that the leaked credentials belonged to remote employees, we can only assume that some of them did. VPNs are virtual, which means that they are often given to remote workers to access company resources. Setting up identity and access management (IAM) solutions and secure web gateways could help keep remote employees secure by filtering content and preventing data from leaving your organization’s network.
How it can be implemented / utilized: Password best practices include:
Never reveal a password to anyone
Different accounts need different passwords – don’t reuse!
Use multi-factor authentication – this adds another layer of protection
Long passwords are best – 16 characters or more
Your passwords should be hard to guess and easy to remember
After the ransomware attack, researchers discovered that the password for the account was inside a batch of leaked passwords on the dark web. It’s suspected that the Colonial Pipeline employee re-used that password on another, previously hacked account. The VPN account that was compromised did not use multifactor authentication, and it isn’t known how DarkSide obtained the correct username and password.
As a result of the attack, Colonial Pipeline had to shut down the fuel pipeline, leaving gas stations, businesses, and households without fuel. Additionally, the news of a cyber-attack made its rounds and people started panic buying which resulted in gas shortages along the east coast. DarkSide stole about 100 gigabytes of data from the company and threatened to leak it if they refused to pay a ransom. Colonial Pipeline ended up paying DarkSide $4.4 million in ransom.
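The password practices above can be checked mechanically. This added Python example (not from the original article) assesses a set of accounts for length, reuse across accounts, and presence in a leaked-password corpus; the corpus, account names and passwords are constructed for illustration.

```python
import hashlib

MIN_LENGTH = 16  # "16 characters or more"

def sha1_hex(password):
    """SHA-1 of the password, upper-case hex: the form breach corpora are published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed "leaked" corpus: digests of a few made-up passwords. In practice this
# comes from a breach-data service queried by hash prefix, never by plaintext.
LEAKED_SHA1 = {sha1_hex(p) for p in ["Summer2021!", "P@ssw0rd123", "letmein"]}

def assess_accounts(accounts, leaked_sha1=LEAKED_SHA1):
    """accounts: {account: password}. Returns {account: [findings]};
    an empty list means the password passes every check."""
    by_digest = {}  # digest -> accounts using it, so reuse is found without comparing plaintext
    for name, pw in accounts.items():
        by_digest.setdefault(sha1_hex(pw), []).append(name)
    findings = {}
    for name, pw in accounts.items():
        digest, issues = sha1_hex(pw), []
        if len(pw) < MIN_LENGTH:
            issues.append(f"too short ({len(pw)} < {MIN_LENGTH})")
        if digest in leaked_sha1:
            issues.append("found in leaked-password corpus")
        others = [n for n in by_digest[digest] if n != name]
        if others:
            issues.append("reused on: " + ", ".join(sorted(others)))
        findings[name] = issues
    return findings

# Constructed sample: a VPN account sharing a leaked password with a second
# account, the pattern suspected in the Colonial Pipeline case above.
SAMPLE_ACCOUNTS = {
    "vpn\\jdoe": "Summer2021!",
    "mail\\jdoe": "Summer2021!",
    "vpn\\asmith": "correct-horse-battery-staple-7",
}

if __name__ == "__main__":
    for account, issues in assess_accounts(SAMPLE_ACCOUNTS).items():
        print(account, "->", issues or "ok")
```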
Why it’s important: Antivirus software detects viruses and other threats that a human operator would otherwise miss. Without installing an antivirus system, you’re leaving the door open to malicious hackers and software. A computer that’s infected with a virus:
Performs more slowly
Crashes / fails more frequently
Loses data / deletes files
Is unable to perform regular tasks like using the internet or accessing apps
Why it’s important: Authentication in any form relies on one of three things: something you know (a password or PIN), something you have (a pass card or key), or something you are (a fingerprint or retina scan). MFA adds a layer of security by requiring at least TWO of these things to be present before granting access - making unauthorized access significantly harder.
How it can be implemented / utilized: There are several forms of MFA that an organization can adopt - the primary types include:
A text / call to the user’s phone
Entering a code or answering security questions
A notification to an external app
Biometrics like fingerprint or facial recognition
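To make the "something you have" factor concrete, here is an added Python example (not from the original article) of how the time-based one-time codes behind authenticator apps are generated and verified, following RFC 4226 and RFC 6238, using the RFC's published test secret so the codes can be checked against the standard; the account and issuer names are constructed.

```python
import base64, hashlib, hmac, struct, time

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then the
    'dynamic truncation' that turns 20 bytes of MAC into a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)

def verify_totp(secret, code, at=None, step=30, digits=6, window=1, used=None):
    """Server-side check. Accepts the current step and +/-window neighbours to
    tolerate clock skew, refuses a step that already succeeded (replay), and
    compares in constant time so the comparison itself leaks nothing."""
    at = time.time() if at is None else at
    used = set() if used is None else used
    now = int(at // step)
    for counter in range(now - window, now + window + 1):
        if counter in used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            used.add(counter)
            return True
    return False

def enrollment_uri(secret, account, issuer):
    """otpauth:// URI that an authenticator app scans (usually as a QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"

# Test secret from RFC 6238 Appendix B, so the output can be checked against the RFC.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(enrollment_uri(RFC_SECRET, "jdoe@example.com", "ExampleCorp"))  # names constructed
    print("code at T=59:", totp(RFC_SECRET, at=59, digits=8))  # 94287082 per RFC 6238
```

The `used` set is what turns a one-time code into a one-time code: without it, a code phished from the user in the last 30 seconds still works.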
How it can be implemented / utilized: Train your employees to stay alert and cautious towards all links they receive in emails, texts, and other forms of communication. They should never click a link unless they know and completely trust the sender. Some measures employees can take to validate whether a link is legitimate include:
Hovering their mouse over the link to preview the URL it’s sending them to
Pasting the link into an open source scanner tool like VirusTotal to see whether the URL has been linked to any malicious activity
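The hover-and-inspect habit can be automated for every link in an incoming message. This added Python example (not from the original article; the email body is constructed) parses the anchors in an HTML body, compares the destination the link text claims with where the href actually points, and flags raw-IP destinations.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Lower-cased host of a URL or bare domain, or '' if there is none."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()

def registrable(host):
    return ".".join(host.split(".")[-2:])  # naive eTLD+1: fine for .com-style names

def assess_link(href, text):
    """Warnings for one link; an empty list means nothing looked suspicious."""
    warnings, actual = [], host_of(href)
    shown = host_of(text) if "." in text and " " not in text else ""  # text that claims a destination
    if shown and registrable(shown) != registrable(actual):
        warnings.append(f"text shows {shown} but link goes to {actual}")
    try:
        ipaddress.ip_address(actual)
        warnings.append("link points at a raw IP address")
    except ValueError:
        pass
    return warnings

# Constructed email body: one link whose text and destination disagree.
SAMPLE_EMAIL = """<p>Please verify your account.</p>
<a href="http://192.0.2.10/login">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help center</a>"""

def suspicious_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: w for href, text in parser.links if (w := assess_link(href, text))}
```

A link that passes these checks is not therefore safe; the check catches the common mismatch trick, and the scanner lookup in the list above covers reputation.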
Physical access controls prevent unauthorized users from entering a physical location or object, like a building, room, or IT asset. Logical access controls require that users authenticate their identity before proceeding. This is done by requiring a user to re-authenticate before accessing the secure resource.
Putting cyber security basics into practice can help your organization protect business processes and reduce the risk of a cyber attack. Updating software, securing files, managing passwords, and managing inventory are the first principles you should follow before diving into more sophisticated cyber security tools. Avertium offers the following services to help your organization stay on the right path toward securing your environment:
Avertium, the FBI, and CISA recommend the following regarding cyber security best practices:
Maintain offline, encrypted backups of data and regularly test backups
Identify a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment.
Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create a risk to the safe and reliable operation of OT processes.
Regularly test contingency plans, such as manual controls, so that safety-critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at the necessary capacity even if the IT network is compromised.
Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.
Implement data backup procedures on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.
In addition to backing up data, develop recovery documents that include configuration settings for common devices and critical OT equipment. This can enable more efficient recovery following an incident.
Regarding passwords, require multi-factor authentication for all users, without exception.
Require accounts to have strong passwords and do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access.
Secure credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.
Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.
Disable the storage of clear text passwords in LSASS memory.
Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
Consider using a centralized patch management system. For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.
Disable all unnecessary ports and protocols.
Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control.
Turn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.