Executive Summary of cybersecurity best practices

In order to use more sophisticated cyber security tools, organizations need to have a decent understanding of cyber security best practices. Over the years, businesses both large and small have become victims of cyber-attacks that could have been prevented if basic cyber security principles and best practices were followed. Some of those best practices include patching devices, inventory control, managing backups and data recovery, securing VPNs for remote work environments, and managing default passwords.

Today, remote work environments have become common, and with them comes an increase in cyber threats. According to the 2021 Public Sector Cybersecurity Survey report published by SolarWinds, the public sector now faces an increasing risk of external cyberattacks because security measures are failing to keep up with a fast-changing threat environment. The survey found that the hacking community (56%) is the largest source of security threats within the public sector, followed by careless and untrained insiders (52%) and foreign governments (47%).

Furthermore, the survey found that the public sector is especially concerned about increases in the types of security breaches it experienced: malware (65%), ransomware (66%), and phishing (63%). This is the first time in five years that insider carelessness or lack of employee training is not the biggest threat to the public sector. IT threats have increased, but the ability to detect and remediate those threats has not, leaving organizations within the public sector vulnerable.

Developing good security hygiene could make all the difference if your organization is attacked by a threat actor. Small security lapses lead to attacks, and attacks lead to turmoil within your organization’s routine business practices. Let’s take a look at how following basic cyber security principles could help keep your organization from becoming the next big headline.

 

patching

When cyber security professionals talk about patching devices, they simply mean applying updates to your software as those updates become available. Common areas that need patches include operating systems, applications, and embedded systems (such as network equipment). When a bug is found after a piece of software has been released, a patch is used to remediate it. Patching helps ensure that assets in your environment are not vulnerable to attackers.

A great example of how patching can save your organization a lot of heartache is the 2017 Equifax data breach. This breach affected over 145 million people and was one of the largest breaches of its kind in history. The breach was caused when an employee didn’t apply the most recent patch for Apache Struts – a patch that had been available for two months before the company was breached. Another example is the 2012 data breach of Nationwide Mutual Insurance. The insurance company was breached when a vulnerability in a web application was left unpatched for three years. The data breach exposed the data of 1.27 million people, and the company had to pay $5.5 million in a settlement.

Recently, CISA (the Cybersecurity and Infrastructure Security Agency) added 15 known exploited vulnerabilities to its catalog. Most of the vulnerabilities on this list are two to three years old, which means that if they are still being exploited, organizations are not being diligent about patching devices. Patching out-of-date and vulnerable software is crucial and should be done as soon as an update is available.

 

Image 1: 15 Vulnerabilities Added to CISA's Catalog (Cybersecurity Best Practices - CISA's Vulnerability Catalog). Source: CISA

 

Unfortunately, many organizations fall into the habit of not prioritizing patching. Why? Simply because patching can be inconvenient and time-consuming. However, there is nothing more inconvenient than having your systems and networks compromised by a threat actor who took advantage of that negligence.

 

inventory control

Actively managing your organization’s inventory (end-user devices, network devices, non-computing/IoT devices, and servers) is crucial to keeping your environment safe. Assessing inventory regularly should be the foundation of every organization’s cyber security program. Because devices are constantly added and retired, and employees/users frequently come and go, it’s important to know what you have and how it’s being used.

If an organization doesn’t have an accurate and up-to-date asset inventory, managing compliance and cyber-risk will be extremely difficult. If you aren’t sure whether your organization is guilty of letting inventory fall by the wayside, ask yourself these questions:

  • Have I updated my inventory list across my business or company?
  • Can I see (in real-time) the state of our overall security posture at any given minute?
  • Do I know what my asset inventory management program is, and does it help keep my organization safe?
  • Do I know which assets are critical for business operations and which ones may be less important?

If you couldn’t answer these questions confidently, then you have a problem. Assets are moving targets, and managing them needs to become a seamless process. Full visibility and control over all assets shouldn’t be optional.

Going through the initial process of accounting for every authorized/unauthorized device, application, software license, IoT, ICS, etc. can be tedious, but it’s worth it. There are cyber insurance companies who can make the process easier and can help you build a platform that allows you to discover your users, applications, and devices continuously and automatically, as well as the relationships between them. If your tools and processes work together to automatically discover and inventory the full range of your authorized IT assets, then you’ll be able to better understand and secure your asset inventory in real-time.

A strong and robust security model begins with asset inventory management. Once you take this proactive approach, it will be easy to track and analyze your assets across attack vectors to identify those that are most likely compromised. Having all of your assets in the inventory means that they are readily available via real-time dashboards and are easy to search. Also, they can include automatic and continuous compliance supervisors that uncover rogue assets and unauthorized use.
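The reconciliation the section describes, an inventory that uncovers rogue assets, stale entries and unauthorized use, can be a small script rather than a platform. The following is an added example, not code from the page or from Avertium: it compares a constructed authorized asset register with a constructed discovery result (the kind of data you would export from DHCP leases or a network scan) and reports devices that are on the network but not in the register (rogue), registered but never seen (missing), or not seen within a stale window. Critical assets are listed first, which is the "which assets are critical" question from the checklist above. The MAC addresses, hostnames and timestamps are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: the authorized register (what the organization believes
# it owns) and a discovery result (what the network actually reported).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"name": "fileserver01", "owner": "IT", "critical": True},
    "aa:bb:cc:00:00:02": {"name": "hr-laptop-07", "owner": "HR", "critical": False},
    "aa:bb:cc:00:00:03": {"name": "printer-2f", "owner": "Facilities", "critical": False},
    "aa:bb:cc:00:00:04": {"name": "plc-line1", "owner": "OT", "critical": True},
}

DISCOVERED = [
    # (mac, ip, hostname as reported, last_seen in ISO-8601)
    ("aa:bb:cc:00:00:01", "10.0.1.10", "fileserver01", "2022-03-01T08:00:00"),
    ("aa:bb:cc:00:00:02", "10.0.2.55", "hr-laptop-07", "2022-02-27T17:30:00"),
    ("aa:bb:cc:00:00:04", "10.0.9.5", "plc-line1", "2022-01-15T06:00:00"),
    ("de:ad:be:ef:00:99", "10.0.2.88", "android-7f3a", "2022-03-01T09:12:00"),
]


@dataclass
class Finding:
    kind: str        # "rogue", "missing" or "stale"
    mac: str
    detail: str
    critical: bool = False


def reconcile(authorized, discovered, now, stale_days=30):
    """Compare the register with what the network reports, as of `now` (ISO string)."""
    now = datetime.fromisoformat(now)
    stale_after = timedelta(days=stale_days)
    findings = []

    seen = {mac: (ip, host, datetime.fromisoformat(ts)) for mac, ip, host, ts in discovered}

    # Rogue: on the network but absent from the register (unauthorized use).
    for mac, (ip, host, _) in seen.items():
        if mac not in authorized:
            findings.append(Finding("rogue", mac, f"{host} at {ip} is not in the register"))

    for mac, rec in authorized.items():
        if mac not in seen:
            # Missing: registered but never observed; a retired device or a bad register entry.
            findings.append(Finding("missing", mac, f"{rec['name']} not observed", rec["critical"]))
        elif now - seen[mac][2] > stale_after:
            # Stale: not seen recently; it may be offline, moved, or simply unmonitored.
            days = (now - seen[mac][2]).days
            findings.append(Finding("stale", mac, f"{rec['name']} last seen {days} days ago", rec["critical"]))

    # Critical assets first so the review order follows business impact.
    findings.sort(key=lambda f: (not f.critical, f.kind, f.mac))
    return findings


if __name__ == "__main__":
    for f in reconcile(AUTHORIZED, DISCOVERED, "2022-03-01T12:00:00"):
        flag = " [CRITICAL]" if f.critical else ""
        print(f"{f.kind:8} {f.mac}  {f.detail}{flag}")
```

Run on the sample data, the critical OT controller that has not been seen for 45 days comes out first, ahead of the missing printer and the unknown Android device; in practice the discovery list would be refreshed on a schedule and the findings fed into whatever ticketing or dashboard the organization already uses.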

 

managing backups & data recovery

Managing backups and data recovery is another cyber security best practice that some organizations fall short on. Some organizations wait until they experience a data breach to start thinking about recovering their data via backups. While it can be relieving to know your data will more than likely be recovered, you really should be thinking about your backup and data recovery plan before being breached.

Backing up your data means keeping copies of your computer data on a hard drive or other medium that is offline. This helps protect the data against accidental loss or corruption. Some backup types include:

  • Standard backups – these create copies of files from one or multiple systems across a network.
  • System backups – these are copies of an entire system; they may run scheduled backups of files while keeping system backups of baseline configurations for when new machines join the network.
  • Incremental and differential backups – a differential backup only backs up files that have changed since the last backup, while an incremental backup only backs up the changed data within files. Incremental backups are considerably faster than differential backups.

In order to have a successful backup and data recovery process, your organization will need to have a clear backup strategy that includes defined data protection goals. This policy should outline what, when, and how data and systems will be backed up and restored should you become compromised. Also, it’s important to test your backups regularly to ensure they work.
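"Test your backups regularly to ensure they work" is the step most often skipped. The following is an added example, not code from the page or from Avertium, showing the minimum a test should do: write a manifest of SHA-256 digests when the backup is taken, re-hash the copy to verify it, run a restore drill into a separate directory and verify that too, and confirm that corruption or deletion of a backed-up file (what a ransomware operator who reaches the backup store would cause) is actually detected. The directory layout and file contents are constructed for the demonstration; nothing here is a real backup product.

```python
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _target(base, rel):
    # Manifest paths use "/" regardless of platform; map them back to OS paths.
    return os.path.join(base, *rel.split("/"))


def create_backup(src_dir, dest_dir):
    """Copy src_dir into dest_dir and record a SHA-256 digest of every source file.
    Hashing the source (not the copy) means a faulty copy is caught by the first verify."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir).replace(os.sep, "/")
            dst = _target(dest_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_of(src)
    with open(os.path.join(dest_dir, MANIFEST), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir):
    """Re-hash every file listed in the manifest; an empty result means the copy is intact."""
    with open(os.path.join(backup_dir, MANIFEST)) as fh:
        manifest = json.load(fh)
    problems = []
    for rel, expected in manifest.items():
        path = _target(backup_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"corrupted: {rel}")
    return problems


def restore_and_check(backup_dir, restore_dir):
    """Restore drill: copy the backup out and verify the restored tree against the manifest."""
    with open(os.path.join(backup_dir, MANIFEST)) as fh:
        manifest = json.load(fh)
    for rel in manifest:
        dst = _target(restore_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(_target(backup_dir, rel), dst)
    os.makedirs(restore_dir, exist_ok=True)
    shutil.copy2(os.path.join(backup_dir, MANIFEST), os.path.join(restore_dir, MANIFEST))
    return verify_backup(restore_dir)


def demo():
    """Constructed scenario: back up two files, verify, run a restore drill, then damage
    the backup copy and confirm the damage is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = os.path.join(tmp, "data"), os.path.join(tmp, "backup")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as fh:
            fh.write("2022-01-01,invoice,1200\n")          # constructed sample content
        with open(os.path.join(src, "readme.txt"), "w") as fh:
            fh.write("constructed sample data\n")

        create_backup(src, bak)
        clean = verify_backup(bak)                                        # expect []
        restored = restore_and_check(bak, os.path.join(tmp, "restore"))   # expect []

        with open(_target(bak, "finance/ledger.csv"), "ab") as fh:
            fh.write(b"\x00")                      # silent corruption of one file
        os.remove(_target(bak, "readme.txt"))      # deletion of another
        damaged = verify_backup(bak)
        return clean, restored, damaged


if __name__ == "__main__":
    print(demo())
```

The manifest should itself be stored somewhere the backup store cannot overwrite it (an offline copy or a separate account), otherwise an attacker who can alter the backup can also rewrite the digests it is checked against.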

According to IBM, the average cost of a data breach in 2019 was $3.92 million, up 1.5% from 2018. The average cost was $150 for each record during that time frame. The U.S. has experienced the largest number of data breaches, followed closely by Canada and Germany.

What’s more interesting is that the average amount of time it takes for companies to realize that they’ve been breached is 197 days. Businesses with the right data breach recovery process contained their breach within 30 days and saved more than $1 million compared to companies that took longer than 30 days to intervene.

Sometimes, technology fails us, and we lose information, but most of the time we lose information due to malicious threat actors who manage to penetrate and circumvent backups. They either steal data for their own use, or they strip businesses of their resources. One threat actor that is known for destroying backups is the ransomware gang, Conti. The threat actor mainly targets backup systems to guarantee that ransom payments are made.

Conti has been strategic in designing and deploying backup removal solutions, gaining access to backup user accounts with elevated privileges. After they gain access to these accounts, they are free to do anything they want with the backups they’ve infiltrated – including destroying, corrupting, and encrypting all data. This makes it extremely difficult or impossible to conduct a recovery procedure. We realize that keeping information secure comes with a hefty price tag, but price should be less of a concern when you run the risk of losing valuable data if you’re breached.

 

securing vpns 

Virtual private networks, or VPNs, are one of threat actors’ favorite entry points into a network. A VPN allows people to access the Internet just as they would if they were connected to a private network. Securing VPNs provides effective security for organizations and can help keep certain resources hidden.

Attackers gain access to networks when organizations don’t patch their VPNs and other externally facing devices. VPNs give threat actors a stable foothold on target networks through the VPN’s internet exchange point (IXP). If an employee connects to a company’s VPN to access a company database stored on a server, a threat actor who has infiltrated the IXP can monitor all data that passes through.

VPNs establish encrypted connections between devices, so an attacker can’t monitor VPN-encrypted traffic from outside the VPN. All it takes, however, is one compromised account or device for an attacker to get inside the VPN and steal what should be gated data. In September 2021, it was reported that a threat actor had leaked 500,000 Fortinet VPN login credentials from 87,000 devices, collected over the course of two years. The culprit was a member of the ransomware gang Babuk. Although the VPN vulnerability had already been patched, the stolen credentials were still valid.

Fortinet stated the attackers were able to obtain the credentials from systems that didn’t implement the patch. The vulnerability, tracked as CVE-2018-13379, is a path traversal vulnerability in Fortinet’s FortiOS SSL VPN web portal which allows unauthenticated users to read arbitrary files (including the sessions file).

Although it was never confirmed that the leaked credentials belonged to remote employees, we can only assume that some of them did. VPNs are virtual, which is why they are often issued to remote workers to access company resources. Setting up identity and access management (IAM) solutions and secure web gateways can help keep remote employees secure by filtering content and preventing data from leaving your organization’s network.
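The Fortinet flaw above is a path traversal bug, and traversal attempts against a web portal leave a recognizable trace in its access log. The following is an added example, not code from the page, from Fortinet or from Avertium: a detector that parses constructed combined-format access-log lines, undoes single and double percent-encoding (a common way to slip past naive filters), and flags any request whose path or query contains a `..` segment. The portal paths, parameter names and client addresses are constructed sample values, not the real vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real logs); the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2022:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200 512
203.0.113.7 - - [01/Mar/2022:10:00:02 +0000] "POST /portal/login HTTP/1.1" 302 0
198.51.100.23 - - [01/Mar/2022:10:00:05 +0000] "GET /portal/lang?file=..%2F..%2Fconf%2Fapp.ini HTTP/1.1" 200 2048
198.51.100.23 - - [01/Mar/2022:10:00:06 +0000] "GET /portal/lang?file=%252e%252e/%252e%252e/conf/app.ini HTTP/1.1" 200 2048
192.0.2.9 - - [01/Mar/2022:10:01:00 +0000] "GET /portal/lang?file=en_US.ini HTTP/1.1" 200 900
192.0.2.9 - - [01/Mar/2022:10:01:01 +0000] "GET /portal/css/main.css HTTP/1.1" 200 3000
"""

# Combined log format: client ip, identity, user, [timestamp], "METHOD target PROTO", status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(s, max_rounds=3):
    """Undo repeated percent-encoding until the string stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target):
    """True when the decoded path or any query value contains a '..' segment."""
    decoded = fully_decode(target).replace("\\", "/")
    parts = re.split(r"[/?&=]", decoded)
    return ".." in parts


def scan(log_text):
    """Return the requests that look like traversal attempts, with client and status."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']:15} {hit['status']} {hit['target']}")
```

A 200 status on a flagged request is the detail to escalate on: it means the portal served something for the traversal path, so the device should be checked against the vendor's patch level and the affected credentials treated as exposed.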

 

managing default passwords

Managing default passwords is basic in theory but complicated in practice. Most people don’t consider updating passwords difficult to manage, but when a company has thousands of employees who are each responsible for updating their passwords and not re-using them, things get tricky. It’s important for organizations to develop a password management system that has a secure way to store passwords and access them when required.

Password best practices include:

  • Never reveal a password to anyone
  • Different accounts need different passwords – don’t re-use!
  • Use multi-factor authentication – this adds another layer of protection
  • Long passwords are best – 16 characters or more
  • Your passwords should be hard to guess and easy to remember
  • Use a password manager if you need to – LastPass and Password Safe are great options

Most cyber security professionals know the details surrounding the attack on Colonial Pipeline. The ransomware gang DarkSide launched a ransomware supply-chain attack on the company in May 2021. The threat actor gained access to Colonial Pipeline’s virtual private network (VPN) account due to a single compromised password. The account that was compromised allowed employees to remotely access the company’s computer network. At the time of the attack, the account wasn’t in use but could still be used to access the fuel company’s network.

After the ransomware attack, researchers discovered that the password for the account was inside a batch of leaked passwords on the dark web. It’s suspected that the Colonial Pipeline employee re-used that password on another, previously hacked account. The VPN account that was compromised did not use multifactor authentication, and it isn’t known how DarkSide obtained the correct username and password.

As a result of the attack, Colonial Pipeline had to shut down the fuel pipeline, leaving gas stations, businesses, and households without fuel. Additionally, the news of a cyber-attack made its rounds and people started panic buying, which resulted in gas shortages along the East Coast. DarkSide stole about 100 gigabytes of data from the company and threatened to leak it if the company refused to pay a ransom. Colonial Pipeline ended up paying DarkSide $4.4 million in ransom.
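The Colonial Pipeline account failed three of the practices listed above at once: the password was in a leak, it had apparently been re-used, and the dormant VPN account had no MFA. The following is an added example, not code from the page or from Avertium, of what enforcing those rules looks like at account level: a length check, a lookup against a leaked-credential corpus (constructed here as a small set of SHA-1 digests, the form breach dumps are commonly distributed in), a salted PBKDF2 history so re-use of a previous password is refused without storing plaintext, and a remote-access gate that requires MFA and refuses accounts idle beyond a threshold. The usernames, passwords and idle periods are constructed sample values.

```python
import hashlib
import secrets

MIN_LENGTH = 16          # "long passwords are best – 16 characters or more"
MAX_IDLE_DAYS = 90       # dormant accounts are refused remote access instead of left usable

# Constructed stand-in for a leaked-credential corpus. Breach dumps are commonly
# shared as SHA-1 digests, so the check never needs a plaintext list on disk.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Summer2020!", "colonial123", "Password123456789")
}


def is_leaked(password):
    return hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1


def derive(password, salt, rounds=100_000):
    """Slow, salted hash for storage; plaintext passwords are never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


class Account:
    def __init__(self, username, mfa_enrolled=False, days_idle=0):
        self.username = username
        self.mfa_enrolled = mfa_enrolled
        self.days_idle = days_idle          # days since the last successful login
        self.history = []                   # (salt, derived_key) of earlier passwords

    def previously_used(self, password):
        return any(derive(password, salt) == key for salt, key in self.history)

    def set_password(self, password):
        """Apply the policy; store the password only if every check passes."""
        problems = evaluate(password, self)
        if not problems:
            salt = secrets.token_bytes(16)
            self.history.append((salt, derive(password, salt)))
        return problems


def evaluate(password, account):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if account.username and account.username.lower() in password.lower():
        problems.append("contains the username")
    if is_leaked(password):
        problems.append("appears in a known credential leak")
    if account.previously_used(password):
        problems.append("reused from this account's history")
    return problems


def can_use_remote_access(account, max_idle_days=MAX_IDLE_DAYS):
    """Remote access such as a VPN requires MFA without exception, and dormant accounts are refused."""
    return account.mfa_enrolled and account.days_idle <= max_idle_days


if __name__ == "__main__":
    acct = Account("jsmith", mfa_enrolled=False, days_idle=140)
    print(evaluate("colonial123", acct))                       # leaked and too short
    print(acct.set_password("correct horse battery staple 42"))  # [] : accepted
    print(can_use_remote_access(acct))                         # False: no MFA, dormant
```

In a real deployment the leaked-hash lookup would be backed by a full corpus or a breach-check API rather than a three-entry set, and the `days_idle` value would come from the identity provider's last-login record; the policy logic itself does not change.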

 

how avertium is protecting our customers

Putting cyber security basics into practice can help your organization protect business processes and reduce the risk of a cyber attack. Updating software, securing files, managing passwords, and managing inventory are the first principles you should follow before diving into more sophisticated cyber security tools. Avertium offers the following services to help your organization stay on the right path toward securing your environments:

  • Avertium has virtual CISOs who can provide a high level of service by helping you develop a plan to conduct a physical hardware inventory assessment. This service includes a visibility study to help discover what devices are on your network. This can be done remotely or in person.
  • Avertium offers vulnerability management as a service (VMaaS) to remove unnecessary applications and implement XDR tools to prevent ransomware and phishing attacks. Include an EDR, MDR, or XDR strategy to stop ransomware before it spreads.
  • Avertium also offers a Zero Trust Network Architecture, like AppGate, to stop malware lateral movement.
  • Avertium offers a Cyber Maturity service so your organization can gain visibility, get control, and know where it stands. Our Cyber Maturity service can help facilitate insight and accountability around the controls your organization uses to protect its sensitive data.

 

avertium's recommendations 

Avertium, the FBI, and CISA recommend the following regarding cyber security best practices:

  • Maintain offline, encrypted backups of data and regularly test backups
    • Identify a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment.
    • Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes.
    • Regularly test contingency plans, such as manual controls, so that safety critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised.
    • Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.
    • Implement data backup procedures on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.
    • In addition to backing up data, develop recovery documents that include configuration settings for common devices and critical OT equipment. This can enable more efficient recovery following an incident.
  • Regarding passwords, require multi-factor authentication for all users, without exception.
    • Require accounts to have strong passwords and do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access.
    • Secure credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.
    • Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.
    • Disable the storage of clear text passwords in LSASS memory.
  • Updating Software
    • Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
    • Consider using a centralized patch management system. For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.
  • Managing Inventory
    • Disable all unnecessary ports and protocols.
    • Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control.
    • Turn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.
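The "Updating Software" recommendation above gives an explicit priority order (known exploited vulnerabilities first, then critical and high remote code execution or denial-of-service on internet-facing equipment, with OT assets handled through a risk-based assessment), and the patching section earlier notes that CISA's catalog is where the known-exploited list comes from. The following is an added example, not code from the page, from CISA or from Avertium, that turns that order into a worklist: it matches a constructed inventory against a constructed vulnerability feed by product and version, assigns each finding a tier, and routes OT assets to a change-window review instead of an automatic update. The CVE ids, products and versions are placeholders, not real entries; the `kev` flag is where a lookup against the real CISA catalog would plug in.

```python
from dataclasses import dataclass


def parse_version(v):
    """'7.2.10' -> (7, 2, 10) so versions compare numerically rather than as strings."""
    return tuple(int(x) for x in v.split("."))


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    fixed_in: str
    cvss: float
    remote: bool     # exploitable over the network
    impact: str      # "RCE", "DoS" or "Info"
    kev: bool        # listed in a known-exploited-vulnerabilities catalog


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    internet_facing: bool
    zone: str        # "IT" or "OT"


# Constructed feed and inventory; CVE ids and product names are placeholders, not real entries.
VULNS = [
    Vuln("CVE-0000-0001", "ExampleVPN", "7.2.1", 9.8, True, "RCE", True),
    Vuln("CVE-0000-0002", "ExampleVPN", "7.2.3", 6.5, True, "Info", False),
    Vuln("CVE-0000-0003", "ExampleWebApp", "2.4.0", 8.1, True, "RCE", False),
    Vuln("CVE-0000-0004", "ExampleHMI", "5.1.0", 7.5, True, "DoS", False),
    Vuln("CVE-0000-0005", "ExampleOffice", "16.0.9", 7.8, False, "RCE", False),
]
HOSTS = [
    Host("vpn-gw-01", "ExampleVPN", "7.2.0", True, "IT"),
    Host("web-01", "ExampleWebApp", "2.3.9", True, "IT"),
    Host("web-02", "ExampleWebApp", "2.4.0", True, "IT"),     # already at the fixed version
    Host("hmi-line1", "ExampleHMI", "5.0.2", False, "OT"),
    Host("desk-042", "ExampleOffice", "16.0.8", False, "IT"),
]


def tier(vuln, host):
    """0 = known exploited; 1 = critical/high remote RCE or DoS on internet-facing
    equipment; 2 = any other critical/high; 3 = everything else."""
    if vuln.kev:
        return 0
    if vuln.cvss >= 7.0 and vuln.remote and vuln.impact in ("RCE", "DoS") and host.internet_facing:
        return 1
    if vuln.cvss >= 7.0:
        return 2
    return 3


def patch_worklist(hosts, vulns):
    """Rows of (tier, host, cve, action), most urgent first. OT assets are not
    updated blindly: they are routed to a risk-based review in a change window."""
    rows = []
    for h in hosts:
        for v in vulns:
            if v.product == h.product and parse_version(h.version) < parse_version(v.fixed_in):
                if h.zone == "OT":
                    action = "risk-assess in OT change window"
                else:
                    action = f"update to {v.fixed_in}"
                rows.append((tier(v, h), h.name, v.cve, action))
    rows.sort(key=lambda r: (r[0], r[1], r[2]))
    return rows


if __name__ == "__main__":
    for t, host, cve, action in patch_worklist(HOSTS, VULNS):
        print(f"tier {t}  {host:10} {cve}  {action}")
```

The version comparison is the part that most often goes wrong in home-grown tooling (string comparison puts "7.2.10" before "7.2.3"), which is why it is isolated in `parse_version`; vendors with non-numeric version schemes need their own parser there.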


MITRE TTPs:

Patching

  • [T1591] Gather Victim Org Information
  • [T1190] Exploit Public-Facing Application
  • [T1598] Phishing for Information
  • [T1211] Exploitation for Defense Evasion

Inventory Control

  • [T1586] Compromise Accounts
  • [T1190] Exploit Public-Facing Application
  • [T1213] Data from Information Repositories

Managing Backups & Data Recovery

  • [T1562] Impair Defenses
  • [T1485] Data Destruction
  • [T1486] Data Encrypted for Impact
  • [T1561] Disk Wipe

Securing VPNs

  • [T1195] Supply Chain Compromise
  • [T1133] External Remote Services
  • [T1078] Valid Accounts

Managing Default Passwords



Indicators of Compromise (IoCs):

Conti

  • fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b
  • 106.160[.]77
  • 106.215[.]61
  • 82.19[.]173
  • Gojihu[.com]
  • Sazoya[.com]
  • Yawero[.com]
  • Conti uses remote access tools that beacon to domestic and international VPS infrastructure over ports 80, 443, 8080, and 8443.
  • Conti may use port 53 for persistence.
  • New accounts and tools (especially Sysinternals) that were not installed by your organization.
  • Disabled endpoint detection and constant HTTP and DNS beacons.
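Two of the Conti indicators above are behavioural rather than atomic: remote access tools that beacon to VPS infrastructure over 80, 443, 8080 and 8443, and "constant HTTP and DNS beacons". Those can be hunted for in connection logs by looking for flows whose connection intervals are nearly constant. The following is an added example, not code from the page or from Avertium: it groups constructed connection records by source, destination and port, restricts itself to the ports named in the indicators (plus 53), and flags flows with at least `min_count` connections whose inter-connection gaps have a low coefficient of variation. The hosts, addresses and timestamps are constructed; the beacon in the sample fires every 60 seconds with a few seconds of jitter, beside an ordinary bursty browsing session that is not flagged.

```python
import statistics
from collections import defaultdict
from datetime import datetime

WATCH_PORTS = {80, 443, 8080, 8443, 53}

# Constructed connection records (not real traffic): (timestamp, src_ip, dst_ip, dst_port).
CONNECTIONS = [
    # a beacon: one connection roughly every 60 seconds to the same external host
    ("2022-03-01T10:00:00", "10.0.2.88", "198.51.100.50", 443),
    ("2022-03-01T10:01:01", "10.0.2.88", "198.51.100.50", 443),
    ("2022-03-01T10:01:59", "10.0.2.88", "198.51.100.50", 443),
    ("2022-03-01T10:03:00", "10.0.2.88", "198.51.100.50", 443),
    ("2022-03-01T10:04:02", "10.0.2.88", "198.51.100.50", 443),
    ("2022-03-01T10:05:00", "10.0.2.88", "198.51.100.50", 443),
    ("2022-03-01T10:06:01", "10.0.2.88", "198.51.100.50", 443),
    ("2022-03-01T10:07:00", "10.0.2.88", "198.51.100.50", 443),
    # ordinary browsing: bursts of requests with long irregular pauses
    ("2022-03-01T10:00:05", "10.0.1.10", "203.0.113.20", 443),
    ("2022-03-01T10:00:06", "10.0.1.10", "203.0.113.20", 443),
    ("2022-03-01T10:00:09", "10.0.1.10", "203.0.113.20", 443),
    ("2022-03-01T10:02:40", "10.0.1.10", "203.0.113.20", 443),
    ("2022-03-01T10:05:12", "10.0.1.10", "203.0.113.20", 443),
    ("2022-03-01T10:05:13", "10.0.1.10", "203.0.113.20", 443),
    ("2022-03-01T10:05:14", "10.0.1.10", "203.0.113.20", 443),
    ("2022-03-01T10:05:15", "10.0.1.10", "203.0.113.20", 443),
]


def find_beacons(connections, min_count=6, max_jitter=0.2):
    """Flag (src, dst, port) flows whose inter-connection gaps are nearly constant.
    max_jitter is the allowed coefficient of variation (stdev / mean) of the gaps."""
    flows = defaultdict(list)
    for ts, src, dst, port in connections:
        if port in WATCH_PORTS:
            flows[(src, dst, port)].append(datetime.fromisoformat(ts))

    findings = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port, "count": len(times),
                "period_s": round(mean), "jitter": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(CONNECTIONS):
        print(f"{f['src']} -> {f['dst']}:{f['port']}  {f['count']} connections, "
              f"period ~{f['period_s']}s, jitter {f['jitter']}")
```

Real implants add deliberate sleep jitter, so `max_jitter` is a tuning knob rather than a constant; a flow that trips this check is a lead to pivot on (is the destination in your known-good list? what process opened it?), not a verdict by itself.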

DarkSide

 
 

Supporting Documentation 

External cybersecurity threats on the rise in public sector, report says (police1.com)

SolarWinds Public Sector Cybersecurity Survey Report

What is Patch Management? Benefits & Best Practices | Rapid7

The consequences of not applying patches (pandasecurity.com)

What is Asset Inventory Management? | Balbix

Ransomware Conti Is Set To Infiltrate Backups (lifars.com)

Data Backup & Recovery | Certitude Security | Cyber Security

Cybercrime Will Increase — And 9 Other Obvious Cybersecurity Predictions for 2022 - Hashed Out by The SSL Store™

Oversight finds 'small lapses' in security led to Colonial Pipeline, JBS hacks | TheHill

cybersecuirty_sb_factsheets_all.pdf (ftc.gov)

AA22-011A_Joint_CSA_Understanding_and_Mitigating _Russian_Cyber_Threats_to_US_Critical_Infrastructure_TLP-WHITE.pdf

Threat Actor Leaks Login Credentials Of About 500,000 Fortinet VPN Accounts - CPO Magazine

Password Best Practices | UC Santa Barbara Information Technology (ucsb.edu)

End of Year Recap for 2021 (avertium.com)

 

APPENDIX II: Disclaimer 

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.

 

 
