13+1 PRINCIPLES FOR THE SECURITY OF YOUR NETWORK
Ransomware – a term that we were already aware of a few years ago but most of us rather took it as a “not-our-problem” kind of thing. However, cybercriminals didn’t see it the same way and it was just a matter of time before that kind of extortionate vermin came to do harm in our land, too. And even though the attacks on Benešov Hospital and OKD were not among the first ones, their coverage definitely raised awareness of the topic. Then, the emergence of coronavirus has actually created new opportunities of phishing and ransomware campaigns for cybercriminals; hugely supported by the massive transition of office workers to home office.
There have been many confirmed cyber attacks just in Czechia in the past three months (the real number of organizations that fell victim to a cyber attack in Czechia is likely to be higher but not all the information gets published): Prague Castle Administration, University Hospital Brno, Psychiatric Hospital Kosmonosy, Vltava River Basin Management and Prague 3 City District Administration. Recently, having its branches in Czechia, the medical company Fresenius has also been attacked.
Now that the topic of cybercriminals and the possibilities of protection against them gets more publicity, it could come in useful to refresh a few rules which may significantly minimize the risk of an attack on your infrastructure. I’m going to try to summarize them in this article without getting too technical and complex so that anybody can understand. Hopefully, successfully 🙂
Rule number 1
Don’t try to find a single solution to the whole area of cyber security – there’s nothing like a “Silver Bullet” or “Holy Grail” (i.e. a single “cover-it-all” or “save-it-all”) solution. Simply not. Just as in cars, with a lot of various features that increase the safety (the sole car construction ensures passive safety, then there are the safety belts, airbags, ABS and other electronic systems), it’s their combination that will make you more likely to survive an accident, or get away without getting injured. The same applies to cyber security – it takes various “layers” of security and their correct combination to ensure the maximum degree of protection.
Rule number 2
Use up-to-date versions of operating systems and update them regularly – those “once-in-a-blue-moon” updates leave enough space for an attacker to use unpatched flaws to penetrate your infrastructure. If, for some serious reason, you really have to use operating systems after they expire (i.e. their developer doesn’t issue updates anymore), at least reserve a separate segment in the network for such devices and take special care of them; however, it’s definitely better not to have such devices in the infrastructure at all. Don’t forget to regularly update any other software you use – as well as an out-of-date operating system this can also lead to the infection of your infrastructure.
Rule number 3
Use good-quality antivirus solution. Current antivirus software includes a lot of security mechanisms and their scope is rather vast so they will help you prevent plenty of problems. Nevertheless, the same rule as with operating systems applies here – update, update, update!
Rule number 4
Don’t trust the “experts” who claim that it’s enough to use common sense, not to open suspicious attachments and to behave sensibly “on the web” to prevent the infection – that’s not true anymore. Modern malware can exploit unpatched flaws not only in operating systems, but also in applications, etc., and it can use them to get into your infrastructure without you performing an action knowingly (such as opening an email attachment).
Rule number 5
Even your firewall and network elements deserve your attention and regular updates. After all, firewall or routers are also computers, i.e. hardware, which run some specialized software. And as it’s generally known and the experience has confirmed that there’s a flaw in every kind of software, it’s vital to update such devices regularly, too. If you don’t do so, you open yet another route into your infrastructure for attackers, just as we showed in practice at our conference GREYCORTEX DAY, where we demonstrated an attack on a typical network infrastructure live.
Rule number 6
Unless necessary, don’t work within the administrator account. It’s not really needed for regular work and if an attacker breaks through the security of the device you’re logged on as an admin (most probably unnecessarily), you’ll make their efforts much easier as well as their way to your data (and possibly money).
Rule number 7
If you use any kind of remote desktop at work, don’t leave it on, nor permanently open to the Internet, as it’s often the target of initial stages of an attack and you practically leave the door to your infrastructure open. In general, be careful how your colleagues or suppliers working remotely connect and which permissions they have, which parts of the infrastructure they can access and how their connection to internal tools is secured. All this is linked to the following rule:
Rule number 8
Use VPN only (Virtual Private Network) for external connection to the internal network. If you allow direct connection from the outside without using VPN, sooner or later, some attacker will abuse it. Don’t forget to cancel disused VPN accounts as there’s always the danger of abuse of a long-forgotten access. This applies in general – if you grant anyone access to anywhere and they don’t need it for work anymore, cancel it.
Rule number 9
Divide the visitor (i.e. publicly accessible) and internal / production parts of infrastructure thoroughly and consistently. This doesn’t only apply on guest Wi-Fi, but any part of the infrastructure which can be freely accessed by unknown persons. A lot of attacks on internal infrastructure start by a “visit” of an unwelcome guest from the publicly accessible part of the network.
Rule number 10
Cybercriminals keep improving and coming up with new ways how to convey harmful code to you and your colleagues, so it’s useful to get informed regularly on new ways how someone might try to trick you (or make you do something that will spread the infection) and on new dangers. It’s definitely not a waste of time or money to take part in an interesting conference on such a topic or get regular training from companies that focus on prevention. You’d have to invest a lot more time and money in removing the consequences of actions of unknowing employees. Unfortunately, the human factor will always be the weakest link in the chain of cyber security, so it pays to regularly raise awareness of what may happen.
Rule number 11
If your colleagues work within your infrastructure on their own devices (so called BYOD, Bring Your Own Device), it’s necessary to count on the fact that you’ll have to apply all the mentioned rules on such devices, which is rather a big problem. One of the possible solutions is granting these devices access only to a certain segment of the infrastructure, secure it properly and monitor, which may obviously be quite strenuous.
Rule number 12
If I don’t understand something, I can’t deal with it. If you don’t have sufficient insight into the whole infrastructure and you don’t have the possibility to monitor what’s going on in it, the attacker is invisible to you and you’re practically blind (until the attack shows in its full extent, i.e. in case of ransomware data encryption). That’s why it’s convenient to use the NTA solution (Network Traffic Analysis), such as our solution GREYCORTEX MENDEL. These tools will not only allow you to see (to the tiniest detail) which devices there are in your network and what’s going on in them, but they will also enable you to get timely notifications in case there’s a suspicious and dishonest activity in the infrastructure thanks to the automatic analysis of the entire network performance and running event correlation (if you’re interested in more information, you’ll find it here). Obviously, it’s necessary to process such notifications and secure a remedy to the flaws found, but that’s well beyond this article. If there isn’t an internal department dealing with cyber security, you can get the SOC services (Security Operations Centre) at some of our partners and leave this burden with them. You’ll appreciate the NTA solution especially in case the attacker manages to disable your antivirus solution or to get through your firewall (e.g. by hiding illegitimate, harmful traffic inside the legitimate traffic and thus trick the firewall), as they can’t hide the signs of harmful behaviour from permanent analysis of network traffic. What’s more – the NTA solution will help you with forensic analysis, i.e. subsequent investigation, of where the attack came from or how the infection got inside your infrastructure, which will help you detect and remove weak spots in security.
IN SHORT – WHAT ARE THE MAIN BENEFITS OF OUR NTA PRODUCT GREYCORTEX MENDEL IN YOUR FIGHT WITH CYBER CRIMINALS?
- It’s fully passive and it analyses the mirror of all your network traffic – it can basically monitor everything but at the same time it’s invisible to cybercriminals, they don’t know that you know about them and their activities.
- It doesn’t send any data “home” for analysis (manual analysis by an army of analysts), but analyses everything using machine learning and other advanced methods.
- Unlike us, people, it works 24/7/365 (plus one extra day in leap years) and it never gets tired.
You’ll find practical demos how GREYCORTEX MENDEL helps increase cyber security here.
Rule number 13
Back up, back up and back up again! Ideally, make backups on exchangeable media and take them physically away from your company’s premises (you’ll ensure continuity of work in case of fire, flood or mobilisation by doing so :), but mainly, you’ll make sure that in case of ransomware attack the backups in the same infrastructure won’t be encrypted. If, for some reason, it’s not possible or convenient to take away backups physically, make sure the servers with back-up copies aren’t connected to your infrastructure permanently and thus inaccessible to the attackers in time of an ongoing attack – otherwise they’ll encrypt even these backups and there won’t be anywhere to recover the data from.
And finally, the last rule: Even following all the above-mentioned rules may not ensure 100 % protection against an attack of your infrastructure as present cybercriminals are no “greasy teenagers” who want to prove themselves anymore, but professional groups with huge budgets and possibilities.
But if you stick to all of the above-mentioned, you’ll at least make their attempt to launch an attack immensely difficult, and because they know that the effort must be smaller than the possible profit (for their “business” to make sense), it’s highly probable they’ll attack somebody else instead, someone who’s an easier target not having followed the rules.