The UK security agency has advised organizations of steps to take to strengthen their defenses “when the cyber threat is exacerbated” by zero-day software flaws or geopolitical tensions.
The National Cyber Security Centre (NCSC) isn’t alone in warning companies to take action. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) also warned all organizations to take “near-urgent action” to mitigate critical cyber threats in response to last week’s cyberattacks on Ukrainian government websites and computer systems. The advice comes amid growing fears of a Russian invasion of Ukraine.
CISA sounded the alarm after Microsoft discovered wiper malware, dubbed “WhisperGate”, on several Ukrainian systems. CISA reminded US companies of NotPetya, the wiper malware that targeted Ukrainian organizations in 2017 via a tainted update to a popular accounting software package, but also spread into the global networks of US and European companies. The attack cost European and American businesses billions of dollars, according to White House estimates.
Rafe Pilling, senior security researcher at Secureworks’ Counter Threat Unit, believes that organizations in the United States and Europe could fall victim to WhisperGate in the same way.
“While organizations outside of Ukraine are unlikely to be directly targeted, clients should consider their exposure to collateral damage via service providers or business partners in Ukraine,” Pilling said.
“Organizations must be extremely vigilant and maintain up-to-date backups of business-critical systems and data, implement recovery processes before they are needed, and ensure that backups cannot be affected by ransomware or wiper malware attacks.”
So what should potentially affected businesses and public bodies in the UK and elsewhere do to mitigate the risk of collateral damage?
The UK’s NCSC says organizations need to balance cyber risk and defense and notes that “there may be times when the cyber threat to an organization is greater than usual”.
Triggers for increased risk include increased adversary capability from new zero-day vulnerabilities in popular software, or something “more specific to a particular organization, industry, or even country, resulting from hacktivism or geopolitical tensions”, explains the NCSC.
The NCSC’s response is to control what you can because you cannot control the threat level. And that means patching systems, verifying configurations, and protecting the network against password attacks.
“It is rare for an organization to be able to influence the threat level, so actions generally focus on reducing your vulnerability to attack in the first place and reducing the impact of a successful attack,” says the NCSC.
Like CISA, the NCSC provided a checklist of fundamental cybersecurity actions that are “important in all circumstances but critical during times of heightened cyber threat.” It’s important to do them because organizations are unlikely to be able to quickly implement large-scale changes when threat levels rise.
The NCSC list includes:
- Check your system for patches: make sure your users’ desktops, laptops, and mobile devices are all patched
- Check access controls: ask staff to ensure that their passwords are unique to your business systems and are not shared with other non-business systems
- Make sure defenses are working: check antivirus and firewalls
- Logging and monitoring: understand what logging you have in place, where logs are stored, and for how long
- Review your backups: confirm that your backups are running correctly
- Incident plan: check that your incident response plan is up to date
- Check your Internet footprint: perform an external vulnerability scan of your entire Internet footprint
- Phishing response: make sure staff know how to report phishing emails
- Third-party access: have a full understanding of the level of privilege extended to your systems and to whom
- NCSC services: sign up for the Early Warning Service, so NCSC can quickly notify you of any malicious activity
- Inform your wider organization: make sure other teams understand the situation and the increased threat
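One concrete way to act on the backup items above (Pilling’s “ensure that backups cannot be affected” and the NCSC’s “confirm that your backups are running correctly”) is a routine integrity check: compare each archive against the hash recorded when it was written and flag anything missing, altered or stale. The script below is an added example, not NCSC, Secureworks or vendor code; the manifest format, the one-day staleness threshold and the sample archives are all constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile

# Assumption: a backup older than one day means the job has silently failed.
MAX_AGE_SECONDS = 24 * 3600


def sha256_of(path):
    """Stream the file through SHA-256 so large archives never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backups(manifest, backup_dir, now):
    """Map each bad archive name to 'missing', 'corrupt' or 'stale'.
    An archive a wiper deleted shows up as missing, one it overwrote as corrupt
    (its hash no longer matches the manifest), and a dead job as stale."""
    problems = {}
    for entry in manifest:
        path = os.path.join(backup_dir, entry["name"])
        if not os.path.isfile(path):
            problems[entry["name"]] = "missing"
        elif sha256_of(path) != entry["sha256"]:
            problems[entry["name"]] = "corrupt"
        elif now - entry["timestamp"] > MAX_AGE_SECONDS:
            problems[entry["name"]] = "stale"
    return problems


def demo():
    """Constructed scenario: one good, one overwritten, one stale, one deleted."""
    d = tempfile.mkdtemp()
    now = 1_700_000_000  # fixed clock so the result is reproducible
    manifest = []
    try:
        for name, body, age in [("db.tar", b"good", 3600), ("fs.tar", b"ok", 3600), ("mail.tar", b"x", 90000)]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
            manifest.append({"name": name, "sha256": hashlib.sha256(body).hexdigest(), "timestamp": now - age})
        with open(os.path.join(d, "fs.tar"), "wb") as f:
            f.write(b"\x00\x00")  # simulate a wiper zeroing the archive in place
        manifest.append({"name": "gone.tar", "sha256": "0" * 64, "timestamp": now})
        return verify_backups(manifest, d, now)
    finally:
        shutil.rmtree(d)
```

Run the check from a host that holds the manifest separately from the backup store, so that a wiper with access to the archives cannot also rewrite the expected hashes.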