
Hackers take $5 million from a pipeline operator: this headline shows how dangerous it is to neglect your own IT infrastructure.
Here are 12 tips on what companies should pay attention to.
The recent attack by the Russian ransomware group DarkSide clearly demonstrates that criminals repeatedly manage to gain access to corporate IT networks. Typically the victim's data is then encrypted and access to it blocked; only once the affected company has paid the demanded ransom is the data released again. This form of extortion has become markedly more common recently. Industrial espionage remains another motive, where the aim is to obtain highly confidential information.
IT security experts have long warned that every IT system can be compromised; it is mostly just a matter of time and effort. And this is exactly where every company can start: the more secure its own systems are, the less attractive it becomes to criminals, because the effort often no longer pays off.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI recently issued clear recommendations to reduce the risk of compromise by ransomware attacks.
12 Measures to protect the IT system
- Require multi-factor authentication for remote access to IT networks.
- Enable strong spam filters to prevent phishing emails from reaching users.
- Filter emails that contain executable attachments.
- Implement a user education program with simulated spearphishing attacks to discourage users from visiting malicious websites or opening malicious attachments, and to reinforce the appropriate response to spearphishing emails.
- Filter network traffic to prevent inbound and outbound communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL block lists and/or website allow lists.
- Update software, including operating systems, applications, and firmware on IT network resources, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT (operational technology) network resources and zones to include in the patch management program.
- Limit access to resources over networks, especially by restricting RDP. If RDP is determined to be operationally necessary after a risk assessment, limit the source addresses it can be reached from and require multi-factor authentication.
- Set up anti-virus/anti-malware programs to perform regular scans of IT network resources with up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and examined for malware.
- Implement protection against unauthorized execution: disable macro scripts in Microsoft Office files transmitted via e-mail, and consider opening Office files received by e-mail with Office Viewer software instead of the full Microsoft Office suite applications.
- Implement an application allow list that only permits systems to execute programs that are known and permitted by the security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from running from common ransomware locations, such as the temporary folders used by popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folders.
- Monitor and/or block incoming connections from Tor exit nodes and other anonymization services to IP addresses and ports for which no external connections are expected (i.e. anything other than VPN gateways, mail ports and web ports).
- Use signatures to detect and/or block incoming connections from Cobalt Strike servers and other post-exploitation tools.
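The e-mail filtering and Office-macro measures above are more robust when the gateway looks inside attachments instead of trusting the declared file extension. The following Python script is an added example written for this article, not code from CISA, the FBI or the article's author. The sample message, the PE stub and the Office documents inside it are constructed test data, and the extension lists are illustrative rather than a complete policy.

```python
"""Mail-gateway check for executable and macro-carrying attachments.

Added example for the e-mail filtering and Office-macro measures above;
not code from CISA, the FBI or the article. The message, the PE stub and
the Office documents below are constructed test data.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Illustrative extension lists (assumption: a real policy would be longer).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".dll"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
OFFICE_EXTENSIONS = {".docx", ".xlsx", ".pptx"} | MACRO_EXTENSIONS


def extension_of(filename):
    """Lower-cased final extension of a filename, or '' if it has none."""
    name = (filename or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def has_vba_project(data):
    """True if an OOXML container (a zip) carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return the reasons to block this attachment; an empty list means pass.

    Three independent checks, because extension filtering alone is bypassed
    by renaming: the declared extension, the PE 'MZ' header (catches an .exe
    renamed to .pdf) and macro content inside Office documents.
    """
    reasons = []
    ext = extension_of(filename)
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if data[:2] == b"MZ":
        reasons.append("PE header (MZ) regardless of extension")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office extension {ext}")
    elif ext in OFFICE_EXTENSIONS and has_vba_project(data):
        reasons.append("VBA project inside an Office document")
    return reasons


def scan_message(raw_bytes):
    """Map attachment filename -> block reasons for every flagged attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed test mail (not a real capture) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "finance@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached documents.")
    # 1. PE stub renamed to look like a PDF: an extension filter misses it.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # 2. Macro-enabled workbook, identifiable by extension alone.
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="report.xlsm")
    # 3. A .docx whose zip container hides a VBA project.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="contract.docx")
    # 4. Harmless text attachment that must pass.
    msg.add_attachment("Meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"BLOCK {name}: {'; '.join(reasons)}")
```

Run as is, the script blocks invoice.pdf (MZ header), report.xlsm (macro-enabled extension) and contract.docx (hidden VBA project) and lets notes.txt through. The MZ check is the one that matters against renamed executables; the VBA check is what the "disable macros" measure protects against when a plain .docx still carries a project.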
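For the Tor exit-node measure above, the minimal detection is a join of firewall logs against an exit-node list, filtered by the ports on which external connections are legitimately expected. This Python script is an added example, not part of the advisory or the article. The exit-node addresses, the log format and the log lines are constructed from RFC 5737 documentation ranges, and the expected-port set is an assumption standing in for a site's own list of VPN, mail and web ports.

```python
"""Flag accepted inbound connections from Tor exit nodes on unexpected ports.

Added example for the Tor exit-node measure above; not code from CISA, the
FBI or the article. The exit-node set, the log format and the log lines are
constructed (RFC 5737 documentation addresses); the expected-port set is an
assumption standing in for a site's real VPN, mail and web ports.
"""
import ipaddress
import re

# Constructed stand-in for an exit-node feed; a real one must be refreshed.
TOR_EXIT_NODES = {"203.0.113.7", "198.51.100.23"}

# Assumption: ports where connections from the Internet are expected
# (web, mail delivery/submission/IMAPS, IPsec and OpenVPN). Anything else
# reached from a Tor exit is suspicious.
EXPECTED_INBOUND_PORTS = {80, 443, 25, 587, 993, 500, 4500, 1194}

# Constructed key=value firewall log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

SAMPLE_LOG = """\
2021-05-12T08:01:02Z action=allow src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2021-05-12T08:01:05Z action=allow src=203.0.113.7 dst=192.0.2.20 dport=3389 proto=tcp
2021-05-12T08:01:09Z action=deny src=198.51.100.23 dst=192.0.2.20 dport=22 proto=tcp
2021-05-12T08:01:11Z action=allow src=198.51.100.23 dst=192.0.2.30 dport=8080 proto=tcp
2021-05-12T08:01:15Z action=allow src=192.0.2.55 dst=192.0.2.20 dport=3389 proto=tcp
garbage line that does not parse
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def load_exit_nodes(addresses):
    """Normalise a feed of exit-node addresses, dropping anything unparsable."""
    nodes = set()
    for a in addresses:
        try:
            nodes.add(ipaddress.ip_address(a.strip()))
        except ValueError:
            continue
    return nodes


def find_anonymized_access(log_text, exit_nodes, expected_ports):
    """Return (timestamp, src, dst, dport) for every allowed connection from an
    exit node to a port where no external connection is expected.

    Denied connections are already blocked, so only 'allow' records count;
    a deployment would alert on the result and add a block rule.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        if src in exit_nodes and rec["dport"] not in expected_ports:
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return hits


if __name__ == "__main__":
    exits = load_exit_nodes(TOR_EXIT_NODES)
    for ts, src, dst, dport in find_anonymized_access(
            SAMPLE_LOG, exits, EXPECTED_INBOUND_PORTS):
        print(f"{ts} ALERT Tor exit {src} reached {dst}:{dport}")
```

On the sample log this reports the RDP (3389) and 8080 connections from exit nodes and stays silent on the 443 connection, the denied SSH attempt and the internal RDP session. The Tor Project publishes a bulk exit list that can replace the constructed set; the same logic extends to other anonymization services by merging their address lists into the set.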