14 Critical things to help protect against Cyber Crime – advice from the NZ Government
This information is a bit technical – so if you need help or more information on any of these solutions – please feel free to contact PC KING on firstname.lastname@example.org
1. Enforce Multi-Factor Authentication (MFA)
Credential dumps and credential harvesting attacks are common, and they give attackers access to large numbers of usernames and passwords. Protect your business systems and data by enabling MFA on all privileged or remote access systems, such as VPNs, administrative consoles and webmail. With MFA in place, a stolen or guessed password on its own is not enough to log in.
2. Patch your Software
Keep software, like operating systems and applications, up to date. It’s one of the simplest and most effective steps you can take to secure your environment. We’ve seen many organisations attacked by malware that exploits known vulnerabilities; applying the patches that were already available would have prevented these attacks.
3. Disable Unused Services and Protocols
Keeping your systems up to date isn’t always enough to keep attackers out. Older services and protocols often have weaknesses of their own, and leaving them enabled on your network gives attackers more ways in. To mitigate this, scan your network for services and protocols that are no longer used or are known to be vulnerable, then remediate what you find: disable the service, block it at the firewall, or replace it with a supported alternative. The 2017 ‘WannaCry’ incident demonstrated what can happen when attackers exploit an out-of-date protocol: it spread through SMBv1, a protocol Microsoft had already deprecated and most networks no longer needed.
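The scan-and-remediate step above, as an added example (it is not code from CERT NZ or PC KING): a TCP connect scan over a short list of ports, followed by a policy check that flags services on a "retire or justify" list. The port-to-protocol mapping, the reasons attached to each port, and the target list are assumptions of this example; a port number only suggests the protocol, so confirm with a banner grab or the device's configuration before acting on a finding.

```python
"""Find listening TCP services on a host and flag legacy or risky protocols."""
import socket
from typing import Dict, Iterable, List, Tuple

# Assumed policy: ports whose conventional service is cleartext, superseded, or
# should not be reachable from general networks. The text says why a finding
# matters; what to do about it (disable, firewall, replace) is the operator's call.
LEGACY_SERVICES: Dict[int, str] = {
    21: "FTP: sends credentials in cleartext; replace with SFTP or disable",
    23: "Telnet: cleartext admin sessions; replace with SSH",
    69: "TFTP: unauthenticated file transfer",
    137: "NetBIOS name service: legacy Windows networking",
    139: "NetBIOS session service: legacy SMB transport",
    161: "SNMP: v1/v2c use guessable community strings; require v3 or disable",
    445: "SMB: confirm SMBv1 is disabled (the WannaCry / MS17-010 vector)",
    512: "rexec: obsolete remote execution",
    513: "rlogin: obsolete remote login",
    514: "rsh: obsolete remote shell",
    3389: "RDP: should only be reachable via VPN or a jump host, with MFA",
}


def scan_host(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Return the ports in `ports` that accept a TCP connection on `host`.

    A full TCP connect is used (no raw sockets needed), so the scan shows up in
    the target's logs; run it from a host your monitoring knows about.
    """
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def audit(results: Dict[str, List[int]]) -> List[Tuple[str, int, str]]:
    """Turn {host: [open ports]} into findings (host, port, reason) for legacy services."""
    return [
        (host, port, LEGACY_SERVICES[port])
        for host, ports in results.items()
        for port in sorted(ports)
        if port in LEGACY_SERVICES
    ]


if __name__ == "__main__":
    # Constructed target list: replace with hosts from your own inventory.
    targets = ["127.0.0.1"]
    results = {host: scan_host(host, LEGACY_SERVICES) for host in targets}
    findings = audit(results)
    for host, port, reason in findings:
        print(f"{host}:{port}  {reason}")
    if not findings:
        print("no legacy services found on", ", ".join(targets))
```

Run it from a machine that is allowed to scan, and treat the output as a work list: each finding needs either a remediation or a written justification, otherwise the next scan should show it gone.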
4. Change Default Credentials
Security is sometimes overlooked in the rush to get new technology into production. A key step for any new application or device is to change or remove all default credentials; these are published in vendor documentation and built into attackers’ tools. This prevents an attacker from accessing your network with known usernames and passwords. We continue to see organisations compromised through unchanged default credentials.
5. Implement and Test Backups
Backups are critical for recovering from incidents like ransomware. Store your backups offline, or otherwise out of reach of the systems they protect, so that an attacker who takes control of those systems cannot delete or encrypt the backups as well, and test restores regularly rather than assuming the backup job succeeded. Organisations often need to restore data from their latest backup in response to threats like ransomware. We’ve seen organisations lose data and incur significant operational costs because they didn’t have up-to-date, well-maintained backups.
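The "test them often" part, as an added example rather than anything from the CERT NZ advice: the backup is written together with a manifest of file hashes, and the test restores the archive into a scratch directory and compares every file against that manifest, so a backup that is incomplete, corrupted or tampered with is caught before you need it. The archive format (gzip tar), the manifest layout and the sample files are assumptions of this example; where the archive is then stored offline, and how often the test runs, are left to the operator.

```python
"""Create a backup archive with a hash manifest, then verify it by restoring."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files never load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    """Assumed convention: the manifest sits beside the archive as <name>.manifest.json."""
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a gzip tarball of `source` plus a JSON manifest of file hashes."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path) -> Dict[str, str]:
    """Restore into a scratch directory and compare with the manifest.

    Returns {relative_path: problem}. An empty dict means every file in the
    manifest came back with the expected content and nothing extra appeared.
    """
    expected: Dict[str, str] = json.loads(manifest_path(archive).read_text())
    problems: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter rejects absolute paths, "../" members and links
                # that escape the target directory (tar path traversal).
                tar.extractall(tmp, filter="data")
            except TypeError:  # Python release without extraction filters
                tar.extractall(tmp)
        actual = build_manifest(Path(tmp))
    for rel, digest in expected.items():
        if rel not in actual:
            problems[rel] = "missing after restore"
        elif actual[rel] != digest:
            problems[rel] = "content differs from manifest"
    for rel in actual.keys() - expected.keys():
        problems[rel] = "unexpected file in restore"
    return problems


if __name__ == "__main__":
    # Constructed sample data: a small directory tree standing in for real data.
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "users.sql").write_text("CREATE TABLE users (id INT);\n")
        (src / "notes.txt").write_text("constructed sample file\n")
        archive = Path(work) / "backup.tar.gz"
        create_backup(src, archive)
        problems = verify_restore(archive)
        print("restore test:", "OK" if not problems else problems)
```

Keep the manifest with the archive copy you consider authoritative (offline, or on storage the backup host cannot modify); if only the archive is available to an attacker, a rewritten archive will still fail the comparison.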
6. Implement Application Whitelisting
Two of the most common ways to infect a user’s workstation with malware are through email clients and web browsers. To counter this, identify the applications your users need and make sure they can execute only those approved applications. Most malware incidents reported to CERT NZ are likely to have originated from opening malicious email attachments or from drive-by downloads. Whitelisting the approved applications means an unapproved executable delivered by attachment or download will not run, which protects the system from these attacks. It’s a key security control for your network.
7. Enforce the Principle of Least Privilege
Grant users the minimum level of access and control in your network that they need to do their job, and remove their accounts when they’re no longer needed. This limits the damage an intrusion can cause. We also recommend enforcing separation of privilege: when a user requires administrative privileges, give them a separate administrative account that is used only for administrative tasks, never for email or web browsing. We’re aware of incidents where users held unnecessary administrative privileges, and attackers who compromised those accounts were able to make unauthorised changes to the environment.
8. Configure Centralised Logging and Analysis
Storing and securing your logs in a central place makes log analysis and alerting easier, and keeps a copy that an attacker who compromises a host cannot quietly edit or delete. Logs are a key part of understanding what happened in an incident. Configuring alerts for key actions, such as repeated failed logins followed by a success, or an account being added to an administrative group, can help you detect abnormal behaviour and tell you what to investigate. Without good logging it’s very difficult to discover the nature and extent of a compromise, which makes containing and recovering from an incident much harder. Logs weren’t available for many of the incidents reported to CERT NZ, which meant a complete post-incident investigation wasn’t possible.
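What "alerts for key actions" can look like once logs from several hosts sit in one place, as an added example that is not part of the CERT NZ advice: the log lines are constructed to resemble OpenSSH and sudo messages as a central collector might store them (ISO timestamp, hostname, process, message), and two detections run over them, one for a burst of failed logins from a source followed by a successful login, and one for a sudo command that adds an account to an administrative group. The line format, the thresholds and the group names are assumptions of this example.

```python
"""Run two simple detections over centrally collected authentication logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple

# Constructed sample of collector lines from two Linux hosts; not real incident data.
SAMPLE_LOGS = """\
2024-03-04T10:15:01Z web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-04T10:15:03Z web01 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51123 ssh2
2024-03-04T10:15:05Z web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-04T10:15:07Z web01 sshd[1201]: Failed password for alice from 203.0.113.7 port 51125 ssh2
2024-03-04T10:15:09Z web01 sshd[1201]: Failed password for alice from 203.0.113.7 port 51126 ssh2
2024-03-04T10:15:12Z web01 sshd[1201]: Accepted password for alice from 203.0.113.7 port 51127 ssh2
2024-03-04T10:16:40Z web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc-backup
2024-03-04T10:20:00Z db01 sshd[877]: Accepted publickey for bob from 10.0.2.15 port 40100 ssh2
2024-03-04T10:21:00Z db01 sshd[880]: Failed password for bob from 10.0.2.15 port 40101 ssh2
"""

# Assumed collector line layout: "<ISO timestamp> <host> <process>[<pid>]: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\s:\[]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
# Assumed policy: adding anyone to these groups is a privilege grant worth an alert.
GRANT_RE = re.compile(r"\busermod\b.*\s-a?G\s+(?:sudo|wheel|admin)\b")


class Event(NamedTuple):
    ts: datetime
    host: str
    proc: str
    msg: str


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse collector lines into events. Non-matching lines are skipped here;
    a production pipeline should count and report them rather than drop them."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["host"], m["proc"], m["msg"]))
    return events


def detect_bruteforce_success(events: List[Event], threshold: int = 5,
                              window: timedelta = timedelta(minutes=2)) -> List[str]:
    """Alert when a source has >= threshold failed logins within `window` and then
    an accepted login: the shape of a guessed or sprayed password that worked."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> recent failure times
    alerts: List[str] = []
    for e in events:
        if e.proc != "sshd":
            continue
        m = AUTH_RE.match(e.msg)
        if not m:
            continue
        recent = failures[m["src"]]
        while recent and e.ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if m["result"] == "Failed":
            recent.append(e.ts)
        elif len(recent) >= threshold:
            alerts.append(f"{e.host}: {len(recent)} failed logins from {m['src']} "
                          f"then success as {m['user']} at {e.ts:%H:%M:%S}")
            recent.clear()
    return alerts


def detect_privilege_grants(events: List[Event]) -> List[str]:
    """Alert on sudo commands that add an account to an administrative group."""
    alerts: List[str] = []
    for e in events:
        if e.proc != "sudo":
            continue
        m = SUDO_RE.match(e.msg.strip())
        if m and GRANT_RE.search(m["cmd"]):
            alerts.append(f"{e.host}: {m['user']} changed admin group membership: {m['cmd']}")
    return alerts


def analyse(lines: Iterable[str]) -> List[str]:
    """Parse once, run every detection, return the alerts in detection order."""
    events = parse(lines)
    return detect_bruteforce_success(events) + detect_privilege_grants(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS.splitlines()):
        print("ALERT", alert)
```

Both detections only work because the events from web01 arrive with their hostname and a consistent timestamp; the same logic run on each host separately would still fire here, but a source that spreads its guesses across many hosts, or an attacker who clears the local log after success, is only visible in the central copy.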
9. Implement Network Segmentation
Network segmentation divides your network into zones and restricts which zones can talk to each other, so that one compromised workstation cannot reach every server directly. Proper segmentation relies on the implementation of other critical controls, in particular disabling unused services and protocols, and enforcing the principle of least privilege. We’ve seen incidents where attackers used common management tools and protocols to gain control of other machines on a network. There are also scripted tools that extract credentials from a compromised machine; those credentials are then used to access other devices and applications in the network.
10. Use Network Tools
You can prevent attackers spreading through your network by using network tools like firewalls and ‘netflow’ traffic monitoring, and by following the other critical controls. Firewalls enforce the boundaries between segments; flow monitoring shows which hosts are talking to which, so an unexpected connection between zones stands out.
11. Manage Cloud Authentication
We’re aware of incidents where cloud authentication misconfigurations let attackers bypass security controls, including MFA, by using legacy authentication protocols that cannot prompt for a second factor. Block legacy authentication wherever a service lets you. Organisations are also moving toward using more cloud-based services, and it’s easy to end up with several separate authentication systems. Centralising authentication gives you better control and visibility over who has access to your systems and information. It also provides a unified experience and lets you enforce MFA for applications that may not support it themselves.
12. Remove Legacy Systems
Legacy systems are systems that a vendor no longer supports, or that an organisation no longer maintains. This includes end-of-life or unsupported software as well as devices. With a legacy system, an organisation has to choose between replacing it and staying with the unsupported system. Neither option is easy, as both take time, money and resources, and each carries a risk. Risk 1: if the system is replaced, the critical process it supports may be disrupted. Risk 2: if the system is not replaced, known problems and security vulnerabilities in it remain exploitable, and no fix will ever arrive. Where the system can’t be removed or replaced, the mitigation is to restrict access to it: isolate it on its own network segment, allow only the hosts and protocols that genuinely need to reach it, and monitor that access.
13. Manage BYOD Devices
A mobile device is any portable device that can access and hold organisational data. It’s important to secure these devices as you would any other device that sits within your network. Using mobile devices for work has become common: your staff may use a laptop to work remotely, travel often, and work on their mobile phones. This is convenient and can provide real benefits to your staff and business, but there are a few security points to consider before you give these devices access to your network. You need to think about physical security: because these devices are portable, they’re more likely to get lost or stolen, so they need full-disk encryption, a screen lock and a way to wipe them remotely. Devices may also connect to networks that are not controlled by the organisation, such as home or hotel Wi-Fi. This means they won’t get the benefit of any network-level security controls, like web proxies, and whoever manages that routing equipment may be able to see sensitive data in connections made from the device unless the traffic is encrypted, for example over a VPN or TLS.
14. Maintain Best Practices, including Password Policies
We recommend you also continue with other best practices, like maintaining an effective password policy.