Russia’s deployment of troops into Ukraine is the physical side of a war that has been raging for some time in cyber space. How might your UK business get caught in the crossfire of this cyber war?
On the 15th and 16th of February, the Ukrainian banking sector was subjected to a distributed denial of service (DDoS) attack, and the UK NCSC has assessed that the Russian GRU (Main Intelligence Directorate) was almost certainly involved.
Then, on 23rd February this week, the websites of several Ukrainian government departments, including the Ministry of Defence, the Ministry of Internal Affairs and the Security Service, were taken offline in a DDoS attack hours before Russian tanks crossed the border into Ukraine.
At the start of this week, Lindy Cameron, the head of the NCSC, wrote in the Sunday Telegraph that UK businesses need to take action during times of heightened tension because ‘Cyber attacks do not respect geographic boundaries.’
The risk of collateral damage
In the spring of 2017, the servers of Linkos, a small family-owned tax-software business in Ukraine, were compromised by hackers from the Russian military. They added their own malware to the Linkos software, which was then distributed to customers across Ukraine. The malware lay dormant until 27 June 2017, when it was used to launch what has become known as the most destructive cyber-attack in history: NotPetya.
The NotPetya malware wiped the hard drives of the machines it infected and then wormed its way across company networks using the EternalBlue exploit, which had been stolen from the NSA. One of the machines it infected was in the regional accounts office of the Danish shipping company Maersk.
Within minutes the malware had wormed its way across Maersk’s global network: 574 offices in 130 countries, controlling 800 cargo ships, 76 ports and almost a fifth of the world’s total shipping capacity, running on 4,000 servers and 45,000 PCs. NotPetya killed them all. Except one. A single domain controller in Ghana, offline at the time of the attack because of a local power cut, was the only domain controller to survive, and from it the network could be rebuilt. The cost to Maersk alone is estimated at $300 million, and they were not the worst-hit business. The total worldwide cost of the 2017 NotPetya attack is reported by the US Government to be US$10 billion.
Maersk was not a target of the malware; they only had one small office in Ukraine, where the Russian attack was aimed. Yet Maersk and the other businesses affected around the world were all collateral damage, caught in the crossfire of someone else’s cyberwar.
Steps to take to protect your organisation
The UK NCSC recently published a guide on steps businesses can take in order to ensure that they are best placed to protect themselves during times of heightened risk of cyber attacks. The first steps you should consider include:
Apply security patches
Even the most sophisticated cyber attacks make use of software vulnerabilities, the chinks in your network’s armour, so start by ensuring that all freely available security patches have been applied not only to your servers and PCs but also to the firmware in your firewalls and network devices. It is considered best practice to run a rolling monthly programme that applies security updates as they are published.
Passwords and MFA
Passwords are the keys to your kingdom, so remind your staff to pick strong and unique passwords for every login they use. Password managers will make this much more manageable. Using multi-factor authentication reduces the risk from password-based attacks by 99.9%, according to Microsoft.
Ensure defences are working
Confirm that your anti-virus software is up to date and active on all your systems, and check that your firewall rules are working as designed. If you have not reviewed them for several months, now is a good time to make sure they are still appropriate for your business needs.
The answer is always in the logs
The evidence for network intrusions is always found in the logs produced by the firewalls and anti-malware systems on your network. The problem is that many organisations ignore their logs until after a breach has been detected. Actively checking your logs using a SIEM system can help you detect a breach, or an attempted breach, much earlier and so reduce the impact and damage.
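The kind of check a SIEM automates can be seen in miniature with a short script. The following is an added example, not code from the original article or from the NCSC guidance: it parses a handful of constructed firewall deny/allow lines (the `key=value` format, hostnames and documentation-range IP addresses are all assumptions) and flags any source address that is denied repeatedly within a short window, distinguishing a hammering of one port on one host from a sweep of the same port across many hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real traffic). The format is an
# assumed generic "key=value" deny/allow line of the kind many firewalls emit.
SAMPLE_LOG = """\
2022-02-24T09:00:01Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp
2022-02-24T09:00:02Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp
2022-02-24T09:00:02Z fw01 ALLOW src=198.51.100.25 dst=198.51.100.10 dport=443 proto=tcp
2022-02-24T09:00:03Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp
2022-02-24T09:00:04Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp
2022-02-24T09:00:05Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp
2022-02-24T09:00:06Z fw01 DENY src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp
2022-02-24T09:00:10Z fw01 DENY src=203.0.113.77 dst=198.51.100.10 dport=3389 proto=tcp
2022-02-24T09:00:11Z fw01 DENY src=203.0.113.77 dst=198.51.100.11 dport=3389 proto=tcp
2022-02-24T09:00:12Z fw01 DENY src=203.0.113.77 dst=198.51.100.12 dport=3389 proto=tcp
2022-02-24T09:00:13Z fw01 DENY src=203.0.113.77 dst=198.51.100.13 dport=3389 proto=tcp
2022-02-24T09:00:14Z fw01 DENY src=203.0.113.77 dst=198.51.100.14 dport=3389 proto=tcp
2022-02-24T09:00:15Z fw01 DENY src=203.0.113.77 dst=198.51.100.15 dport=3389 proto=tcp
2022-02-24T09:30:00Z fw01 DENY src=203.0.113.200 dst=198.51.100.10 dport=23 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def find_noisy_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least `threshold` DENY events inside any sliding window.

    Returns {src: {"denies": total, "ports": [...], "targets": [...]}} for flagged sources.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            events[rec["src"]].append(rec)

    flagged = {}
    for src, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {
                    "denies": len(recs),
                    "ports": sorted({r["dport"] for r in recs}),
                    "targets": sorted({r["dst"] for r in recs}),
                }
                break
    return flagged


def classify(summary):
    """Label a flagged source from the shape of its denied traffic."""
    if len(summary["targets"]) > 1 and len(summary["ports"]) == 1:
        return "sweep"          # same port tried across many hosts
    if len(summary["targets"]) == 1 and len(summary["ports"]) == 1:
        return "brute-force"    # one host, one port, hit repeatedly
    return "mixed"


if __name__ == "__main__":
    for src, summary in find_noisy_sources(SAMPLE_LOG).items():
        print(src, classify(summary), summary)
```

Run on the sample above, the script flags 203.0.113.5 (six denies on port 22 of one host) and 203.0.113.77 (the same port across six hosts) while ignoring the single isolated deny from 203.0.113.200. A real SIEM rule does the same thing at scale, and the point of the exercise is that both patterns are visible in the firewall log long before anything on an endpoint notices.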
Test your backups
Ransomware is the biggest threat facing UK business according to the NCSC, and backups that safely store copies of your data out of the reach of ransomware are the only really effective protection if the worst should happen. Are your backups running every day, and when was the last time you tried a restore to prove they are working?
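A restore drill is worth scripting so that it actually happens. The following is an added example, not code from the original article: it builds a small set of constructed sample files, backs them up to a tar archive, restores that archive into a fresh directory and compares SHA-256 hashes of every file against the live data. The second mode of the drill changes a file after the backup was taken, which is the everyday failure a restore test should expose: the backup ran, but what it holds is not what you would need. The file names and archive location are assumptions; in practice the archive would be written to offline or immutable storage rather than a temporary directory.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root):
    """SHA-256 of every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def make_backup(src_dir, archive_path):
    """Write src_dir into a gzip-compressed tar archive."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")


def restore_backup(archive_path, dest_dir):
    """Extract the archive into dest_dir, refusing any member that would land outside it."""
    dest = Path(dest_dir).resolve()
    with tarfile.open(str(archive_path), "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(str(dest))


def verify_restore(expected_manifest, restored_dir):
    """Compare a restored tree against the manifest taken from the live data.

    Returns (ok, missing, mismatched, unexpected).
    """
    actual = hash_tree(restored_dir)
    missing = sorted(set(expected_manifest) - set(actual))
    unexpected = sorted(set(actual) - set(expected_manifest))
    mismatched = sorted(
        p for p in expected_manifest if p in actual and actual[p] != expected_manifest[p]
    )
    ok = not (missing or mismatched or unexpected)
    return ok, missing, mismatched, unexpected


def run_restore_drill(modify_after_backup=False):
    """End-to-end drill on constructed sample data.

    With modify_after_backup=True a file is changed after the backup was taken,
    so the drill reports that the backup no longer matches the live data.
    """
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "accounts").mkdir(parents=True)
        # Constructed sample data (assumed file names and contents).
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2022-02-24,100\n")
        (live / "notes.txt").write_text("constructed sample data\n")

        archive = Path(tmp) / "backup.tar.gz"  # assumption: real drills use offline storage
        make_backup(live, archive)

        if modify_after_backup:
            (live / "accounts" / "ledger.csv").write_text("date,amount\n2022-02-24,999\n")

        expected = hash_tree(live)
        restored = Path(tmp) / "restored"
        restored.mkdir()
        restore_backup(archive, restored)

        ok, missing, mismatched, unexpected = verify_restore(expected, restored)
        return {"ok": ok, "missing": missing, "mismatched": mismatched, "unexpected": unexpected}


if __name__ == "__main__":
    print("fresh backup:", run_restore_drill())
    print("stale backup:", run_restore_drill(modify_after_backup=True))
```

The path check in `restore_backup` is there because a restore is the one time you extract an archive you may not have inspected; a backup that has been tampered with should fail loudly rather than write files where it pleases. Recording the manifest of the live data at backup time, and keeping it with the backup, turns the same comparison into a routine integrity check rather than a once-a-year exercise.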
Don’t make it up on the day
When the fire alarm rings, your staff know what to do because you practise a fire drill once or twice every year. Take the same approach to your cyber security: write a security incident response plan and then test it with a drill at least once a year.
A balanced and flexible approach
Many organisations have a plan of actions they are taking to improve their cyber security over time; it is often simply not possible to make all the changes and investment in one go. However, during times of heightened cyber risk, it is advisable to revisit those plans to see whether any items should be brought forward to mitigate the current risks. Review the full guidance from the NCSC here.
An effective way to check whether your existing protections are sufficient is to perform a network penetration test. This will tell you if there are flaws or weaknesses in your network security and provide you with advice on how to fix them before a threat actor can take advantage of them.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)