The UK’s security agency has told organizations of the steps to take to beef up their defenses “when the cyber threat is heightened” by zero-day software flaws or geopolitical tensions.
The National Cyber Security Centre (NCSC) is not alone in warning companies to take action. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) also warned all organizations to take “near, urgent steps” to mitigate critical cyber threats, in response to that week’s cyberattacks on Ukrainian government websites and IT systems. This advice comes amid growing fears of a Russian invasion of Ukraine.
CISA raised the alarm after Microsoft discovered wiper malware, dubbed “WhisperGate”, on several Ukrainian systems. CISA reminded US businesses of NotPetya, the wiper malware that targeted Ukrainian organizations in 2017 via a tainted update to a popular accounting software package, but that also spread to the worldwide IT networks of US and European businesses. By the White House’s estimate, the attack cost European and US businesses billions of dollars.
Rafe Pilling, senior security researcher at Secureworks’ Counter Threat Unit, reckons US and European organizations could become casualties of WhisperGate in a similar fashion.
“While it is unlikely that organizations outside of Ukraine will be directly targeted, customers should consider their exposure to collateral damage via service providers or business partners in Ukraine,” said Pilling.
“Organizations should be extra vigilant and maintain current backups of business-critical systems and data, exercise restoration processes before they are needed, and ensure that backups cannot be impacted by ransomware-style or wiper malware attacks.”
So what should potentially affected businesses and public agencies in the UK and elsewhere do to mitigate the risk of becoming collateral damage?
The UK’s NCSC says organizations need to balance cyber risks and defense and notes there “may be times when the cyber threat to an organisation is greater than usual.”
Triggers for heightened risk include a spike in adversary capability from new zero-day flaws in popular software, or something “more specific to a particular organisation, sector or even country, resulting from hacktivism or geopolitical tensions,” says the NCSC.
The NCSC’s answer is to control what you can because you can’t control the threat level. And that means patching systems, checking configurations and shielding the network from password attacks.
“It is rare for an organisation to be able to influence the threat level, so actions usually focus on reducing your vulnerability to attack in the first place and reducing the impact of a successful attack,” NCSC says.
Like CISA, the NCSC has provided a checklist of fundamental cybersecurity actions that are “important under all circumstances but critical during periods of heightened cyber threat.” These actions matter because organizations probably can’t quickly implement widespread changes when threat levels rise.
NCSC’s list includes:
- Check your system patching: Ensure your users’ desktops, laptops and mobile devices are all patched
- Verify access controls: Ask staff to ensure that their passwords are unique to your business systems and are not shared across other, non-business systems
- Ensure defences are working: Check antivirus and firewalls
- Logging and monitoring: Understand what logging you have in place, where logs are stored, and for how long
- Review your backups: Confirm that your backups are running correctly
- Incident plan: Check your incident response plan is up to date
- Check your internet footprint: Perform an external vulnerability scan of your whole internet footprint
- Phishing response: Ensure that staff know how to report phishing emails
- Third-party access: Have a comprehensive understanding of what level of privilege is extended into your systems, and to whom
- NCSC services: Register for the Early Warning service, so that the NCSC can quickly inform you of any malicious activity
- Brief your wider organisation: Ensure that other teams understand the situation and the heightened threat