As the world watches the invasion of Ukraine by Russia, we here in the United States are unfortunately not immune from the situation and neither are our businesses.
As President Biden and our western allies level sanctions on Russia, options for cyberwarfare against Russia are being planned and executed against Moscow. Official Russian government websites have already experienced outages and disruptions and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of retaliatory cyber-attacks on U.S. infrastructure and businesses. Now is the time for your business to prepare for this possibility.
Nick Espinosa, MCAA’s Chief Security expert, advises the following steps be taken as soon as possible:
- Update all operating systems and defensive technologies within your company (and homes). Any firewalls, Windows/MacOS/iPhone/Android operating systems, Antivirus, Endpoint Detection Response Systems, infrastructure equipment such as wireless access points, and other software should be up brought up to date. The CISA has published a list of the top hardware and software that Russian intelligence tends to exploit. Consider any of these products a top priority for updating:
- FortiGate VPNs
- Cisco routers
- Oracle WebLogic Server
- Zimbra software
- Exim Simple Mail Transfer Protocol
- Pulse Secure
- Citrix Servers
- Microsoft Exchange
- VMWare (note: this was a zero-day at time.)
- F5 Big-IP
- Oracle WebLogic
- Microsoft Exchange Servers
- Enable Multifactor Authentication wherever possible, including Microsoft Office 365, other cloud logins, backup systems (if possible), financial institutions and anywhere else critical information is stored for your business. Free authenticator apps include Authy, Microsoft, Google and more. Ideally planning for an Identity Management solution is recommended, however given the timeframe of possible attacks, using the free options are significantly better than doing nothing.
- Ensure that all computers and devices are accounting for and have your Antivirus or Endpoint Detection Response installed. A computer missing this critical software could become the entry point for an attacker to gain access into your data and network or shut you down.
- Double check all backups. Make sure they are current and actually work. Studies have shown that many company miss critical data when they backup. Also, restorations of data need to be tested as well. Finally, having a backup that is ideally in the cloud (or at least off-site) will ensure that if you need to restore data in an emergency you have a safe copy.
- Alert all employees of these possibilities and make sure they maintain heightened vigilance and on the lookout for suspicious emails, odd behavior from their computer or devices, unusual slowness of the internet and more. Let them know that it’s important they notify IT or a manager as fast as possible if they suspect a problem. In a cyberattack we want accurate information as much as we can, but what is worse is the employee who experiences a problem and doesn’t say anything. In an emergency, shutting off the possibly infected computer and also the internet will help stop an attack or the spread of an infection.
- If your business has next generation firewalls and/or Identity Management solutions, enable as much logging as you can and also enable geo-blocking for all incoming internet traffic except for traffic originating in the USA. This will help immediately drop any foreign internet connections attempt to look at your infrastructure or logins. Make sure to account for any employees that workout from outside of the United States or are traveling abroad at this time.
- If your business has industrial control systems, conduct a test of manual controls to ensure that critical functions remain operable if your network is knocked out or known to be compromised.
These seven points are by no means comprehensive to a complete Cybersecurity solution, however these are the most critical points that need to be addressed as soon as possible.
It is important to note that a cyber-attack in which foreign intelligence agencies are involved, tend to not look like the traditional ransomware attacks we hear about in the news. The primary goal for Russian intelligence would be to be as disruptive to infrastructure as possible. They won’t take the time to lock out your data and ask for money. They will simply attempt to either kill your infrastructure, destroy your critical data, or plant dormant infections in your network for later activation and then quickly move on to the next target.
Their first goal, however, is disruption of the overall infrastructure of the United States. In this vein, it is important to note the following could be possible disruptions for your business:
- Loss of internet via your Internet Service Provider due to attack on them.
- Loss of electricity.
- Loss of water and waste water availability.
- Loss of traditional communication systems such as telephone lines.
- Disruption of satellite services (TV, GPS, Communication etc.)
- Disruption or outages of apps and services (i.e., airline/travel apps, credit card machines at local retail stores, video streaming services, financial/banking access etc.)
- Disruption of local government services (paying bills, 911 call centers, traffic infrastructure etc.)
MCAA will continue to provide guidance to help safeguard your businesses, and homes from cyber attacks.