Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: The National Cyber Security Centre has released a ‘Cyber Vitals Checklist’, just as concerns increase that the current tensions over Ukraine may increase the likelihood of a significant cyber attack on the West.

This week’s action: Double-check your defences.

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.buzzsprout.com/1914497/10011037

THREE ARTICLES

1: NCSC’s Cyber Vitals Checklist

As reported by Cyber Ireland, “a cyber vitals checklist has been produced by the NCSC to ensure that organisations can check their critical cyber controls are implemented and working correctly.”

The checklist covers 8 areas, with no more than 5 specific actions in each area. So, it’s very consumable and a way for any organisation to benchmark themselves. It’s also good to see key measures like multi-factor authentication, incident response plans, backups, staff awareness training are all included.

Read more: https://ncsc.gov.ie/pdfs/Cyber_Vitals_Checklist.pdf via https://cyberireland.ie/ncsc-cyber-vitals-checklist-version-one-point-zero/

2: UK’s NCSC and US CISA advise organisations to bolster their defences as cyber attacks in and around Ukraine increase

The checklist from NCSC could be very timely, given the increasing tensions between Russia and the West over the Ukraine.

I’ve broken the rules here and linked to numerous articles, which all point to increasing concerns that the situation in the Ukraine may lead to an increasing number of cyberattacks. After all, modern warfare includes cyber warfare.

According to one report in Bank Info Security, “The U.S. Department of Homeland Security is reportedly warning that the U.S. could witness a retaliatory cyberattack at the hands of Russia if it decides to respond to the latter’s potential invasion of Ukraine.” A former CISO for the city of Seattle is quoted as saying “it is likely that any military action taken by the U.S. in Ukraine will be met by actions designed to give the U.S. other things to worry about.”

And in the UK, their NCSC agency is encouraging UK organisations to learn from recent cyber-attacks in the Ukraine, stating that “recent cyber activity in and around Ukraine fits with pattern of Russian behaviour previously observed, including in the damaging NotPetya incident.”

NotPetya was a cyberattack launched in June 2017, which was distributed through phishing emails and took advantage of a vulnerability in Microsoft Windows for which Microsoft had released a security fix 3 months earlier. It was also a vulnerability that the US National Security Agency knew about, and exploited, over the previous 5 years.

While we may think of NotPetya as ransomware, this is wrong. NotPetya wiped data and there was no way to retrieve it (even if you paid a ransom). Unless you had a reliable backup, your data was gone forever.

Read more: https://www.ncsc.gov.uk/news/uk-organisations-encouraged-to-take-action-around-ukraine-situation and https://www.cisa.gov/uscert/ncas/current-activity/2022/01/18/cisa-urges-organizations-implement-immediate-cybersecurity (both via https://ncsc.gov.ie/news) and https://www.bankinfosecurity.com/report-dhs-fears-russian-cyberattack-if-us-acts-on-ukraine-a-18370 (via https://www.securethevillage.org)

3: Zero Trust Architecture

To reduce the impact of future cyberattacks, the White House wants government agencies to adopt a Zero Trust security model within the next two years.

A recent memorandum “sets forth a federal Zero Trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of fiscal year (FY) 2024 in order to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns” [...] The Zero Trust approach is based on the notion that local devices and connections can’t be completely trusted. Users need to be authorized, authenticated and continuously validated.

The strategy includes the need for strong multi-factor authentication systems to be in place that are resistant to phishing attacks, for example physical identity verification cards. It also requires each agency to have a full inventory of the computer devices that are allowed to access the network, with each device built to a recognised security standard.

The baseline that defines ‘appropriate security measures’ is starting to get higher.

Read more: https://www.engadget.com/white-house-zero-trust-security-model-omb-cisa-185117609.html via https://www.securethevillage.org

TWO NUMBERS

1: 60 days

To ensure US government agencies don’t spend too much time thinking about this Zero Trust strategy, the memorandum has given them only 60 days to submit their implementation plan.

Read more: https://www.engadget.com/white-house-zero-trust-security-model-omb-cisa-185117609.html via https://www.securethevillage.org

2: 23%

According to a report by Check Point and reported in Threat Post, 23% of all phishing emails scanned by Check Point email security filters in Q4 2021 were found to be using the DHL brand to try to fool the email recipients, earning DHL “the dubious distinction of replacing Microsoft at the top of the Check Point Software list of brands most imitated by threat actors”.

Read more: https://threatpost.com/shipment-delivery-scams-a-fav-way-to-spread-malware/178050/ via https://www.securethevillage.org

ONE ACTION

1: Double-check your defences

As I mentioned earlier, there seems to be an increasing number of advisories being issued about the potential for a significant cyber attack against Western nations. Both the US and UK cybersecurity agencies have released recent statements reminding organisations to check their defences. We all need to do the same.

My Top 5?

  1. Are your accounts protected with multi-factor authentication, especially administrator accounts and accounts for crown-jewel systems like email systems and file servers?
  2. Are your systems up to date with their security patches, especially Windows operating systems, Microsoft Office, Adobe Reader, and other commonly-attacked applications like internet browsers?
  3. Do you have recent backups that are not accessible online?
  4. Are your staff being reminded about common phishing scams and what to look out for?
  5. Do you know what you would do in the first couple of hours if you were attacked? For example, who would you call?

If you don’t know where to start, start with my guide to the basics. The checklist published by the NCSC, which I mentioned earlier, is also a very useful guide.
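As an added illustration (not part of this newsletter, the NCSC checklist, or any product), here is how the Top 5 questions above can be turned into an automated self-check over a small asset inventory. The inventory, the account and host names, and the thresholds (30 days for patching, 7 days for an offline backup, 180 days since the last phishing reminder) are all constructed assumptions for the example; an organisation would feed in its own data and pick its own limits.

```python
from datetime import date

# Constructed sample inventory for the example; none of these are real systems.
INVENTORY = {
    "accounts": [
        {"name": "admin-dc01", "admin": True, "mfa": False, "system": "Active Directory"},
        {"name": "j.smith", "admin": False, "mfa": True, "system": "email"},
        {"name": "fileshare-svc", "admin": False, "mfa": False, "system": "file server"},
    ],
    "hosts": [
        {"name": "WS-101", "os": "Windows 10", "last_patched": date(2022, 1, 11)},
        {"name": "WS-102", "os": "Windows 10", "last_patched": date(2021, 10, 5)},
    ],
    "backups": [
        {"name": "nightly-nas", "last_success": date(2022, 2, 1), "offline": False},
        {"name": "weekly-tape", "last_success": date(2022, 1, 20), "offline": True},
    ],
    "last_phishing_awareness": date(2021, 6, 1),
    "incident_contacts": [],  # who to call in the first couple of hours
}

# Illustrative thresholds (assumptions, not from the checklist).
CROWN_JEWELS = {"email", "file server", "Active Directory"}
PATCH_MAX_AGE_DAYS = 30
BACKUP_MAX_AGE_DAYS = 7
AWARENESS_MAX_AGE_DAYS = 180


def check_defences(inv, today):
    """Return a list of (area, detail) findings, one per failed check."""
    findings = []

    # 1. MFA on admin accounts and accounts into crown-jewel systems.
    for acct in inv["accounts"]:
        if not acct["mfa"] and (acct["admin"] or acct["system"] in CROWN_JEWELS):
            findings.append(("mfa", acct["name"]))

    # 2. Hosts whose last patch date is older than the allowed window.
    for host in inv["hosts"]:
        if (today - host["last_patched"]).days > PATCH_MAX_AGE_DAYS:
            findings.append(("patching", host["name"]))

    # 3. At least one recent backup that is not reachable online.
    recent_offline = [
        b for b in inv["backups"]
        if b["offline"] and (today - b["last_success"]).days <= BACKUP_MAX_AGE_DAYS
    ]
    if not recent_offline:
        findings.append(("backups", "no offline backup within %d days" % BACKUP_MAX_AGE_DAYS))

    # 4. Staff phishing reminders delivered recently enough.
    if (today - inv["last_phishing_awareness"]).days > AWARENESS_MAX_AGE_DAYS:
        findings.append(("awareness", "last reminder %s" % inv["last_phishing_awareness"]))

    # 5. Someone to call if an incident happens.
    if not inv["incident_contacts"]:
        findings.append(("incident_response", "no incident contacts recorded"))

    return findings


def summarise(findings):
    """Count findings per checklist area, so a report can show where to start."""
    counts = {}
    for area, _ in findings:
        counts[area] = counts.get(area, 0) + 1
    return counts


if __name__ == "__main__":
    for area, detail in check_defences(INVENTORY, date(2022, 2, 4)):
        print("%-17s %s" % (area, detail))
```

Running it against the constructed inventory flags the admin account and the file-server account without MFA, the host that has not been patched since October, the absence of an offline backup in the last week, stale phishing-awareness reminders, and the empty incident contact list, which is exactly the set of gaps the five questions are meant to surface.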