What are Phishing Tools and Malware?
Implementation of robust cybersecurity attack defenses is now a core part of every organization’s operations. Attacks come in increasingly sophisticated forms, but security teams can take steps to mitigate the risk of successful attacks. Here are some measures that will lower the risk.
Documented Policies and Procedures
Successful defense against cyberattacks requires a combination of top-down and bottom-up approaches. The latter comes from employees within an organization who use IT systems for their work. The former comes from managers tasked with protecting users, systems, and data.
A crucial part of any strategy used to counter the risk of cyberattacks is established policies and procedures. These should cover what the IT team (or external suppliers if outsourced) needs to do to protect systems, as well as what each user within the organization needs to do to help implement security.
A search for "example IT security policy and procedures document" will provide many examples of documents that can be used as templates to implement an organization-specific policy.
Proactive Defense Measures
Cyberattacks rarely happen without telltale markers. Discussions about organizations targeted for attack, auctions of user account information, and the setup of dummy domains for phishing attacks can be found on the dark web. If you know where to look, you can get threat intelligence warnings of imminent attacks and take countermeasures to prevent them.
Monitoring the web and dark web for signs of imminent attack is an ongoing and specialized activity. Many organizations don't have the skill base or the resources to allocate staff to it. IntSights provides threat intelligence services that can provide warnings about imminent attacks.
Ongoing Awareness Training
Most successful cyberattacks occur as a result of phishing attacks, successful malware infections, or via some other social engineering-based attack that tricks users. Ongoing awareness training is vital so that employees know how to spot suspicious emails, messages, or websites.
This awareness training should be frequent, short, digestible, and trackable. The policies and procedures document discussed above should include how this awareness training will be delivered and tracked.
Password Management Tools
Unique passwords should be mandatory for all systems that a user accesses. Users should not be allowed to use the same password for multiple systems. Nor should teams of users be allowed to share a password for a system. Passwords should also be strong and hard to guess or brute force.
These rules are great for system security, but they are hard for humans. To make it easier for humans while also maintaining good password use across all systems, consider using a password management system. These generate strong, unique passwords for each system used, and, in many cases, can autofill login details for users without them having to remember (or even know) the passwords for various logins. All the user needs to remember is a single strong password that logs them into the password vault.
Password management systems also allow multi-factor authentication to be implemented if the target system supports it. Users don't need to recall how to generate the secondary multi-factor token.
Briefly mentioned above, implementing multi-factor authentication for all systems that support it is a crucial best practice. Requiring another piece of information in addition to a username and password protects systems if login details are exposed to cybercriminals.
Additional tokens, specific device requirements, and biometrics all provide ways to implement multi-factor authentication when logging into IT systems.
Protected Access Management
The authentication methods listed above are a core part of Identity Access Management (IAM). When combined with permissions, IAM authorizes access to components of an application or IT system. This is the basis of the core access management that most organizations have traditionally used via Active Directory or a similar service.
A best practice for protecting critical systems is to take IAM to the next level and implement Protected Access Management (PAM). A PAM implementation adds additional policies and procedures to restrict access to designated systems. PAM also requires a management workflow to authorize anyone to use a login. No single person can grant access. During a PAM session, all activity is logged and often recorded for later analysis, if required. PAM solutions also implement protections that prevent dangerous system or data altering commands unless executed by a specific, highly authorized account. All PAM login and password combinations are one-time use only, and each access has to start the workflow from scratch.
The border between internal networks and the internet must be secured and protected with reliable firewalls and intrusion protection systems. Modern firewalls can detect known attack methods and any suspicious activity that may be associated with emerging cyberattack methods.
In addition to border firewalls, the deployment of Web Application Firewalls (WAF) between backend application servers and border firewalls is recommended. A WAF can act as a reverse proxy for a web application server and handle all access requests. These requests are checked for suspicious activity at the network and application level. Any request that is deemed suspicious is prevented from reaching the application servers.
Network Deception Technologies
Deception technologies implement dummy applications, databases, and other IT systems on a corporate network. These dummy systems are designed to trick cyberattackers who breach the external firewalls into thinking they have access to internal systems. In reality, the dummy systems are intended as honey traps that allow security teams to monitor the attacker's activities and gather data without exposing the real systems. Deception technologies are often backed by machine learning algorithms that can make the activity on the dummy IT systems seem authentic to cybercriminals.
All data at rest on servers and in transit over the network should be encrypted. If attackers get access to data, or if they intercept it traveling over the internet, then they should not be able to read it due to encryption. Use strong encryption: AES-256 as a minimum for data at rest, and TLS 1.3 for websites and transfers over the internet.
In addition to encrypting data, it should be backed up frequently. These backups should also be encrypted. Some of the backups should also be stored in a location not connected to the network. If a ransomware attack is successful and prevents access to systems without paying the extortion request, then you don't want this malware infecting the backups. If required, these clean backups can be used to restore systems without paying the ransomware demand.
Preventing malware infections is better than cleaning up after them. Good anti-malware and antivirus protection software should be installed on all systems that can run it (some mobile operating systems have built-in protection rather than using third-party products).
Up-to-Date IT Systems
All IT systems need to be kept up to date with the latest security patches and other operating system updates. The same applies to anti-malware and other security software. These need to be configured to get the latest security updates and definitions every day (or multiple times a day if appropriate).
A good practice is to have test systems that mirror the production IT systems. The test system can be used to deploy the latest updates to see if they cause any issues before rolling out the change widely. Gradual rollouts to production are also a good idea after sign-off on tests. Roll out to 10% of users and servers to see if any issues not seen in the test arise. Then roll out more widely if nothing emerges. This process is often a tradeoff between the gradual deployment of updates versus getting a security patch into production as soon as possible. The speed of rollout will usually be decided by the severity of the security issues fixed by the updates.
All WiFi networks in use should use the maximum security available, and the networks themselves should be set not to advertise their network names for devices to discover. If needed, restricted guest networks should be configured. This applies to users working from home. Their WiFi should be secured, or they should use hardened mobile access.
Mobile Device Management
The world is now mobile-first. A lot of business activity happens on smartphones and tablets, not to mention laptops, of course. The mobile nature of all these devices means that they will get lost and stolen. All mobile devices (including laptops) should be enrolled and managed in a mobile device management (MDM) solution. If a device is lost or stolen, it can be quickly reset and wiped so that data cannot be accessed. MDM systems are often part of more comprehensive IT Security Information and Event Management (SIEM) solutions.