The volume and severity of cyberattacks continue to rise, as international cybercriminals mercilessly target organizations of all sizes, including the IT infrastructures of Atlanta, Baltimore and other major U.S. cities. Despite many innovative advances in IT security over the past few years, businesses still struggle to secure their systems. Why is this still happening? With the stakes so high, what can you do to make sure your business is secure?
Let’s consider how a cyberattack has disruptive, crippling effects on a major city. In the wake of a debilitating attack, city officials typically must revert to handling information using paper-based manual processes. Imagine processing tickets or warrants in city courts, or handling payments made by residents following a cyberattack. The city of San Francisco, for example, issued approximately 1.4 million parking citations in 2015, according to an SFMTA report. If a payment for one of these 1.4 million tickets is not properly recorded, a ticket could advance to a bench warrant. So, the next time city police see the unsuspecting resident’s license plate on the streets, it could mean a ride downtown in a squad car.
As city workers are forced to handle previously automated processes by hand, human errors of this kind will increase, with the cascading failures inevitably having dramatic consequences. What should a city’s IT leaders do to prevent such a chaotic collapse?
Attacks Share Similar Characteristics
A majority of the attacks in the news recently have two main characteristics in common. First, cybercriminals used tactics that focused on compromising Internet-facing infrastructure. In 2016, cybercriminals exploited JBoss vulnerabilities in unpatched servers to launch the SamSam ransomware attack on hospitals. In 2018, criminals using the SamSam strain started targeting servers with weak passwords or stolen credentials. They also identified potential victims with exposed Remote Desktop Protocol (RDP) connections, FTP servers or IIS installations with SMBv1 enabled. At least two Indiana-based hospitals, and a handful of municipalities, cities and state agencies have been hit with attacks that used Internet-facing infrastructure as beachheads.
The second common characteristic? The businesses that were victimized primarily followed outdated, ineffective cybersecurity strategies focused largely on protection, while ignoring the critical detection and response functions. Investing in endpoint security solutions and perimeter defenses alone does not cut it anymore. You can’t, for example, just install antivirus software on your endpoints, or deploy firewalls, and assume that you’re now secure. So, what can you do to enable your customers, employees, suppliers and partners, while at the same time ensuring that increasingly interconnected IT systems remain secure?
Time to Employ Best Practices
To address the challenges relating to your Internet-facing infrastructure, adopt these 5 best practices today and begin your journey.
#1 Perform periodic vulnerability scanning and establish patching procedures
Vulnerable Internet-facing servers provide attackers with easy targets for initial compromise. You should absolutely consider vulnerability scanning tools to identify critical vulnerabilities on your systems. Before doing so, however, establish a formal vulnerability scanning and patching policy. There is no one-size-fits-all solution, but some issues to consider include:
- How often should you run vulnerability scanning tools?
- For an identified vulnerability, if a fix is available, how soon can you apply the patch? How would you prioritize patching, when multiple vulnerabilities are identified?
- What is the overall end-user impact? What will the downtimes be? Is there a way to perhaps limit functionality as opposed to completely disabling a service?
#2 Enforce strict password controls
Many recent attacks used brute-force login techniques for initial compromise. These days, you want your password to look like ikWcN#?P^hnBxA&I, and definitely NOT password123. The first step would be to ensure that no Internet-facing device is operating with factory-default passwords. Establish processes to ensure that default passwords are always changed. Consider password managers that can also help generate strong passwords.
#3 Enable Network Level Authentication (NLA)
Exposed RDP connections are also commonly used by attackers for initial compromise. All Internet-facing servers accessible via RDP should be configured to require NLA for RDP sessions. This forces a user to complete an authentication challenge before receiving the Windows logon screen, so an unauthenticated connection never gets a session on the server. It would also be useful to completely disable SMBv1 (Server Message Block v1), the protocol threat actors exploited in the WannaCry attacks.
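The two settings from #3 can be audited, and enforced, from one elevated PowerShell session on the server itself. This is an added example, not code from the original post; the function name and its -Enforce switch are choices made for this example.

```powershell
# Added example (not from the original post): audit, and with -Enforce apply, the two
# settings from #3 on the local host: NLA on the RDP-Tcp listener and SMBv1 off.
# Requires an elevated session on Windows 8 / Server 2012 or later; -Enforce is an
# assumed parameter name chosen for this example.
function Test-RdpHardening {
    [CmdletBinding()]
    param([switch]$Enforce)

    # NLA state is exposed by the Terminal Services CIM class for the RDP-Tcp listener
    # (the same value as UserAuthentication under HKLM:\SYSTEM\CurrentControlSet\
    # Control\Terminal Server\WinStations\RDP-Tcp).
    $ts = Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    $nlaRequired = ($ts.UserAuthenticationRequired -eq 1)

    # Server-side SMBv1 protocol state.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    if ($Enforce) {
        if (-not $nlaRequired) {
            # With NLA the client authenticates before any session or logon screen is created.
            Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                             -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
            $nlaRequired = $true
        }
        if ($smb1Enabled) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $smb1Enabled = $false
            # On Server 2012 R2 and later the SMBv1 binaries can also be removed entirely:
            # Remove-WindowsFeature FS-SMB1
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        NlaRequired  = $nlaRequired
        Smb1Enabled  = $smb1Enabled
        Compliant    = ($nlaRequired -and -not $smb1Enabled)
    }
}

Test-RdpHardening            # report only
# Test-RdpHardening -Enforce # apply both settings
```

Run the report-only form across your Internet-facing servers first; a server that still shows Smb1Enabled = True after enforcement usually needs a reboot for the change to take effect.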
#4 Implement Two-Factor Authentication (2FA)
As threat actors increasingly use stolen credentials to launch their attacks, implementing 2FA can be very useful. 2FA adds an extra layer of protection to the authentication process. It requires users who seek access to a controlled resource, such as a server, to present a second piece of identifying information in addition to a password, before they are given access. You should also consider enabling 2FA for any major admin action that directly impacts the configuration of your network.
#5 Consider a SOC-as-a-Service
And finally, you should consider a security operations center (SOC)-as-a-service, such as Arctic Wolf’s AWN CyberSOC™.
The core of the NIST cybersecurity framework consists of five concurrent and continuous functions: identify, protect, detect, respond and recover. The outdated approach to invest just in endpoint and perimeter defenses only addresses the “protect” function in the framework. This is a dangerous strategy, especially in light of Ponemon’s research showing that, in 2017, companies took an average of 214 days to detect data breaches and 77 days to contain and respond to them.
A SOC is necessary to continuously monitor data centers and servers, user login activity, SaaS applications, cloud workloads, managed laptops and other endpoints, and email systems. A SOC enables IT to correlate events across multiple, disparate systems and extract actionable intelligence that supports effective threat detection and response. Unfortunately, operating and staffing a fully operational SOC can become very expensive, further complicating the problem for small and medium-sized enterprises. This is where a SOC-as-a-service can help.
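The brute-force logins named under #2 and the login-activity monitoring described here come together in this added example, which is not code from the original post or from Arctic Wolf's service. It groups failed Windows logons (Security event ID 4625) by source address and flags any source that exceeds an assumed threshold inside a short window; the events are constructed sample data, and the commented Get-WinEvent block shows where the live events would come from.

```powershell
# Added example (not from the original post): flag sources generating many failed
# logons (Security event ID 4625), the pattern behind brute-force and stolen-credential
# compromises of Internet-facing servers. Threshold and window are assumed values.
function Find-BruteForceSources {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold = 10,
        [int]$WindowMinutes = 10
    )
    $Events | Group-Object IpAddress | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        $span   = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
        if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                IpAddress     = $_.Name
                Failures      = $_.Count
                DistinctUsers = ($sorted.TargetUserName | Sort-Object -Unique).Count
                Minutes       = [math]::Round($span, 1)
            }
        }
    }
}

# Live source (uncomment on a Windows host): pull the last hour of 4625 events and
# lift IpAddress and TargetUserName out of each event's XML payload.
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1) } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         [pscustomobject]@{
#             TimeCreated    = $_.TimeCreated
#             IpAddress      = ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
#             TargetUserName = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
#         }
#     }

# Constructed sample: 12 failures from one external address spraying four accounts
# within three minutes, plus two ordinary typos from an internal workstation.
$t0 = Get-Date '2018-06-01 02:00:00'
$sample = @()
foreach ($i in 0..11) {
    $sample += [pscustomobject]@{
        TimeCreated    = $t0.AddSeconds(15 * $i)
        IpAddress      = '203.0.113.45'      # documentation range, constructed
        TargetUserName = @('administrator', 'admin', 'backup', 'sql')[$i % 4]
    }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); IpAddress = '10.0.0.8'; TargetUserName = 'jdoe' }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(31); IpAddress = '10.0.0.8'; TargetUserName = 'jdoe' }

Find-BruteForceSources -Events $sample | Format-Table
```

Only 203.0.113.45 is reported (12 failures, 4 distinct users, 2.8 minutes); the two internal failures stay below the threshold. Correlating this output with the same source address in RDP, FTP or IIS logs from other hosts is the kind of cross-system work the SOC performs.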
Arctic Wolf’s AWN CyberSOC™ is a turnkey SOC-as-a-service that comes with 24×7 coverage by security experts, detailed processes and support for incident response, and our proprietary cloud-based SIEM technology, all at a predictable annual subscription. AWN CyberSOC™ extends and augments your existing team to ensure your business remains protected as attackers continue to evolve.