Warning of increased risk of cybersecurity attacks (21.06.2022)

The National Cyber Security Centre SK-CERT warns of an increased risk of cyberattacks, especially on the infrastructure of operators of essential services and critical infrastructure elements.

The ongoing war in Ukraine is characterised not only by Russia’s devastating physical attacks on Ukraine’s infrastructure and population, but also by continuous cyberattacks both on Ukraine’s infrastructure and on the infrastructure of EU and NATO Member States. Because the Slovak Republic is a member state of both the EU and NATO, the risk that attackers will target the Slovak Republic’s cyberspace in their activities increases. The National Cyber Security Centre therefore assesses the risk of cyberattacks on the infrastructure of operators of essential services and critical infrastructure elements as very high.

In order to reduce this risk, it is necessary for operators of essential services and critical infrastructure elements to immediately implement preventive security measures, at least to the following extent:

Operational security of services, systems and networks

  • Implement increased monitoring of networks and systems, focusing on non-standard and unexpected activity, remote network access and network traffic load. We recommend that such monitoring operate in 24/7 mode.
  • Monitor and control access by third parties (vendors, managed service providers) on a regular basis and limit such access to the minimum necessary.
  • Limit remote access to your network and systems. If such access is unavoidable, monitor it, limit remote user privileges, enforce multi-factor authentication and use a VPN for remote access.
  • Do not make remote access services such as RDP, SSH, VNC, telnet, etc. directly available on the Internet.
  • Disable all ports and protocols that are not necessary for the operation of networks, systems and services.
  • Map all public services of your organization exposed to the Internet and subsequently:
    • completely shut down unnecessary and unused systems,
    • upgrade obsolete systems,
    • review account and password policies on systems accessible from the Internet,
    • remove old accounts.
  • Prepare for DDoS attacks at the L3/L4 level as well as at the L7 level (the recommendations below are aimed specifically at protection against L7 attacks):
    • use a CDN (Content Delivery Network) to run web services,
    • have backup sites or redundancy for your systems and services,
    • publish static web pages to the Internet, ideally at an external hosting company (the content management system, installed on an internal network inaccessible from the Internet, generates the HTML files, images and stylesheets, which are then transferred to the hosting service),
    • strictly separate sensitive data and operationally critical assets from public websites,
    • consider using a DDoS protection service; some services even provide basic protection against L7 DDoS attacks for free. Typical DDoS protection from an ISP is generally not L7 protection, so check with your ISP whether they provide such protection and to what extent,
    • implement a security infrastructure capable of filtering attacker IP addresses in bulk,
    • implement a WAF.
  • Secure your email systems using a combination of security methods (e.g. SPF and DKIM, anti-spam filters). Configure your mail server so that malicious and suspicious emails do not reach users’ mailboxes.
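As an added illustration of the remote-access monitoring recommended above (this is example code, not part of the SK-CERT advisory), the script below parses OpenSSH authentication log lines and raises alerts for repeated failed logins from one source, successful logins from sources outside an approved list, password-only logins, and logins outside business hours. The log lines are constructed samples using documentation IP ranges; the approved-source list, the failure threshold and the business-hours window are assumptions that a real deployment would replace with its own access register and policy.

```python
"""Flag suspicious remote-access activity in OpenSSH authentication log lines.

Added example for the monitoring recommendations above (not SK-CERT code).
The log lines are constructed samples in the usual syslog/sshd format and use
documentation IP ranges; the approved-source list, the failure threshold and
the business-hours window are assumptions a real deployment would replace with
its own access register and policy.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic); syslog timestamps carry no year.
SAMPLE_LOG = """\
Jun 21 02:14:01 gw sshd[4101]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jun 21 02:14:03 gw sshd[4101]: Failed password for root from 203.0.113.9 port 40123 ssh2
Jun 21 02:14:05 gw sshd[4101]: Failed password for admin from 203.0.113.9 port 40124 ssh2
Jun 21 02:14:07 gw sshd[4101]: Failed password for invalid user test from 203.0.113.9 port 40125 ssh2
Jun 21 02:14:09 gw sshd[4101]: Failed password for admin from 203.0.113.9 port 40126 ssh2
Jun 21 02:14:11 gw sshd[4101]: Failed password for admin from 203.0.113.9 port 40127 ssh2
Jun 21 02:20:31 gw sshd[4188]: Accepted publickey for ops from 198.51.100.7 port 51002 ssh2: ED25519 SHA256:abc
Jun 21 09:02:44 gw sshd[4302]: Accepted password for vendor1 from 192.0.2.55 port 50111 ssh2
Jun 21 09:05:12 gw sshd[4310]: Failed password for ops from 198.51.100.7 port 51003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

ALLOWED_SOURCES = {"198.51.100.7"}   # assumed approved admin/VPN egress addresses
FAILED_THRESHOLD = 5                 # failed logins per source ...
WINDOW_SECONDS = 60                  # ... within this sliding window
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 local time (assumed policy)


def parse_line(line, year=2022):
    """Return a dict for an sshd login-attempt line, or None for other lines.
    The year is an assumption because syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(log_text, allowed=ALLOWED_SOURCES):
    """Return (kind, source_ip, detail) alerts in time order."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts, failures, reported = [], defaultdict(list), set()
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            window = failures[ip]
            window.append(e["ts"])
            # drop failures that have fallen out of the sliding window
            while (window[-1] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.pop(0)
            if len(window) >= FAILED_THRESHOLD and ip not in reported:
                reported.add(ip)   # one alert per source, not one per extra failure
                alerts.append(("BRUTE_FORCE", ip,
                               f"{len(window)} failed logins within {WINDOW_SECONDS}s"))
            continue
        # successful login: check source, authentication method and time of day
        if ip not in allowed:
            alerts.append(("UNAPPROVED_SOURCE", ip,
                           f"accepted {e['method']} login for {e['user']}"))
        if e["method"] == "password":
            alerts.append(("PASSWORD_LOGIN", ip,
                           f"password login for {e['user']} (no key or MFA)"))
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS", ip, f"login for {e['user']} at {e['ts']:%H:%M}"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"{kind:18} {ip:15} {detail}")
```

On the sample log the script reports one brute-force burst, one off-hours key login from an approved source, and a password login from a source that is not on the approved list. In production the same checks would run continuously against the syslog stream rather than over a file, and the approved-source list would be maintained together with the third-party access register mentioned above.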
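As an added example for the email hardening point above (example code, not part of the SK-CERT advisory), the following script parses an SPF TXT record, reports the weaknesses most often seen in rushed deployments (a permissive `+all`, the deprecated `ptr` mechanism, more than the ten DNS lookups RFC 7208 allows, mechanisms listed after `all`), and evaluates a sender address against the parts of the record that can be decided without DNS. The two records are constructed for an imaginary domain with documentation IP ranges; a real check would first fetch the domain's TXT record.

```python
"""Check an SPF TXT record for common weaknesses and evaluate it offline.

Added example for the email hardening recommendation above (not SK-CERT code).
Records are passed in as strings so the check runs without DNS; a real check
would first fetch the domain's TXT record. The two records below are
constructed for an imaginary domain and use documentation IP ranges.
"""
import ipaddress
import re

# Mechanisms whose evaluation costs a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER_RE = re.compile(r"[a-z][a-z0-9_.-]*=", re.I)   # redirect=..., exp=...

# Constructed records: a weak one and its hardened counterpart.
WEAK_SPF = "v=spf1 a mx ptr include:_spf.example.net +all"
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 include:_spf.example.net -all"


def parse_spf(record):
    """Split a record into (qualifier, mechanism, value) tuples plus a dict of
    modifiers such as redirect= and exp=."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if MODIFIER_RE.match(term):
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                       # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/", 1)[0].lower()  # "a/24" -> "a"
        mechanisms.append((qualifier, name, value))
    return mechanisms, modifiers


def check_spf(record):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    mechanisms, modifiers = parse_spf(record)
    findings = []
    lookups = sum(1 for _, name, _ in mechanisms if name in LOOKUP_MECHANISMS)
    lookups += 1 if "redirect" in modifiers else 0
    if lookups > 10:
        findings.append(f"too many DNS lookups ({lookups} > 10): receivers return permerror")
    if any(name == "ptr" for _, name, _ in mechanisms):
        findings.append("ptr mechanism is deprecated, slow and unreliable")
    terminal = next(((q, i) for i, (q, n, _) in enumerate(mechanisms) if n == "all"), None)
    if terminal is None:
        if "redirect" not in modifiers:
            findings.append("no 'all' mechanism: unlisted senders get neutral instead of fail")
    else:
        qualifier, index = terminal
        if qualifier == "+":
            findings.append("'+all' lets any host on the Internet send as this domain")
        elif qualifier == "?":
            findings.append("'?all' gives no protection; use -all or ~all")
        if index != len(mechanisms) - 1:
            findings.append("mechanisms listed after 'all' are never evaluated")
    return findings


def evaluate_offline(record, sender_ip):
    """Evaluate only the mechanisms decidable without DNS (ip4, ip6, all).
    Lookup mechanisms are skipped, so the result is an approximation that is
    still useful for testing a record before publishing it."""
    ip = ipaddress.ip_address(sender_ip)
    mechanisms, _ = parse_spf(record)
    for qualifier, name, value in mechanisms:
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_SPF), ("strict", STRICT_SPF)):
        print(label, rec)
        for finding in check_spf(rec):
            print("  -", finding)
        print("  unlisted host 203.0.113.77 ->", evaluate_offline(rec, "203.0.113.77"))
```

The weak record passes any sender because of `+all`, which is why the hardened record lists the legitimate sending ranges explicitly and ends with `-all`. SPF alone does not authenticate the message content; DKIM signing, as the advisory also recommends, is the complementary control.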

Security management

  • Review the effectiveness of your backup management and update your backup procedures using the 3-2-1 rule.
  • Review and update your access management, delete all old and unused accounts and restrict access to individual users using the “need to know” rule.
  • Update the password policy to prohibit the use of the same password for different services and to enforce the use of strong passwords or passphrases. This measure needs to be implemented not only procedurally but also technically.
  • Implement and enforce multi-factor authentication, including for email services and VPN services. We recommend avoiding SMS authentication. Use authentication methods that are resistant to social engineering (e.g. physical tokens).
  • Review the software and firmware update policy and update all systems and services immediately, especially with security patches. Perform vulnerability scans with available tools to determine the extent of vulnerable systems.
  • When using cloud services, make sure they meet security standards at least equivalent to those of your own systems (multi-factor authentication, access policy, VPN access, etc.). Cloud services cannot be used as a repository for critical information assets (e.g. trade secrets, personal data, infrastructure plans, classified information).

Incident management

  • Review and update cybersecurity incident management processes and ensure that staff know who to contact in the event of a suspected incident.
  • When a cybersecurity incident is detected:
    • address the incident immediately,
    • when dealing with the incident, secure all necessary evidence for further purposes (e.g. criminal proceedings),
    • report the incident to the National Cyber Security Centre SK-CERT and communicate with SK-CERT in dealing with the incident.
  • Ensure the availability of key personnel in the field of cybersecurity operations and management.
  • Ensure that your BCM and disaster recovery plans are operational. In the event of any negative finding or failed test, update these plans so that operations can, in practice, be restored as soon as possible.

User security

  • Educate your employees about the risks of cybersecurity incidents and inform them of the increased risk of attacks. Target training activities to the roles and responsibilities of individual employees:
    • ordinary users: the principles of social engineering and how to defend against it,
    • administrators: secure infrastructure rules,
    • cybersecurity specialists: specialised security training.
  • Repeat the training (depending on the role of each user) on a regular basis.
  • Conduct phishing tests and cybersecurity exercises (blue vs. red team, tabletop) on a regular basis.

Final tips

Many of the recommendations can be implemented on your own, using either existing commercial products or open-source software available for free. NCKB SK-CERT does not make recommendations on specific vendors or technologies. However, for inspiration, we list the following options that are good to know about:

  • The most popular content management systems have plug-ins readily available to export a static page.
  • Free tools for monitoring network traffic include the IDS/IPS Suricata or Snort with community rules.
  • The most popular open-source WAFs include the ModSecurity project.
  • There are online DDoS protection services that provide a basic level of protection for free.
