Warning of Increased Risk of Cyberattacks
The National Security Authority (hereinafter referred to as “the NSA”) warns of an increased risk of cybersecurity incidents caused by pro-Russian hacker groups against Slovak targets, and calls on operators of essential services, including elements of critical infrastructure, and other organisations to secure their networks and information systems. The warning is valid from 28 February to 2 March 2023. Layer 7 (application layer) DDoS attacks are expected, but other types of attack are not excluded.
The NSA issues this warning pursuant to Article 5(1)(r) of Act No. 69/2018 Coll. on Cybersecurity, on the basis of information obtained through its own activities and in cooperation with other state security authorities.
To protect against DDoS attacks, organisations are advised to immediately:
- maintain backup sites or redundant instances of your systems and services;
- publish static websites, ideally on external web hosting (a content management system installed on an internal network that is not reachable from the Internet generates the HTML files, images and style sheets, which are then copied to the hosting service);
- strictly separate sensitive data and critical production assets from public websites;
- consider using a DDoS protection service; some providers offer basic protection against layer 7 (application layer) DDoS attacks free of charge. The DDoS protection typically offered by an Internet service provider (ISP) addresses volumetric attacks at the lower layers and is generally not layer 7 protection. Check with your ISP whether it provides layer 7 protection and to what extent;
- implement security infrastructure capable of filtering attacker IP addresses in large volumes, with the following options:
- geofencing: limiting the countries from which incoming connections are accepted,
- firewall policy allowing only selected IP addresses,
- physical disconnection;
- deploy a web application firewall (WAF);
- serve web services through a CDN (Content Delivery Network).
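To make the layer 7 filtering items above concrete, the following Python script (an added example, not part of the NSA warning) detects clients whose request rate in a web-server access log exceeds a threshold within a sliding window and renders the nftables commands that would add them to a blocklist set. The log lines are constructed; the threshold, the window length and the set name `l7_block` (which must already be declared in the ruleset) are assumptions.

```python
"""Flag clients with an abnormal request rate in a web access log and render
nftables commands that add them to a blocklist set.

Added example, not part of the NSA warning. SAMPLE_LOG is constructed; the
threshold, window and the set name 'l7_block' are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/Combined Log Format, e.g.
# 203.0.113.5 - - [28/Feb/2023:10:00:00 +0000] "GET /search?q=0 HTTP/1.1" 200 8192
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

ATTACKER = "203.0.113.5"
# Constructed sample: one client fires 30 requests at a dynamic endpoint within
# five seconds, another fetches two static files, and one line is unparseable.
SAMPLE_LOG = [
    f'{ATTACKER} - - [28/Feb/2023:10:00:{i // 6:02d} +0000] '
    f'"GET /search?q={i} HTTP/1.1" 200 8192'
    for i in range(30)
] + [
    '198.51.100.7 - - [28/Feb/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Feb/2023:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 2048',
    'this line is not a valid access log entry',
]

def parse_line(line):
    """Return (ip, timestamp, path), or None when the line does not match the log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")

def find_abusive_ips(lines, max_requests=20, window_seconds=10):
    """Map each IP that exceeded max_requests within any window_seconds span to its peak count.

    Lines are expected in chronological order per client (the order a server writes
    them); the window is tracked per IP, so interleaving between clients does not matter.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _path = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged

def nft_blocklist_commands(flagged, table="inet filter", set_name="l7_block"):
    """Render one `nft add element` command per flagged IP.

    Assumes the ruleset already declares the set, e.g.
    `set l7_block { type ipv4_addr; flags timeout; }`, and a rule that drops
    traffic from it, e.g. `ip saddr @l7_block drop`.
    """
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = find_abusive_ips(SAMPLE_LOG)
    for ip, peak in hits.items():
        print(f"{ip}: peak of {peak} requests within 10 s")
    for cmd in nft_blocklist_commands(hits):
        print(cmd)
```

Two caveats a practitioner should keep in mind: at real DDoS volumes, tailing logs on the web server itself reacts too late, so the same per-client logic belongs in the WAF, CDN or upstream filter, ideally with a timeout on the set so blocks expire; and a per-IP threshold does nothing against volumetric or spoofed floods at layers 3 and 4, which is what the ISP-level protection mentioned above is for.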
Organisations are advised to follow the basic rules of protection in different areas of security:
Security of operation of services, systems and networks
- implement increased monitoring of networks and systems, focusing on non-standard and unexpected activity, remote network access and network traffic load. The NSA recommends that such monitoring operate on a 24/7 basis;
- regularly review and control the access of third parties (suppliers, managed service providers) and limit it to the necessary minimum;
- restrict remote access to your network and systems; where such access is unavoidable, monitor it, restrict remote users’ privileges, enforce multi-factor authentication and require a VPN;
- do not expose remote access services such as RDP, SSH, VNC or telnet directly to the Internet;
- disable all ports and protocols that are not necessary for the operation of your networks, systems and services;
- map all public services of your organisation exposed to the Internet and afterwards:
- completely shut down unnecessary and unused systems,
- update outdated systems,
- review accounts and password policies on systems accessible from the Internet,
- remove old accounts;
- secure your email systems with the available protection mechanisms (such as SPF and DKIM and anti-spam filtering). Configure your mail server so that malicious and suspicious emails do not reach users’ mailboxes;
- review the effectiveness of your backup management and update your backup procedures to follow the 3-2-1 rule (three copies of the data, on two different media, one of them off-site);
- check and update your access management, delete all old and unused accounts, and restrict the access of individual users according to the need-to-know principle;
- update the password policy so that it prohibits reusing the same password across services and enforces strong passwords or passphrases. Enforce this technically, not only as a process rule;
- implement and enforce multi-factor authentication, including for email and VPN services. The NSA recommends avoiding SMS-based authentication. Use authentication methods that are resistant to social engineering (e.g. physical hardware tokens);
- review the update policy for software and firmware and apply all updates, especially security patches, immediately. Perform vulnerability scanning with available tools to determine which systems are vulnerable;
- when using cloud services, make sure they meet security standards at least equivalent to those of your own systems (multi-factor authentication, access policy, VPN access, etc.). Cloud services must not be used as a repository for critical information assets (e.g. trade secrets, personal data, infrastructure plans, classified information);
- review and update cybersecurity incident management processes and make sure that employees know who to contact in case of a suspected incident;
- in the event of a cybersecurity incident detection:
- handle the incident immediately,
- when handling the incident, preserve all evidence that may be needed later (e.g. for criminal proceedings),
- report the incident to the National Cyber Security Centre SK-CERT and keep communicating with them during the incident handling;
- ensure the availability of key cybersecurity operations and governance personnel;
- verify that your business continuity management (BCM) and disaster recovery plans work. If a test fails or reveals a deficiency, update the plans so that operations can in practice be resumed in the shortest possible time.
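One way to carry out the inventory of Internet-facing services called for above (map exposed services, shut down unused ones, keep RDP, SSH, VNC and telnet off the Internet), as an added Python example that is not part of the NSA warning: it parses the output of `ss -ltnp` on a Linux host and reports listeners bound to non-loopback addresses, naming the remote-access services among them. The sample output is constructed, and the port-to-service table is an assumption (WinRM is included as an assumed addition of the same kind).

```python
"""Inventory listening TCP sockets from `ss -ltnp` output and flag remote-access
services bound to non-loopback addresses.

Added example, not part of the NSA warning. SAMPLE_SS_OUTPUT is constructed to
look like `ss -ltnp` output; the port-to-service table is an assumption.
"""
import re

# Remote-access services the warning says must not be reachable directly from the
# Internet, plus WinRM (5985/5986) as an assumed addition of the same kind.
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "telnet", 3389: "RDP", 5900: "VNC",
                       5985: "WinRM", 5986: "WinRM"}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]"}
PROCESS_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:5900      0.0.0.0:*         users:(("Xvnc",pid=2201,fd=9))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=1400,fd=6))
LISTEN 0      128    [::]:3389           [::]:*            users:(("xrdp",pid=3000,fd=11))
LISTEN 0      10     10.0.5.20:23        0.0.0.0:*         users:(("telnetd",pid=4100,fd=4))
LISTEN 0      128    [::1]:631           [::]:*            users:(("cupsd",pid=600,fd=7))
"""

def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"

def parse_ss(output):
    """Yield (address, port, process) for every LISTEN line; process is '?' when ss shows none."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header line or a socket in another state
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:3389" and "*:443"
        m = PROCESS_RE.search(line)
        yield addr, int(port), (m.group("name") if m else "?")

def audit_listeners(output):
    """Return listeners reachable beyond localhost, annotated with scope and service."""
    findings = []
    for addr, port, proc in parse_ss(output):
        if is_loopback(addr):
            continue
        findings.append({
            "port": port,
            "address": addr,
            "process": proc,
            "scope": "all interfaces" if addr in WILDCARD_ADDRS else f"interface {addr}",
            "remote_access": REMOTE_ACCESS_PORTS.get(port),   # None for other services
        })
    return findings

def exposed_remote_access(output):
    """Report lines for remote-access services that the perimeter must block or that should be removed."""
    return [
        f"{f['remote_access']} on {f['address']}:{f['port']} ({f['process']}, {f['scope']})"
        for f in audit_listeners(output)
        if f["remote_access"]
    ]

if __name__ == "__main__":
    for finding in exposed_remote_access(SAMPLE_SS_OUTPUT):
        print("EXPOSED:", finding)
```

A listener bound to a wildcard or LAN address is only reachable from the Internet if routing, NAT and the perimeter firewall allow it, so treat the output as a list of candidates and confirm it with a scan from outside your network; the host-side view is still useful because it catches services that were never meant to listen at all, which should be shut down rather than merely filtered.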
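The email item above names SPF and DKIM without showing what a usable record looks like; the following Python linter (an added example, not part of the NSA warning) checks an SPF TXT record for the mistakes that make it ineffective, and goes beyond the text by also checking a DMARC record, which builds on SPF and DKIM. The records are constructed; the checks follow RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Lint SPF and DMARC TXT records for the mistakes that make them ineffective.

Added example, not part of the NSA warning; it goes beyond the text by also
checking DMARC, which builds on SPF and DKIM. The records below are constructed.
"""
import re

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10

def lint_spf(record):
    """Return a list of findings for one SPF record; an empty list means nothing found.

    Only the terms of this record are counted: each include pulls in further
    lookups, so the true total needs the included records resolved as well.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"                      # the implicit qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is slow and unreliable; RFC 7208 says not to publish it")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: senders not listed get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as this domain; use -all (or ~all)")
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_SPF_LOOKUPS}; receivers return permerror")
    return findings

def lint_dmarc(record):
    """Return findings for a DMARC record (published at _dmarc.<domain>)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none only monitors; use p=quarantine or p=reject so spoofed mail is acted on")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be delivered to you")
    return findings

# Constructed records: a sound pair and a weak pair.
GOOD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_SPF = "v=spf1 a mx ptr +all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    for label, rec, lint in (("SPF", GOOD_SPF, lint_spf), ("SPF", WEAK_SPF, lint_spf),
                             ("DMARC", GOOD_DMARC, lint_dmarc), ("DMARC", WEAK_DMARC, lint_dmarc)):
        print(f"{label}: {rec}")
        for finding in lint(rec) or ["ok"]:
            print("  -", finding)
```

SPF and DKIM only tell a receiver whether a message is authentic; without a DMARC policy of quarantine or reject, most receivers still deliver mail that fails both checks, which is why the DMARC check is included alongside the SPF one.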
Security of users
- educate your employees about the risks of cybersecurity incidents and inform them about the increased risk of attacks. Tailor educational activities to the roles and responsibilities of individual employees:
- ordinary users – principles of social engineering and how to protect from it,
- administrators – secure infrastructure rules,
- cybersecurity specialists – specialised security education;
- repeat the training (depending on the role of each user) on a regular basis;
- conduct phishing tests and cybersecurity exercises (blue team vs. red team, tabletop) on a regular basis.