By Peter Wright, Managing Director, DigitalLaw UK
The Wannacry and Petya Ransomware attacks have illustrated the vulnerability of networks to Ransomware in 2017. However, networks remain at the mercy of Distributed Denial of Service (DDOS) attacks as well, and the spectre of a third party gaining access to a system and acquiring full command and control of that network remains the worst nightmare of any organisation. How can organisations try to reduce this risk? The following ten areas should form the foundation of any network security plan:
Eliminate the risk from legacy systems
One of the factors opening the door to Petya and Wannacry was old operating systems using obsolete versions of Windows (such as XP) that were no longer supported by Microsoft. Old versions of operating systems or internet browsers no longer receive the security updates that they need from the manufacturer to remain safe for use. Ensure all old legacy IT systems from past mergers or office acquisitions are assimilated and upgraded. The fact that an older system is a stable platform for a case management system or accounts package is not a viable reason to carry on using it.
Anti–Malware
Ensure that anti-Malware screening is in place. During a nuclear decommissioning exercise earlier this year the contractors found Malware present on a power station control panel, and no one had known it was there. The Malware was largely Android-based and probably came from someone connecting their mobile device to the control panel via a USB port.
Deactivate USB ports
To prevent the spread of Malware as well as the unauthorised use of unencrypted USB flash drives, consider deactivating all USB ports on desktop terminals and other hardware.
Firewalls
A firewall should deny traffic from the network by default, accompanied by a whitelist that allows only specified protocols, ports and applications to exchange data across the firewall with the outside world.
WiFi security
WiFi networks should be secure and encrypted, with only known devices allowed to connect. Guests should never be given access to the main WiFi network; a separate guest network should be in place for this purpose.
Advanced threat protection
The types of threats are always changing and developing. A number of systems are now available that monitor both inbound traffic to a network and the behaviour of internal users, often using artificial intelligence to identify unusual or suspicious patterns and flag them for further investigation or action.
Limit user profiles
In large organisations, individual network user accounts and profiles are often created for each user. Users should only be given access to the parts of the network that they need in order to carry out their day-to-day roles and responsibilities. Be alive to the risk posed by staff who spend time in multiple departments: over time they may collect very broad access privileges that are not essential to their current role, but whose access rights have never been rescinded.
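The accumulated-privilege problem described above can be caught with a periodic access review that compares what each account actually holds against what its current role needs. The following is an added example, not code from the original article or from DigitalLaw UK; the role baseline, the directory export and the group names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed baseline: the groups each current role legitimately needs.
ROLE_BASELINE = {
    "finance": {"finance-ledger", "email", "intranet"},
    "hr": {"hr-records", "email", "intranet"},
    "litigation": {"case-mgmt", "email", "intranet"},
}

# Constructed directory export: each account's current role and every group it holds.
# bjones moved through HR and finance before litigation and kept the old groups;
# dlee's role has no baseline at all, so nothing can be assumed to be legitimate.
ACCOUNTS = [
    {"user": "asmith", "role": "finance", "groups": {"finance-ledger", "email", "intranet"}},
    {"user": "bjones", "role": "litigation",
     "groups": {"case-mgmt", "email", "intranet", "hr-records", "finance-ledger"}},
    {"user": "cpatel", "role": "hr", "groups": {"hr-records", "email", "intranet", "case-mgmt"}},
    {"user": "dlee", "role": "temp", "groups": {"email", "case-mgmt"}},
]


def excess_groups(account, baseline=ROLE_BASELINE):
    """Groups the account holds beyond its role's baseline.

    A role missing from the baseline is treated as needing nothing, so every
    group on such an account is flagged for review rather than silently accepted.
    """
    needed = baseline.get(account["role"], set())
    return sorted(account["groups"] - needed)


def privilege_creep_report(accounts, baseline=ROLE_BASELINE):
    """Map each user with surplus access to the groups that should be rescinded or justified."""
    report = {}
    for account in accounts:
        excess = excess_groups(account, baseline)
        if excess:
            report[account["user"]] = excess
    return report


def group_exposure(accounts, baseline=ROLE_BASELINE):
    """Per group, how many accounts hold it without their current role requiring it."""
    counts = defaultdict(int)
    for account in accounts:
        for group in excess_groups(account, baseline):
            counts[group] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, groups in privilege_creep_report(ACCOUNTS).items():
        print(f"{user}: review {', '.join(groups)}")
    print("exposure by group:", group_exposure(ACCOUNTS))
```

Running the review against a real directory export means replacing the constructed ACCOUNTS list with group memberships pulled from the directory and the ROLE_BASELINE with the organisation's agreed role definitions.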
Lock down admin control
The administrator wields ultimate control over a network, so ensure that administrator passwords are sufficiently complex and regularly changed, that all admin profiles are monitored for unusual activity, and that one admin profile is not shared by multiple administrators.
Segregate crucial infrastructure
Ensure that the most crucial information is under the strongest security, be it HR data, a case management system or a finance package. Make sure that key infrastructure such as servers is kept in locked and secure environments with highly limited and regulated access.
External penetration test
Stay on top of new and evolving threats with a regular six-monthly penetration test of the system. Ensure that it can withstand a concerted DDOS, Malware or Phishing attack. Just asking the internal IT function to carry this out is not enough; it has to be an external specialist skilled in the most up-to-date techniques and threats that your network could face. Make this test part of a regular ‘wargame’ simulation. How would your organisation cope with a major attack? Are management reporting lines clear and all necessary actions understood? The occasional test will never hurt.
It should be emphasised that these points are only a foundation and are not intended to be exhaustive. Every organisation should consider conducting a risk assessment of its network to identify where the real weak points lie, so that a compliance programme can be put into action to minimise risks and demonstrate regulatory compliance in the event of a cybersecurity breach.
Digital Media Centre, County Way, South Yorkshire S70 2JW
Telephone: 0114 294 5894
Email: peter.wright@digitallawuk.com
Web: www.digitallawuk.com
Twitter: @digitallawuk