By Peter Wright, Managing Director, DigitalLaw UK

The WannaCry and Petya ransomware attacks illustrated the vulnerability of networks to ransomware in 2017. However, networks remain at the mercy of Distributed Denial of Service (DDoS) attacks as well, and the spectre of a third party gaining access to a system and acquiring full command and control of that network remains the worst nightmare of any organisation. How can organisations reduce this risk? The following ten areas should form the foundation of any network security plan:

Eliminate the risk from legacy systems

One of the factors that opened the door to Petya and WannaCry was old operating systems: obsolete versions of Windows (such as XP) that were no longer supported by Microsoft. Old versions of operating systems or internet browsers no longer receive the security updates they need from the manufacturer to remain safe for use. Ensure that all legacy IT systems inherited from past mergers or office acquisitions are assimilated and upgraded. The fact that an older system is a stable platform for a case management system or accounts package is not a viable reason to carry on using it.

Anti-malware

Ensure that anti-malware screening is in place. During a nuclear decommissioning exercise earlier this year, the contractors found that malware was present on a power station control panel and no one had known it was there. The malware was largely Android-based and probably came from someone connecting their mobile device to the control panel via a USB port.

Deactivate USB ports

To prevent the spread of malware, as well as the unauthorised use of unencrypted USB flash drives, consider deactivating all USB ports on desktop terminals and other hardware.

Firewalls

A firewall should deny traffic by default, accompanied by a whitelist that allows only specific protocols, ports and applications to exchange data across the firewall with the outside world.

WiFi security

WiFi networks should be secured and encrypted, with only known devices allowed to connect. Guests should never be given access to the main WiFi network; a separate guest network should be in place for that purpose.

Advanced threat protection

The types of threats are always changing and developing. A number of systems are now available that monitor both external traffic onto a network and the behaviour of internal users, often using artificial intelligence to identify unusual or suspicious patterns and flag them for further investigation or action.

Limit user profiles

In large organisations, individual network user accounts and profiles are usually created for each user. Users should only be given access to the parts of the network that they need in order to carry out their day-to-day roles and responsibilities. Be alive to the risk posed by staff who have spent time in multiple departments: over a period of time they may collect very broad access privileges that are not actually essential to their current role and responsibilities, but whose access rights have never been rescinded.
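As an added example (not code from the article or from DigitalLaw UK), the following script performs the kind of access review this section calls for: it compares each user's current group memberships against what their current role entitles them to and reports the excess for revocation. The role-to-group map, the user names and the membership export are constructed assumptions.

```python
"""Access-review check for privilege creep (illustrative example).
Assumes a simple role-to-groups entitlement model and a directory export of
current group memberships; all names below are constructed."""
from collections import defaultdict

# Assumed entitlement model: the groups each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"Finance-RO", "VPN-Users"},
    "hr-officer": {"HR-RW", "VPN-Users"},
    "litigation-pa": {"CaseMgmt-RW", "VPN-Users"},
}

# Constructed export: one line per membership, "user,current_role,group".
# alice moved from HR and litigation into finance; carol holds an admin group.
MEMBERSHIP_EXPORT = """\
alice,finance-analyst,Finance-RO
alice,finance-analyst,VPN-Users
alice,finance-analyst,HR-RW
alice,finance-analyst,CaseMgmt-RW
bob,hr-officer,HR-RW
bob,hr-officer,VPN-Users
carol,litigation-pa,CaseMgmt-RW
carol,litigation-pa,Domain-Admins
"""

def parse_export(text):
    """Return {user: (role, set_of_groups)} from the CSV-style export."""
    roles = {}
    groups = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        user, role, group = (f.strip() for f in line.split(","))
        roles[user] = role
        groups[user].add(group)
    return {u: (roles[u], groups[u]) for u in roles}

def find_excess_access(text, entitlements=ROLE_ENTITLEMENTS):
    """Return {user: sorted excess groups} for users holding groups their
    current role does not entitle them to. A role missing from the
    entitlement model is treated as entitled to nothing, so every group
    held by such a user is flagged for review."""
    findings = {}
    for user, (role, held) in parse_export(text).items():
        excess = held - entitlements.get(role, set())
        if excess:
            findings[user] = sorted(excess)
    return findings

if __name__ == "__main__":
    for user, groups in find_excess_access(MEMBERSHIP_EXPORT).items():
        print(f"{user}: review/revoke {', '.join(groups)}")
```

Run against a real directory export, the output is the list of memberships to recertify or revoke at each periodic access review.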

Lock down admin control

The administrator wields ultimate control over a network, so ensure that the administrator password is sufficiently complex and regularly changed, that all admin profiles are monitored for unusual activity, and that a single admin profile is never shared by multiple administrators.

Segregate crucial infrastructure

Ensure that the most crucial information is under the strongest security, be it HR data, a case management system or a finance package. Make sure that key infrastructure such as servers is kept in locked and secure environments with highly limited and regulated access.

External penetration test

Stay on top of new and evolving threats with a regular six-monthly penetration test of the system. Ensure that it can withstand a concerted DDoS, malware or phishing attack. Simply asking the internal IT function to carry this out is not enough; it has to be an external specialist skilled in the most up-to-date techniques and threats that your network could face. Make this test part of a regular ‘wargame’ simulation. How would your organisation cope with a major attack? Are management reporting lines clear and all necessary actions understood? The occasional test will never hurt.

It should be emphasised that these points are only a foundation and are not intended to be exhaustive. Every organisation should consider conducting a risk assessment of its network to identify where the real weak points lie, so that a compliance programme can be put in place to minimise risks and demonstrate regulatory compliance in the event of a cybersecurity breach.

DigitalLaw UK

Digital Media Centre, County Way, South Yorkshire S70 2JW
Telephone: 0114 294 5894
Email: peter.wright@digitallawuk.com
Web: www.digitallawuk.com
Twitter: @digitallawuk