Help protect your organization from attacks related to possible cyber-warfare. Ask your IT pros, in-house or outsourced, to take the following steps:
- If your network firewall supports blocking traffic by country (geo-IP filtering), block all connections from countries where you have no business need. You might need to allow specific addresses if one of your providers has a data center in another country. Treat this as a coarse first layer, not a guarantee: attackers routinely route through hosting providers and compromised machines inside the countries you allow.
- If you use Office 365, configure Conditional Access with country-based named locations so that sign-ins are accepted only from the countries where your users will be when they access Office 365. Conditional Access requires an Azure AD Premium P1 license (included in Microsoft 365 Business Premium and E3/E5), so you might need to upgrade your O365 license. Before you turn the policy on, exclude a break-glass admin account and run it in report-only mode to confirm you are not locking out travelling staff.
- Configure the firewalls in front of your websites and web applications to accept connections only from the countries where you do business. Before limiting countries, ask your web developers whether they rely on tools or services hosted in other countries (payment processors, CDNs, monitoring, third-party APIs). You'll need to allow those specific services' addresses; otherwise, your web application might malfunction.
- In case a user is fooled by a fraudulent email message, block access to websites in countries and categories that are not essential for business. When you configure web content filtering, you might be surprised to find that some of the sites you rely on must connect to other countries to work correctly. Your team can allow those specific sites without opening the entire country. Be careful not to overload your IT team with exception requests from this recommendation.
- If you haven't already, implement multi-factor authentication for your VPN, Microsoft Office 365, your privileged user accounts, social media accounts including LinkedIn, and anywhere else an attacker could inflict damage with a stolen password. Prefer an authenticator app or a hardware security key (FIDO2) over SMS codes, which can be intercepted or redirected through SIM swapping.
- Shut down any unnecessarily exposed ports on your firewall, including remote management. Remote Desktop (RDP) and SMB should never be reachable from the Internet; put them behind the VPN. If you must leave ports open, filter by source address so that only authorized static addresses can connect.
- Configure your spam filter to block email messages from all countries except for those from which you wish to receive messages.
- Implement SPF, DKIM, and DMARC so that receiving mail servers can reject messages that forge your domain or were tampered with in transit. Start DMARC at p=none to collect reports, then move to p=quarantine and finally p=reject once the reports show that every legitimate sender is listed. There are services that help IT departments accomplish this.
- Discuss Distributed Denial of Service (DDoS) attacks with your Internet provider and web hosting companies, and ask what protection they offer in case an attacker floods your network, your phone systems, or your websites with so much traffic that your systems shut down.
- Uninstall all the programs you do not use. If attackers compromise a software vendor and push malicious updates, as has happened in recent supply-chain attacks, you won't be affected by programs that are not installed.
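To make the SPF and DMARC advice concrete, here is an added example (written for this page, not code from the original post or from any vendor): a small offline Python checker that reads an SPF record and a DMARC record as they appear in DNS TXT and reports the weaknesses a receiving mail server would act on. All records, domains and addresses in it are constructed samples for example.com, not any real organization's records.

```python
# Added example (not from the original post): offline SPF and DMARC record checker.
# The records at the bottom are constructed samples for example.com.

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permerror
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, argument) tuples.

    Returns None when the record does not start with the v=spf1 version tag.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if not term:
            continue
        # mechanisms use name:value, modifiers use name=value; take whichever comes first
        eq, colon = term.find("="), term.find(":")
        sep = "=" if eq != -1 and (colon == -1 or eq < colon) else ":"
        name, _, arg = term.partition(sep)
        # "a/24" and "mx/24" carry a CIDR length without a colon
        name = name.split("/")[0].lower()
        parsed.append((qualifier, name, arg))
    return parsed


def check_spf(record):
    """Return a list of findings for one SPF record; an empty list means no concerns."""
    terms = parse_spf(record)
    if terms is None:
        return ["not an SPF record: must begin with v=spf1"]
    findings = []
    lookups = sum(1 for _, name, _ in terms if name in SPF_LOOKUP_TERMS)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(
            f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}; "
            "receivers return permerror and treat the record as invalid"
        )
    all_qualifiers = [q for q, name, _ in terms if name == "all"]
    if not all_qualifiers:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of fail")
    elif all_qualifiers[0] == "+":
        findings.append("'+all' authorizes every host on the Internet to send as this domain")
    elif all_qualifiers[0] == "?":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    elif all_qualifiers[0] == "~":
        findings.append("'~all' is softfail: move to '-all' once DMARC reports show all legitimate senders are listed")
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("'ptr' is deprecated (RFC 7208 section 5.5) and slow: replace with ip4, ip6 or include")
    return findings


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags.

    Returns None unless the first tag is v=DMARC1, as RFC 7489 requires.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        return None
    tags = {}
    for part in parts:
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for one DMARC record; an empty list means the policy enforces."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["not a DMARC record: must begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag: receivers ignore the whole record")
    elif policy == "none":
        findings.append("p=none only monitors: mail that fails SPF and DKIM is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: you will receive no aggregate reports showing who sends as your domain")
    return findings


# Constructed sample records. The weak pair is how many small-business domains look today.
WEAK_SPF = "v=spf1 a mx ptr include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
# Microsoft 365 tenants list include:spf.protection.outlook.com in place of the sample include.
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        print(f"[{label}] SPF:   {check_spf(spf) or ['ok']}")
        print(f"[{label}] DMARC: {check_dmarc(dmarc) or ['ok']}")
```

To check a live domain, paste the TXT records your DNS provider shows for `example.com` and `_dmarc.example.com` into the two constants; the checker deliberately does no DNS queries so that the logic can be read and tested on its own. It does not follow `include:` chains, so the lookup count is a lower bound for records that nest includes.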
All of these are in addition to the protections you should already have, including double-checking that all critical security updates from Microsoft and your browsers are installed on all of your systems, using anti-virus and Endpoint Detection and Response (EDR) tools, making sure no users are local administrators (so malware they launch cannot install itself system-wide), using application control, and the other recommendations in these blogs.
Alert your users to the heightened threat and tell them to be wary of fake news and disinformation. Remind them never to enter their usernames and passwords on a page they reached from a link in an unexpected message, no matter how convincing the site appears; they should type the address or use a bookmark instead. If they read something that seems scary and instructs them to do something urgently, they must pause before acting. They should ask the IT department if they have the slightest suspicion. If they spot something fraudulent, you might have them alert your other users so everyone knows the message is fake; they should remove the links (or send a screenshot instead) before they forward the message.
If you have an on-prem Exchange server, attackers will target it relentlessly. Immediately ensure the Exchange server is patched with all critical updates, including the Exchange-specific cumulative and security updates, not only Windows updates. Be sure your firewall blocks all traffic to it except from specific IP addresses: for example, accept port 25 only from your mail filtering service, and require the VPN for Outlook Web Access rather than exposing it to the Internet. Talk to your executives about fast-tracking your migration to Exchange Online (hosted Exchange) if migration is possible.
While the following won't prevent an attack, they will make sure you are prepared to recover:
- Confirm that the backups of your cloud data actually restore correctly, in case attackers delete your Office 365 or other cloud data. A cloud provider's recycle bin and retention settings are not a backup: an attacker with admin rights can purge them, and retention windows expire.
- After ransomware attacks, many organizations' executives are shocked at how long restoration takes. Be sure your whole disaster recovery process is fast enough to meet your recovery time objectives (RTOs). Decide which services need to be running soonest, and set recovery point objectives (RPOs) that state how much data loss (hours or days of work) each service can tolerate. Practice restoring, measure the time it takes to restore and recover, and keep at least one backup copy offline or immutable so that ransomware cannot encrypt it along with everything else.
Make contingency plans for what you’ll do if the power goes out for an extended time. Consider how you’ll respond if you’re unable to use your online banking. What is your plan if one of your vendors or SaaS providers shuts down for an extended period? Make contingency plans in case your Internet Service Provider goes down. What will you do if fuel becomes unavailable as it was to some regions after the Colonial Pipeline attack? What if your shipping companies cannot deliver packages to you or your customers? Should you take out enough cash to make payroll for your next pay cycle? Planning for these and other risks will allow you to have systems in place in the unlikely event they occur.
You can find additional guidance in CISA alert AA22-011A, "Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure": https://www.cisa.gov/uscert/ncas/alerts/aa22-011a