As I wrote yesterday, the joint analysis report from the U.S. department of Homeland Security and FBI on the alleged Russian hacking of the Democratic Party now points the finger at two threat groups for being behind the incidents and their common strategies, but also a lot of useful advice for CISOs and security administrators for defending systems against all kinds of cyber intrusions from any attacker.
Two sections stood out which leaders of Canadian organizations responsible for cyber-security should heed:
Because both of the groups named (dubbed APT 28 and APT 29) used spear phishing to gain initial footholds into the party, the report urges infosec pros and management to do the following:
• Implement a Sender Policy Framework (SPF) record for your organization’s Domain Name System (DNS) zone file, which is an email-validation system that detects email spoofing, to minimize risks of receiving spoofed messages;
• Educate users to be suspicious of unsolicited phone calls, social media interactions, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company;
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information;
• Do not reveal personal or financial information in social media or email, and do not respond to solicitations for this information. This includes following links sent in email;
• Staff should be trained to pay attention to the URL of a website in messages. Malicious websites may look identical to a legitimate site, but the URL often includes a variation in spelling or a different domain than the valid website (e.g., .com vs. .net);
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group ;
• Take advantage of anti-phishing features offered by your email client and web browser;
• Patch all systems for critical vulnerabilities, prioritizing timely patching of software that processes Internet data, such as web browsers, browser plugins, and document readers.
Top seven mitigation strategies
Homeland Security also encourages network administrators to do the following, which it says can prevent as many as 85 per cent of targeted cyber-attacks.
1. Patch applications and operating systems – Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites;
2. Application whitelisting – Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others, including malicious software;
3. Restrict administrative privileges – Threat actors are increasingly focused on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Reduce privileges to only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to other tiers;
4. Network Segmentation and Segregation into Security Zones – Segment networks into logical enclaves and restrict host-to-host communications paths. This helps protect sensitive information and critical services and limits damage from network perimeter breaches;
5. Input validation – Input validation is a method of sanitizing untrusted user input provided by users of a web application, and may prevent many types of web application security flaws, such as SQLi, XSS, and command injection;
6. File Reputation – Tune Anti-Virus file reputation systems to the most aggressive setting possible; some products can limit execution to only the highest reputation files, stopping a wide range of untrustworthy code from gaining control;
7. Understand firewalls – When anyone or anything can access your network at any time, your network is more susceptible to being attacked. Firewalls can be configured to block data from certain locations (IP whitelisting) or applications while allowing relevant and necessary data through.
The report also has advice on protecting corporate Web sites from attack and on access control.
Finally, it urges managers to commit to cyber security best practices, including having data backups, performing a risk analysis, having an incident response plan, having a business continuity plan, training staff to be security aware, patching systems, having an application whitelisting process and regularly doing penetration testing.