By: Tom Skoog, Cybersecurity and Data Management Practice Leader

As the conflict between Russia and Ukraine continues, the Biden Administration issued a statement mandating the federal government strengthen its cybersecurity positions and encouraged the private sector to take similar actions. This is in reaction to an expected significant increase in cyberattacks (ransomware, data thefts, etc.) by Russian-based cybercriminals operating with impunity inside of Russia.

Blue & Co is in complete agreement with the administration’s recommendations. Below, we have provided additional thoughts related to each of the administration’s recommendations and the level of effort companies should consider, based on the risk of a shutdown or data breach to your operations.

The administration’s recommendations and our thoughts on each include the following:

Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;

Blue’s Position:

Minimally – – Require all users to use multi-factor authentication to authenticate to your network when remote, and to authenticate to web-based applications (e.g., Office 365).

Ideally – – System admin accounts should be required to use two-factor authentication for ALL access with the admin IDs. Finally, all users should use two-factor authentication for ALL access to all systems, including workstations.

Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;

Blue’s Position:

Minimally – Ensure your firewall is configured to filter unwanted traffic including blocking traffic from certain countries you do not do business with. Install anti-virus software that is continually updated on all workstations, servers, laptops, etc.

Ideally – Email traffic monitoring/filtering, next-generation anti-virus/anti-malware (behavioral) tools, threat detection tools on endpoints (workstations, servers), and third-party monitoring services (24 x 7 x 365) to detect and respond/terminate potential attacks.

Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;

Blue’s Position:

Minimally

• • Patching – Apply workstation patches weekly and server patches monthly. Utilize technology to automate the application of patches and do not allow users to ignore patches. Ensure you are staying aware of non-Microsoft patches (application software, Apache utilities, Adobe, etc.).
  • Passwords – Passwords should be a minimum of eight (8)characters, require complexity/diversity (upper/lower case, numbers, special characters), change every 60-90 days, suspend after 3-5 unsuccessful log-ons.

Ideally

• • Patching – Apply patches within 48-72 hours of receipt from your software vendors or your awareness of the patch existence (workstations and servers).
  • Passwords – Replace passwords with passphrases that are 15+ characters long coupled with two-factor authentication for ALL log-ons. With this password strength, it is recommended by both Microsoft and NIST to stop requiring employees to change passwords.

Back up your data and ensure you have offline backups beyond the reach of malicious actors;

Blue’s Position:

Minimally – Back up your data nightly and ensure one copy of the backup is immutable (cannot be changed) and air-gapped (cannot be accessed from the production network). This can either be to physical media (write once/read many disks/tapes) or logically.

Ideally – Back up your data several times throughout the day (e.g., every 2 – 4 hours). This will limit the amount of data lost in an attack and reduce the time to recover, in the event of an attack.

Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack and as part of this plan, you should engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.

Blue’s Position:

Our experience is very few of our clients have taken the time to create a well-thought-out incident response plan. There are several decisions that need to be made immediately after a cyberattack has been initiated:

• • Are you going to pay the ransom or are you going to try and recover from your backups?
  • How long will it take to recover from your backups if all systems have been infected/locked? Have the systems been prioritized for recovery?
  • If you elect to pay the ransom (which will be paid in a cryptocurrency), do you know how to obtain the necessary cryptocurrency?
  • The list of “what if” questions are extensive.

Testing your plan will identify those questions that you did not consider in your plan.

Encrypt your data so it cannot be used if it is stolen;

Blue’s Position:

Minimally – This is easily accomplished in a Microsoft environment. Windows 10 and Windows Server ships with a utility known as BitLocker which, when enabled, will encrypt the hard drives of your PC’s and servers. Also, provide your employees with a secure email option that encrypts emails considered confidential.

Ideally – Ensure you have encrypted all data within your environment when it is “in transit” and “at rest”. This includes not only your hard drives, but your network connections, email, databases, and backups.

Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly;

Blue’s Position:

Minimally – Conduct annual formal training sessions with all employees and emphasize the training with periodic awareness messages from company leadership

Ideally – Subscribe to an online training service or engage a third party who has online content available. Provide frequent training videos to employees and consider testing or quizzing your employees quarterly/annually. Finally, test the effectiveness of your training by launching internal phishing email campaigns to determine those employees requiring additional training or who require certain cyber restrictions to be placed on their accounts.

In addition to these recommendations, we would also recommend you take the following precautions to reduce the risk of attack:

• Limit administrative access on any system (PC, server, application) to only IT personnel. Those with administrative IDs should be required to utilize two-factor authentication for ALL log-ons. Do not allow your normal users to have administrative access to their workstations.
• Ensure your technology is up to date. After a certain point, a vendor stops supporting a version of their software, and security patches will no longer be supplied by the vendor, even if technical vulnerabilities are identified in that software.
• Do not allow home PCs to connect to your data network unless you can verify the PC has the appropriate encryption, anti-virus software, and any other security controls you have installed on your business-supplied machines.
• Limit the use of common file storage solutions (e.g., Dropbox, Box, Google Drive, Evernote, etc.) unless these environments are managed by your IT organization, and they have ensured the appropriate security mechanisms have been implemented.
• Purchase cyber insurance coverage to cover the costs of downtime, ransom payments (if paid), etc. Your carrier will require that many of these recommendations have been implemented to cover your business

Blue is ready to assist you with any of these recommendations or to provide you with an independent assessment of the strength of your cyber controls and associated business risks.

Please reach out to your Blue advisor, or to our Cybersecurity and Data Management Practice Leader, Tom Skoog at tskoog@blueandco.com or 614-220-4131.