This past December, news broke about a highly sophisticated cyberattack, allegedly perpetrated by Russian hacker group APT29. The attack targeted the federal departments of State, Defense, Homeland Security and Commerce. The attack apparently penetrated agency networks through malware that was embedded in a software release from SolarWinds, which provides network management solutions.
But that’s not all.
Last month, security firm Malwarebytes reported that it had been targeted by the same attacker that compromised SolarWinds’ software, only this time the attacker gained access to company emails by exploiting flaws in Microsoft cloud services.
With new security threats continuously emerging, what can organizations do to harden their security and to better protect themselves from network intrusions and avoid damage? Here are nine suggestions:
1. Review your existing networks
Most companies have firewalls, intrusion/penetration detection, and defined user access controls and permissions -- or do they?
With the growth of citizen development and also the enablement of many distributed networks throughout the enterprise, IT may not have direct control over all of the enterprise’s IT assets. This can create security exposures.
To combat this situation, IT can install zero-trust networks along with asset detection and management software that can identify any new network, software or device that is installed throughout the company. The zero-trust network also manages user access controls and permissions, with immediate identification of any unauthorized user, activity or device that is on the network.
2. Develop a uniform practice of new software and software upgrade distribution
If the plan is to install a new software or security package, or to update software from a vendor across a plurality of devices, the coordination of the software or software upgrade release should be uniformly executed across all end users and locations, and across all devices and platforms.
Commercially available software distribution platforms are available to assist with this task.
The preferred method of performing software and security upgrades is a “push” distribution, in which IT automatically pushes the new software or software upgrade out to the end device, network or platform. This is in contrast to the “pull” method, which notifies the user that a new version of software is available but depends upon the user to pull or download the new release onto his or her device or network. “Push” is the better methodology because you don’t have to worry about users failing to perform a download, leaving themselves (and the company) open to security vulnerabilities that a new software release can resolve.
3. Meet with your vendor
The SolarWinds compromise occurred because malware had gotten embedded in a software release that clients were installing.
The lesson for IT is to vet your vendors’ security practices as they pertain to data centers, operational software, business partners and the end products that they are selling to you. One step you can take is to request a vendor’s most recent security audit of systems, methodology and software -- to see if the security practices at the vendor meet your own. Take time to carefully review the fine print in your contract with the vendor as well, specifically looking for liability coverages in the event that a vendor system is breached.
Finally, it’s important to vet the persons who will be assigned to your account, since human error or nefarious intentions contribute to many security compromises. What do you know about them? What can the vendor tell you about them?
4. Use IP identification as a regular part of your security monitoring
Maintaining a continuous log of IP (Internet Protocol) addresses and geographic locations that are accessing your networks can provide early warning signs of a potential security breach. These logs should be set up with alerts in real time. They should be monitored continuously for anomalies.
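As an added illustration of the monitoring described in item 4 (this is not code from the original article), the following Python example scans access records and raises alerts for a login from a country or network a user has not used before, and for a change of country within a short time window. The log format, the field names, the thresholds and the sample records are all assumptions constructed for the example, and the country field is assumed to have been added by an existing geolocation step.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, user, source IP, country code.
# Assumption: the log pipeline has already enriched each record with a country.
SAMPLE_LOG = """\
2021-02-01T08:02:11 alice 198.51.100.14 US
2021-02-01T08:05:40 bob 203.0.113.7 CA
2021-02-02T08:01:03 alice 198.51.100.77 US
2021-02-02T09:15:22 bob 203.0.113.9 CA
2021-02-03T08:03:45 alice 198.51.100.20 US
2021-02-03T08:40:10 alice 192.0.2.200 RO
2021-02-03T09:00:00 bob 198.51.100.5 CA
"""

def detect(log_text, learn=2, window=timedelta(hours=2)):
    """Return (timestamp, user, ip, reason) alerts for anomalous logins."""
    seen_countries = defaultdict(set)   # user -> countries seen so far
    seen_nets = defaultdict(set)        # user -> IPv4 /24 networks seen so far
    count = defaultdict(int)            # user -> number of records processed
    last = {}                           # user -> (timestamp, country) of last login
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, user, ip_s, country = line.split()
        ts = datetime.fromisoformat(ts_s)
        # Group IPv4 addresses by /24 so DHCP churn inside one network is not noisy.
        net = ipaddress.ip_network(f"{ip_s}/24", strict=False)
        if count[user] >= learn:        # the first `learn` records only build the baseline
            if country not in seen_countries[user]:
                alerts.append((ts_s, user, ip_s, "new_country"))
            elif net not in seen_nets[user]:
                alerts.append((ts_s, user, ip_s, "new_network"))
        # Two different countries inside `window` is suspicious even during learning.
        prev = last.get(user)
        if prev and prev[1] != country and ts - prev[0] <= window:
            alerts.append((ts_s, user, ip_s, "rapid_country_change"))
        seen_countries[user].add(country)
        seen_nets[user].add(net)
        count[user] += 1
        last[user] = (ts, country)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

In production the same rules would run against the live log stream and feed the alerting system, with the learning period and time window tuned to how the workforce actually travels and connects.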
5. Optimize your IT security auditor visits to the max
Whenever the IT security auditors come in, it seems there is a collective groan from IT because key contributors will be pulled off tasks to work with auditors and to answer questions.
In today’s volatile security environment, IT security audits should be performed at least annually -- with quarterly reviews for vulnerability and penetration exposures. Your auditor should also partner with you in reviewing outside audit results from your key IT vendors if you have questions.
As you’re budgeting for these auditor fees, you should also plan to ask your auditors for additional resources that they can offer free of charge. These auditors visit many other companies. They are in a position to observe security shortcomings as well as best practices. If you need to improve or develop a security area, your auditors can often offer you a free template for a policy that you need to tighten up, or guidance on how you can enhance your security processes from what they have learned elsewhere. Put it on your list to request these.
6. Check out your security setup in all IT environments
It’s not unusual for companies to have airtight security policies and procedures in place for production, but to be lax in software testing and staging environments.
Security should be uniform in all areas of IT, whether they are in production or test.
7. Lock down and turn off devices
This should be a “no-brainer” by now, but there are still many companies that leave IoT devices and desktop computers open during periods of non-work -- and even logged onto the Internet.
Devices that are not in use for a period of time should be “sensed” by network software and automatically turned off. If a device is misplaced or lost by an employee, the device should immediately be locked down.
8. Review your IT insurance liability policies
Just as you review your vendors’ contracts for security liability protections, you should review your own coverages to ensure that they address every security situation you are aware of. If they don’t, talk to your insurer or solicit new liability insurance bids. Finally, make it a point to keep the board of directors and upper management informed as to what your liability coverages are -- both for IT and for the business itself.
9. Train and retrain users
Regular refresher training in IT and corporate security should be in place for users and IT. If you have edge technology and are depending on end users without formal IT training to assume para-IT duties for edge networks and equipment, these individuals should be given full IT training on the security practices they are expected to execute and adhere to. They should also be given an IT security team member as a contact person and a resource.
By regularly training and retraining employees, and by posting security reminder messages in work areas, you can help employees stay informed and prepared.