The Blocky for Veeam ® - 5 Step Guide to a Safer Network
The frequency of cybersecurity incidents is constantly rising. Ransomware attacks, which prevent companies accessing their files and data unless a fee is paid, have tripled over the past 12 months. In addition, we are seeing a new trend emerge, where hackers threaten to leak sensitive information if money is not handed over. This presents the additional risk to companies of heavy fines if data breaches violate data privacy polices such as GDPR.
Like many things in life, it is sometimes easy to become complacent regarding the risks associated with certain events, unless we have become a victim first-hand or have witnessed the outcome as a close observer. Cybersecurity falls into this category.
While most companies and individuals feel they have done enough to prevent a cyber-attack by installing and maintaining a basic network firewall and anti-virus scanners; very few take the time to conduct a true risk assessment of their exposure to cybercrime.
Cybersecurity is a broad and complex topic. While we could never attempt to set out a comprehensive and fool-proof cybersecurity strategy in a short article, what we can offer are some very useful pointers that should go a long way to keeping any organization's vital data and operations safe from unwanted intrusions.
Step 1 Create a Security Policy & Disaster Recovery Plan
Like so many unwelcome situations the best course of avoidance is prevention, but in order to prevent something from happening we must first consider various ways to block the possible paths that lead to our feared outcome.
"By Failing to prepare, you are preparing to fail." - Benjamin Franklin
It is alarming how many organizations fail to create and maintain an adequate security policy, or set in place an incident response plan and disaster recovery procedure.
The increase in home working has placed many more endpoint devices needing access to corporate networks over remote connections which strengthens even further the need for a robust security policy.
For this reason, the UK National Cyber Security Centre (NCSC) have developed a Cyber Resilience Toolkit with support from the British Retail Consortium (BRC) to help the retail industry become more secure. This comprehensive guide can however provide and a solid resource for any company looking to establish or improve their cyber security policy. This guide is aimed at both strategic or Director level roles, who are not technical experts but whose role and responsibilities increasingly incorporate cyber security strategy or practice.
Having an incident response and recovery plan is also an essential step towards limiting the impact of a cyber-attack and restoring business operations after an event. Some of the questions this should answer include:
- Who should be contacted following a cyber-attack; government agencies, law enforcement bodies, external security contractors?
- If a ransomware demand is made, who within or outside the organization should be responsible for communication with the hackers; or should contact me made at all?
You may have seen the comical meme circulating on the internet showing a glass fronted IT equipment cabinet with the caption, "In the event of a cyber-attack, break glass and pull cables".
Although this suggests a very blasé and reactive approach, it has some merit whereby any organization should establish and test procedures for limiting further damage by securing vital data assets, and temporarily disabling access to parts of the corporate network.
Password management and best practice is another important element of any cyber-security policy. Many corporate systems rely on user generated passwords which places a burden on staff to both remember multiple passwords, and ensure they are not revealed to others. You may be surprised to hear that many common measures which were indented to improve user password complexity and are actually counterproductive.
These mechanisms place additional burden on staff, encourage password repetition across systems, place extra load on systems administrators when passwords are forgotten, and in some cases can mask the detection of a security breach. The following password policies should be avoided:
- Do not enforce password complexity requirements
- Do not enforce regular password expiry
Instead, the focus should be on providing guidance on password creation, such as adopting the 'three random words' technique which can help users to use suitably complex passphrases that they can actually remember. Ideally, technology should be used where possible to both reduce and help staff to cope with password overload.
The NCSC provide excellent guidance on password strategies that can help your organisation remain secure.
Step 2 Educate your team on Cyber Security
98% of cyber-attacks rely on Social Engineering. The easiest way for hackers to deliver a malware payload, or gain private information, is by duping a company employee to follow a malicious link, open an attachment, or give away sensitive information or data such as usernames, passwords or banking details.
The act of disguising oneself as a trustworthy entity in an electronic communication with malicious intent is covered by the umbrella term 'Phishing', which is reasonably well known. However, there are many forms of phishing which have labels such as 'Spear Phishing' and 'Whaling', which may be less well known to many employees. Training aimed at helping staff recognize the likely forms of phishing attacks is a very valuable exercise for any company to undertake. This can be just in text book form, but a more effective approach would be to run simulated phishing attacks performed either internally, or through an external company.
There are many phishing simulator tools available on the market to assist with phishing training. Infosec Resources is an excellent online cybersecurity awareness and training resource that offers the Infosec IQ Security Awareness Training & Anti-Phishing Simulator as well as a round-up article highlighting the current Top 9 Phishing Simulators.
Step 3 Always update OS security patches and malware definition files
Cyber-attacks seek out vulnerabilities that exist within any layer of the technology stack, this extends from the physical network infrastructure in the lower layers, right through to the business applications at the top. The role of any systems administrator in the context of cybersecurity is very much a constant race against the bad guys, where the hackers always have the upper hand.
The reason for this is that most traditional security tools such as firewalls, anti-malware and anti-virus scanners are based on an approach known as 'blacklisting', whereby lists of known vulnerabilities and malware codes need to be constantly kept up to date. Of course, these vulnerabilities have already been exploited by the time they appear on any blacklist, so this traditional approach is a very reactive one, which always leaves the door open to hackers in that period of time between malware detection, and definition file updates.
Most operating systems and blacklisting based security tools offer automated updating which should be enabled for maximum protection. However, many organizations with under resourced IT departments or limited budgets, such as the public sector, often possess outdated systems and security tools which provide any easy target for cybercrime.
Application Whitelisting is the proactive opposite to security tools that use blacklisting, and operates on the premise that no application code can gain access to a network resource unless it has prior authorization. Security tools based on whitelisting can provide a protective ring fence around vital network resources and ultimately form the basis for a 'Zero-trust' approach to IT security. Zero-trust is a paradigm shift in cyber security which is gaining higher focus due to the increased security risks being presented by the shift to remote working.
This useful article from TechBeacon outlines how whitelisting and blacklisting fit best into a security strategy and how they can operate effectively together.
Step 4 Close Security Gaps
Aside from the network vulnerabilities described in Step 3 which are usually the result of a software development oversight, the other most common entry point for cyber-attacks is when doors to networks have been left wide open.
With Microsoft Windows being is the most commonly installed OS, estimated at between 77 and 87.8% globally, it is unsurprisingly the most targeted platform. Remote Desktop Protocol (RDP) is a pre-installed Microsoft Windows application that makes it easy for your employees to connect to work or home computers remotely, and is used by millions. Because RDP is so widely used, it is a common target for man-in-the-middle cyber-attacks.
With the increased need for remote access as a result of COVID-19, there has been a significant increase in cyber-attacks, particularly on RDP servers.
Although RDP operates on an encrypted channel, there is a known vulnerability in the encryption method in earlier versions of RDP, making it a preferred gateway by hackers. Microsoft estimates nearly 1 million devices are currently vulnerable to RDP security risks. The company issued a legacy patch for its outdated platforms, including Windows XP, Windows Server 2008, Windows 2003, and Windows 2007. (RDP is known as Terminal Services on these legacy platforms). Windows 8, 10, and newer operating systems are not vulnerable in this way.
Following the increase in RDP use this year, Microsoft have issued Security Guidance for Remote Desktop Adoption.
To further secure remote access, mechanisms such as 2-factor authentication should be enabled where available to help verify the identity of individuals attempting to access the corporate network, or performing other tasks such as personal data updates or transaction requests.
Security experts recommend that companies perform a network vulnerability assessment a least once per quarter. This is not only a very beneficial task from a security standpoint, but it may also be a requirement in order to meet certain industry certifications.
Vulnerability Assessments identify and address any security exposures, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed. Scanning tools are used to scan all IP addresses on the network and to identify vulnerabilities such as out of date software and patches. Depending on scope, assessments can cover an organisations internal network, external boundary or both.
A vulnerability assessment report will show a detailed network map of all end points which can be referenced against the company's IT asset register. Any unofficially added devices to the network would then be identified. These rogue devices are seldom hardened or secured and therefore introduce unwanted risk to the network.
Step 5 Backup & Lockdown
Maintaining a backup schedule for vital operational and sensitive business data is an essential safeguard against cyber-attacks. Having the ability to restore systems from a backup taken from a known 'safe' point in time will improve and accelerate your chances of recovery following a cyber-attack, and hopefully mitigate the need to meet any ransomware demands.
Of course hackers know this, so the more sophisticated attacks go searching for backup files first in order to encrypt them before compromising the live production environment. Clearly malware codes can search directory structures looking for backup file extensions to encrypt, but most of the larger attacks are human driven.
Data volumes that store backup files must therefore be secured from any unauthorized access. Blocky for Veeam® uses application whitelisting technology as described to Step 3 to secure backup volumes from any modification other than by the list of system processes that have been pre-defined by the systems administrator. So in the case of Veeam®, the Veeam Backup & Replication application could be set as the only process capable of writing to a protected backup volume.
Blocky for Veeam® uses application fingerprinting techniques which make it practically impossible for a malware code to masquerade as an approved application and gain control of backup volumes.
Of course, early cyber-attack detection is essential to help determine the point in time where your backups are 'safe' and free from malware infection. You could have been sending infected data to backup for some time.
Application whitelisting should be considered for any vital data store and used in conjunction with traditional security tools as part of an overall strategy.
The 3-2-1 rule is a best practice guide for backups which suggests that three different copies of your production data should be taken, using two different types of storage media, one of which should be off-site. To further mitigate ransomware protection, Veeam® suggest adding another "1" to the rule whereby one of the media is offline1.
Examples of offline storage include tape, removable hard drives and cloud connected immutable storage. The offsite and offline techniques suggested within the 3-2-1 rule are certainly very effective but for some organisations the added complexity and costs could be beyond the resources available to them.
Hopefully the tips and trends outlined here have given you some new areas for consideration on your cyber security journey. For any questions please get in touch through our contact form, the Blocky team are always ready to help.