News sponsored by the Samsung Galaxy S22 series:

By Caryn Vos, Senior Manager Crypto, Altron Systems Integration Security (Cybertech) and Mira Andric, Practice Leader, Altron Systems Integration Security (Cybertech)

Although the military is usually at the forefront of technology, cyber warfare is still a relatively new phenomenon that impacts business and civilian populations across the world. Russia’s invasion of Ukraine has brought this phenomenon into the spotlight and has escalated the risks local organisations face.

Although South Africa is not a direct target of state-sponsored cyber warfare, there are no borders in technology. Tools, processes, and systems span the globe. There is also the risk that cybercriminals unaffiliated with either Russia or Ukraine launch an opportunistic strike while attention is focused on geopolitics.

We recommend that organisations stay on high alert until the situation is resolved so that cyber-attacks are immediately detected, and appropriate defensive action can be taken. This is especially important if you are using tools and technology of Russian origin, as a failure in these systems could result in downtime affecting local operations.

The most likely targets for cyberattacks include Ukrainian government institutions, defence and military institutions including associated manufacturers, telecom companies, European media for propaganda purposes, and European and US companies invested in Ukraine. Governments allied with either party or who are imposing sanctions may also find themselves under attack.

At this stage, South Africa is not directly in the line of fire, but organisations may be impacted as a result of attacks on business partners, vendors, suppliers, or customers. As a member of the BRICS group of countries (Brazil, Russia, India, China and South Africa) South Africa may be indirectly affected, highlighting the need for vigilance. Consider replacing Russian cybersecurity solutions as they may not be able to maintain required security levels in the future.

Our vulnerability management team believes the most likely form of attack currently is a distributed denial of service (DDoS) attack, followed by phishing. Attackers may also exploit vulnerabilities, attack the supply chain, or carry out a zero-day attack, where previously unknown weaknesses are exploited. In a DDoS attack, multiple external systems are co-opted into flooding a single endpoint with so much network traffic that all available bandwidth and resources are consumed.

Ten Things To Do:

Threats may take the form of a completed compromise, malware, ransomware or wiperware infection, data leak, DDoS, misinformation or disinformation campaign, an imminent threat, or a vulnerability that needs to be patched. Your response capability must be able to deal with any of the diverse situations listed above.

General defense-in-depth best practices for mitigating contemporary ransomware threats can be used to defend against a non-specific nation-grade attack. These include:

1.     Identify and patch any internet-facing technologies, including remote access, secure remote access, and other security technologies such as firewalls.

2.     Implement MFA on any internet-facing authentication interface.

3.     Frequently back up business-critical assets complemented with offline backups. Test back up integrity regularly.

4.     Check endpoint protection and anti-malware. Test solutions and identify any blind spots.

5.     To protect against DDoS, aim to protect networks and services exposed to the Internet from sustained large-scale network flooding that could cut the targeted network and services off from the internet.

6.     Configure firewalls and other perimeter equipment to allow only the minimum of outbound traffic to the internet, especially from the DMZ and any internet-facing or critical systems. Monitor outbound traffic closely for anomalies.

7.     Monitor network for malicious activity and involve incident response teams so that you know what is needed for forensic investigations.

8.     Undertake continuous vulnerability management. Prioritise patches based on whether vulnerabilities have known working exploits. This applies to infrastructure as well as end-user software or devices. Internet-facing services with known vulnerabilities must be patched.

9.     Segment your network to identify trust boundaries and implement tight controls for services and users that want to cross into those zones. The least privileged concepts can also apply here.

10.  Limit services to run with only the necessary privileges to perform their functions. Ensure staff only have access to what they need to perform their tasks.

11.  Practice general threat hunting. In-house teams should schedule a time to identify scenarios for threats applicable to your organisation.