Businesses have been advised to be more “aggressive” with their approach to restricting network access to devices in the wake of the cyber war between Ukraine and Russia.
Governments have published numerous advisories warning businesses of the increased risk of spillover cyber attacks from the ongoing cyber war. Being aggressive with security can help keep out adversaries that are currently scanning businesses for weak points that have network access, Cisco’s experts said at Cisco Live 2022.
Too many businesses are allowing old and disused products such as collaboration software to retain access to the network and exploiting these can lead to organisation-wide cyber attacks, they said.
An “aggressive” approach would also include the blocking of an entire origin network when malicious traffic is detected, rather than just the specific IP address from which it was sent.
“You have utilities that you don't use on your network block; you don't need them to be there,” said Nick Biasini, head of outreach at Cisco Talos. “These are the types of things that we constantly see adversaries doing and it really, really makes a difference if you go above and beyond. [Cisco] can't be that aggressive, but you absolutely can, so please do so.”
Governments have been warning of spillover attacks from the cyber war between Russia and Ukraine. The NCSC revealed at CyberUK in May that the Russian attack on Viasat was an unplanned by-product of efforts against Ukraine, and the US’ equivalent cyber authority CISA has also issued warnings to unprotected organisations.
Biasini added that businesses should avoid using ‘out-of-the-box’ default protections and be far more stringent in what devices and applications are allowed onto the network.
JJ Cummings, managing principal at the threat intelligence and interdiction team at Cisco, said businesses still need to be aggressive with the basics of cyber security too, which are not currently being applied across the board.
Multi-factor authentication (MFA) products “make a big difference” in preventing attacks like data breaches, he said, while doing the ‘boring’ tasks like manually monitoring logs are also essential for maintaining visibility over a corporate network.
He said that committing to carrying out the necessary, yet time-consuming tasks, “is a thing that has to continue” to keep businesses safe from cyber threats. If a business can’t afford to purchase an endpoint detection and response (EDR) product, then log auditing should be a fundamental part of their security.
“In some cases, in the larger firms, I think that's where the sexiness factor comes in,” he said. “We just want to do the fun things… we want to build a threat intelligence programme because that's what everybody's doing today. So, I think there's just not enough focus on those basic programmes.”
Another often overlooked shortcoming of businesses is the poor maintenance of institutional memory, the experts said. Many businesses aren’t keeping up-to-date documentation and leaving knowledge with just one person in the IT team who, when they leave the company, takes that crucial information with them.
“I used to be a defence contractor, [and] when I left it was about two years later, they actually reached out to me and said ‘how can we do this, this, and this?’ and I said, well, what about the documentation I left? ‘Oh, that was you, oh, we shredded that’. Fantabulous,” said Dave Lewis, global advisory CISO at Cisco.
“There's so much institutional knowledge that just lives in people's heads in security organisations and that that is not a good place to be when they leave,” said Biasini. “It's just lost.”
