The conflict between the Russian Federation and Ukraine involves not only the armed forces of both countries, but the war is also increasingly affecting cyberspace. Hacker groups on both sides have launched massive cyberattacks and it is already clear that the unprecedented level of aggression is also focused on IT targets in countries that are not directly involved in the dispute.
Attacks are currently targeting critical infrastructure, especially in the field of public administration, the government, energy and healthcare, but attacks on other important sectors cannot be ruled out. We’ve therefore decided to respond to the current situation before our clients start contacting us about possible preventive measures.
The following attacks can be expected at this time:
- use of social engineering techniques (phishing, vishing, smishing),
- misuse of leaked login data from other services,
- attacks on supply services,
- distributed denial of service (DDoS) attacks.
The access point in most attacks is the user or user device. Therefore, we will divide our recommendations on how to boost cyber security into recommendations aimed at regular users and corporate infrastructure and processes.
We recommend the immediate implementation of activities in the following areas for users:
1. Increasing user resilience to phishing, vishing and smishing
- Regardless of the ongoing conflict, it is vital to systematically increase the resilience of users, especially in their recognition of phishing, vishing and smishing.
- You will find news regarding the current situation on our blog antivirus.cz (in Czech language only).
- At this moment, we are releasing one of our Security Academy courses on phishing free of charge.
2. Work with passwords and login details in general
- Encourage the use of secure passwords (at least 12 characters, uppercase and lowercase letters, numbers and special characters). Change your passwords regularly, don't wait until they are compromised.
- Use different passwords for different accounts (you can't use the same password for social networks and the corporate environment).
- We recommend immediately activating two-factor authentication for all services, where possible (not just services in the corporate environment, but also free mail, social networks, cloud services).
We are preparing further details in the form of more intensive communication in this area.
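As an added illustration of the password rules above (not code from the original article), the following Python script enforces the stated complexity policy, refuses a password that repeats one of the account's previous passwords, and refuses a password that appears in leaked credential data, which is the "misuse of leaked login data" threat listed earlier. The leaked-credential set and the sample passwords are constructed for the example; the domain and thresholds are assumptions.

```python
import hashlib
import hmac
import os
import string
from typing import List, Tuple

MIN_LENGTH = 12                      # advisory rule: at least 12 characters
SPECIALS = set(string.punctuation)   # "special characters" in the advisory's sense

# Constructed stand-in for a leaked-credential list. Public breach compilations
# are usually distributed as SHA-1 digests, so the check compares digests and
# no cleartext list has to be stored.
LEAKED_SHA1 = {
    hashlib.sha1(b"Password123!").hexdigest(),
    hashlib.sha1(b"Winter2022!!").hexdigest(),
}


def complexity_problems(password: str) -> List[str]:
    """Return the policy rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def is_leaked(password: str) -> bool:
    """Offline lookup in the constructed leaked-credential set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in LEAKED_SHA1


def _history_hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked history file cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Salted hashes of an account's previous passwords, used to refuse reuse."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _history_hash(password, salt)))

    def was_used(self, password: str) -> bool:
        return any(
            hmac.compare_digest(_history_hash(password, salt), digest)
            for salt, digest in self._entries
        )


def evaluate(password: str, history: PasswordHistory) -> List[str]:
    """All reasons to refuse a proposed password; an empty list means accept it."""
    problems = complexity_problems(password)
    if is_leaked(password):
        problems.append("appears in leaked credential data")
    if history.was_used(password):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.remember("Correct-Horse-Battery-9")   # constructed previous password
    for candidate in ("Short1!", "Winter2022!!", "Correct-Horse-Battery-9", "Another-Good-Pass-42"):
        print(candidate, "->", evaluate(candidate, hist) or "accepted")
```

The history check deliberately stores only salted PBKDF2 digests and compares them with `hmac.compare_digest`, so the history file is no more valuable to an attacker than the password database itself.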
3. Update user systems
- Right now is the best time to install the latest versions and patches on all user devices, including private ones.
- In general, it is important to keep operating systems up to date, as well as the individual applications you use, both on your computer and on your phone, tablet, wearables, etc.
4. Reporting security events and incidents
- Users need to know exactly how and where to report a security incident and what to do before getting a response to their report.
We recommend the following preventive measures at corporate infrastructure level:
1. In the area of communication infrastructure
a. Ensure that incoming and outgoing communications are blocked based on geolocation.
- We prefer whitelisting areas where you have active clientele, or
- blacklisting areas where you have no activities.
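The allow-list versus deny-list choice above, as an added example that is not part of the original article: a small Python policy evaluator that maps a source address to a country, decides admission in either mode, and lists the prefixes that would be loaded into a firewall address set (an ipset or nftables set). The prefix-to-country table uses documentation address ranges with made-up country codes in place of a real GeoIP database; the handling of addresses with no geolocation (fail closed in both modes) is a design choice of this example, not a statement from the advisory.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed prefix-to-country table (RFC 5737 / RFC 3849 documentation ranges)
# standing in for a real GeoIP database; the country assignments are made up.
GEOIP_TABLE = {
    "203.0.113.0/24": "CZ",
    "198.51.100.0/24": "SK",
    "192.0.2.0/24": "US",
    "2001:db8::/32": "CZ",
}


class GeoPolicy:
    """Country-based admission policy in either allow-list or deny-list mode."""

    def __init__(self, mode: str, countries: Iterable[str]) -> None:
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.countries = {c.upper() for c in countries}
        # Longest prefix first, so a more specific entry wins over a covering one.
        self._networks = sorted(
            ((ipaddress.ip_network(p), cc) for p, cc in GEOIP_TABLE.items()),
            key=lambda item: item[0].prefixlen,
            reverse=True,
        )

    def country_of(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for net, cc in self._networks:
            if addr.version == net.version and addr in net:
                return cc
        return None

    def decide(self, ip: str) -> Tuple[str, str]:
        """Return ('allow' | 'deny', reason) for one source address."""
        cc = self.country_of(ip)
        if cc is None:
            # Example design choice: an address with no geolocation fails closed
            # in both modes, so it cannot slip past a deny-list unnoticed.
            return ("deny", "no geolocation")
        listed = cc in self.countries
        if self.mode == "allow":
            return ("allow" if listed else "deny", cc)
        return ("deny" if listed else "allow", cc)

    def set_prefixes(self) -> List[str]:
        """Prefixes to load into the firewall address set: the permitted ones
        in allow mode, the blocked ones in deny mode."""
        return sorted(p for p, cc in GEOIP_TABLE.items() if cc in self.countries)


if __name__ == "__main__":
    policy = GeoPolicy("allow", ["CZ", "SK"])   # clientele in two countries (constructed)
    for src in ("203.0.113.10", "192.0.2.5", "2001:db8::1", "10.0.0.1"):
        print(src, "->", policy.decide(src))
    print("set members:", policy.set_prefixes())
```

Allow-list mode is the smaller and more stable set (you know where your clientele is), which is why the advisory prefers it; deny-list mode has to be revisited whenever a new region becomes a source of abuse.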
b. Establish a strict antispam policy.
- If possible, whitelist the domains from which e-mail communication originates.
- Activate an antispam solution, if available (e.g., MS Intune).
- Restrict the receipt of external e-mail messages from your own domain.
- Monitor the frequency of e-mail messages; ensure the anti-spam policy has not been breached and that phishing messages have not been spread within the internal network.
(In terms of the last point, we recommend setting a frequency monitoring limit for regular accounts, for example a maximum of 5 recipients per e-mail, or a maximum of 20 recipients per e-mail for personal and marketing accounts. Inform the users of this limit.)
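The antispam policy above, as an added example that is not code from the original article: a Python mail-policy filter that rejects external messages claiming the organisation's own sender domain, quarantines mail from sender domains that are not on the allow-list, and holds outbound messages whose recipient count exceeds the per-account-class limit (5 for regular accounts, 20 for personal and marketing accounts, as the advisory suggests). `example.com`, the partner domain, and all sample messages are constructed; whether a message came from an internal source is assumed to be supplied by the MTA (authenticated submission or an internal source address).

```python
import email
from email.message import Message
from email.utils import getaddresses, parseaddr
from typing import Tuple

OWN_DOMAIN = "example.com"                        # assumption: the organisation's own mail domain
ALLOWED_SENDER_DOMAINS = {"partner.example.net"}  # constructed allow-list of external sender domains
RECIPIENT_LIMITS = {"regular": 5, "personal": 20, "marketing": 20}  # limits suggested in the advisory


def sender_domain(msg: Message) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def recipient_count(msg: Message) -> int:
    """Distinct addresses across To and Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return len({addr.lower() for _, addr in pairs if addr})


def check_inbound(raw: str, came_from_internal: bool) -> Tuple[str, str]:
    """Gateway policy for arriving mail: (decision, reason)."""
    msg = email.message_from_string(raw)
    domain = sender_domain(msg)
    if domain == OWN_DOMAIN and not came_from_internal:
        # "Restrict the receipt of external e-mail messages from your own domain."
        return ("reject", "external message claims internal sender domain")
    if domain != OWN_DOMAIN and domain not in ALLOWED_SENDER_DOMAINS:
        # "If possible, whitelist the domains from which e-mail communication originates."
        return ("quarantine", f"sender domain {domain} not on allow-list")
    return ("accept", domain)


def check_outbound(raw: str, account_class: str) -> Tuple[str, str]:
    """Recipient-frequency control: hold messages that exceed the class limit."""
    msg = email.message_from_string(raw)
    count = recipient_count(msg)
    limit = RECIPIENT_LIMITS[account_class]
    if count > limit:
        return ("hold", f"{count} recipients exceeds limit of {limit} for {account_class} account")
    return ("accept", f"{count} recipients")


# Constructed sample messages.
SPOOFED = (
    "From: CEO <ceo@example.com>\r\n"
    "To: finance@example.com\r\n"
    "Subject: Urgent transfer\r\n\r\n"
    "Please pay the attached invoice today.\r\n"
)
PARTNER = (
    "From: Alice <alice@partner.example.net>\r\n"
    "To: bob@example.com\r\n"
    "Subject: Meeting notes\r\n\r\n"
    "Notes attached.\r\n"
)
UNKNOWN = (
    "From: someone@unknown-sender.example.org\r\n"
    "To: bob@example.com\r\n"
    "Subject: Hello\r\n\r\n"
    "Hi.\r\n"
)
BULK = (
    "From: news@example.com\r\n"
    "To: a@x.example, b@x.example, c@x.example\r\n"
    "Cc: d@x.example, e@x.example, f@x.example\r\n"
    "Subject: Newsletter\r\n\r\n"
    "Body.\r\n"
)

if __name__ == "__main__":
    print(check_inbound(SPOOFED, came_from_internal=False))
    print(check_inbound(PARTNER, came_from_internal=False))
    print(check_inbound(UNKNOWN, came_from_internal=False))
    print(check_outbound(BULK, "regular"))
    print(check_outbound(BULK, "marketing"))
```

The spoofed-sender rule only works if the gateway can tell internal submissions from external connections; in a real deployment that signal comes from SMTP authentication or the connecting address, and SPF/DKIM/DMARC alignment checks complement it. The recipient limit is a detection control as much as a prevention one: a regular account suddenly sending to dozens of recipients is the pattern the advisory wants monitored.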
2. Monitoring and incident management
a. Ensure increased visibility across the entire infrastructure, including OT devices (monitor activity using EDR on end stations, internet-facing servers, critical servers, etc.).
b. Improve processes for a quick response.
- This is primarily an incident management procedure for handling cyber incidents reported by users.
- Scenarios or checklists will also help determine how to proceed when an incident is reported in typical situations (on user devices, OT equipment, maintenance tablets, etc.).
3. Set up multi-factor authentication and conditional access (with an O365 Premium licence or higher, this is free as part of the licence).
4. Vulnerability management
a. Apply all critical patches immediately.
b. Activate patch management procedures. Reconsider any patches that have not yet been implemented: if you accepted the risk at the time, is that acceptance still valid?
c. Actively monitor vulnerabilities in the infrastructure and harden individual platforms according to CIS recommendations (primarily for internet-facing servers).
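The patch-backlog review described in points a. to c., as an added example that is not part of the original article: a Python triage routine over a constructed list of deferred patches. Critical patches are ordered for immediate application, deferred patches whose risk-acceptance period has lapsed are flagged for re-review, and internet-facing hosts are placed ahead of internal ones in the remaining queue. Patch identifiers, host names, dates and the review period are all placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class DeferredPatch:
    patch_id: str          # placeholder identifier, not a real advisory number
    host: str
    severity: str          # "critical", "high", "medium" or "low"
    internet_facing: bool
    risk_accepted_on: date # when someone decided to defer this patch
    review_after_days: int # how long that acceptance was meant to stand


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def classify(p: DeferredPatch, today: date) -> str:
    """One action per deferred patch, following the advisory's questions."""
    acceptance_expired = today > p.risk_accepted_on + timedelta(days=p.review_after_days)
    if p.severity == "critical":
        return "apply now"                    # a. critical patches go immediately
    if acceptance_expired:
        return "re-review risk acceptance"    # b. is the old acceptance still valid?
    if p.internet_facing:
        return "schedule next window"         # c. exposed hosts first
    return "keep accepted risk"


def triage(backlog: List[DeferredPatch], today: date) -> List[Tuple[str, str, str]]:
    """Return (patch_id, host, action) ordered by urgency."""
    decided = [(p, classify(p, today)) for p in backlog]
    decided.sort(
        key=lambda pa: (
            pa[1] != "apply now",            # immediate work first
            not pa[0].internet_facing,       # then exposed hosts
            SEVERITY_RANK[pa[0].severity],   # then by severity
            pa[0].patch_id,                  # stable order for equal keys
        )
    )
    return [(p.patch_id, p.host, action) for p, action in decided]


# Constructed sample backlog and review date.
TODAY = date(2022, 3, 1)
BACKLOG = [
    DeferredPatch("PATCH-001", "web-01", "critical", True, date(2022, 1, 10), 90),
    DeferredPatch("PATCH-002", "vpn-01", "high", True, date(2021, 10, 1), 90),
    DeferredPatch("PATCH-003", "fileserver-02", "medium", False, date(2022, 2, 1), 90),
    DeferredPatch("PATCH-004", "web-02", "medium", True, date(2022, 2, 15), 90),
    DeferredPatch("PATCH-005", "hr-db", "critical", False, date(2022, 1, 20), 90),
]


def triage_sample() -> List[Tuple[str, str, str]]:
    return triage(BACKLOG, TODAY)


if __name__ == "__main__":
    for patch_id, host, action in triage_sample():
        print(f"{patch_id:10} {host:14} {action}")
```

The useful part is the expiry rule: a risk acceptance is a dated decision, and once its review period has passed the backlog entry should be treated as undecided rather than silently carried forward.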
The question of defence against DDoS attacks, i.e., attacks aimed at disabling services, is so complicated that in most cases it will require personal consultation. At cloud service level there are suitable solutions, and in the case of on-prem infrastructure, global load balancing or filtering of incoming communication can help.