NHS Cyber Attack Reinforces Best Practice
On the 12th May, the NHS and many major companies across Europe became victims of a huge, organised cyber attack.
What this proves, more than ever, is that the four pillars of "Patch. Match. Catch. Teach." help mitigate this threat.
Patch your systems with the latest updates. If the operating system is no longer maintained, migrate to one that is. This is of the highest importance: this latest attack would have been mitigated if Windows had been updated with the latest security patches.
However, do not forget phones, tablets, Macs and Internet of Things devices. Anything that connects to the internet will have firmware. Have a plan within your organisation to make sure every device has a responsible person, and that those people keep their devices up to date.
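The two checks the paragraph above asks for (is every device still supported and patched, and does every device have an owner) can be run over an asset inventory. The following is an added example, not code from the original post: it audits a constructed inventory against a hypothetical 30-day patching policy and flags unsupported operating systems, stale patches, unknown end-of-support dates and ownerless devices. The hostnames, owners and the Android support date are made up for the example.

```python
from datetime import date, timedelta

# Constructed sample inventory (hostnames, owners and the tablet's support date
# are made up for the example): each record carries the OS, the vendor's
# end-of-support date, the date it was last patched, and who is responsible.
INVENTORY = [
    {"host": "ward-pc-01", "os": "Windows XP", "support_ends": date(2014, 4, 8),
     "last_patched": date(2013, 12, 1), "owner": "Desktop Team"},
    {"host": "reception-tablet", "os": "Android 7", "support_ends": date(2019, 12, 31),
     "last_patched": date(2017, 5, 1), "owner": None},
    {"host": "file-srv-02", "os": "Windows Server 2012 R2", "support_ends": date(2023, 10, 10),
     "last_patched": date(2017, 5, 10), "owner": "Server Team"},
    {"host": "mri-console", "os": "Embedded Linux", "support_ends": None,
     "last_patched": date(2016, 1, 15), "owner": "Radiology"},
]

REFERENCE_DAY = date(2017, 5, 12)     # the day the post refers to
MAX_PATCH_AGE = timedelta(days=30)    # hypothetical policy threshold


def audit_device(dev, today, max_patch_age=MAX_PATCH_AGE):
    """Return the set of policy findings for one device (empty = compliant)."""
    findings = set()
    if not dev["owner"]:
        findings.add("NO_OWNER")           # nobody is accountable for updates
    if dev["support_ends"] is None:
        findings.add("SUPPORT_UNKNOWN")    # cannot tell whether patches still exist
    elif dev["support_ends"] < today:
        findings.add("UNSUPPORTED_OS")     # vendor no longer ships fixes: migrate
    if today - dev["last_patched"] > max_patch_age:
        findings.add("STALE_PATCHES")      # outside the patching window
    return findings


def run_audit(inventory=INVENTORY, today=REFERENCE_DAY):
    """Map every hostname to its findings so the report covers all devices."""
    return {dev["host"]: audit_device(dev, today) for dev in inventory}


if __name__ == "__main__":
    for host, findings in run_audit().items():
        print(f"{host:18} {'OK' if not findings else ', '.join(sorted(findings))}")
```

The audit date is passed in explicitly so the report is reproducible; in practice the inventory would be loaded from your asset database rather than embedded in the script.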
Make sure that users have the correct level of system access to do their job, and that users' day-to-day duties and administration routines use separate accounts. Do not browse public websites or use email with a superuser/root account.
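Whether the separation of accounts described above is actually being respected can be checked from a web-proxy log. The following is an added example, not code from the original post: it scans constructed proxy log lines (the line format, account names and hostnames are invented for the example) and reports every request a privileged account made to a destination outside a small allow-list of update sources.

```python
import re

# Accounts that carry administrative rights (constructed list for the example).
PRIVILEGED_ACCOUNTS = {"root", "domain-admin", "jsmith-adm"}

# Destinations an admin account is legitimately expected to reach (constructed).
ALLOWED_FOR_ADMINS = {"updates.example.org"}

# Constructed web-proxy log lines; the format is invented for this example.
PROXY_LOG = """\
2017-05-12T09:14:55 user=jsmith dst=intranet.example.org action=GET status=200
2017-05-12T09:15:02 user=jsmith-adm dst=news.example.com action=GET status=200
2017-05-12T09:15:09 user=jsmith-adm dst=mail.example.com action=POST status=200
2017-05-12T09:16:30 user=asmith dst=webmail.example.com action=GET status=200
2017-05-12T09:17:41 user=root dst=updates.example.org action=GET status=200
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) dst=(\S+) action=(\S+)")


def find_privileged_browsing(log_text, privileged=PRIVILEGED_ACCOUNTS,
                             allowed=ALLOWED_FOR_ADMINS):
    """Return (timestamp, user, destination) for each request that a
    privileged account made to a destination outside its allow-list."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that do not parse
        ts, user, dst, _action = m.groups()
        if user in privileged and dst not in allowed:
            hits.append((ts, user, dst))
    return hits


if __name__ == "__main__":
    for ts, user, dst in find_privileged_browsing(PROXY_LOG):
        print(f"{ts} privileged account {user} reached {dst}")
```

Each hit is a conversation to have with the account holder: the admin account should be reserved for administration, and a separate everyday account used for web and email.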
Invest in tools that help you during an incident. These include firewalls, Intrusion Detection Systems (Snort, for example) and NetFlow analysis. Conducting post-incident analysis is very important: the incident is only closed once you understand how it happened. Learning who, how, what and where the attack came from will allow you to better adjust your cyber security posture.
Whilst IDS, firewalls and anti-virus tools are helpful, they are tools, not magic wands. Without understanding how the threat was carried out, and the latest attack trends, those magic boxes become rather useless.
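One thing NetFlow analysis can show that a firewall log alone does not is a single host suddenly reaching many other internal hosts on the same port, the pattern a self-spreading worm leaves behind. The following is an added example, not code from the original post: it parses constructed flow records (the addresses, timestamps and the port number in the sample are invented; the detector itself is port-agnostic) and raises an alert for any source that reaches a threshold of distinct destinations on one port within a sliding time window, recording the first-seen time and the hosts touched, which is exactly the who/what/where a post-incident review needs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records in a simplified NetFlow-like form (not captured from
# any real network): timestamp, source IP, destination IP, destination port.
FLOWS = """\
2017-05-12T10:00:00 10.1.1.30 10.1.1.5 443
2017-05-12T10:00:01 10.1.1.20 10.1.1.1 53
2017-05-12T10:00:02 10.1.1.20 10.1.1.5 445
2017-05-12T10:00:02 10.1.1.20 10.1.1.6 445
2017-05-12T10:00:03 10.1.1.20 10.1.1.7 445
2017-05-12T10:00:03 10.1.1.20 10.1.1.5 445
2017-05-12T10:00:04 10.1.1.20 10.1.1.8 445
2017-05-12T10:00:05 10.1.1.20 10.1.1.9 445
2017-05-12T10:00:20 10.1.1.30 10.1.1.5 443
"""


def parse_flows(text):
    """Parse the sample format into (timestamp, src, dst, dport) tuples, oldest first."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(records)


def detect_fan_out(records, threshold=5, window=timedelta(seconds=60)):
    """Flag a (source, port) pair once it has reached `threshold` distinct
    destination hosts within `window`. Returns {key: {first_seen, hosts}}."""
    alerts = {}
    recent = defaultdict(list)   # (src, dport) -> [(ts, dst)] still inside the window
    for ts, src, dst, dport in records:
        key = (src, dport)
        # drop flows that have aged out of the window, then add this one
        recent[key] = [(t, d) for t, d in recent[key] if ts - t <= window]
        recent[key].append((ts, dst))
        distinct = {d for _, d in recent[key]}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = {"first_seen": recent[key][0][0].isoformat(),
                           "hosts": sorted(distinct)}
    return alerts


def run_detection(text=FLOWS):
    """Convenience wrapper: parse the sample flows and run the detector."""
    return detect_fan_out(parse_flows(text))


if __name__ == "__main__":
    for (src, dport), info in run_detection().items():
        print(f"{src} reached {len(info['hosts'])} hosts on port {dport} "
              f"starting {info['first_seen']}: {', '.join(info['hosts'])}")
```

The threshold and window are the tuning knobs: set them from what normal fan-out looks like on your own network (a backup server legitimately touches many hosts), otherwise the alert becomes one more noisy magic box.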
Educate your users in what these attacks really look like. Generic online training does not work - make sure the training is connected to them. Give them examples. Keep it up to date. Deliver it in a passionate way or, if it has to be online, in short, snappy videos. Whatever you do, do not make it like a "generic Health and Safety" course.
Make sure you have a Security Operations Manual that includes the whole incident command structure, from a Command & Control level down to rapid-reaction sheets for system administrators and Computer Emergency staff. In addition, make sure you do not blame anyone for reporting anything. Be blame-free. The difference between a minor incident and a major one is reaction time. You need your users to be proactive and fast in reporting when something has gone wrong. I never mind receiving five false alarms, but I do mind when someone receives something dodgy but doesn't tell me, and it slowly spreads throughout the network.