Cybersecurity measures from a global perspective
At INCIBE-CERT, with the aim of offering improved cybersecurity protection and best practices, we bring together a series of measures and actions that we recommend adopting and reviewing to protect organisations' information and its application in the devices they use, as well as in their digital presence in cyberspace. These measures are aimed at improving their level of protection against cybersecurity incidents and, as such, minimise their risk of cyberattacks that could affect the services of their business.
These measures can be applied, or revised if they are already in place, by any organisation or user in any circumstance considered necessary according to function and their own needs. Their main use lies in the fact that they can be adapted to the different characteristics and capacities (both technical and human) available to the entity wishing to implement them.
These security guidelines can be complemented by more specific and concrete ones that may be more oriented to the scope and activity carried out in each organisation, but we consider that they represent a minimum set of measures that we recommend, prioritised by each organisation according to its specific capabilities:
- Ensure user authentication mechanisms are secure by reviewing and changing all passwords in the organisation, including default passwords for products and services. Establish, along with a general awareness policy, a model for the use of secure passwords. To review their correct application, two actions are recommended: sufficient complexity of credentials and regular change of passwords. It is important that these measures are implemented across all the applications and services in use, and not only for the accounts on work computers.
- Establish specific user awareness measures, which refer to never reusing credentials, as threat actors often compromise organisations by performing credential stuffing attacks, for which they use credentials obtained from previous data breaches against another unrelated service.
- Especially relevant is the use of multifactor authentication mechanisms, for instance OTP (One Time Password) elements or similar, to access organisation systems, not only for VPN (Virtual Private Network) or remote access but for all services and applications as far as possible.
- Apply, wherever operationally possible, the principle of least privilege: avoid working on equipment with accounts that hold administrator privileges, and assign users accounts with the minimum permissions necessary to run their programmes and carry out their activity.
- Keep all software up to date, prioritising updates to software with known and exploited vulnerabilities in the organisation's established patch management cycles and mechanisms to avoid exposure to critical and high severity flaws as quickly as possible. This update policy should also include personal devices within the organisation such as work phones.
- Monitor and identify systems vulnerable to new threats, by using vulnerability analysis tools to complement the organisation’s established patch tools. It is recommended to monitor potential threats and warnings from products and manufacturers used in the organisation, as well as notifications, information feeds and warnings from CSIRTs (Computer Security Incident Response Teams) through newsletters or similar.
- Whenever possible, deploy intrusion detection and prevention systems (IDS/IPS, Intrusion Detection System/Intrusion Prevention System), and complement their implementation with other security elements such as SIEM (Security Information and Event Management), making it easier to identify and detect traffic anomalies in order to apply an early response, thus limiting potential impacts. In addition, it is often possible to choose 'modes of operation' depending on the level of risk you want to take.
- It is highly recommended to implement an EDR (Endpoint Detection and Response) system to protect the company's computers and infrastructure through unified alert management, combining traditional antivirus with monitoring and artificial intelligence tools to provide a fast and efficient response. It is also advisable to adopt DLP (Data Loss Prevention) solutions wherever possible to prevent information leaks from within the organisation itself.
- Maintain a catalogue of the company's assets. In particular, it is very useful to have a list of the devices used by staff working in the organisation, network connectivity, technologies used in the company's infrastructure, ancillary equipment, and IP (Internet Protocol) addresses or ranges exposed to the Internet. In general, this should cover all hardware and software, so that the organisation knows what is installed on each computer, can assess which part of the organisation could be affected by a new threat, and knows the facilities where its most relevant equipment is hosted.
- It is desirable to have a programme of internal and external audits carried out by independent entities, allowing the organisation to validate its ISMS (Information Security Management System) and risk analysis and, ultimately, to certify it through the corresponding certification audit.
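The credential stuffing mentioned earlier and the anomaly detection expected of an IDS/SIEM deployment come together in a simple correlation rule. The following added example (not from the original page) runs such a rule over constructed authentication log lines: it flags a source that fails against many different accounts in a short window (stuffing), a source that hammers one account (brute force), and any successful login from a flagged source, which is the event an analyst most needs to see. The log format and IP addresses are invented; a real deployment would parse its own IdP, VPN or web-server logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (assumption): "<ISO time> login_failed|login_ok user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login_(?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source trying many accounts once each (credential
# stuffing), one source hammering a single account (brute force), one normal user.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login_failed user=alice src=203.0.113.5
2024-03-01T10:00:02Z login_failed user=bob src=203.0.113.5
2024-03-01T10:00:03Z login_failed user=carol src=203.0.113.5
2024-03-01T10:00:04Z login_failed user=dave src=203.0.113.5
2024-03-01T10:00:05Z login_failed user=erin src=203.0.113.5
2024-03-01T10:00:06Z login_ok user=erin src=203.0.113.5
2024-03-01T10:01:00Z login_failed user=admin src=198.51.100.7
2024-03-01T10:01:10Z login_failed user=admin src=198.51.100.7
2024-03-01T10:01:20Z login_failed user=admin src=198.51.100.7
2024-03-01T10:01:30Z login_failed user=admin src=198.51.100.7
2024-03-01T10:01:40Z login_failed user=admin src=198.51.100.7
2024-03-01T10:02:00Z login_failed user=grace src=192.0.2.9
2024-03-01T10:02:05Z login_ok user=grace src=192.0.2.9
"""


def parse(log_text: str) -> list:
    """Return (timestamp, result, user, src) tuples in time order; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def detect(events, window=timedelta(minutes=5), stuffing_users=5, brute_attempts=5) -> list:
    """Flag sources whose failures inside a sliding window look like credential stuffing
    or brute force, plus any later success from such a source (likely compromised account)."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "failed":
            failures[src].append((ts, user))

    findings = set()
    for src, fails in failures.items():
        for i, (t_end, _) in enumerate(fails):
            # failures from this source in the window ending at this failure
            in_window = [u for t, u in fails[: i + 1] if t >= t_end - window]
            if len(set(in_window)) >= stuffing_users:
                findings.add(("credential_stuffing", src, None))
            for u in set(in_window):
                if in_window.count(u) >= brute_attempts:
                    findings.add(("brute_force", src, u))

    flagged = {src for _, src, _ in findings}
    for ts, result, user, src in events:
        if result == "ok" and src in flagged and ts >= failures[src][0][0]:
            findings.add(("success_after_attack", src, user))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

Thresholds are deliberately parameters: a public login page sees far more benign failures than an internal VPN gateway, and the values should be tuned per service rather than copied.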
Networks and systems:
- The development and implementation of a BCP (Business Continuity Plan) is highly recommended to analyse the possible impact on the business, draft operative recovery plans and periodically execute validation tests of the BCP itself. Also recommended is the maintenance, revision and testing of contingency plans.
- The organisation can also be attacked through its supply chain (a supply chain attack), via the outsourced service providers it engages. It is therefore recommended to review the access granted to providers and the dependencies they have within systems and networks, so that a third-party collaborator cannot be used as an entry vector into the organisation. External providers should meet minimum security standards consistent with the organisation's security policy.
- Implement and develop an optimal level of segmentation for the different networks used, which should include isolated networks with adequate firewall rules, data diodes (which only allow traffic in one direction), IDS devices and a DMZ (Demilitarized Zone) network to separate the corporate network from the data network. Additionally, review the filtering and traffic policies between them to limit access, and use additional attributes in communications between applications and services.
- Fortify and harden exposed systems in critical environments, DMZs or cloud environments: increase their security measures by hardening them and applying security controls, segmentation, least-privilege access policies and the blocking available in the least trusted environments, to prevent a cyberattack from spreading across the organisation's environments.
- It is advisable to review and check the organisation's backup strategy, paying special attention to the different media used, both for local and off-site backups, reviewing the business continuity and disaster recovery strategies that allow for the recovery of the activity in case of loss or unavailability of the information. It is important that these measures are regularly tested. A good backup practice is to adopt the 3-2-1 strategy, which is based on diversifying backups to ensure that there is always a recoverable backup. Its key actions are as follows:
  - 3: Keep 3 copies of any important file (the original file and 2 backups).
  - 2: Store the backups in 2 different places to protect them from different risks.
  - 1: Store 1 backup outside of the business (offsite backup), for example in the cloud.
- To minimise possible DoS/DDoS (Denial of Service/Distributed Denial of Service) incidents, it is recommended that high-demand elements sit behind a CDN (Content Delivery Network), or that at least specific load balancing measures are active with connection thresholds configured on them. Some recommended security measures to apply when using a CDN are:
  - Configure SSL/TLS (Secure Sockets Layer/Transport Layer Security) on the connection between the user and the CDN.
  - Activate HSTS (HTTP Strict Transport Security) to protect HTTPS (HyperText Transfer Protocol Secure) servers against downgrade attacks.
  - Change the origin IP address associated with the server once it is behind the CDN.
  - Establish connection limits to protect the website against DoS attacks and brute force login attempts.
  - Host mail on a different server, so that an attacker cannot find the origin IP address in an outgoing email.
  - Avoid exposing the origin to service search engines (Internet-wide scanners that index reachable hosts).
- When configuring a web server, it is advisable to deploy a WAF (Web Application Firewall) in addition to a regular firewall. A WAF specialises in controlling, filtering and monitoring all connections to the application and blocking those considered malicious. As well as blocking denial-of-service (DoS) attacks, WAFs are also capable of detecting and blocking attacks such as XSS (Cross-Site Scripting) or SQL injection.
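The 3-2-1 backup rule above is easy to state and easy to drift away from. The following added example (not part of the original guidance) checks a backup manifest against it exactly as the page phrases the rule (3 copies counting the original, 2 different places, 1 offsite) and, because the page insists that backups be regularly tested, only counts copies whose digest still matches the original. The file, copies, locations and digests are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    location: str  # physical or logical place the copy lives
    offsite: bool  # outside the business premises (e.g. cloud)
    sha256: str    # digest recorded when the copy was last verified


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: the "original" is a small byte string standing in
# for a real file; the copies and their locations are invented.
ORIGINAL = b"constructed payroll export, March"
GOOD_DIGEST = sha256_hex(ORIGINAL)

GOOD_COPIES = [
    BackupCopy("nightly-nas", "hq-server-room", offsite=False, sha256=GOOD_DIGEST),
    BackupCopy("weekly-tape", "hq-fire-safe", offsite=False, sha256=GOOD_DIGEST),
    BackupCopy("cloud-bucket", "provider-region-a", offsite=True, sha256=GOOD_DIGEST),
]

BAD_COPIES = [
    BackupCopy("nightly-nas", "hq-server-room", offsite=False, sha256=GOOD_DIGEST),
    BackupCopy("usb-drive", "hq-server-room", offsite=False, sha256="0" * 64),  # stale copy
]


def check_321(original: bytes, copies) -> list:
    """Return findings against the 3-2-1 rule; an empty list means it holds.
    Only copies whose digest matches the original count, because a corrupt or
    stale backup does not help recovery."""
    findings = []
    expected = sha256_hex(original)
    intact = [c for c in copies if c.sha256 == expected]
    for c in copies:
        if c.sha256 != expected:
            findings.append(f"copy '{c.label}' does not match the original (stale or corrupt)")
    total = 1 + len(intact)  # the original plus intact backups
    if total < 3:
        findings.append(f"only {total} intact copies including the original; the rule needs 3")
    if len({c.location for c in intact}) < 2:
        findings.append("intact backups are all in one place; the rule needs 2 different places")
    if not any(c.offsite for c in intact):
        findings.append("no intact offsite backup")
    return findings


if __name__ == "__main__":
    print("good manifest:", check_321(ORIGINAL, GOOD_COPIES) or "OK")
    print("bad manifest:", check_321(ORIGINAL, BAD_COPIES))
```

In practice the digests come from a restore test (read the copy back and hash it), not from the manifest the backup job wrote, otherwise the check only proves that the job once thought it succeeded.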
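Activating HSTS is one line of configuration, but a header with a short max-age or without includeSubDomains gives much less than people assume. The following added example (not from the original page) parses a Strict-Transport-Security value as browsers do (RFC 6797 directive syntax) and reports the weaknesses a reviewer would raise; the one-year minimum is the common recommendation and is a parameter.

```python
ONE_YEAR_SECONDS = 31536000


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (RFC 6797: names are
    case-insensitive; valueless directives such as includeSubDomains map to True)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def assess_hsts(header_value, min_age: int = ONE_YEAR_SECONDS) -> list:
    """Return findings for the HSTS header an origin or CDN edge sends; empty means OK."""
    if header_value is None:
        return ["no Strict-Transport-Security header: a first plain-HTTP request can still be downgraded"]
    d = parse_hsts(header_value)
    raw = d.get("max-age")
    if not isinstance(raw, str) or not raw.isdigit():
        return ["max-age missing or not a non-negative integer: browsers ignore the whole header"]
    max_age = int(raw)
    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy rather than enforce it")
    elif max_age < min_age:
        findings.append(f"max-age={max_age} is shorter than the recommended {min_age} seconds (one year)")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains can still be reached over plain HTTP")
    return findings


if __name__ == "__main__":
    # Constructed header values, as returned by a CDN edge for a site.
    for value in ("max-age=63072000; includeSubDomains; preload", "max-age=300", None):
        print(repr(value), "->", assess_hsts(value) or "OK")
```

HSTS only protects browsers that have already seen the header over HTTPS; the preload directive, combined with submission to the browser preload list, closes the gap for the very first visit.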
Email and awareness:
- Given the extensive use of email in organisations, it is advisable to apply the following protection policies and measures: the SPF/DMARC/DKIM protocols, anti-spam measures and, especially, rules against phishing attempts and identity theft such as CEO fraud, spear phishing or BEC (Business Email Compromise), a technique used by cybercriminals to steal funds from companies by impersonating a senior manager.
- Initiate, maintain or enhance employee awareness and training policies to help employees identify and protect themselves from targeted threats and apply security best practice in the use of technology. Also put the lessons to the test by organising cyberexercises.
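Publishing SPF and DMARC records is only useful if the records actually say something. The following added example (not INCIBE-CERT's code) parses the TXT values of both record types and reports the configurations that leave a domain impersonable: a permissive or missing `all` mechanism, more than the ten DNS-lookup terms SPF allows, a DMARC policy of `p=none`, a partial `pct`, or no reporting address. The record strings are constructed; resolving them from DNS (for instance with the dnspython package) is left out so the example runs offline.

```python
import re

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps them at 10 per evaluation)
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(\b|$)", re.IGNORECASE)


def parse_spf(txt: str):
    """Return the terms of an SPF record, or None if the TXT value is not SPF."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]


def assess_spf(txt) -> list:
    terms = parse_spf(txt) if txt is not None else None
    if terms is None:
        return ["no SPF record: receivers cannot tell which hosts may send for the domain"]
    findings = []
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("'+all' authorises every host on the Internet; the record grants no protection")
    elif last == "?all":
        findings.append("'?all' is neutral; prefer '~all' or '-all'")
    elif last not in ("-all", "~all") and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("record does not end in an 'all' mechanism; unlisted senders are treated as neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def parse_dmarc(txt: str):
    """Return DMARC tags as a dict, or None if the TXT value is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(txt) -> list:
    tags = parse_dmarc(txt) if txt is not None else None
    if tags is None:
        return ["no DMARC record: mail failing SPF/DKIM alignment has no policy applied"]
    findings = []
    p = tags.get("p")
    if p not in ("none", "quarantine", "reject"):
        findings.append("p= policy missing or invalid; receivers ignore the record")
    elif p == "none":
        findings.append("p=none only monitors; impersonated mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the traffic")
    return findings


if __name__ == "__main__":
    # Constructed records for a fictitious domain.
    print(assess_spf("v=spf1 mx include:_spf.example.net -all") or "SPF OK")
    print(assess_dmarc("v=DMARC1; p=none") or "DMARC OK")
```

DKIM is not assessed here because its selector records cannot be enumerated from the domain alone; a practitioner checks them from the signing configuration of each sending system.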
The application of this set of measures, which can be extended and adapted according to the scope of action and the capacities of each organisation that wishes to implement them, must be carried out gradually. They often require complex technological solutions with procedural implications that inevitably lengthen the process. That is why the ideal is to take the implementation and execution times into account and to be aware of the investment of effort that will be required.