Cyber threats are expected to increase globally as a result of the current conflict in Europe. All organizations in Brunei Darussalam are advised to increase awareness and strengthen all critical systems to safeguard data against potential cyber-attacks, such as website defacement, distributed denial of service (DDoS), and ransomware attacks.
BruCERT recommends that the following immediate actions be taken.
Harden all systems by following basic principles of cyber hygiene to proactively protect your organization against potential threats by implementing the following:
- Review all authentication activity for remote access infrastructure
- Secure and manage systems with up-to-date patching
- Use anti-malware and workload protection tools
- Isolate legacy systems
- Enable logging of key functions
Verify system patches
- Ensure your users’ desktops, laptops and mobile devices are all patched, including third party software such as browsers and office productivity suites. If possible, turn on automatic updates.
- Make sure firmware on the organization’s devices is also patched. Firmware updates are often delivered differently from software updates, so check them separately.
Verify access controls
- Review user accounts and remove any old or unused accounts. If you have multi-factor authentication (MFA) enabled, check it is properly configured. Make sure it is enabled on systems and user accounts according to your policies.
- Change passwords regularly. It is recommended to change passwords every 3 to 6 months, using a strong password or passphrase.
- Apply least privilege access and secure the most sensitive and privileged credentials.
Ensure defences are working
- Use an industry-recommended antivirus program.
- Ensure antivirus software is installed and regularly confirm that it is active on all systems and that signatures are updating correctly.
- Check your firewall rules are as expected – specifically check for temporary rules that may have been left in place beyond their expected lifetime.
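As an added illustration of the temporary-rule check above (example code, not BruCERT's own tooling): a small Python script that scans an iptables-save style rule dump, assuming a team convention of tagging temporary rules with a comment of the form "TEMP expires=YYYY-MM-DD", and reports rules past their expiry date as well as temporary rules that carry no date at all. The rule lines are constructed samples.

```python
import re
from datetime import date

# Constructed sample rules in iptables-save format. The tagging convention
# "TEMP expires=YYYY-MM-DD" is an assumption made for this example.
SAMPLE_RULES = """\
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 3389 -s 203.0.113.7 -m comment --comment "TEMP expires=2022-02-15 vendor remote support" -j ACCEPT
-A INPUT -p tcp --dport 8080 -m comment --comment "TEMP expires=2022-06-30 pilot app" -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 21 -m comment --comment "TEMP vendor promised to remove" -j ACCEPT
"""

# Matches a TEMP-tagged comment; the expiry date is optional so that
# undated temporary rules can be flagged separately.
TEMP_RE = re.compile(r'--comment\s+"TEMP(?:\s+expires=(\d{4}-\d{2}-\d{2}))?')


def find_temporary_rules(rules_text, today):
    """Return (expired, undated): rule lines whose TEMP expiry is before
    `today`, and TEMP-tagged rule lines that carry no expiry date."""
    expired, undated = [], []
    for line in rules_text.splitlines():
        m = TEMP_RE.search(line)
        if not m:
            continue  # permanent rule, nothing to review here
        if m.group(1) is None:
            undated.append(line)  # temporary but nobody recorded an end date
            continue
        if date.fromisoformat(m.group(1)) < today:
            expired.append(line)
    return expired, undated


if __name__ == "__main__":
    # Use a fixed reference date so the sample output is reproducible.
    expired, undated = find_temporary_rules(SAMPLE_RULES, date(2022, 3, 1))
    for rule in expired:
        print("EXPIRED temporary rule still active:", rule)
    for rule in undated:
        print("Temporary rule with no expiry date:", rule)
```

Run it against `iptables-save` output (or an export from whatever firewall you use, after adapting the regex) and treat every line it prints as a rule to justify or remove.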
Enable strong spam filters
- Enable strong spam filters to prevent phishing emails from reaching end users.
- Filter emails containing executable files to prevent them from reaching end users.
- Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments.
Disable all unnecessary ports and protocols
- Review network security device logs and consider shutting off unnecessary ports and protocols. Monitor common ports and protocols for command and control (C&C) activity.
- Turn off or disable any unnecessary services (e.g. PowerShell) or functionality within devices.
Logging and monitoring
- Understand what logging you have in place, where logs are stored and for how long logs are retained. Monitor key logs and, at a minimum, monitor antivirus logs. If possible, ensure that logs are kept for at least one month.
Review your backups
- Confirm that backups are running correctly. Perform test restorations from previous good backups to ensure that the restoration process is understood and familiar.
- Check that there is an offline copy of your backups, and that it is always recent enough to be useful if an attack results in loss of data or system configuration.
- Ensure machine state and any critical external credentials (such as private keys, access tokens) are also backed up, not just data.
- Confirm that escalation routes and contact details are all up to date.
- Ensure that the incident response plan contains clarity on who has the authority to make key decisions, especially outside of normal office hours.
Check your internet footprint
- Check that records of your external internet-facing footprint are correct and up to date. This includes things like which IP addresses your systems use on the internet or which domain names belong to your organisation. Ensure that domain registration data is held securely (check your password on your registry account, for example) and that any delegations are as expected.
- Perform an external vulnerability scan of your whole internet footprint and check that everything you need to patch has been patched. Internet-connected services with unpatched security vulnerabilities are an unmanageable risk.
- Ensure that all staff know how to identify and report phishing emails.
Third Party Access
- If third party organisations have access to your IT networks or estate, make sure you have a comprehensive understanding of what level of privilege is extended into your systems, and to whom. Remove any access that is no longer required. Ensure you understand the security practices of your third parties.