16 May 2024
There are two routes into the systems of an organisation that attackers use above all. Phishing is one and attacks on edge devices the other. When an edge device is attacked, there is often no specific target organisation, as the attacker tries different weak spots to find an opening.
Often these attacks are based on a specific known vulnerability. Severi Muona, Threat Intel Specialist at Loihde, says that the initial attacks are often extensive, and based on what the attackers find, they then decide what to do next. There are also targeted attacks, but often the set-up is broad and experimental, as opportunistic as possible.
"Whenever a new vulnerability is discovered, it is of course important to update your systems. However, it is not always enough. You should also carry out a security audit to see if the vulnerability has already been exploited. Situations can develop very quickly, and a lot can happen even in just one day," Muona states.
Sometimes organisations are lulled into believing that once the update is made, the problem is out of the way. However, an attacker may have exploited the vulnerability already and left a backdoor that the new update no longer closes.
Information security is always a choice
Muona stresses that information security is always a comprehensive totality, where pressing a single button or failing to do so rarely is particularly decisive.
"For example, when it comes to updates, it is also about the processes when preparing for updates, in other words how vulnerabilities are monitored and how critical updates are implemented. It is also good to think ahead about what to do if an update is not immediately available."
Information security can be improved at both an individual and organisational level. Knowing your own operating environment and needs is essential and even a small adjustment and specification can increase the level of security significantly.
"For example, in an M365 environment, it is worth restricting the countries from which logins are allowed. If your organisation only operates in Finland, you can and should make these restrictions."
"Often, we as security professionals would like to set a lot of restrictions and create the most secure and restricted environments possible. In practice, it is, however, necessary to find a balance between adequate security and the smooth running of operations. It is also worth considering what information is particularly critical and how you can protect it."
By looking ahead, you get an important head start
Muona stresses the importance of internal preparedness. Risk review and management are utterly central to information security.
"Here, it is good to be really concrete. Planning must not be limited to preparing for serious cyber incidents, as this is too vague. There are much more concrete issues, such as who is responsible for which system and who to call if something happens."
The level of preparedness should be reviewed at regular intervals and concrete steps taken to improve information security. Muona also recommends consulting and training for cyber incidents with a dependable partner.
"Knowing your environment is important. You need to be aware of the devices on the network and the systems they use. In particular, critical devices must be identified. Then, if an attack does happen, the organisation will be better prepared."
Visibility, expertise and responsiveness is needed
Risk assessment, MFA, strong passwords, endpoint security, identity and access management, understanding the network as a whole, and knowledge of the devices in use and their system versions are all important aspects of information security. A Cyber Security Operations Centre or CSOC is also an essential link in the security chain. If you use an external service provider, it is worth clarifying who is responsible for what.
"If something abnormal happens, the CSOC analyst is informed very quickly and can start reacting. The main point is that when you have made careful preparations, even if there is an incident, your ability to respond is much better."
Without a CSOC in place, the extent of the breach is difficult to ascertain and in the worst-case scenario, reports of the attack will first come from outside the organisation. If there are no logs, it is difficult to speculate what part of the data mass has fallen into the hands of the attackers.
"Of course, if there are blind spots with no visibility, control does not extend there. Good and extensive visibility is important. In addition, you need to have the ability to react, in other words to stop network events and initiate action to resolve an information security incident, if necessary. It requires not only visibility, but also expertise and the necessary rights in the target system."