Ward Solutions advisory: increased cyber risks arising from the war in Ukraine.
Previous state-backed, criminal and cyber-militia cyber operations originating from the Eastern Europe region have already caused significant disruption to Irish and European organisations over the last decade.

Ireland has already posted a strong diplomatic response to the war in Ukraine and seems set to participate in international sanctions. Ireland has an active, high-profile role in the United Nations as a member of the UN Security Council. Ireland hosts a significant amount of global cloud and social media vendor services and data in data centres on our island, and is a significant part of the transcontinental internet fabric, with strategic fibre optic cables originating, terminating or transiting via our coastline and island. Thus Ireland, the Irish Government, and both FDI and indigenous Irish organisations have a relatively high profile in the geopolitical response and may suffer direct or indirect cyber-related fallout from this war.

Ward Solutions are therefore advising that there is a significantly increased cyber risk to organisations, consumers and citizens from:
- Increased criminal activity looking to capitalise on people's fear, emotion and news seeking arising from the war.
- Increased cyber-militia activity from activists either looking to attack Russia, Ukraine and other former USSR states, or looking to attack Western countries, and the direct or collateral damage arising from this.
- Increased nation-state activity in response to current geopolitical objectives, malicious reaction to sanctions, and counter-strikes to actual or perceived nation-state cyber activity.
- Cyber insurers have recently moved to add exclusions to their policies for cyber events arising from nation-state activity or acts of war. There is a risk that organisations assume they are insured for all cyber incidents, when in fact such exclusions may apply to events arising in the current circumstances.
Aside from the direct risk to your own organisation, we recommend that your organisation consider the potential impact of the increased probability of attacks on, and disruption to, national and global critical national infrastructure (CNI) providers such as
Ward's primary recommendations in light of the current situation are as follows:
Generate increased awareness across your organisation, from board level to end user, of the potential increased and additional risks.
Reassess the risks, your risk register and your mitigation strategies, if appropriate, based on the new geopolitical situation and the increased or additional risks we have identified in this advisory.
Check your cyber insurance cover, limits and exclusions.
Further reduce the likelihood of a damaging cyber event to your organisation. Assuming you already have normal best-practice cyber security measures in place, consider these measures in addition:
- Consider geo-fencing or GeoIP blocking (inbound and outbound communications) for regions that you don’t regularly or normally communicate with, in particular Russia, Ukraine, former USSR states, China, North Korea and Iran, but also other states and regions.
- Consider reducing levels of privilege and access to the minimum required.
- Secure your Active Directory according to best-practice guidelines: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
- Ensure that your vulnerability scanning and patching are as up to date as is practical, per vendor and best-practice frameworks.
- Implement multi-factor authentication (MFA) on all remote access and cloud-based services.
- Disable all ports and protocols not essential for business purposes.
- Stay up to date with the latest threat intelligence and national cyber security recommendations: https://www.ncsc.gov.ie/
Take steps to quickly detect any potential intrusions, assuming you have active security monitoring in place:
- Consider increasing the level of alerting and monitoring on higher-priority systems and services. Only do so if you can respond to and appropriately assess the increased volume of alerts.
- Allocate additional resources to monitoring, auditing, analysing and triaging alerts and incidents.
- Confirm the levels of coverage and update, and retest the effectiveness of policies and configurations on your endpoint and gateway anti-virus and anti-malware technologies. Consider augmenting any legacy signature-based technologies with next-generation AI/ML technologies that offer protection, detection and remediation capabilities in the event of endpoint compromise.
Be ready to respond effectively to cyber incidents when they occur:
- Revise your crisis response team and update your incident response plans and playbooks to make sure they are current, relevant and incorporate the additional risks identified above.
- Consider exercising the incident response team in a tabletop exercise to rehearse your roles, responsibilities and playbooks.
Increase your organisation's resilience:
- Revise your backup and disaster recovery plans in light of the new and increased risks identified above. Plan for worst-case scenarios.
- Test your backup and recovery plans.
- Be aware of recovery times and plan for continued business operations in the event of a significant time to recover.
- Reassess the location of backup and recovery services and vendors in light of likely geopolitical fallout. Consider moving to locations or vendors less likely to be impacted.
- Prioritise finite resources to focus on business-critical services first.
- There is a global shortage of cyber security resources and capable incident response providers. If you need to source additional services, we recommend putting in place service contracts and service level agreements in advance, and not waiting for an incident to occur before trying to source such services, as they are unlikely to be available at short notice.
Review your supply chain risk:
- Review any suppliers to determine whether they have critical risk or exposure to Russia, Ukraine or Eastern Europe generally.
- Review any suppliers to determine whether they, their products or their services may be subject to undue influence from a nation state, in particular Russia, and are thus at risk of compromise of integrity, privacy or continuity of supply, or could be used as a possible means of ingress to your or your customers' networks, systems or data.
- Review your suppliers to determine if they or their operations are at particular risk of targeting by nation-state activity.
- Consider mitigation solutions to address any significant risks arising from the above, including:
  - putting in place alternative suppliers and services
  - asking providers to change the location of their operations
  - asking suppliers to demonstrate their contingency or disaster recovery plans
Ward Solutions anticipates that the current situation and its risks are likely to persist, develop and fluctuate into the medium term. Any strategies or measures that you adopt will need to be sustained over this timeframe.
How Can Ward Help?
For Managed Service customers, the Ward Support team will be reviewing individual environments and making recommendations on appropriate patching for all supported devices.
For all other customers, if you would like additional information or would like support in assessing and protecting your environment, please contact firstname.lastname@example.org or your account manager, as appropriate.