How to strengthen cyber defense: CERT-UA experts point out mistakes and provide recommendations

28 January 08:49

Ukraine is constantly defending itself in cyberspace against increasingly sophisticated cyberattacks. Attackers keep improving their methods and actively exploit weaknesses in information systems. The government computer emergency response team CERT-UA, which works daily to detect, analyze and counter cyberattacks, has compiled a set of recommendations intended to help organizations protect themselves, Komersant ukrainskyi reports.

According to the experts, analysis of the numerous incidents of recent years shows that the typical mistakes made by businesses and organizations remain the same, and these mistakes are often what allows attackers to achieve their goals.

What weakens cyber defense

CERT-UA has identified several main vectors through which information systems are successfully penetrated:

– Known vulnerabilities. Software updates for publicly accessible resources, such as a website or mail server, are often ignored.

– Compromised accounts. Credentials can be stolen by malware or “provided” by users who entered them on phishing pages. In the absence of multi-factor authentication, attackers can access the email, VPN, or other system whose account has been compromised.

– Spear-phishing. Lack of employee training and insufficient attention to email verification contribute to successful attacks.

– Self-infection. The use of pirated software creates significant risks.

Problem areas of cyber defense

Based on CERT-UA’s analysis, the main weaknesses that leave businesses vulnerable to attacks were identified:

– Lack of multi-factor authentication (2FA). This allows attackers to easily use stolen logins and passwords to access systems.

– Insufficient remote access protection. Remote access (e.g., RDP) and especially access to server and network equipment administration interfaces should be allowed for specific users from specific workstations (IP addresses).

– Lack of a “demilitarized” zone (DMZ). Internet-accessible services, such as mail servers or web applications, are often not isolated from the main network, which allows an attack to spread deeper into the network.

– Insufficient software control. Hackers often use standard utilities such as PowerShell or mshta.exe to execute malicious code. It is necessary to limit the ability of users to run such utilities.

– Insufficient log retention. When a cyber incident does occur, there is sometimes not enough data to investigate it because log files were kept for too short a period.

What should strengthen cyber defense

CERT-UA recommends that organizations:

– Check the attack surface. Use tools such as censys.io, shodan.io, or Nmap to identify open network ports.

– Implement multi-factor authentication, especially for VPN and corporate email access.

– Isolate systems that are accessible from the Internet. Ensure that Internet applications are isolated so that compromising one component does not allow an attack to extend deeper into the network.

– Filter outgoing traffic. Use a firewall (proxy server) to control outgoing network connections.

– Expand the scope of logs. Configure event logs to store data for at least 180-360 days.

– Control the programs used. Allow only necessary programs to be used, including system utilities.

– Ensure readiness for network isolation. Develop a response plan in case you need to isolate network segments.
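The following read-only audit script is an added illustration for this article, not a tool from CERT-UA: it checks a Windows host against three of the recommendations above (remote-access exposure via RDP, control of system utilities such as PowerShell and mshta.exe, and log retention). The 180-day threshold is taken from the article's range; the check names and wording are this example's own assumptions.

```powershell
# Added example, not part of the CERT-UA article: read-only audit of a Windows host.
# Run in an elevated PowerShell session; it changes nothing, it only reports findings.
# Assumed threshold: 180 days of Security-log coverage (lower end of the article's 180-360 days).

$findings = @()

# 1. Remote access: is RDP enabled, and does an inbound RDP firewall rule accept any source?
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -eq 0) {
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings += "RDP is enabled and rule '$($r.DisplayName)' accepts connections from any address; restrict RemoteAddress to specific admin workstations."
        }
    }
}

# 2. Software control: does the effective AppLocker policy mention mshta.exe or PowerShell at all?
$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
if (-not $policy -or $policy -notmatch 'mshta|powershell') {
    $findings += 'No effective AppLocker rule references mshta.exe or PowerShell; ordinary users can run them freely.'
}

# 3. Log retention: how many days does the local Security log actually cover?
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$coverageDays = ((Get-Date) - $oldest.TimeCreated).TotalDays
if ($coverageDays -lt 180) {
    $findings += ("Security log covers only {0:N0} days (max size {1} MB, mode {2}); raise the size and forward events to central storage." -f $coverageDays, [int]($log.MaximumSizeInBytes / 1MB), $log.LogMode)
}

if ($findings.Count -eq 0) { 'No findings for the checks performed.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Windows event logs are bounded by size rather than by age, so the retention check measures real coverage on the host; meeting the 180-360 day target in practice usually means forwarding events to a central log server.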

CERT-UA stresses the importance of establishing operational cooperation. Organizations that need assistance in implementing cybersecurity measures can contact us:

CERT-UA: [email protected], tel. 38 (044) 281-88-25.

Василевич Сергій
Editor