With the crisis unfolding in Ukraine, there is an increase in Russian activity directed to the large and small companies that make up the Defense Industrial Base.
According to the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA), this activity is targeting companies with Department of Defense support contracts. These contracts cover command and control, communications, and support systems, weapons, aircraft, and vehicle systems, and the list goes on. The Russian state actions go back to the first Cold War, aided by technology that did not exist in Cold War I. Today espionage and sabotage is conducted from a nice office with a computer terminal, not by an undercover secret agent in a dark alley.
This means an increase in attempts to steal technology and disrupt and compromise business and manufacturing control systems for the Defense Industrial Base manufacturers. Perhaps the good news is that this is nothing new, as there has been a background war against the U.S. Defense Industrial Base for decades by both Russia and China. These nation-state actors have directed considerable resources to gain access to industrial manufacturing systems and compromise or steal technology. A primary focus is Microsoft 365 systems, including cloud services and local networks. The avenues of attack are email and poorly configured or maintained systems, nothing new as demonstrated in the Colonial Pipeline and Solar Wind cyberattacks.
The next question is then what can companies do to secure their systems. Look anywhere, and there will be innumerable lists of 10, 20, maybe even 50 things to do; the Department of Defense, Acquisition and Sustainment has five things to do. These five things are straightforward actions that any company of any size can take without a great deal of cost and effort. They are essentially actions that all companies should be doing. The following is the list of the five recommendations and the recommended actions. Note that the actions listed below are the bare minimum; adequate security will require more.
First is education and training; this is one of the essential things to do, as 90 percent of all successful attacks begin with email. Your employees and system users need to be able to recognize fraudulent emails. They need to understand the concepts of phishing. The COVID-19 pandemic with the isolation requirements has spurred romance scams into a multi-billion-dollar business. Again, here people are unknowingly entrapped due to a lack of awareness.
Second, implement access control; this is very broad and incorporates authentication and monitoring. However, it is essentially restricting access to system resources and information. The best way to do this is by having separate user IDs and passwords for different applications. For example, having the same ID and password for all of your bank accounts is not wise; each account needs to have a separate set of login credentials. The same is for your business applications. As a single user, you should have a set of credentials for system administration and a second set for application user access or business functions.
Third, authenticate users; there are two things to consider first is long passwords or passphrases, second is multifactor authentication (MFA). For passwords, set a minimum of 10 or more characters; the longer, the more complex in terms of numbers, letters, characters, the better. Turn on MFA; this is like putting on a car seatbelt. It takes time to put on a seat belt, but it keeps you from flying out the car windshield. Use MFA, and you will be more secure than 85 percent of all other users.
Fourth, monitor your physical space, often neglected are the physical controls for system security. The way to secure your information is to recognize the requirement for system security is not only cyber or IT security. Managing physical security means controlling physical access and media with controlled information. Know where sensitive media is; it has a lifecycle, and it needs to be disposed of properly. Consider Internet of Things (IoT) physical devices that impact your network.
Fifth, update your security protections. Outdated software puts you at great risk; outdated antivirus software is useless. One of the easiest things to do is to turn on automatic system updates. This is perhaps one of the easiest actions you can take to secure your system.
The threat against companies is constant, and in today's world, it is increasing. The question is, then what can a company do? Our recommendation is to start with the simple things to reduce your vulnerabilities. The goal should be system security, which like a good safety program, is a process that will never end. The five security practices listed here are low in cost and high in impact. The best advice is to start now.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at firstname.lastname@example.org.