You've heard the story before: a small town, held hostage by a strange, foreign, invading force. Its only hope lies in a ragtag band of... information security workers? If you thought I was going to say Patrick Swayze, Charlie Sheen, Jennifer Grey and C. Thomas Howell, you are sadly mistaken.
I kid. Maybe. Sort of...
The Red Army isn't going to roll down your main street to get Big Macs at the local McDonald's. Instead, your town, heck, all of our towns, are just sitting ducks waiting for a cyber attack to happen.
I've written stories before on how municipalities are getting nailed left and right for huge amounts of money. Here's a list:
- Kentucky School District Recovers $3.7 Million Stolen During Phishing Scam
- City of Tallahassee Payroll Hacked. Thieves Steal $498,000
- City of Albany NY Attacked by Ransomware!
- Jackson County, GA Pays Cybercriminals $400,000 to Unlock Computers After
And that's only part of it! Honestly, there have been so many municipalities hacked that I've gotten tired of covering them! Frankly, everybody here at Security7 Networks is so tired of municipalities being hacked that we've decided to do something about it.
Here's our list of seven steps EVERY municipality should take RIGHT NOW to help avoid cyber attacks:
This can apply, in a way, to network traffic as well. It's important to know not only where traffic on your network is coming from, but where it's going as well. Yes, some outbound traffic is normal, or even welcome. That doesn't mean all of it is.
Outbound traffic should be restricted by source, identity and protocol. Start by making a list of the remote services you should be communicating with regularly. After that, scan your network for any outbound traffic you don't recognize, identify what it is, and then block it accordingly.
Consider implementing a DENY ALL outbound policy (with logging enabled) as well, so that outbound traffic of any type is limited to what you expressly allow.
2. Implement Web Filtering to block known bad, unacceptable and unknown traffic
Beyond the possible increase in general workforce productivity that some say it brings, web filtering is better leveraged for blocking known bad websites as well as unacceptable and unknown traffic.
Properly setting up web filtering services on your firewalls can save you hours of headaches. Most firewalls either have a service built in or one you can subscribe to that will do most of the heavy lifting for you. Yeah, occasionally you might bump into an oddly misclassified website or whatnot, but ultimately it does a pretty darn good job of keeping people safe on the internet.
We personally use FortiGuard and recommend it to anyone using a FortiGate device. Of course, Fortinet isn't alone in offering a web filtering product. Others like Cisco and Barracuda (to name a few) do as well.
Botnets are nasty, nasty things. They can be difficult to detect too, since they're designed to operate without the end user's knowledge. But you're in luck: there are a few common things you can look for.
- IRC traffic (botnets and bot masters use IRC for communications)
- Connection attempts with known C&C servers
- Multiple machines on a network making identical DNS requests
- High outgoing SMTP traffic (as a result of sending spam)
- Unexpected popups (as a result of click-fraud activity)
- Slow computing/high CPU usage
- Spikes in traffic, especially on Port 6667 (used for IRC), Port 25 (used in email spamming), and Port 1080 (used by proxy servers)
- Outbound messages (email, social media, instant messages, etc) that weren’t sent by the user
- Problems with Internet access
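The outbound inventory from the first step and the botnet indicators just listed come together in a triage pass over your deny-all firewall logs. Here is an added example of that pass (not code from Security7 Networks or this post); the log format, allow-list, and C&C address are all constructed for illustration and are not real indicators.

```python
# Added example (constructed data, not real indicators): triage deny-all outbound logs.
from collections import Counter, defaultdict
# Step 1 inventory: remote services this network is expected to talk to (constructed).
ALLOWED_DESTINATIONS = {("203.0.113.10", 443), ("192.0.2.53", 53)}
KNOWN_CC = {"198.51.100.77"}  # constructed placeholder for a threat-intel C&C list
WATCHED_PORTS = {6667: "IRC", 25: "SMTP", 1080: "proxy"}  # ports named in the post
SPIKE_THRESHOLD = 3  # connections from one host to one watched port before flagging

# Constructed firewall log: "<action> <src> <dst> <dport> [dns=<query>]", one per line.
SAMPLE_LOG = """\
ALLOW 10.0.0.5 203.0.113.10 443
ALLOW 10.0.0.5 192.0.2.53 53 dns=update.example-vendor.test
ALLOW 10.0.0.6 192.0.2.53 53 dns=xk3ql.bad-domain.test
ALLOW 10.0.0.7 192.0.2.53 53 dns=xk3ql.bad-domain.test
DENY 10.0.0.6 198.51.100.77 6667
DENY 10.0.0.6 198.51.100.77 6667
DENY 10.0.0.6 198.51.100.77 6667
DENY 10.0.0.9 192.0.2.200 25
DENY 10.0.0.9 192.0.2.200 25
DENY 10.0.0.9 192.0.2.200 25
"""

def parse(log):
    """Yield (action, src, dst, dport, dns_query_or_None) for each well-formed line."""
    for line in log.splitlines():
        f = line.split()
        if len(f) < 4:
            continue  # skip blank or truncated lines rather than crash on them
        dns = next((x[4:] for x in f[4:] if x.startswith("dns=")), None)
        yield f[0], f[1], f[2], int(f[3]), dns

def triage(log, allowed=ALLOWED_DESTINATIONS, known_cc=KNOWN_CC):
    """Map each indicator from the post to the sorted list of things that tripped it."""
    unknown, cc_hits, ports, dns_hosts = set(), set(), Counter(), defaultdict(set)
    for _action, src, dst, dport, dns in parse(log):
        if (dst, dport) not in allowed:
            unknown.add((src, dst, dport))  # outbound traffic nobody inventoried
        if dst in known_cc:
            cc_hits.add((src, dst))  # connection attempt to a known C&C server
        if dport in WATCHED_PORTS:
            ports[(src, dport)] += 1  # count toward an IRC/SMTP/proxy spike
        if dns:
            dns_hosts[dns].add(src)  # which hosts asked for this name
    return {
        "unknown_outbound": sorted(unknown),
        "known_cc_contact": sorted(cc_hits),
        "port_spikes": sorted((s, p, WATCHED_PORTS[p]) for (s, p), n in ports.items()
                              if n >= SPIKE_THRESHOLD),
        "shared_dns_queries": sorted(q for q, h in dns_hosts.items() if len(h) >= 2),
    }
```

Anything in `unknown_outbound` is a candidate for your allow-list or your block list; the other three buckets are the machines to pull for a closer look.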
- Filter and analyze messages
- Open and close ports
- Perform in-line spam screening
- Proxy your IM traffic
- Perform SSL session inspections
- Prevent security breaches
We're big believers in the idea that you can't manage what you don't measure. By analyzing your network traffic you get a much better idea of what's going on day to day. DPI can help you accomplish that.
Today's world is all about apps! I don't mean appetizers (but if that's where your first thought went, I like where your head's at). I mean applications. You can't do anything without 'em! They enable us.
There are a lot of products out there to consider when it comes to protecting your endpoints. We'd never shy away from our love of Cylance, but we'll be the first to admit they're not the only game in town, and there are a lot of solutions out there that would probably work for you. What matters is that you pick something and install it.
I personally am a big believer in the idea that the best way to protect yourself from something is to know as much as you can about it. If malware is as much a threat to municipalities as it appears to be (and it is), the best way to avoid an infestation is to educate not only yourself regarding the matter but the other people in the organization as well.
Yes, a next-generation endpoint protection product can help you avoid such an awful fate, but it's much better to be proactive than reactive, and a great way to do that is security awareness training for your end users.
Another way to accomplish this is to set up external email notifications that remind people not to do things like download and open attachments from people they don't know. External email notifications are exceptionally easy to set up and implement (as you can see in this article: https://www.securit360.com/blog/configure-warning-messages-office-365-emails-external-senders/).
Managing a network, any network, takes a lot of work. And it can sometimes feel a bit overwhelming, especially if you know there's probably a target painted on your back purely because of who you work for, regardless of your best efforts. All you can ever truly do is be prepared to the best of your ability. We hope this list helps you achieve what you're after.