CERT NZ issues critical security controls for 2019
FYI, this story is more than a year old
New Zealand’s Computer Emergency Response Team (CERT NZ) has released its 2019 list of critical controls that it believes could help organisations fend off cyber attacks.
The annual list is designed to help businesses prioritise their security controls based on CERT NZ’s local and international threat intelligence.
This year CERT NZ has made two major changes since last year’s iteration: It has replaced sections on BYOD device management and legacy system removal with controls on cloud authentication management and network segmentation implementation.
The 10 critical controls for 2019 are:
- Enforce multi-factor authentication
- Patch software
- Disable unused services and protocols
- Change default credentials
- Implement and test backups
- Implement application whitelisting
- Enforce the principle of least privilege
- Configure centralised logging and analysis
- Implement network segmentation
- Manage cloud authentication
CERT NZ offers the following tips for dealing with each critical control:
Enforce multi-factor authentication
“Credential dumps and credential harvesting attacks are common. They give attackers access to large numbers of usernames and passwords.”
Businesses can enable multi-factor authentication on privileged and remote access systems including VPNs, administrative consoles, webmail, and applications such as Citrix.
“We saw several phishing campaigns focused on credential harvesting in 2018. One example was the Office365 campaign. In the cases we saw, enabling MFA would have prevented unauthorised access to the accounts with leaked credentials.”
Keeping software, operating systems and applications up-to-date is one of the most effective steps to securing business environments.
“We've seen many organisations attacked by malware that exploits known vulnerabilities. Applying patches would have helped them avoid these attacks.”
Disable unused services and protocols
Older services and protocols can have unique vulnerabilities that aren’t protected by patching. Those vulnerabilities provide opportunities for attackers to get into a network.
Businesses should scan their networks for services and protocols that are known to be vulnerable, and those that are no longer used. They should then remediate the issues.
“The recent WannaCry incident demonstrated what can happen when attackers exploit out-of-date protocols.”
Change default credentials
Businesses should immediately change all default credentials when any new application or device is introduced to a network. This will stop attackers from getting into a network with known usernames and passwords.
“We continue to see organisations compromised by attackers using unchanged default credentials.”
Implement and test backups
Backups make good business sense and are critical to recover from all kinds of incidents – whether ransomware or any disaster situation.
“We've seen organisations lose data and incur significant operational costs because they didn't have up-to-date, well-maintained backups.”
Implement application whitelisting
Email clients and web browsers are two common ways that attackers infect a user’s devices. To prevent infections from happening, businesses should identify and whitelist applications that are approved for use.
CERT NZ says most malware incidents it has seen may have come from malicious email attachments or ‘drive-by downloads’.
“Whitelisting the approved applications will help protect the system from these attacks. It's a key security control for your network.”
Enforce the principle of least privilege
Users should only be able to access and control systems they need to do their jobs – this is the minimum level of access. Remove old user accounts when they are not needed anymore. When a user needs administrative privileges, CERT NZ advises businesses to create a separate account.
“We're aware of incidents where users held unnecessary administrative privileges. Attackers were able to exploit their accounts to make unauthorised changes to the environment.”
Configure centralised logging and analysis
Without effective logging, it’s difficult to work out where an attack came from.
If all logs are secured and stored in one place, it can make alerts and log analysis easier to understand what happened during an incident. Alerts can flag abnormal behaviour and suggest what to investigate.
“Logs weren't available for many of the incidents reported to CERT NZ. This meant it wasn't possible to do a complete post-incident investigation.”
Implement network segmentation
This control relies on how other controls such as the principle of least privilege and disabling unused services are implemented.
Network tools such as firewalls and keeping other critical controls in check can prevent attacks from spreading through a system.
“We've seen incidents where attackers used common management tools and protocols to gain control of other machines on a network. There are also tools scripted to get credentials. The credentials are then used to access other devices and applications in a network.”
Manage cloud authentication
As organisations move towards cloud-based services, it’s common to have multiple authentication systems. By using a centralised authentication policy, businesses have better control and visibility into who is accessing what. It can also help to configure multi-factor authentication for applications that may not support it, and provides a unified experience.
“We're aware of incidents where cloud authentication misconfigurations let attackers bypass security controls. They do this by using legacy authentication protocols.”
CERT NZ also strongly recommends that organisations continue with their own best practices, such as managing effective password policies.