More than ever, infrastructure security is at risk and measures should be put in place so as to prevent or react in the …
- A. “unlikely event of a loss of cabin pressure”?
- B. “the most-likely event of a network security breach!”
- C. None of the above
Well, those of you who chose “B” guessed (or even better, “risk-assessed”) correctly!
As part of its ongoing effort to inform businesses about digital infrastructure security, the National Cybersecurity Authority of Greece is publishing a short guide to measures and key guidelines for effectively protecting information systems from cyber-attacks.
The measures included in the guide formulate a set of actions called digital “defense-in-depth” and include good practices for limiting and dealing with the most common types of attacks on systems, applications and networks.
Regardless of the sector in which a business operates, cybersecurity must be a high priority, especially in the current era, where more and more day-to-day activities take place over the internet.
The short guide is a follow-up to the guidelines issued by the Ministry of Digital Governance last March on safe work from home and protection of systems and applications.
The National Cyber Security Authority points out that the security of information and telecommunications infrastructure is an ongoing process and calls on both businesses and citizens to keep their equipment (computers, smartphones, tablets, routers, etc.) up to date based on manufacturers’ instructions and to trust only reliable sources of information for their protection.
Any information and network security management system should have a risk-based methodology in place, so as to protect confidentiality, integrity, availability and privacy while balancing that protection against human and financial resources.
More specifically, the Greek National Cybersecurity Authority sets out the following as mandatory:
- Develop security policies, guidelines, and procedures for the protection of information and related systems, which extend to service and goods providers as well as cloud service providers.
- Use properly configured and up-to-date anti-malware software with central management. Also, there should be a patch management plan for the scheduled installation of security updates in operating systems and applications.
- Account management and access control.
  - Access to information and systems should be based on roles and tasks, according to the “need-to-know” and “least privilege” approaches.
  - Management accounts should be used exclusively for management tasks. Depending on the criticality of the data and the systems, additional measures are recommended, such as the use of computers dedicated exclusively to management and two-factor authentication.
  - Use strong passwords. A recommended password should be at least 10 characters long with a combination of uppercase, lowercase, special characters, and numbers.
- Keep log files on the network, servers, operating systems, and applications, which should be regularly monitored for system attacks and breach attempts.
- Implement a multi-level defense.
  - Secure your outside perimeter using firewalls, IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), access control lists, etc.
  - Internally, segment your network, either physically or virtually (VLANs). In addition, implement access rules (assigned to users and devices), restrict rights, and create DMZs.
- Implement, on a regular basis, staff awareness programs and security culture training. The vast majority of modern cyber-attacks start with social engineering attacks (e.g. phishing email, spam).
- Remote access to the Organization’s systems should be done using a VPN with strong encryption, as well as two-factor authentication.
- Develop an incident response plan that includes clear roles and actions and is tested periodically.
- Keep regular backups of your data, ensuring their effective recovery in case of loss. Also, backups of critical and sensitive data should be stored securely and with limited access.
- Apply encryption mechanisms to critical and personal data held by the organization, to ensure their confidentiality and privacy at all stages of their life cycle.
- Implement protection and recovery measures from natural and environmental threats (power outage, floods, fires, etc.).
In addition to the aforementioned guidelines set out by the Greek National Cyber Security Authority, a list of good practices follows, addressed to people managing or working on such infrastructures. Breaches are not always purely digital: an increasing number of them are the result of a “physical” breach.
Personnel should be cautious and report suspicious behavior and activity at all times! Directions in the form of questions such as the following should be brought to personnel’s attention.
- Are you aware of anyone recording or monitoring activities, taking notes, using cameras, maps, binoculars, etc., near a key facility?
- Have you observed abandoned vehicles, stockpiling of suspicious materials, or persons being deployed near a key facility?
- Are you aware of anyone who does not appear to belong in the workplace, neighborhood, business establishment, or near a key facility?
- Are you aware of anyone attempting to gain information in person, by phone, mail, e-mail, etc., regarding a key facility or its personnel?
- Are you aware of any attempts to penetrate or test physical security or procedures at a key facility?
- Are you aware of anyone attempting to improperly acquire explosives, weapons, ammunition, dangerous chemicals, uniforms, badges, flight manuals, access cards, or identification for a key facility or to legally obtain items under suspicious circumstances that could be used in a terrorist act?
- Have you observed any behavior that appears to be preparation for terrorist activity, such as mapping out routes, playing out scenarios with other people, monitoring key facilities, timing traffic lights or traffic flow, or other suspicious activities?
- Has your system or website’s availability been disrupted? Are your employees, customers, suppliers, or partners unable to access your system or website? Has your service been denied to its users?
- Are you aware of anyone attempting to gain information in person, by phone, mail, e-mail, etc., regarding the configuration and/or cyber security posture of your website, network, software, or hardware?
- Are you aware of anyone attempting (either failed or successful) to gain unauthorized access to your system or its data?
- Has anyone made unauthorized changes or additions to your system’s hardware, firmware, or software characteristics without your IT department’s knowledge, instruction, or consent?
- Are you aware of anyone in your organization receiving suspicious e-mails that include unsolicited attachments and/or requests for sensitive personal or organizational information?
- Are unauthorized parties using your system for the processing or storage of data? Are former employees, customers, suppliers, or partners still using your system?
Let us summarize the most important points.
Cyber Security Guidance
- Make your passwords complex. Use a combination of numbers, symbols, and letters (uppercase and lowercase).
- Change your passwords regularly (every 45 to 90 days).
- Use a different password for each website/service/software. Never use a “master password” for all of them.
- Do NOT give any of your usernames, passwords, or other computer/website access codes to anyone.
- Do NOT open e-mails or attachments from strangers.
- Do NOT install or connect any personal software or hardware to your organization’s network or hardware without permission from your IT department.
- Make electronic and physical back-ups or copies of all your most important work.
- Report all suspicious or unusual problems with your computer to your IT department.
Management & IT Department
- Implement Defense-in-Depth: a layered defense strategy that includes technical, organizational, and operational controls.
- Establish clear policies and procedures for employee use of your organization’s information technologies.
- Implement Technical Defenses: firewalls, intrusion detection systems, and Internet content filtering.
- Update your anti-virus software daily.
- Regularly download vendor security “patches” for all of your software.
- Change the manufacturer’s default passwords on all of your software.
- Monitor, log, and analyze successful and attempted intrusions to your systems and networks.
Physical Security Guidance
- Monitor and control who is entering your workplace: current employees, former employees, and commercial delivery and service personnel.
- Check identification and ask individuals to identify the purpose of their visit to your workplace.
- Report broken doors, windows, and locks to your organization’s or building’s security personnel as soon as possible.
- Make back-ups or copies of sensitive and critical information and databases.
- Store, lock, and inventory your organization’s keys, access cards, uniforms, badges, and vehicles.
- Monitor and report suspicious activity in or near your facility’s entry/exit points, loading docks, parking areas, garages, and immediate vicinity.
- Report suspicious-looking packages to your local police. DO NOT OPEN or TOUCH.
- Shred or destroy all documents that contain sensitive personal or organizational information that is no longer needed.
- Keep an inventory of your most critical equipment, hardware, and software.
- Store and lock your personal items such as wallets, purses, car keys, identification documents and mobile devices when not in use.