26/04/18 |

Customer advice: Your business and the Russian cyber-attacks

By Barry Brailey, Principal VSO, Aura Information Security

Last week, the US and British governments publicly stated that Russia was responsible for conducting a global campaign to compromise computer routers and firewalls around the world. Subsequently, Government Communications Security Bureau (GCSB) director-general Andrew Hampton confirmed that New Zealand organisations were also impacted, showing that despite our remote location we are not immune to such attacks.

As these attacks could potentially affect your business or organisation, Aura Information Security is recommending that you take extra precautions to ensure you are protected. Below is our advice on what you should be doing and how such attacks can be repelled on an ongoing basis.

What is the threat? 
This particular threat comes via a known exploit that affects a feature included with certain Cisco equipment, further proving that existing exploits are still routinely used as a method of compromise. The exploit is being misused to gain access to targeted networks (and the networks of any other organisations using this equipment, including multiple New Zealand companies).

Cisco has already published full details of the feature, called Smart Install Protocol (SMI), and how it can be misused. CERT has also provided technical advice on the issue.
These attacks have potentially occurred owing to political issues taking place far from New Zealand and in which our country has a negligible interest, beyond the ‘Five Eyes’ signal intelligence alliance between Australia, Canada, New Zealand, the United Kingdom and the United States.

How do you know if it has affected your business?
If your business is currently running any affected equipment and particularly if you have made use of SMI, your organisation could indeed be among those that are compromised. It’s important to note that being compromised and having had anything go obviously wrong are not necessarily the same thing. Compromised equipment may be used to ‘potentially lay a foundation for future offensive operations’ – that is, it is in the control of attackers, but hasn’t been used to do anything untoward yet.

What you should do to mitigate the risk?

Like many compromises, this one is in fact not new (it apparently may have emerged in 2015 and Cisco has released advice relating to this for well over a year now), which again highlights the necessity for always ensuring all equipment and devices are kept up to date with the latest patches and in line with all security best practices. In the wake of this news, we advise every business running affected equipment to check configurations and be sure no back doors are left open. That means all equipment, and anything related to running the operating system (IOS/IOS XE), should be thoroughly investigated.
Beyond this occurrence, it’s important to plan for the future to ensure the risk of your business being affected by any cyber-attack is minimal. As already noted, most attacks, whether state sponsored or perpetrated from a hacker’s basement, seek out known vulnerabilities. They are also routinely automated; hence the collateral damage. Known vulnerabilities almost always have known and readily available solutions. Check, patch and keep everything up to date – regardless of the manufacturer or brand of your network and computer equipment.

It is also probably a good time to review, check and verify the status of your complete environment. A good idea is to include ‘device hardening’ in this process: disable all unnecessary or unused services and protocols that could potentially provide a window of opportunity for hackers.

And remember: the best security starts with close attention to the basics. Passwords, routinely updated software, firewall, antivirus; these are among the most basic of measures and respecting them will get most of the job done. A final word on passwords and network gear: make sure it is not still using the default and therefore widely known passwords. Sounds silly – but it is a surprisingly common oversight.

Consider a boundary review
Finally, if your business has carried out all the above to address the vulnerability, that puts you in an excellent position to consider carrying out additional security updates and testing – particularly a boundary review or penetration test. These will be far more effective after the fact as otherwise, experts’ time is potentially being spent on fixing the small things rather than finding the big holes in your business’ security armour.

Get the latest Aura news
Stay up-to-date on Aura news and events – follow us on LinkedIn and Twitter.
Follow our research
View our team's work on our dedicated Aura research blog…
Search our archives
Looking for something specific? Search the Aura archives…