It is no news that having sufficient protection of digital information is becoming increasingly important for all organisations. But there are some things that most can do to strengthen their cyber resilience. ENISA and CERT-EU have listed a number of recommendations that all should follow for better cyber resilience – we have elaborated on two on them that we have useful knowledge of.
How to build your resilience
In a publication by ENISA (The EU Agency for Cybersecurity) and CERT-EU (the CERT of all the EU institutions, bodies and agencies), they have stressed the urgency of following some important points that are needed for strengthening your cyber resilience. But there are a few that can be fulfilled by using sufficient cybersecurity products:
- Ensure that all software is up to date
- Employ appropriate network segmentation
These are both vital points in building strong cyber resilience.
Ensure that all software is up to date – and securely updated
One of the easiest ways to protect yourself is to update all software, and especially if they are security updates addressing known vulnerabilities. This need is due to the fact that in complex software it is almost impossible to avoid errors and bugs which should be corrected quickly when found to ensure stability and security of the systems. In addition to correcting bugs, the manufacturers behind operating systems, firmware and applications drive a functional growth which means that the systems gradually become obsolete and hard to maintain if they are not updated.
However, it is important to make sure that the updates themselves do not pose a security risk as an update means that information is imported or added to the system, and this can lead to unwanted malware entering the system. The integrity and availability of the systems must be maintained, and many system updates are usually not sufficiently screened or evaluated in the environment in which they are used or in combination with the applications running. To avoid the risks and to maintain the integrity and availability of the systems and at the same time enable secure updates, special solutions are needed.
One solution is to use a data diode that ensures unidirectional communication. The data diode is connected in a way that secures that information can be imported into the system, but since no traffic can be transferred in the opposite direction, information leakage is hindered.
Another solution to further ensure that the update has not been manipulated, the import of update packages can be conducted using file sanitation consisting of two data diodes and a server for antivirus scanning, such as Advenica’s File Security Screener. The file sanitation conducts an independent control making sure that the update is valid. However, even in this case it is best to let the receiving update server verify the signature and thereby get another control of the accuracy of the update.
Learn more about how to conduct secure updates in our solution description!
Employ appropriate network segmentation
To protect your sensitive systems and information you need to use network segmentation. Network segmentation reduces the risk and limits the damage of a cyberattack. Without it, there is a risk that sensitive information can leak or be manipulated, and that malware and ransomware can spread uncontrollably and quickly. Attackers do not normally take the direct path to the target, such as electricity distribution. Instead, they worm their way in via weak points far out in the architecture, via email or customer service, to reach their goal. State-funded attackers are also equipped with patience, prepared to work long-term doing everything in small steps, and are unfortunately often one step ahead. The harsh reality is that industrial control systems may have been attacked without anyone noticing.
Segmenting network environments can be a very complex task including many different competencies and can have a major impact on ongoing operations. The complexity depends on aspects such as how big the environment is, what the current situation looks like, budget, what staff is available and the will of the management.
Here are five steps that you can use as a starting point when you start planning your segmentation project:
- Create a zone model
- Define what should be segmented
- Perform a security analysis of included systems
- Arrange the systems according to the zone model
- Implement, test and put into operation
Learn more about network segmentation in our know-how!
Do you want to know more about how we can help you build your cyber resilience? Read more about how we can protect your digital information!