After a few tense weeks—during which the U.S. assassinated a top Iranian general, followed by Iran launching missiles at a pair of American military bases in Iraq—the U.S. and Iran seem to have backed away from possible armed conflict.
While the immediate conflict between the two countries seems to have passed, the U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA), which oversees the security of critical infrastructure in the U.S., are continuing to warn private businesses (as well as state and local government agencies) that a retaliatory cyberattack remains a strong possibility.
While Iran might not have the cyber-capabilities of Russia, China or North Korea, Homeland Security and the FBI remain wary of what the country, along with hacking groups associated with the Iranian government, might be planning for the coming weeks and months. Since the U.S. first reportedly targeted the country’s nuclear program with Stuxnet in 2010, Iran has invested in its own offensive cyber-programs.
Six months before the current conflict, CISA issued a warning concerning what it calls “wiper” attacks tied to Iran, which could render computer systems useless and destroy valuable data.
Several security experts believe that Iran has already used this wiper malware against targets in Saudi Arabia dating to 2012. In addition, Iran-associated hackers have previously targeted several major U.S. banks with distributed denial-of-service attacks that disrupted service for customers.
While the odds of a cyberattack seem more a matter of “if” than “when,” security experts say that enterprises and businesses should take advantage of the heightened sense of awareness and use this time to get back to good, fundamental cybersecurity practices and hygiene.
Iran Tensions: Back to Fundamentals
For any business, the IT and security department should be on the same page, with CISOs keeping tabs on the latest risks and threats that are targeting the network, and CIOs and their teams creating plans to deploy patches and update older systems.
For Terence Jackson, the CISO of Thycotic, a Washington D.C.-based security firm, with news of Iran and threats of a cyberattack response, now is the time to rethink some of the fundamentals of cybersecurity. This includes basics such as patch management, network segmentation, endpoint protection, and enforcing least privilege access for employees, as well as testing backups and disaster recovery procedures.
“The industry will sell on Fear, Uncertainty and Doubt (FUD), however, the reality is that we all face numerous threats each and every day,” Jackson told Dice. “The goal is to stay as ready as you can and make sure your people, processes and technology have been tested prior to the real event. We live in a world of ‘When, Not If.’”
The message about getting back to basics is also coming from some of the highest levels of the U.S. government responsible for the nation’s security. In its alert from Jan. 6, CISA notes: “In times like these, it's important to make sure you've shored up your basic defenses, like using multi-factor authentication, and if you suspect an incident—take it seriously and act quickly.”
For those looking beyond the basics, John Dumont, a senior director with the Crypsis Group, a McLean, Virginia-based incident response, risk management and digital forensics firm, believes that many private firms, as well as public entities, can benefit from creating a security checklist. IT departments and the security counterparts should consider:
Alert employees to phishing: Many nation-state attacks have been shown to leverage phishing attempts, and it is a common tactic among all threat actors. Providing employees with adequate education about the dangers of phishing is key.
Auditing and limiting the use of privileged accounts: This is especially key with domain admin accounts. After threat actors gain a foothold in the network, they will look to escalate privileges and move laterally through the network.
Deploying endpoint detection and response: It only takes about two hours for an advanced threat actor to “breakout” from a compromised endpoint. Security at endpoints is therefore key.
Integrating multi-factor authentication as part of organizational policy: This can greatly reduce the risk of an adversary gaining control of valid credentials. Implement plans and procedures for taking and testing backups. This is one way to ensure backups are stored off-system and are protected from common methods that adversaries may use to gain access and destroy the backups.
Don’t leave RDP accessible to the public-facing internet: Disable Remote Desktop Protocol (RDP) service or use a remote desktop gateway to manage connections and security configuration of RDP within a network.
“While enterprises shouldn’t wait until high alert to take action on security best practices, situations like these provide CISOs with good ammunition to request much-needed budget for strengthening security,” Dumont said. “Not only is Iran predicted to raise the ante in cyber activity, attacks across the board are an ever-increasing threat to the enterprise.”