Do the basics well

Attacks against local entities have been on the rise over the last 3 years and the TT-CSIRT has issued several advisories, alerts and guidance noting this uptick during that time. The necessary increase in digital transformation initiatives being pursued by both the public and private sector also inadvertently increases our viability as a target for threat actors. Coupled with the added attention which cybercriminals are paying to the region, we see that local organizations can no longer afford to throw a blind eye to cyber security. Cyber security should be treated as an enterprise risk as opposed to being a problem for IT to handle.

New technology driven ways of doing business broadens our attack surface...

The top threats to organizations in Trinidad and Tobago continue to be ransomware, phishing, malicious insiders, data leakage and hacking. Local entities are attacked on an almost daily basis. The majority of these attacks are unsuccessful but when they are it can be devastating.

The vectors by which these attacks are carried out are numerous but these are the most common in our analysis of successful attacks on local organizations:

• Exploitation of system vulnerabilities
• Phishing emails with malicious links and/or attachments
• Compromised user credentials
• System misconfigurations

Do the basics well…

How can local organizations combat this evolving threat landscape? – Do the basics well. In the majority of instances where TT-CSIRT has been called on to respond or provide guidance, the compromise could have potentially been avoided if the organization did the basics well.

Organizations should ensure that these measures are implemented, tested and reviewed to address the four (4) attack vectors highlighted above:

• Exploitation of system vulnerabilities
  • Update and patch your systems and software in a timely manner
  • Subscribe to advisory feeds from your vendors and TT-CSIRT for security update notices
• Phishing emails with malicious links and/or attachments
  • User awareness and training
  • Email filtering
  • Endpoint protection
• Compromised user credentials
  • Multi Factor Authentication
• System misconfigurations
  • Use best practice and hardening guides like those provided by the Center for Internet Security (https://www.cisecurity.org/cis-benchmarks/)

It is critical to maintain offline, encrypted backups of data…

But attacks aren’t limited to the vectors above. Here are other basic things that should be done to protect your organization from attacks and to ease the pain of recovery in the event you have been compromised:

• Maintain backups – It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline as many ransomware variants attempt to find and delete any accessible backups.
• Conduct regular vulnerability scanning to identify and address easily exploitable vulnerabilities, especially those on internet-facing systems.
• Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.

It is important that entities possess sufficient internal capacity in order to hold their MSP accountable…

These are simple measures that can improve the cyber security posture of any organization. However it is noted that entities sometimes do not have the financial resources or technical capacity to execute some of these measures. Many organizations opt to use managed service providers (MSPs) in an attempt to tackle their cyber security issues. However it is important that entities possess sufficient internal capacity in order to hold their MSP accountable and ensure that they are doing the job they have been contracted to do.

To summarize, as the threat landscape evolves and the number of attacks increase, organizations need to take proactive steps to safeguard themselves and the people they serve. Doing the basics well is the first and most important step in protecting your organization’s future.

References to other important information and resources from TT-CSIRT:

• Ransomware Joint Advisory – https://ttcsirt.gov.tt/ransomware-joint-advisory/
• Ransomware Prevention – https://ttcsirt.gov.tt/ransomware-prevention/
• Ransomware Response Checklist – https://ttcsirt.gov.tt/ransomware-response-checklist/
• Social Engineering Tactics – https://ttcsirt.gov.tt/social-engineering/
• Get Safe Online TT (Individuals) – https://www.getsafeonline.tt/
• Get Safe Online TT (Businesses) – https://www.getsafeonline.tt/business/