Secure your network

Reading time: 16 min

Nowadays, it is unnecessary to point out that cybersecurity is an essential element for all companies,
public institutions, and even private individuals.

Numerous components and tools can and must be put in place to secure your environment in the
broadest sense. This includes not only network components such as servers and routers but also end-user computers, as well as employee and customer data, wherever it may be hosted.

This paper is intended as an introduction to all your future efforts to secure your environment,
focusing first and foremost on the network itself. What technologies to use, what architecture to put
in place, and how best to secure them are the questions we'll be answering.

Content

1. Network Security Technologies

To build a secure network, we must use different components, each with a specific goal in terms of security. For easier readability, we group these components into two categories: Content filtering, and traffic monitoring.

The first one, content filtering, groups elements that act on the network and can manipulate traffic (authorize, deny, alter, etc.). This includes:

  • Firewalls, which filter network flows and tightly control communication between hosts of different security sensitivity.
  • Forward proxies, which control outgoing communications toward the untrusted internet.
  • Network Access Control (NAC), which mitigates physical intrusion into your network, whether malicious or accidental.
  • Virtual Local Area Networks (VLAN), which compartmentalize hosts and services in conjunction with firewalls.
  • Virtual Private Networks (VPN), which securely interconnect multiple remote internal networks across the untrusted internet, when needed.

The second category, traffic monitoring, groups elements that only observe the network and therefore do not alter the traffic. This is mainly done by Intrusion Detection Systems (IDS):

  • IDS monitor traffic and detect unwanted behaviour.
  • Endpoint Detection and Response (EDR), an endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware.

All these elements should adhere to some best practices to achieve their goals and must be nested correctly.

Content Filtering

Firewalls

Choose your firewall

There are mainly three kinds of firewalls: stateless, stateful and next-generation.

Stateless and stateful firewalls both inspect packet headers before taking a decision, so they only look at source and destination IP addresses and ports. In addition, a stateful firewall stores information about active connections: once a connection is open, the firewall tracks and updates its internal state record as new packets are inspected. That gives it the possibility to detect anomalies, for example a DNS response with no corresponding request.

So, we always recommend a stateful firewall over a stateless one.

A Next-Generation Firewall (NGFW), however, can also inspect the payload of most packets. The processing capacity required, and therefore the price, is of course higher, but it is currently the best firewall technology on the market.

System

As a rule of thumb, we want to reduce the attack surface of our systems as much as possible, and everything that remains accessible should be controlled tightly.

Our first focus will be the configuration and maintenance of the firewall itself. As such, we should insist on using nominative (per-person) accounts, ideally authenticated against a directory service through the LDAP protocol, with Multi-Factor Authentication and a valid certificate for proper security.

Read our paper about Multi-Factor Authentication: https://www.cert.be/en/paper/better-protect-accounts-multi-factor-authentication.

The service account used for querying Active Directory should have the least privileges possible.
All nominative accounts should respect the principle of least privilege. For example, an analyst would only have read access, whereas an administrator could have read and write access. Ideally, this would be set up with role groups in the directory service to avoid disparate rights configurations. The local administrator credentials should be secured in a vault and never used unless there is no other choice.

The list of accounts that have access to the firewall must be updated depending on hiring and departures, as well as when employees' functions change. This list must be reviewed at least on a yearly basis.

In terms of network configuration, we should absolutely dedicate a physical interface of the firewall to administration access, in the administration VLAN. We should take care to deactivate network interfaces that are not used, always in the spirit of diminishing the attack surface.
It is also important that the firewall has static routes for every internal network not directly connected to it, to avoid relying on DNS and the spoofing attacks that would make possible.

Filtering policy

When configuring your filtering policy, we recommend using explicit rules. This means writing down everything you want to do, in a logical order, without assuming the application of implicit rules perhaps built into the firewall. It also makes the policy easier to understand and maintain for you and future administrators, and easier to refine with specific parameters per rule, for example choosing not to log well-known noisy traffic.

Also apply the principle of least privilege: open only the ports necessary for the smooth running of the business and the workers, and no more. Do not refuse to open every port either, but rather act as a "good father of the family" (bonus pater familias) would: reasonably and prudently.

Everything that is not explicitly authorized by the filtering policy should also be explicitly blocked. That's why your configuration should absolutely end with a final blocking and logging rule.

To take a closer look at the logical order of the rules, which makes them more efficient, easier to read and easier to maintain, we'll divide them into four types:

  • Firewall protection:
    • Allow and log flows towards the firewall (typically for administration) and flows emitted by the firewall (typically for updates).
    • Block every other network flow with the firewall as a destination. This rule must log, and it must cover every interface of the firewall.
  • Business rules:
    • Allow all business network flows, as specifically as possible, and log them.
  • Noise rules:
    • If needed, disable logging of well-known noise.
  • The final block:
    • Block and log everything not permitted above. In some configurations, this block is instead placed at the beginning, blocking everything except what the rules after it accept; in that case it logs all traffic, but the idea is the same.

For example, here is a succinct view of what it would look like:

Source               Destination           Destination service   Action

Allowed flows to the firewall
[ADMIN_NET]          admin_interface       HTTPS                 Allow + log
[DISTANT_OFFICE]     external_interface    IPSEC                 Allow + log

Allowed flows from the firewall
internal_interface   [UPDATE_SERVERS]      HTTPS                 Allow + log
external_interface   [DISTANT_OFFICE]      IPSEC                 Allow + log

Firewall protection
any                  [ALL_INTERFACES]      any                   Block + log

Allowed business traffic
proxy                internet              HTTPS                 Allow + log
[USERS_NET]          [ADDS_SERVERS]        AD                    Allow + log
[MAIL_SERVERS]       internet              SMTP                  Allow + log

Noise rules
[USERS_NET]          users_net_broadcast   SMB_BROADCASTS        Block

Final block
any                  any                   any                   Block + log
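As an added example (not part of the paper), the table above replayed by a small first-match evaluator: the network and service objects are given constructed addresses and ports, and the evaluator shows which rule a given flow hits and whether it is logged, together with a check that the policy ends with the logged catch-all block.

```javascript
// Added example (not from the CERT.be paper): a first-match evaluator that
// replays the paper's example policy against constructed flows, showing which
// rule a flow hits, whether it is logged, and why the order matters. All
// addresses, ports and object contents below are constructed for the demo.

// Network objects from the table, as constructed CIDR lists.
const ADDR_OBJECTS = {
  ADMIN_NET: ["10.0.10.0/24"],
  USERS_NET: ["10.0.20.0/24"],
  ADDS_SERVERS: ["10.0.30.10/32", "10.0.30.11/32"],
  MAIL_SERVERS: ["10.0.40.25/32"],
  UPDATE_SERVERS: ["198.51.100.0/24"],
  DISTANT_OFFICE: ["203.0.113.5/32"],
  proxy: ["10.0.50.10/32"],
  users_net_broadcast: ["10.0.20.255/32"],
  // Firewall interface addresses; ALL_INTERFACES is their union.
  admin_interface: ["10.0.10.1/32"],
  internal_interface: ["10.0.1.1/32"],
  external_interface: ["192.0.2.1/32"],
  ALL_INTERFACES: ["10.0.10.1/32", "10.0.1.1/32", "192.0.2.1/32"],
  // Kept unrestricted here; a real policy would define "internet" as
  // everything outside the internal ranges.
  internet: ["0.0.0.0/0"],
  any: ["0.0.0.0/0"],
};

// Service objects as [protocol, destination port] pairs; port 0 = any port.
const SERVICES = {
  HTTPS: [["tcp", 443]],
  SMTP: [["tcp", 25]],
  IPSEC: [["udp", 500], ["udp", 4500], ["esp", 0]],
  AD: [["tcp", 88], ["udp", 88], ["tcp", 389], ["tcp", 445], ["tcp", 53], ["udp", 53]],
  SMB_BROADCASTS: [["udp", 137], ["udp", 138]],
};

// The paper's table, top to bottom. The first matching rule decides.
const POLICY = [
  // Allowed flows to the firewall
  { src: "ADMIN_NET", dst: "admin_interface", svc: "HTTPS", action: "allow", log: true },
  { src: "DISTANT_OFFICE", dst: "external_interface", svc: "IPSEC", action: "allow", log: true },
  // Allowed flows from the firewall
  { src: "internal_interface", dst: "UPDATE_SERVERS", svc: "HTTPS", action: "allow", log: true },
  { src: "external_interface", dst: "DISTANT_OFFICE", svc: "IPSEC", action: "allow", log: true },
  // Firewall protection: nothing else may reach any firewall interface
  { src: "any", dst: "ALL_INTERFACES", svc: "any", action: "block", log: true },
  // Allowed business traffic
  { src: "proxy", dst: "internet", svc: "HTTPS", action: "allow", log: true },
  { src: "USERS_NET", dst: "ADDS_SERVERS", svc: "AD", action: "allow", log: true },
  { src: "MAIL_SERVERS", dst: "internet", svc: "SMTP", action: "allow", log: true },
  // Noise rules: drop broadcast chatter without filling the logs
  { src: "USERS_NET", dst: "users_net_broadcast", svc: "SMB_BROADCASTS", action: "block", log: false },
  // Final block
  { src: "any", dst: "any", svc: "any", action: "block", log: true },
];

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const prefix = Number(bits);
  if (prefix === 0) return true;
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function addrMatches(objectName, ip) {
  return ADDR_OBJECTS[objectName].some((cidr) => inCidr(ip, cidr));
}

function serviceMatches(svcName, flow) {
  if (svcName === "any") return true;
  return SERVICES[svcName].some(
    ([proto, port]) => proto === flow.proto && (port === 0 || port === flow.dport)
  );
}

// Walk the policy in order; flow = { src, dst, proto, dport }.
function evaluate(flow, policy = POLICY) {
  for (let i = 0; i < policy.length; i++) {
    const r = policy[i];
    if (addrMatches(r.src, flow.src) && addrMatches(r.dst, flow.dst) &&
        serviceMatches(r.svc, flow)) {
      return { action: r.action, log: r.log, rule: i };
    }
  }
  // Only reached when there is no catch-all: the device's implicit, unlogged
  // default decides, which is exactly what the paper tells you not to rely on.
  return { action: "implicit", log: false, rule: -1 };
}

// The check the paper insists on: the policy ends with an any/any/any block that logs.
function endsWithLoggedBlock(policy) {
  const last = policy[policy.length - 1];
  return Boolean(last) && last.src === "any" && last.dst === "any" &&
    last.svc === "any" && last.action === "block" && last.log === true;
}
```

Note that an HTTPS flow from the proxy to the firewall's administration interface hits the firewall-protection block (rule index 4) before the "proxy to internet" business rule can match it, which is the ordering the paper describes.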

Forward Proxies

We want to keep control of outgoing internet connections to detect Command & Control (C2) traffic or covert channels and block access to malware or malicious websites. A proxy serves this purpose.

Position and encryption

The proxy should have enough capabilities to decrypt and analyse traffic. For this purpose, the proxy server acts as a gateway between the user and the destination server, handling all requests and responses on behalf of the user. This position gives the proxy the capability to read the content of every connection and apply the desired filtering.

It must also ensure a secure connection between itself and the other actors involved. It ideally uses TLS 1.3, while never allowing a downgrade to weaker encryption methods. That means we want to use explicit proxies instead of "bump-in-the-wire" (or transparent) proxies, which no longer work effectively with encrypted traffic.

Moreover, the proxy should have all modern protocol analysis capabilities: HTTP/3, QUIC, DoT, DoH, DoQ, media streaming, etc.

We want to be able to capture network telemetry to identify anomalies (very valuable for exfiltration detection), as well as network captures (PCAP) for future threat hunting. Logging HTTP headers is also useful to identify data leakage. This is outside the scope of this paper, but if you want more information or implementation methods, you can refer to the following article: https://cqr.company/web-vulnerabilities/information-leakage-via-http-headers/.

User authentication

This determines how user devices are validated when accessing the Internet. Proxy Authentication must be enabled to be able to create new policies for users or groups. 

Two methods can be used to authenticate a user: via the device's IP address or via username and password. The second option is obviously the best, but it will not be possible for every component of your network, for example servers. For those, we create a list of authorized source hosts and destinations based on technical needs (update servers, for instance). Indeed, server access to the internet is the easiest for attackers to abuse for data exfiltration. Any access that is neither authenticated nor allow-listed should be blocked.

Thanks to user authentication, the proxy should be able to detect local or domain administrators, any privileged accounts, or service accounts and block their access to the internet.

Hosts configuration

With an explicit proxy we will typically use a Proxy Auto-Configuration (PAC) file, or Web Proxy Auto-Discovery (WPAD) to locate it, which describes to the client host how it should reach resources depending on the destination URL, hostname, or IP. That file should be stored so that it is easily and quickly accessible to the users but not from the outside, and only the appropriate privileged users should be able to modify it.

That file also makes it possible to configure certain connections to bypass the proxy (DIRECT), but the risks this entails need to be carefully considered.
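As an added example (not from this paper), here is a PAC file of the kind described above in which the DIRECT bypass is limited to explicitly listed internal destinations and everything else goes to the explicit proxy with no DIRECT fallback. The proxy address, internal domain and address ranges are assumptions, and the helper functions a browser's PAC engine normally provides are re-implemented minimally so the file runs stand-alone.

```javascript
// Added example (not from the CERT.be paper): a PAC file whose DIRECT bypass is
// limited to listed internal destinations; everything else goes through the
// explicit proxy with no DIRECT fallback, so clients fail closed if the proxy
// is unavailable. Proxy address, internal domain and ranges are constructed.

const PROXY = "PROXY proxy.corp.example:3128"; // constructed proxy address

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names ("intranet", "localhost") and the internal domain are
  // reached directly. Keep the leading dot: dnsDomainIs(host, "corp.example")
  // would also match a lookalike such as "evilcorp.example".
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Internal address ranges (constructed) are reached directly. isInNet is
  // called only after the name checks because in a browser it resolves names.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else: explicit proxy only, deliberately without "; DIRECT".
  return PROXY;
}

// --- Minimal stand-ins for the helper functions a browser's PAC engine
// --- provides, so this file can be executed and tested outside a browser.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Suffix match, like the browser implementation.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

// Simplification: only dotted-quad literals are matched; a browser would also
// resolve host names here (one DNS lookup per URL, which is why the PAC above
// handles names first).
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}
```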

Proxy configuration

In terms of policy, the proxy should be configured to:

  • Restrict executables, libraries, scripts, installers, or other applications to a pre-approved list only.
  • Restrict download capabilities of non-approved file types.
  • Block active or un-scannable content like macro-enabled or encrypted files.
  • Take advantage of website categorization, usually provided by the vendor, to allow only access to websites depending on the needs of the user’s role. Considering malware sites have a high turnover, it would be wise to block new websites or uncategorized websites.
  • Detect and block malware via heuristics, reputation, and signature.

Network Access Control (NAC)

If we want to reduce the risk of a rogue device being physically connected to the network, a Network Access Control (NAC) solution is a good mitigation. The NAC solution verifies the authorization and access level of every device or user before it is connected to the network. The connecting device or user is first placed in a separate VLAN and, if authentication and authorization succeed, is then connected to the network.

The implementation of such solutions is outside of the scope of this paper, but here are some basic recommendations:

  • Since MAC authentication can easily be bypassed with MAC spoofing, 802.1X authentication should be used as a priority.
  • Certain devices, like printers, don't usually support the 802.1X protocol; they must be placed in a separate network.
  • As an attacker could place a hub and reuse the authentication of a legitimate device to intrude into the network, it is preferable to reduce the time before devices must re-authenticate.
  • All unused network ports should be disabled.
  • Exposing information like IP addresses or MAC addresses can ease the actions of an attacker and should therefore be tightly controlled.
  • Employees should be taught to ask questions and inform the appropriate people if they see new or suspicious devices plugged in somewhere.
  • A few things that can be monitored on the NAC solution can be indicative of an attack:
    • Uncommon link up/down events
    • Network speed and duplex changes
    • Changes in frame size
    • Changes in TTLs

A NAC can not only authenticate the user but also validate the security configuration of the client host against the security policies, for example checking that the antivirus is up to date.

Virtual Private Networks (VPN)

VPNs are used to interconnect separated hosts or networks over the internet in a secure and confidential way.

There are multiple types of VPN; we will focus here on the two most important, IPsec and SSL VPN solutions. The main difference is the protocol layer: IPsec is embedded in the IP layer of TCP/IP, while SSL/TLS is a layer on top of TCP/IP.

Whatever VPN technology is chosen, it is important to follow the usual security considerations depending on what is available: proper authentication, proper access control, and proper logging. These considerations are out of the scope of this paper and will be covered in other publications.

IPsec

IPsec VPNs are composed of three main protocols: Internet Key Exchange (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP).

  • IKE is first used for the authentication of both parties with a key exchange, and thus creates what is called a 'security association' between the two devices. IKE supports both Pre-Shared Keys (PSK) and certificate authentication. For better security, we should use certificates signed by a trusted Certificate Authority.
  • AH allows the two ends of the communication to ensure that packets haven't been tampered with in transit. At the source, the result of an integrity computation, called the Integrity Check Value (ICV), is put into a special header. The destination does the same computation and compares its result with the ICV value to authenticate the integrity of the packet. AH does not provide encryption.
  • ESP is responsible for the encryption. Using the previously exchanged symmetric keys, it encrypts the content of the message.

If you are using a VPN concentrator, we recommend enabling Dead Peer Detection (DPD). That is a mechanism that allows the two peers of an IPsec tunnel to detect that the other peer is no longer reachable and delete the IKE security association.

To go further, we can have an up-to-date state-of-the-art reference for everything related to the encryption mechanisms in the NIST Special Publication 800-77.

SSL VPN

SSL VPNs work very much in the same way as other SSL/TLS technologies, such as HTTPS. Concretely, that means the tunnel is established through four steps (the famous four-way handshake): the initial handshake, the server authentication, the encryption negotiation and then the key exchange. Data is then forwarded in the tunnel created for the endpoints or networks for which it has been configured, with the encryption mechanisms and keys that have been negotiated.

Considering this is very standard, it makes the implementation and maintenance of such tunnels quite easy.

However, don't forget to choose a reasonably sized certificate (RSA 2048-bit for a Let's Encrypt certificate is more than sufficient). This wonderful tool from the Mozilla Foundation should help you a lot: https://ssl-config.mozilla.org/
It avoids mistakes when you need an SSL configuration for a service you don't know much about.

Here is the usual minimal recommendation for the usage of encryption algorithms in SSL VPN as of the time of publication:

Setting                         Recommendation
Cipher                          AES-GCM, AES-CTR, AES-CBC, AES-CCM (128, 192 or 256-bit keys)
Handshake                       RSA, DSA or ECDSA with 128-bit security strength: minimum RSA or DSA with a 3072-bit key, or ECDSA with a 256-bit key
Hash authentication             HMAC-SHA256, HMAC-SHA384, HMAC-SHA512
Perfect Forward Secrecy (PFS)   DH14 to DH21

Source: ANSSI - Agence Nationale de la Sécurité des Systèmes d’Information. (2020, January 1). Guide des mécanismes cryptographiques. ANSSI. https://www.ssi.gouv.fr/uploads/2021/03/anssi-guide-mecanismes_crypto-2.04.pdf 

Traffic monitoring

IDS/IPS

IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) are solutions that can detect and, possibly, block threats in the network. You will find more detail in one of our future papers.

WAF

A WAF (Web Application Firewall) is a device placed in front of a web server to protect the web services against attacks at the application level. This technology will be discussed in another paper.

2. Internal network hardening

Virtual Local Area Networks (VLAN)

To segment the network, we use the concept of VLAN (Virtual Local Area Network). This technology allows us to create within a router or a Layer-3 switch different separate virtual networks, without having the cost and complexity overhead of having physically separate networks.

The principal risk of using VLANs instead of physical segmentation is VLAN-hopping attacks, in which an attacker could abuse some mechanism to "jump" from a less sensitive VLAN to a more sensitive VLAN, bypassing the security measures that should protect the sensitive VLAN. This type of attack can be mitigated with a minimum of preparation, so this disadvantage is far outweighed by the benefits of VLANs.

We can reduce the risks by following a few recommendations, which we will describe in a following chapter “Network devices configuration”.

We will also describe how VLANs can be used to build a whole network in the chapter "Traditional network security".

Network devices configuration

While network devices are not security devices, and should not be considered as such, they are very central and can easily be exploited by attackers and thus need special attention as to how they are configured from a security point of view.

Therefore, a set of configuration hardening measures should be implemented on routers and switches:

  • Use centralized authentication and rights management. Local administrator accounts should only be used as a last resort. Users should have the least privileges possible on every device, considering their role. For example, analysts would only have read access and engineers read and write access.
  • As default administrator logins are usually publicly known, they must be changed to more secure ones before the device is connected to any network. Default administrator groups should also be disabled.
  • In order to protect against brute force attacks, there should be a limit to the number of authentication attempts possible as well as a login delay in case of authentication failure. Ideally, we should have 3 login attempts or less with a 1 second waiting period between each try.
  • All devices must synchronize their clocks via NTP from a centralized time server.
  • Insecure and clear-text protocols should be disabled: Telnet, HTTP, SNMP versions 1 and 2, etc. Generally, all unused services should be disabled.
  • IP source routing should be disabled because it can be exploited to bypass security devices.
  • The default VLAN 1 is often assigned off the shelf to different services including management protocols. Thus, we should disable VLAN 1 and create a new native VLAN for trunk ports as well as a new VLAN for access ports. We should also have a management VLAN completely separated from any other VLANs.
  • Dynamic trunking could be exploited to access a VLAN that shouldn't be reachable from a specific port. For example, an attacker controlling a workstation connected to a dynamic port could reconfigure it to directly access the internal server VLAN. Consequently, this feature should never be used and must be disabled. Trunk ports should be explicitly configured to only allow the required VLANs.
  • Physical access risks are complicated to mitigate; however, "port security" is a step in the right direction. By limiting the number of MAC addresses that can connect to a network port, it makes the life of an attacker a bit more complicated. It should be activated.
  • In the same vein, unused ports should be disabled so that an attacker having physical access can’t abuse those.
  • The router or switch should not route traffic directly from one VLAN to another, but rather send it to a firewall that will filter authorized communications.
  • Port monitoring can be useful for debugging but can also be abused by an attacker and as such the feature should generally be disabled.
  • Proxy ARP should be disabled, as it is at risk of being abused for ARP spoofing.

3. Network architectures

Traditional network security

To build a complete and secure network using the components described above, we will use the concept of security segmentation. This concept requires that a minimum risk analysis is done on the infrastructure we want to set up.

The basis of that risk analysis goes as follows:

  • Some hosts are accessible from the internet; these hosts are therefore more likely to be breached and thus shouldn't hold any data (frontend).
  • Some hosts are not reachable from the internet and store the data (backend).
  • Some hosts should only be accessible from a subset of power users' computers (management).
  • Finally, users' computers should be considered both a risk and at risk.

From that, we can create the following security zones:

  • The DMZ (DeMilitarized Zone) with the frontend servers.
  • The Internal Zone with the backend servers.
  • The Management Zone with the administration interfaces of all IT components as well as the computers used by administrators. 
  • The User Zone.

We then want to separate virtually or physically all these zones. This is an example of such an architecture:

[Figure: architecture schema of traditional network security]

In that case we use a single firewall for all VLANs, and a single switch with a VLAN for every zone. In a more expensive and slightly more complex scenario, this is what we could have:

[Figure: architecture schema of the two-firewall variant described below]

Here we use two firewalls, that could be from two different vendors to mitigate the risk of a 0-day affecting one vendor. But the risk is that knowledge/skills will be diluted, and instead of having a single well-configured device, the company will have a well-configured device and a less well-configured device. The latter could then become a much easier target, and have the opposite effect to that intended. So choose carefully.

We also use a physically separate DMZ to mitigate the risks of a 0-day on the switch as well as the risk of VLAN-hopping.

These examples show that the number of security zones and devices can vary a lot. This is why it is important to do a risk analysis to build an infrastructure that is coherent.

Zero Trust Network (ZTN)

Zero Trust is a concept used to create a very secure infrastructure in which we go further than the traditional architecture seen previously.

As the name suggests, in this architecture there is no implicit trust based simply on network location. As such, any user or system that tries to access resources will have to authenticate in a strong way, with Multi-Factor Authentication (MFA) for example, and access will be granted or denied according to a least-privilege access policy.

It goes also further in terms of micro-segmentation, as systems will be more strictly separated from each other, with protective and monitoring controls at every step of the way.

ZTN is out of the scope of this paper, but the NIST Special Publication 800-207 gives a more in-depth definition of what a Zero Trust Network is, and the NIST SP 1800-35 explains in detail how to implement a Zero Trust Architecture.

4. Conclusion

In this paper we covered a wide scope of basic security technologies and strategies. Even if it's a good start, we recommend always keeping your knowledge and skills up to date. Our next papers will focus on more specific aspects, with the intention of helping you build your cyber defence.

The CEO Fraud

Reading time: 7 min

Cybercriminals have been taking advantage of authority figures within an organisation to put yet another scam in place: the CEO Fraud.

Content

What is a CEO fraud?

The CEO Fraud attack happens in two stages: exploration and execution. First, cybercriminals spend enough time online doing research to learn more about an organisation and its collaborators. Then they try to reach out to those collaborators, via email, chat services or by phone, to get more specific information about the organisation's directors, its processes to execute a payment, and its clients and suppliers. After gathering all the information needed to make sure the scam will succeed, cybercriminals assume the identity of a high-ranking person within the organisation to make collaborators more confident and less likely to doubt the origin of the message received. Once in the role of the CEO or a director, and after putting their victim at ease, the scammers will try to steal money and/or confidential data.

How to protect against CEO frauds?

1. Raise collaborators' awareness of scams that aim to steal confidential information

An organisation's collaborators are its first line of defence. Your collaborators need to be made aware of how to identify scams and fake messages in order to adopt the right reflexes. There are several ways cybercriminals try to steal collaborators' credentials in order to get access to an organisation's resources. A very common one is a phishing email, through which cybercriminals try to convince their victim to share passwords or confidential information. It is thus important to hold regular informative sessions to train collaborators not to share too much on social media and not to click on a link or open a file without first analysing where it comes from.

To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

  • Is the sender someone I know?
  • Was I expecting a message on the topic mentioned?
  • Is the message asking for information such as a username, a password or bank account information?
  • Is it urgent?
  • Where does the link lead to? (only hover on it with your mouse, do not click)
  • Is there a QR code in the message?
  • Am I being addressed personally?
  • Does the message contain linguistic errors?
  • Is the message in the Spam / Junk folder?
  • Is someone trying to make me curious?
  • Is a payment requested?

2. Raise your collaborators' awareness of signs indicating a CEO fraud

When the demand stated in a message deals with unusual transfers, high amounts of money, unusual reasons to explain the need to receive the money or exceptional circumstances, it is probably a scam.

Signs to help you identify a CEO fraud attack:

  • The sender mentions how confidential the request is;
  • The sender insists on the urgency of the request;
  • You don’t know the sender’s email address or phone number;
  • There is an unusual pressure expressed to provide sensitive information or wire money;
  • You don’t know the bank account to which the money should be transferred;
  • The request happens on a Friday evening or the day before a public holiday; and
  • A provider or a client asks to modify their known bank information for you to transfer the money.

3. Raise your collaborators' awareness of how to secure homeworking

The CEO Fraud is becoming easier as homeworking is the new norm. Cybercriminals take advantage of isolated collaborators, as it is easier to convince them to execute a payment. However, homeworking can be secured by implementing several best practices, such as enforcing strong passwords and Multi-Factor Authentication for all remote access. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

In addition, the organisation should establish guidelines and rules for homeworking so its collaborators adopt the right behaviours, e.g., locking the workstation when leaving it or not leaving any passwords written and accessible.

Finally, the organisation should put security controls in place, such as encrypting all traffic from/to remote workers, enforcing antivirus and a local firewall on devices allowed to connect remotely, updating all devices and software as soon as possible, regularly backing up the critical resources and securing the workstations by controlling what can be accessed remotely.

4. Establish and share clear procedures on the authentication of people requesting a transfer and on the approval to execute a transfer

No matter who is requesting information, collaborators should be aware of the policies in place regarding data classification, information transfer and sharing, and acceptable use of information. In addition, having an approval process for wire transfers lowers the chances of falling for this type of scam, as someone along the process will always realise that the request is illegitimate and that nothing should be transferred. Finally, a process to verify the identity of the sender should also be in place, for example by checking their name or bank account against an existing internal inventory or by trying to contact them through another means. Any change requested to this existing inventory should be approved hierarchically.

5. Pay attention to what you post online

Social media and an organisation’s website offer an important customer reach. However, it is not possible to always fully control the audience that has access to the information and posts shared. Personal or confidential information shouldn’t be shared on those platforms, as they could be used for malicious purposes, such as identifying which collaborators work in the finance department and would be more likely to be able to make an urgent transfer to their CEO.

6. Secure the access to your accounts

Accounts are an entrance door to an organisation’s whole environment. They thus need to be protected by using strong passwords that are different for each account. A strong password is one of at least 12 characters and has a combination of upper and lower cases, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should also be enabled wherever possible. Multi Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

What to do if you get scammed?

  1. Report the incident immediately to your IT responsible.
  2. Warn your colleagues that they might be getting a message from someone impersonating your CEO or one of your organisation’s directors but that they should not trust it.
  3. Change all the passwords that were given (if any) on all the accounts they are being used.
  4. If the scam was about bank details, immediately contact the finance responsible to inform them of the incident. If you notice that money has been stolen from your bank account, be sure to file a complaint with the police.
  5. If you are responsible for that bank account, call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

Always report scams that arrived by email to your IT Responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)), then immediately delete the message.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.

The fake wire transfer scam

Reading time
4min
Description

Organisations regularly interact with external parties, usually via email, in order to carry out the services they provide. Cybercriminals exploit this constant flow of communication by impersonating these external parties in order to scam collaborators. Their goal is to lure them into transferring money, or into believing that they need to give away confidential information to resolve an ongoing issue.

Content

What is a fake wire transfer scam?

Every organisation communicates with one or more third parties (e.g., partners, clients, suppliers, etc.) in order to run its operations. Cybercriminals take advantage of that exchange to make a profit: through persuasion, threats or any other form of pressure, they try to convince the victim that they need either to execute an unplanned and urgent transfer or to give away confidential information. Their objective is to convince the victim that immediate action is needed to close or unlock an ongoing, critical operation. On top of that, they try to persuade the victim not to share the request with anyone else because of its sensitivity. Usually, the cybercriminals impersonate one of the organisation’s third parties, so the victim thinks the request is legitimate. However, the bank account given is not the one on file for that third party, and without a check of the data’s accuracy or an approval process in place, the victim cannot tell that the request is fake. The same scam can also be carried out by impersonating a CEO or director (i.e., CEO fraud) or technical support (i.e., the fake technical support scam).

How to protect against fake wire transfer scams?

1. Raise collaborators’ awareness on scams that aim to steal confidential information

An organisation’s collaborators are its first line of defence. Everyone needs to be made aware of how to identify scams and fake messages in order to adopt the right reflexes. There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. A very common one is the phishing email, through which cybercriminals try to convince their victim to share passwords or confidential information. It is thus important to hold regular information sessions that train collaborators not to share too much on social media, and not to click on a link or open a file without first analysing where it comes from.

To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

•    Is it unexpected?
•    Is it urgent?
•    Do you know the person who sent the e-mail?
•    Do you find the request strange?
•    Where does the link you need to click on lead to? (only hover on it with your mouse, do not click)
•    Is there a QR code in the message?
•    Are you being personally addressed?
•    Does the message contain many linguistic errors?
•    Is the message in your Spam / Junk folder?
•    Is someone trying to make you curious?
•    Are you asked to make a payment?

2. Establish and share clear procedures on the authentication of people requesting a transfer and on the approval to execute a transfer

No matter who is requesting information, collaborators should be aware of the policies in place regarding data classification, information transfer and sharing, and acceptable use of information. In addition, having an official approval process for wire transfers lowers the chances of falling for this type of scam, as someone along the process will realise that the request is illegitimate and that nothing should be transferred. Finally, a process to verify the identity of the sender should also be in place, for example by checking their name or bank account against an existing internal inventory, or by contacting them through another channel. Any change requested to this inventory should be approved hierarchically, which means following the security and payment rules to the letter (e.g., having payments above a certain amount signed by several employees). Lastly, never describe your company’s payment procedures to strangers, i.e., keep all these procedures for internal use.
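The checks described above (bank account against an internal inventory, identity confirmed through a second channel, several signatures above a threshold, secrecy treated as a red flag) can be written down as a single gate that a finance team runs before any transfer leaves. The following is an added example, not code from the original article or from any organisation's payment system: the beneficiary inventory, the IBAN placeholders, the 10,000 threshold and the sample requests are all constructed for illustration.

```python
"""Hold a wire-transfer request until the checks from the article pass.

Added example, not part of the original article. The inventory, the
threshold and the request fields below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed internal inventory: beneficiary name -> IBAN on file.
# Real organisations keep this in the accounting system; the IBANs here are
# placeholder-shaped strings, not real accounts.
BENEFICIARY_INVENTORY = {
    "Acme Supplies BV": "BE00 0000 0000 0001",
    "Omega Cleaning SA": "BE00 0000 0000 0002",
}

# Constructed policy: above this amount two distinct approvers must sign.
DUAL_APPROVAL_THRESHOLD = 10_000.00


@dataclass
class TransferRequest:
    beneficiary: str
    iban: str
    amount: float
    approvers: list = field(default_factory=list)
    # Was the requester's identity confirmed through a known channel
    # (a phone number from the inventory, not one given in the email)?
    requester_verified_out_of_band: bool = False
    # Did the request ask the recipient to keep it secret?
    marked_confidential: bool = False


def normalise_iban(iban):
    """Strip spaces and upper-case so 'be00 0000…' and 'BE000000…' compare equal."""
    return iban.replace(" ", "").upper()


def check_transfer(req):
    """Return the reasons the request must be held; an empty list means it may proceed."""
    holds = []
    on_file = BENEFICIARY_INVENTORY.get(req.beneficiary)
    if on_file is None:
        holds.append("beneficiary not in inventory: add it through the approved change process first")
    elif normalise_iban(on_file) != normalise_iban(req.iban):
        # A changed IBAN is the core of the fake wire transfer scam.
        holds.append("IBAN differs from the one on file: confirm with the third party via a known channel")
    if not req.requester_verified_out_of_band:
        holds.append("requester identity not confirmed through a second channel")
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        holds.append("amount above threshold requires two distinct approvers")
    if req.marked_confidential:
        holds.append("request asks for secrecy: treat as a red flag and involve the finance responsible")
    return holds


if __name__ == "__main__":
    # Constructed sample: a typical scam request (new IBAN, urgent, secret).
    suspicious = TransferRequest("Acme Supplies BV", "BE00 0000 0000 0099", 25_000.00,
                                 approvers=["alice"], marked_confidential=True)
    for reason in check_transfer(suspicious):
        print("HOLD:", reason)
```

The function only reports why a transfer is held; who may clear each hold belongs to the organisation's approval process, which is exactly what the article says should never be described to outsiders.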

3. Pay attention to what you post online

Social media and an organisation’s website offer a wide customer reach. However, it is not possible to always fully control the audience that has access to the information and posts shared. Personal or confidential information shouldn’t be shared on those platforms, as they could be used for malicious purposes, such as identifying which collaborators work in the finance department and would be more likely to be able to make a transfer.

4. Secure the access to your accounts

Accounts are an entrance door to an organisation’s whole environment. They thus need to be protected by using strong passwords that are different for each account. A strong password is one of at least 12 characters that combines upper- and lower-case letters, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should also be enabled wherever possible. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., password and PIN code, PIN code and a code received via text) to verify their identity before they are granted access to the resource they are trying to reach.


What to do if you get scammed?

1. Report the incident immediately to your IT responsible.

2. Warn your colleagues that they might receive a message from someone impersonating a specific client or provider, and that they should not trust it.

3. Change any passwords that were disclosed on every account where they are used.

4. If the scam concerned bank details, immediately contact the finance responsible to inform them of the incident. If you notice that money has been stolen from your bank account, be sure to file a complaint with the police.

5. If you are the person responsible for that bank account, call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

Always report scams that arrived by email to your IT Responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)), then immediately delete the message.


Phone spamming and electronic spamming

Reading time
5min
Description

What is it, how to protect from it and how to react to it.

Content

What is spam?

Spam is an unsolicited message sent for advertising, marketing or malicious purposes. It comes in two types:

  • Electronic: sent via email, instant messaging or social media, usually for marketing purposes without the recipient’s consent. It can also take malicious forms, such as a request for a wire transfer, a phishing attempt or malware.
  • Phone: sent via SMS, MMS or a phone call, usually for marketing purposes. It can also take malicious forms, such as luring you into sending messages to a chargeable (premium-rate) number, or a phishing attempt.

How to protect against phone and electronic spam?

1. Watch out for unexpected messages.

Scams can happen through SMS, email or social media. Since it is impossible to predict when a cyber-attack will come, every unexpected message deserves careful attention. The best-known cyber-attack that uses unexpected messages is phishing. To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

  • Is the sender someone I know?
  • Was I expecting a message on the topic mentioned?
  • Is the message asking for information such as a username, a password or bank account information?
  • Is it urgent?
  • Where does the link lead to? (only hover on it with your mouse, do not click)
  • Is there a QR code in the message?
  • Am I being addressed personally?
  • Does the message contain linguistic errors?
  • Is the message in the Spam / Junk folder?
  • Is someone trying to make me curious?
  • Is a payment requested?

2. Use a filtering or anti-spam software

Filtering or anti-spam software can help limit the amount of spam received. Some antivirus products include this option.

Use filtering rules in your mailbox

Most email service providers offer the possibility to create filtering rules to filter and/or delete junk messages.

Use the filtering options from your phone operator

Some operators offer the possibility to filter phone numbers and identify those that can potentially be a spam.

3. Pay attention when filling in an enrolment form, making orders or participating in contests

Email addresses can end up in the wrong database and be used for spamming without the user’s consent. Before accepting any kind of communication or subscription, check the legitimacy of the website by:

  • Checking the address of the website, and watching out for ones that look legitimate but aren’t (for example myorganisation [.]be instead of my[.]organisation [.]be);
  • Checking the reputation of the website;
  • Checking whether the offers and promotions are too good to be true; and
  • Checking how payment is requested (e.g., through a parcel or transport organisation).

Look for https in a website address

The beginning of a web address should display https, not just http. The ‘s’ indicates that the connection is encrypted, so the information visitors provide can only be read by the website itself. It should always be there when surfing online; however, https only proves that the connection is encrypted, not that the site is trustworthy, so a website using https might still be malicious.
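The two address checks above (a lookalike domain such as myorganisation[.]be standing in for my[.]organisation[.]be, and a missing https) are easy to get wrong by eye, so a helpdesk or awareness team can automate them over the links a collaborator forwards. The following is an added example, not code from the original article: the organisation name "organisation", its two legitimate domains, and the sample links are constructed assumptions, and the registrable-domain rule is deliberately simplified to "last two labels", which is enough for .be addresses but would need a public-suffix list for domains like .co.uk.

```python
"""Flag suspicious links in a message before anyone clicks them.

Added example, not part of the original article. The organisation name,
its legitimate domains and the sample links are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed: the name the organisation trades under and the domains it
# actually uses. A lookalike is any other host that contains that name.
ORG_NAME = "organisation"
LEGITIMATE_DOMAINS = ("organisation.be", "my.organisation.be")


def refang(text):
    """Turn defanged notation ('my [.] organisation[.]be', 'hxxp://') back into a parsable URL."""
    text = re.sub(r"\s*\[\.\]\s*", ".", text)
    return text.replace("hxxp", "http")


def registrable_domain(host):
    """Last two labels of the host ('organisation.be'). Simplified: no public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(raw):
    """Return a list of findings for one link; an empty list means nothing stood out."""
    url = refang(raw.strip())
    if "://" not in url:
        url = "http://" + url  # bare host in a message: assume the weakest case
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("no https: the connection is not encrypted")
    if host in LEGITIMATE_DOMAINS or registrable_domain(host) in LEGITIMATE_DOMAINS:
        return findings  # one of our own domains; only the https finding can apply
    if ORG_NAME in host:
        # Our name inside a host we do not own: the classic lookalike.
        findings.append(f"lookalike domain: '{host}' is not one of the organisation's domains")
    else:
        findings.append(f"unknown domain: {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample links, including the article's own example.
    for link in ("https://my.organisation.be/login",
                 "http://myorganisation [.]be/login",
                 "https://organisation.be.evil.example/reset"):
        print(link, "->", assess_link(link) or ["ok"])
```

The third sample shows why the registrable domain matters: the host starts with the organisation's real domain, but the owner is whoever registered evil.example.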

4. Unsubscribe from or delete unused accounts

As soon as an account is not used anymore, it is better to delete it completely to make sure the information it contains cannot be accessed without the owner’s knowledge.

5. Create different email addresses based on your needs

A good practice to adopt is to use separate accounts for different purposes, e.g., social media, personal, professional, commercial sites, etc.

The line between professional and personal life is becoming increasingly difficult to draw. You can find best practices for separating professional and personal usage in our dedicated article, such as:

  • Differentiating professional and personal chat services;
  • Differentiating professional and personal backup services; or
  • Using different passwords for professional and personal accounts.

6. Adopt the best practices to secure your social media accounts

Social media have become an important asset for organisations’ communication and information. Despite the benefits these publicly available platforms bring, they can also become a large attack surface and be used for spam. Every organisation needs to make sure that all its social media accounts are secured correctly, by applying, for example, the following best practices:

  • Securing the access to the accounts with strong passwords;
  • Reviewing the confidentiality parameters and restricting the visibility on personal information;
  • Paying attention to what the organisation and others post;
  • Controlling third-party applications; or
  • Avoiding using a public Wi-Fi and a public computer.

All information on how to secure social media can be found on our dedicated article.

How to react to spam?

1. Do not reply to it, do not open any attachment and do not click on the links

The most important thing to do when getting a spam message is not to follow up on it.

2. Never share bank information requested via text or email

Keep in mind that no bank will ever provide a direct link to log into a bank account via text or email, and they will never ask for PIN or secret codes, whether in writing or by phone.

3. Report the spam message and delete it

The spam message should be reported to the IT responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)) and immediately deleted. When a message is already in the Spam folder, it should definitely not be trusted.

What to do if you get scammed?

  1. Report the incident immediately to your IT responsible.
  2. Warn your collaborators that they might receive the same spam message and that they should not trust it.
  3. Change any passwords that were disclosed on every account where they are used.
  4. If the scam concerned bank details and you notice that money was stolen from your account, file a complaint with the police.
  5. Immediately call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

Report every incident. Always.
Always report any incident that might have happened to you, that you witnessed, or that you are aware of to your IT responsible. The sooner the right people can act on it, the smaller the consequences of the incident.


Malware, virus on a device: what to do?

Reading time
8min
Description

There are several ways a device can get infected by malware: opening an attachment, clicking on a link, plugging in a USB drive or simply browsing a website. This article gathers best practices for organisations to implement in order to be protected against malware.

Content

What is malware?

Malware is the collective term for malicious code and programs built with the intention of causing damage to an information system. Malware can cause many types of damage: stealing, encrypting or deleting data, altering or disabling a system function, and spying on all the activity on the infected device. Usually, cybercriminals try to profit from installing malware on a device by making the victim pay for a service to fix it or to regain access to their device.

The most common types of malware are the following:

* Virus: replicates itself across programs to access their data or alter their functionality.

* Ransomware: blocks access to resources by encrypting them and requires a payment to restore it.

* Trojan horse: disguises itself as something the victim might need and would download (e.g., an application, a piece of software or a game), only to gain access to their device’s resources and eventually steal confidential information or install a virus or ransomware.

* Spyware: built with the purpose of spying on all the victim’s activities and transmitting them back to the cybercriminals who launched it.

* Adware: constantly displays new ads on the victim’s screen, usually while they are trying to browse a webpage.

How to identify a malware?

The most common way cybercriminals infect a device is through the internet or chat/communication services. Both aim at making the victim click on a specific link that installs the malware.

Malware can be identified by installing an antivirus on all devices and monitoring the alerts it generates. In addition to those alerts, there are also obvious signs that a device is infected, e.g., unusual errors appear on the screen, the device has become slower, freezes or crashes often, pop-up messages keep appearing, the device switches off and restarts on its own, access to some applications or programs is blocked, etc.

Check our dedicated article on how to manage an antivirus to find details on the following useful advice:

  • Activate and configure the antivirus;
  • Define the frequency of the scans;
  • Keep the antivirus up-to-date;
  • Monitor the alerts; and
  • Establish the process to react to the alerts.

How to protect from a malware?

1. Install, configure and update an antivirus on all devices

Make sure that the antivirus is installed correctly and activated, and that it regularly updates both its program and its signatures. Real-time protection, which analyses everything that comes in and goes out, should be properly configured. In addition, the settings and behaviour can be tested to ensure the antivirus meets the needs initially defined. Finally, a thorough scan of the whole device can be performed to ensure that no previously unknown viruses have taken hold between two updates.

2. Raise collaborators’ awareness on scams that aim to steal confidential information

An organisation’s collaborators are its first line of defence. Your collaborators need to be made aware of how to identify scams and fake messages in order to adopt the right reflexes. There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. A very common one is the phishing email, through which cybercriminals try to convince their victim to share passwords or confidential information. It is thus important to hold regular information sessions that train collaborators not to share too much on social media, and not to click on a link or open a file without first analysing where it comes from.

To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

  • Is the sender someone I know?
  • Was I expecting a message on the topic mentioned?
  • Is the message asking for information such as a username, a password or bank account information?
  • Is it urgent?
  • Where does the link lead to? (only hover on it with your mouse, do not click)
  • Is there a QR code in the message?
  • Am I being addressed personally?
  • Does the message contain linguistic errors?
  • Is the message in the Spam / Junk folder?
  • Is someone trying to make me curious?
  • Is a payment requested?

3. Update your devices and software as soon as possible

Since a single vulnerability in a system, application or device is all cybercriminals need to compromise it, cause damage and gain access to information, installing updates as soon as they are available is crucial. It ensures a strong cyber defence and makes sure that the system version in use is still supported by the vendor.

4. Secure the access to your accounts

Accounts are an entrance door to an organisation’s whole environment. They thus need to be protected by using strong passwords that are different for each account. A strong password is one of at least 12 characters that combines upper- and lower-case letters, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should also be enabled wherever possible. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., password and PIN code, PIN code and a code received via text) to verify their identity before they are granted access to the resource they are trying to reach.

5. Regularly backup your critical resources

Backup all systems, applications, servers and data to make sure that even if an incident occurs, all important information can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.

6. Only use official websites and platforms to download applications and software

Pirated applications and software are usually infected with malware so only look for installation and download of official ones, through vendors’ official platforms and websites.

7. Limit the actions that can be executed with an admin account

Limit the number of administrator or privileged accounts to the bare minimum. No one should have administrator privileges for day-to-day tasks. Given the privileges that admin accounts hold, compromising one makes it much easier for cybercriminals to take over the device or install ransomware.

8. Control software installation on corporate devices by establishing a list of allowed software

A collaborator looking for a specific piece of software, with little to no knowledge of cybersecurity, is less likely to second-guess the offers found on the internet. It is thus important to make sure that all downloaded software is approved by the IT Responsible from a security and performance point of view. In addition, the IT Responsible can establish an allowlist (whitelist): a list of software that collaborators are allowed to install on their corporate devices.

9. Implement processes for access control management and user provisioning

It is very common for cybercriminals to use an existing account to get access to an organisation’s resources. Access control management should therefore be well established and implemented within the organisation. The basic principles of least privilege and need-to-know must be applied: a user should only get the access rights they require to perform their job, nothing more. They should always get the minimum required, never extra access ‘just in case’.

In addition, a user access provisioning process should be established. This process defines the procedure to remove or change the access granted to an employee when they switch position or leave the organisation. An insider attack can always happen, no matter how loyal former collaborators were at a certain point in time; their feelings towards the organisation might change if they didn’t leave willingly.
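The two paragraphs above describe a role-based process: each job has a defined set of access rights, a mover is re-provisioned so that only the new role's rights remain, a leaver loses everything, and anything held beyond the role is what a periodic review should catch. The following is an added example of that process, not code from the original article or from any identity system; the roles, entitlement names and the user record are constructed assumptions.

```python
"""Least-privilege provisioning for movers and leavers.

Added example, not part of the original article. The role definitions,
entitlement names and user record are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed role -> entitlements map: what each job actually needs.
ROLE_ENTITLEMENTS = {
    "accountant": {"erp:read", "erp:post-journal", "bank-portal:view"},
    "hr-officer": {"hris:read", "hris:edit", "payroll:view"},
    "intern": {"intranet:read"},
}


@dataclass
class User:
    name: str
    role: str
    access: set  # entitlements the account currently holds
    active: bool = True


def excess_access(user):
    """Access held beyond the user's role: the 'just in case' rights a review must flag."""
    return user.access - ROLE_ENTITLEMENTS[user.role]


def provisioning_diff(user, new_role):
    """Return (revoke, grant) for a mover.

    Everything the new role does not need is revoked, including stale
    rights from the old role and anything that was never part of a role.
    """
    target = ROLE_ENTITLEMENTS[new_role]
    revoke = user.access - target
    grant = target - user.access
    return revoke, grant


def apply_move(user, new_role):
    """Mover: apply the diff so the account holds exactly the new role's rights."""
    revoke, grant = provisioning_diff(user, new_role)
    user.access = (user.access - revoke) | grant
    user.role = new_role
    return user


def offboard(user):
    """Leaver: disable the account and strip all access; nothing survives 'for later'."""
    user.active = False
    user.access = set()
    return user


if __name__ == "__main__":
    # Constructed sample: an intern who was once given ERP read access by hand.
    u = User("eve", "intern", {"intranet:read", "erp:read"})
    print("excess before review:", excess_access(u))
    revoke, grant = provisioning_diff(u, "accountant")
    print("move to accountant -> revoke", revoke, "grant", grant)
```

Computing the diff from the role definition, rather than from a ticket that lists what to add, is what makes the stale right disappear: the mover keeps nothing that the new job does not require.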

10. Avoid using public Wi-Fi and public computers

Public Wi-Fi or public computers are a handy solution, as people can access professional resources, browse websites or manage their social media almost anywhere. However, as the name indicates, they are public and everyone can access them, including scammers and criminals. If wrongly configured, a public Wi-Fi network or computer can be used to monitor the activity of the people connected to it and steal their information. Always prefer your organisation’s professional Wi-Fi network and professional devices to access professional resources.

11. Watch out where you surf

Avoid browsing unsafe or illicit websites such as platforms offering counterfeit goods or software, or illegal streaming services. Scams are more frequent on those types of websites, as it is easier for cybercriminals to compromise them.

12. Limit the use of removable media

Only use removable media approved by the IT Responsible to make sure it is not infected and it won’t cause any damage to your device.

What to do if your device gets infected with a malware?

  1. Report the incident immediately to your IT responsible.
  2. Isolate the infected resources from the network to prevent the malware from spreading further.
  3. Change any passwords that were disclosed on every account where they are used.
  4. Scan your devices with an antivirus.
  5. Identify all the vulnerabilities that were used to gain access and remediate them as soon as possible.
  6. If the scam concerned a bank account, immediately contact the finance responsible to inform them of the incident. If you notice that money has been stolen from your bank account, be sure to file a complaint with the police.
  7. If you are the person responsible for that bank account, call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.
  8. Reboot and restore your systems.
  9. If needed, contact official (external) security specialists who can help you get your resources back through decryption.

Always report scams that arrived by email to your IT Responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)), then immediately delete the message.

Has your data been locked by ransomware? Do not pay the ransom

Paying the ransom encourages the criminals to carry out another attack on your organisation and make even more profit. You can find more information about ransomware on LINK


The fake technical support scam

Reading time
6min
Description

Scammers have found another way of pressuring collaborators: making them believe that their device will stop working unless they pay a certain amount of money or share confidential information. This scam is known as fake technical support. It has become common and can happen not only through a message displayed on the screen, but also via email, phone and chat services.

Content

What is a fake technical support scam?

In a common form of the fake technical support scam, the victim is notified, by phone, email or a chat service, that their device is about to shut down due to a technical issue. The cybercriminals then offer a solution to the supposed problem and ask the victim to act quickly by clicking on a link, calling a given phone number or executing a wire transfer. Via the shared link, the attackers try to carry out a phishing attack to steal confidential data or install a virus. With the phone number, they try to put the victim at ease by making them believe it belongs to official support, so that they can dictate a series of actions that, in the end, will also give away confidential information or install a virus.

How to protect against fake technical support scams?

1. Raise collaborators’ awareness on scams that aim to steal confidential information

An organisation’s collaborators are its first line of defence. Your collaborators need to be made aware of how to identify scams and fake messages in order to adopt the right reflexes. There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. A very common one is the phishing email, through which cybercriminals try to convince their victim to share passwords or confidential information. It is thus important to hold regular information sessions that train collaborators not to share too much on social media, and not to click on a link or open a file without first analysing where it comes from.

To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

•    Is it unexpected?
•    Is it urgent?
•    Do you know the person who sent the e-mail?
•    Do you find the request strange?
•    Where does the link you need to click on lead to? (only hover on it with your mouse, do not click)
•    Is there a QR code in the message?
•    Are you being personally addressed?
•    Does the message contain many linguistic errors?
•    Is the message in your Spam / Junk folder?
•    Is someone trying to make you curious?
•    Are you asked to make a payment?

2. Pay attention to what you post online

Social media and an organisation’s website offer a wide customer reach. However, it is not always possible to fully control the audience that has access to the information and posts shared. Personal or confidential information shouldn’t be shared on those platforms, as it could be used for malicious purposes, such as identifying which collaborators work in which department, and who is therefore less likely to know how technical support would normally reach out to them.

3. Secure the access to your accounts

Accounts are an entrance door to an organisation’s whole environment. They thus need to be protected by using strong passwords that are different for each account. A strong password is one of at least 12 characters that combines upper- and lower-case letters, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should also be enabled wherever possible. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., password and PIN code, PIN code and a code received via text) to verify their identity before they are granted access to the resource they are trying to reach.

4. Update your devices and software as soon as possible

Since a single vulnerability in a system, application or device is all cybercriminals need to compromise it, cause damage and gain access to information, installing updates as soon as they are available is crucial. It ensures a strong cyber defence and makes sure that the system version in use is still supported by the vendor.

5. Enforce antivirus and local firewalls on devices

There are several ways a device can be infected by a virus: opening an attachment, clicking on a link, plugging in a USB drive or simply browsing a website. A virus is malicious software that aims at damaging resources, deleting files, slowing down performance or stealing confidential information. Once a virus is on the computer, it takes time, effort and money to remove it. This is why it is better to protect all devices allowed to connect to the organisation’s network with antivirus software upfront.

In addition, a firewall should be used to monitor and filter access requests to the corporate network based on predefined security rules. The firewall acts as a wall between the corporate network and an untrusted network (e.g., a home network or the Internet). It allows the organisation to restrict external access to authorised people only.

6. Watch out where you surf

Avoid browsing unsafe or illicit websites such as platforms offering counterfeit goods or software, or illegal streaming services. Scams are more frequent on those types of websites, as it is easier for cybercriminals to compromise them.

7. Only use official websites and platforms to download applications and software

Pirated applications and software are usually infected with malware so only look for installation and download of official ones, through vendors’ official platforms and websites.

8. Limit the actions that can be executed with an admin account

Limit the number of administrator or privileged accounts to the bare minimum. No one should have administrator privileges for day-to-day tasks. Given the privileges that admin accounts hold, compromising one makes it much easier for cybercriminals to take over the device or install malware.

9. Regularly backup your critical resources

Backup all systems, applications, servers and data to make sure that even if an incident occurs, all important information can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.

What to do if you get scammed?

  1. Do not call the number mentioned in the message.
  2. Report the incident immediately to your IT responsible.
  3. Do not let anyone you don’t know take control of your device.
  4. Reboot your device.
  5. Clean your browsing history by deleting the cache and cookies and resetting all settings. If that isn’t enough, completely remove your browser profile and create a new one.
  6. Uninstall any application or software that seems strange or that you don’t remember installing.
  7. Scan your device with an antivirus.
  8. Warn your colleagues that they might receive a message from someone impersonating technical support, and that they should not trust it.
  9. Change any passwords that were disclosed on every account where they are used.
  10. If the scam concerned bank details, immediately contact the finance responsible to inform them of the incident. If you notice that money has been stolen from your own bank account, be sure to file a complaint with the police.
  11. If you are the person responsible for that bank account, call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

If a fake technical support scam arrives by e-mail, report it to your IT Responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)) and then delete it.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.

Account hacking

Reading time
7min
Description

Account hacking happens when malicious people take control of an account or use it for malicious purposes, such as stealing sensitive data, sending messages in someone else’s name to reach their contacts, or getting access to an organisation’s environment. This article gives best practices to protect against such attacks and explains what to do if one has already happened.


What is account hacking?

Account hacking happens when an unauthorised individual gains access to an account and all the information it contains in order to pursue malicious intentions, such as stealing sensitive data or reaching the wider network of people the victim is connected to. It can happen to any type of online account: e-mail (personal and professional), social media, administrative sites, online platforms, corporate applications, chat services, etc. Account hacking can have dire consequences: access to the victim’s money in order to steal it, and identity theft in order to act on the victim’s behalf for profit.

There are several ways hackers can get into an account:

* Weak passwords;

* Phishing attacks where they convince the victim to share credentials; or

* Password-stealing malware that, once installed on a device, harvests the login credentials it can find.

How to protect against account hacking?

1. Raise collaborators’ awareness on scams that aim to steal confidential information

An organisation’s collaborators are its first line of defence. They need to be made aware of how to identify scams and fake messages in order to adopt the right reflexes. Cybercriminals try in several ways to steal collaborators’ credentials and so gain access to an organisation’s resources. A very common way is a phishing e-mail, through which they try to convince the victim to share passwords or confidential information. It is therefore important to hold regular awareness sessions that train collaborators not to share too much on social media and not to click on a link or open a file without first checking where it comes from.

To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

•    Is it unexpected?
•    Is it urgent?
•    Do you know the person who sent the e-mail?
•    Do you find the request strange?
•    Where does the link you need to click on lead to? (only hover on it with your mouse, do not click)
•    Is there a QR code in the message?
•    Are you being personally addressed?
•    Does the message contain many linguistic errors?
•    Is the message in your Spam / Junk folder?
•    Is someone trying to make you curious?
•    Are you asked to make a payment?

2. Secure the access to your accounts

Accounts are an entrance door to an organisation’s whole environment. They therefore need to be protected with strong passwords that are different for each account. A strong password has at least 12 characters and combines upper- and lower-case letters, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should be enabled wherever possible. Multi-Factor Authentication requires a user to present at least two different types of evidence to prove their identity (e.g. something they know, such as a password, plus something they have, such as a code generated by an authenticator app or received by text message) before they are granted access to the resource they are trying to reach.

3. Update your devices and software as soon as possible

Since it only takes one vulnerability in a system, application or device for cybercriminals to cause damage and gain access to information, installing updates as soon as they are available is crucial. It ensures a strong cyber defence and makes sure that the version in use is still supported by the vendor.

4. Enforce antivirus and local firewalls on devices

There are several ways a device can be infected by a virus: opening an attachment, clicking on a link, plugging in a USB drive or simply browsing a website. A virus is malicious software that aims to damage resources, delete files, slow down performance or steal confidential information. Once a virus is on a computer, removing it takes time, effort and money. This is why it is better to protect every device allowed to connect to the organisation’s network with antivirus software up front.

In addition, a firewall should monitor and filter access requests to the corporate network based on predefined security rules. The firewall acts as a barrier between the corporate network and an untrusted network (e.g. a home network or the Internet) and lets the organisation restrict external access to authorised users and systems.

5. Watch out where you surf

Avoid browsing unsafe or illicit websites, such as platforms offering counterfeit goods or software, or illegal streaming services. Scams are more frequent on such sites, which are also easier for cybercriminals to compromise.

6. Check the address of the website

To pass for an organisation’s official website, cybercriminals often register an address that looks like the legitimate one (for example myorganisation[.]be instead of my[.]organisation[.]be). Another option is to use a different top-level domain from the legitimate one (such as .org instead of .com or .be). They can also play with letters and numbers so that people believe they are on the right website, for example a capital ‘I’ in place of a lowercase ‘l’, or the digit zero instead of the letter ‘o’. What matters is the domain name the browser actually connects to, so check the address bar itself rather than the text of the link you were sent.

Identify the legitimate address using search engines

When the exact legitimate address of an organisation or web resource is unknown, a quick search on a well-known search engine can help identify it without clicking on a suspicious link.
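The checks described above can be made mechanical. The following Python snippet is an added example, not code from the original article; it assumes a constructed allowlist of the organisation’s legitimate domains (my.organisation.be and organisation.be) and, for simplicity, treats the last two labels of a hostname as the registered domain. It reproduces the three tricks named in the text (a dot removed or moved, a different top-level domain, confusable characters) and goes one step further by flagging internationalised ‘xn--’ labels, which is how non-Latin look-alike letters appear in a hostname.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the organisation's legitimate domains (assumption).
LEGITIMATE_DOMAINS = {"my.organisation.be", "organisation.be"}

# Swaps cybercriminals use so a name looks right at a glance. Folding BOTH the suspect
# and the legitimate name through this table makes the visual comparison mechanical.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "rn": "m", "vv": "w"}


def fold(name):
    """Lowercase a hostname and collapse look-alike characters (capital I / l, 0 / o, ...)."""
    folded = name.lower()
    for lookalike, real in CONFUSABLES.items():
        folded = folded.replace(lookalike, real)
    return folded


def registered_domain(host):
    """Last two labels of a hostname. Simplification for the example: production code
    should use the Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return 'legitimate', 'unknown domain' or a description of the look-alike trick used."""
    # urlsplit().hostname is what the browser actually connects to. Anything before an '@'
    # (https://my.organisation.be@evil.example/) is userinfo, not the destination.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "no hostname"
    for legit in LEGITIMATE_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "legitimate"
    # Cyrillic or Greek look-alike letters arrive as punycode ('xn--') labels. Our real
    # domains are plain ASCII, so any such label is suspect (goes beyond the text's examples).
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike: internationalised (punycode) label"
    suspect = registered_domain(host)
    for legit in LEGITIMATE_DOMAINS:
        legit_reg = registered_domain(legit)
        # myorganisation.be instead of my.organisation.be
        if host.replace(".", "") == legit.replace(".", ""):
            return "lookalike: dot removed or moved"
        # 0rganisation.be, organisatIon.be, ...
        if fold(suspect) == fold(legit_reg):
            return "lookalike: confusable characters"
        # organisation.org instead of organisation.be
        if suspect.rsplit(".", 1)[0] == legit_reg.rsplit(".", 1)[0]:
            return "lookalike: different top-level domain"
    return "unknown domain"


if __name__ == "__main__":
    for link in ("https://my.organisation.be/login", "https://myorganisation.be/login",
                 "https://my.organisation.org/", "https://my.0rganisation.be/",
                 "https://my.organisation.be@evil.example/"):
        print(f"{link:45} -> {classify(link)}")
```

The userinfo case is worth noting: in https://my.organisation.be@evil.example/ the familiar name is just a username, and the browser goes to evil.example; taking the parsed hostname rather than eyeballing the string avoids that trap.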

7. Avoid using public Wi-Fi and public computers

Public Wi-Fi and public computers are handy, as they let people reach professional resources, browse websites or manage their social media almost anywhere. However, as the name indicates, they are public and anyone can use them, including scammers and criminals. If wrongly configured, a public Wi-Fi network or computer can be used to monitor the activity of the people connected to it and steal their information. Always prefer your organisation’s Wi-Fi network and professional devices to access professional resources.

8. Regularly check your account log-ins

If the website allows it, all the log-ins to an account can be viewed, together with the devices and locations used. Review this list regularly to make sure that only known devices and locations were used to connect to the account. As soon as an unknown device or location appears, sign that device out (remove it from the list) and change the password immediately.
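As an added example (not part of the original article), here is the review logic applied to a constructed ‘recent activity’ export of the kind many webmail and social-media providers offer. The record format, the device names and the IP addresses (from the documentation ranges) are all assumptions for the example. Beyond the unknown-device and unknown-location checks in the text, it also flags a successful login preceded by repeated failures from the same address, which is what password guessing looks like in such a list.

```python
import re

# One record per line: timestamp, outcome, device, 2-letter country, source IP.
# Constructed for this example in the shape many "recent activity" exports take (not real data).
ACTIVITY_EXPORT = """\
2024-03-01T08:02:11Z  success  Windows laptop (Firefox)   BE  203.0.113.10
2024-03-01T18:44:09Z  success  Android phone (app)        BE  198.51.100.7
2024-03-02T03:15:52Z  failure  Linux (Chrome)             RO  192.0.2.44
2024-03-02T03:16:03Z  failure  Linux (Chrome)             RO  192.0.2.44
2024-03-02T03:16:20Z  success  Linux (Chrome)             RO  192.0.2.44
2024-03-03T09:00:00Z  success  Windows laptop (Firefox)   BE  203.0.113.10
"""

# Baseline the account owner recognises (assumption for the example).
KNOWN_DEVICES = {"Windows laptop (Firefox)", "Android phone (app)"}
KNOWN_COUNTRIES = {"BE"}

# Device names contain single spaces; the fields are separated by two or more.
RECORD = re.compile(
    r"^(?P<when>\S+)\s+(?P<outcome>success|failure)\s+(?P<device>.+?)\s{2,}"
    r"(?P<country>[A-Z]{2})\s+(?P<ip>\S+)$"
)


def review_logins(export, known_devices, known_countries, guess_threshold=2):
    """Return the successful logins that deserve action, with the reason(s) for each.

    A login is flagged when it comes from a device or country the owner does not recognise,
    or when it was preceded by repeated failures from the same IP (password guessing).
    """
    findings = []
    failures_by_ip = {}
    for line in export.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # not an activity record (header, blank line, ...)
        r = m.groupdict()
        if r["outcome"] == "failure":
            failures_by_ip[r["ip"]] = failures_by_ip.get(r["ip"], 0) + 1
            continue
        reasons = []
        if r["device"] not in known_devices:
            reasons.append("unknown device: " + r["device"])
        if r["country"] not in known_countries:
            reasons.append("unknown location: " + r["country"])
        failed = failures_by_ip.get(r["ip"], 0)
        if failed >= guess_threshold:
            reasons.append(f"{failed} failed attempts from {r['ip']} before this success")
        if reasons:
            findings.append({"when": r["when"], "ip": r["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_logins(ACTIVITY_EXPORT, KNOWN_DEVICES, KNOWN_COUNTRIES):
        print(f["when"], f["ip"], "->", "; ".join(f["reasons"]))
        print("   action: sign this device out and change the password now")
```

Only the 03:16 login from Romania is reported, for all three reasons at once; the legitimate Belgian logins pass silently. In practice the export format differs per provider, so the regular expression is the part to adapt.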

9. Delete unused accounts

As soon as an account is no longer used, it is better to delete it completely, so that the information it contains cannot be accessed without the owner’s knowledge.

10. Fill in only the strictly necessary information

Some personal information is not needed for a given service. For example, a social security number is not necessary to buy something. A website asking for information that is unusual for the service provided can be an indicator of a scam.

11. Always sign out of your accounts

Always sign out of accounts you are not currently using. If someone gets hold of the device, they then cannot immediately enter every account it is logged into.

Personal information is valuable

Personal data is very valuable to cybercriminals. They can use it to impersonate people or to target an organisation’s colleagues, clients or providers. They can also use it to carry out criminal business under someone else’s identity, or to gain access to bank accounts, mobile providers and much more. Personal data is among the most important information a person has and should be treated accordingly.

What to do if your account gets hacked?

1.    Report the incident immediately to your IT Responsible.
2.    Warn your colleagues that they might receive a message from someone impersonating you and that they should not trust it.
3.    Change the password of the compromised account and of every other account where the same password is used; where the service allows it, also sign out all active sessions and devices.
4.    If you can no longer access the account, use the recovery options to regain access and then change all your passwords.
5.    Scan your device with an antivirus.
6.    If the incident involved a bank account, immediately inform the finance responsible. If you notice that money has been stolen from your bank account, file a complaint with the police.
7.    If you are responsible for that bank account, call Card Stop on +32 78 170 170 and check your account statements. If you notice any suspicious activity, call your bank immediately so they can help you.
8.    Check your posts and orders. If you see any change made or order placed by someone else, save the evidence, delete the publications or cancel the orders, and contact the services concerned to file a complaint.

Always report scams that arrived by e-mail to your IT Responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)), then delete the message.

Has your data been locked by ransomware? Do not pay the ransom

Paying the ransom encourages the criminals to attack your organisation again and gain even more profit. You can find more information about ransomware on LINK


The DDoS attack

Reading time
8min
Description

In today’s digital society, where almost every service is available 24/7, an attack that disrupts this availability can have serious consequences for an organisation’s business activity. A distributed denial-of-service (DDoS) attack aims to make a server inaccessible in order to cause an outage or severely degrade the service. This article gathers what to do when an organisation is undergoing such an attack and how to protect against it.


What is a DDoS attack?

A Distributed Denial of Service (DDoS) attack disrupts the normal operation of an organisation’s web host or server by overloading it with an enormous number of requests sent from many sources at once. A real-life comparison is a huge traffic jam: a car wants to get from point A to point B, but additional cars keep getting in between it and its destination until it is stuck. The attack makes the web page, and the services provided through it, unavailable until it is stopped, which can cause significant financial and productivity losses for the organisation, as it can no longer offer those services.

How to identify a DDoS attack?

A good starting point is browsing your own websites as an external user would. If a website is unavailable, a DDoS attack is one possible cause, but so are an ordinary outage or a compromise of the site. The IT Responsible should investigate to identify the cause of the unavailability and, if it is an attack, its type.

In addition, detection means can be set up to identify whether an attack is happening or has already happened. Monitoring all the critical systems that support an organisation’s operations is a key element of protecting a website. If something does happen, the IT Responsible and their team can be notified through alerts configured beforehand. There are also website monitoring tools that detect modifications of the content and other changes made to a website, such as an attacker linking the website to newly set-up domains.

When considering tools to monitor a website, an organisation should weigh the costs against the benefits. Such tools typically monitor three aspects: availability, speed and content. There is no one-size-fits-all solution: the overall cost depends on how closely and how often an organisation wants its website monitored. This is specific to each organisation and its requirements; if the website is a key element in carrying out daily operations or providing services to customers, investing in website monitoring tools is worthwhile.

Website monitoring tools are a great asset, however the solution chosen must be validated by the organisation’s IT Responsible from a security and performance point of view.
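What such a monitor actually evaluates, as an added example rather than code from the article or from any monitoring product: a stored baseline (content hash, the set of domains the page references, an acceptable response time) is compared with one fetch of the page, and the three aspects named above plus the ‘newly set-up domains’ case are reported as alerts. The HTML pages, latency values and the attacker-cdn.example domain are constructed for the example; fetching the page over the network is left to the caller.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkHosts(HTMLParser):
    """Collect every hostname the page loads from or links to (href, src, form action)."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                host = urlsplit(value).hostname
                if host:
                    self.hosts.add(host.lower())


def link_hosts(html):
    parser = LinkHosts()
    parser.feed(html)
    return parser.hosts


def make_baseline(html, max_latency_ms):
    """Record what 'normal' looks like: content hash, referenced domains, acceptable latency."""
    return {
        "sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
        "hosts": link_hosts(html),
        "max_latency_ms": max_latency_ms,
    }


def evaluate(status, latency_ms, html, baseline):
    """Compare one fetch of the page with the baseline; return the list of alerts (empty = OK)."""
    alerts = []
    if status != 200:  # availability
        alerts.append(f"unavailable: HTTP {status}")
    if latency_ms > baseline["max_latency_ms"]:  # speed
        alerts.append(f"slow: {latency_ms} ms (limit {baseline['max_latency_ms']} ms)")
    if hashlib.sha256(html.encode("utf-8")).hexdigest() != baseline["sha256"]:  # content
        alerts.append("content changed")
    new_hosts = link_hosts(html) - baseline["hosts"]
    if new_hosts:  # the page now pulls content from, or links to, a domain it never did before
        alerts.append("references to unexpected domains: " + ", ".join(sorted(new_hosts)))
    return alerts


# Constructed pages for the example (not a real site).
BASELINE_HTML = """<html><body>
<a href="https://my.organisation.be/contact">Contact</a>
<script src="https://static.organisation.be/app.js"></script>
</body></html>"""

TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="https://attacker-cdn.example/x.js"></script></body>'
)

if __name__ == "__main__":
    baseline = make_baseline(BASELINE_HTML, max_latency_ms=800)
    print("normal  :", evaluate(200, 120, BASELINE_HTML, baseline))
    print("tampered:", evaluate(200, 120, TAMPERED_HTML, baseline))
    print("down    :", evaluate(503, 9000, "", baseline))
```

A plain content hash fires on every legitimate edit and on dynamic pages; for those, hash only a stable region or rely on the referenced-domain check, which is what catches an injected script tag regardless of the rest of the page changing.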

How to protect a website from a DDoS attack?

1. Activate and configure a Web Application Firewall

A Web Application Firewall inspects the HTTP(S) traffic between clients and the web server and allows or denies requests based on defined security rules. It sits between the server and the client and, because it terminates (or is given the keys to decrypt) the encrypted connection, it can analyse the content of each request made to the web application. When a request matches a rule, it can block it and raise an alert to the IT Responsible and their team, who decide on the next actions.

The Web Application Firewall protects against attacks that arrive through the web application. It does not replace a perimeter firewall, which blocks unauthorised access and detects attacks coming through other entry points.

2. Update all software, operating systems and internet browsers

Cybercriminals constantly look for vulnerabilities to exploit, so it is important to keep all systems up to date. This makes sure the latest, most secure version is in use.

3. Keep all web server components up-to-date

As for all information technology systems, updates of website components are crucial to make sure that any known vulnerability is remediated, giving attackers no chance to exploit it.

The typical components for a web server include:

* The BIOS/firmware of the hardware the organisation’s server is running on;

* The operating system of the server;

* The actual web service used (e.g., Apache, nginx, IIS, etc.);

* The content management system (e.g., Drupal, Joomla, WordPress, etc.);

* Optionally, the virtualization layer.

Very few organisations build their website from scratch. They usually rely on third-party platforms, which come with a large number of plugins and themes. Make sure to keep those up to date as well: the third parties’ developers are constantly fixing newly found vulnerabilities, so installing the updates is crucial to run the least vulnerable version of each component.

4. Secure the access to and update the content management system

As stated above, one of the important steps in securing a Content Management System is keeping it and its plugins up to date. Cybercriminals constantly look for new vulnerabilities to exploit, and security patches are released to fix them. It is therefore important to install updates as soon as they are available.

In addition, the Content Management System can be protected by not keeping the default account names and passwords, but creating one’s own administrator account with a strong password and enabling Multi-Factor Authentication on it. Multi-Factor Authentication requires a user to present at least two different types of evidence to prove their identity (e.g. something they know, such as a password, plus something they have, such as a code generated by an authenticator app or received by text message) before they are granted access to the resource they are trying to reach.

Finally, a regular review of the user list must be part of the access management process. This applies not only to users with access to the Content Management System, but to every user within the organisation in general. The review lets the organisation check that no test users are still active and that no users who should not be there have been added.

5. Use strong passwords and implement Multi Factor Authentication

People tend to use weak passwords because they are easier to remember. However, a password that is easy to remember is often also easy to guess. It is therefore important to allow only strong passwords, which combine upper- and lower-case letters, numbers and symbols. In addition, Multi-Factor Authentication adds a further layer of protection to the accounts.

6. Ensure your Internet Service Provider has clear procedures to react to and prevent an attack

It is important to determine whether your organisation manages its own Internet connectivity or relies on a service contracted from an Internet Service Provider (ISP). If there is a contract with an ISP, check it thoroughly and find out what the provider’s procedures are in the event of an attack, for example whether it offers DDoS mitigation (such as traffic scrubbing) and how to activate it. ISPs are the gateway between an organisation and the Internet, which is why they are increasingly concerned about DDoS attacks and their growing complexity; most of them are investing heavily in preventing them.

If your organisation manages its own networks, consider creating different security zones (e.g. basic network segmentation through VLANs or other network access control mechanisms) and control and monitor the traffic between these zones. Also make sure that unused services are disabled or filtered out of the network, and never leave the default password on the Internet router or other systems. Lastly, operating systems, programs and routers should be updated automatically.

7. Limit the number of page requests per user

Limit the number of page requests a single user can send, for example to a thousand requests per user per 24 hours, and reject or slow down requests above that limit. This mitigates application-layer floods, where a bounded set of sources tries to exhaust the web server. It does not help against a volumetric attack that saturates the organisation’s Internet link before the requests ever reach the web server; that kind of traffic has to be absorbed upstream, by the ISP or a cloud provider (points 6 and 8).
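The mechanics of that limit, as an added example (not code from the article or from any particular web server): a sliding-window limiter that admits at most `limit` requests per client in any `window_seconds`, plus the choice of what counts as ‘one user’. The 1000-per-24-hours figure comes from the text; the header names, the trusted-proxy address and the IP addresses are assumptions for the example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client key in any window of `window_seconds`.

    A refused request is not recorded, so a client that keeps hammering does not
    push its own window further into the future.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, key, now):
        hits = self._hits[key]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:  # forget requests older than the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def client_key(headers, remote_addr, user_id, trusted_proxies):
    """Decide what 'one user' means for the limiter.

    An authenticated user id is best. Otherwise use the client IP, but only trust
    X-Forwarded-For when the connection comes from our own reverse proxy: a client
    talking to us directly can put anything in that header to dodge the limit.
    """
    if user_id:
        return "user:" + user_id
    xff = headers.get("X-Forwarded-For", "")
    if remote_addr in trusted_proxies and xff:
        # Our proxy appends the address it saw; the rightmost entry is the one it wrote.
        return "ip:" + xff.split(",")[-1].strip()
    return "ip:" + remote_addr


if __name__ == "__main__":
    # Constructed scenario: one client sends 1001 requests in a day, another sends one.
    limiter = SlidingWindowLimiter(limit=1000, window_seconds=24 * 3600)
    trusted = {"10.0.0.5"}  # assumption: address of the organisation's reverse proxy
    flood = client_key({"X-Forwarded-For": "192.0.2.1"}, "10.0.0.5", None, trusted)
    other = client_key({}, "198.51.100.20", None, trusted)
    accepted = sum(limiter.allow(flood, t) for t in range(1001))
    print(f"{flood}: {accepted} of 1001 accepted")          # 1000 of 1001 accepted
    print(f"{other}: accepted={limiter.allow(other, 1001)}")  # True: limits are per client
```

The sliding log stores up to `limit` timestamps per key, which is fine for 1000 per day; for per-second limits on busy sites a token bucket or fixed-window counters use far less memory. Keying on the spoofable header without the trusted-proxy check is the classic way such a limit gets bypassed.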

8. Choose cloud services over locally hosted services

Cloud-based services are generally much better protected against DDoS attacks than locally hosted ones, especially e-mail and other online platforms, because large providers have the bandwidth and dedicated mitigation capacity to absorb traffic that would saturate a single organisation’s Internet link. The extra protection the cloud adds is that the services remain widely available during an attack. Check that DDoS protection is actually part of the service contracted.

9. Audit the website to look for most common vulnerabilities

Testing a website for well-known vulnerabilities is a good way to establish whether it is ready to go live from a security point of view. Identifying existing vulnerabilities leaves time to fix them, without damage, before a cybercriminal exploits them and causes real harm. Security experts can help assess a website’s security, for example through penetration tests and audits.


What to do if your website is attacked with a DDoS?

1. Report the incident to the organisation’s IT Responsible

As soon as unusual behaviour is suspected on the website, report it immediately to the IT Responsible within the organisation so that they can take the remediation steps below.

2. Gather all the necessary forensics

A DDoS attack is a cybercrime that must be reported to the police. To file a complaint, gather the elements that document the case: screenshots of the attacked website, screenshots of anything unusual displayed on the devices, and the log records from the firewall and servers. Keep the raw logs; the timestamps, source addresses and traffic volumes they contain are what investigators and your ISP will need.

3. Make a copy of all the compromised devices

If possible, make a forensic copy (disk image) of every affected device onto separate physical storage, so that the evidence survives the clean-up.

4. Report the incident to the police and file a complaint

A DDoS attack is punishable by law and should be reported to the authorities to allow them to investigate the people responsible and prevent them from executing other attacks.

5. Change all the passwords that were exposed (if any)

If the investigation shows that credentials were exposed or reused during the incident, change those passwords on every account where they are used.

6. Make an inventory of all the sensitive information accessed or stolen

This helps assess the magnitude of the attack to anticipate what the hacker could use in the future to launch other attacks.

7. Identify and remediate all the vulnerabilities that were used to get access

By determining exactly how the attacker got access to a resource, the necessary remediation steps can be taken to make sure this vulnerability cannot be used again for other attacks. This might be for example installing a security patch or changing a compromised password.

8. Inform the website provider and Internet Service Provider

When an external provider is involved, they should be contacted and informed about the incident so they can also take the necessary steps to remediate it.

9. If needed, contact official external security specialists

Not every organisation has the resources to remediate a cyber incident efficiently. Several security specialists can be hired to help resolve the incident. Those specialists should come from reputable, identifiable organisations, such as known consultancy firms, to avoid hiring a scammer.


Cyber-attacks: what to do?

Reading time
9min
Description

IT equipment and data are critical assets for organisations. The unavailability or damage of that equipment and data caused by a cyberattack can significantly impact an organisation’s finances and reputation, or even threaten its survival. Cyberattacks are therefore a serious crisis to which every organisation should know how to react.


Organised cybercrimes, organised solutions

Cybercriminals spend a considerable amount of time setting up a cyber-attack and making sure it will succeed. As organised as the attack is, the response must be managed just as methodically. The management of such a crisis should happen at the highest level of the organisation, involving the IT Responsible, their team and, if the organisation has one, the security team. The immediate goals are to limit the impact of the attack, allow business operations to resume as soon as possible, and establish the additional security measures to put in place to avoid a recurrence.

Cyber security incident management is not a linear process; it’s a cycle that consists of preparation, detection, incident containment, mitigation and recovery. The final phase consists of drawing lessons from the incident in order to improve the process and prepare for future incidents. During this cycle, communication with both internal and external stakeholders is of critical importance.

This article aims at helping organisations undergoing an important cyber-attack, or wanting to be prepared in case one happens, to identify the main actions to take in order to be able to manage the incident.

For advanced guidance on incident management, you can consult the Cyber Incident Management Guide of the Cyber Coalition (Dutch title: CYBERVEILIGHEID GIDS VOOR INCIDENTBEHEER).

What to do first?

When confronted with a cyber-attack, specific actions can be taken to stop it and contain the risks:

1. Immediately notify the IT Responsible

The IT Responsible will know best how to deal with the incident and how to resolve it as quickly as possible. If the organisation has no IT Responsible, reach out to someone from leadership and follow their instructions.

Always report every incident

Incidents should always be reported to the IT Responsible, even if it was only witnessed or if there is a slight doubt. The sooner the right people can act on it, the smaller the consequences of the incident.

2. Isolate the infected resources

By cutting off all connections from the infected resources to the Internet and to the local corporate network, cybercriminals cannot move from one system to another and spread the attack. Do NOT turn off the computers in question: powering them down erases the traces left by the perpetrators, such as running processes, open network connections and memory contents.

3. Appoint a crisis management team

Coordinating the actions of the various fields involved (e.g. technical, HR, financial, communication, legal, etc.) is a key element when dealing with a cyber-crisis. The goal of the crisis management team is to supervise the specific actions each field should take during the crisis. Sensitive communications on the progress of the incident should go through a separate, secure channel, since the attackers may still be reading the organisation’s usual e-mail or chat.

4. Keep a register of all events and all actions executed

Keep a record of all events and actions to present to the investigating authority and to help the IT Responsible to establish the lessons learned from the incident afterwards.

5. Keep all the evidence from the attack

This task is carried out by computer specialists. They will examine the computer affected by the infection and try to find clues as to the perpetrator, such as changes in the system, configuration files or company data. They will also determine whether the perpetrators have installed any malicious software. Finally, it is important to thoroughly examine all log files on the system.

Keep all messages received, machines affected, connection logs, etc. as evidence. Just like the record of all events and actions, it will be important in the investigation afterwards.

As a matter of principle, you should NOT pay ransom to criminal organisations

We strongly advise against paying a ransom. There may be situations in which payment is the only option left, but keep in mind that attackers are most likely interested in financial gain and any opportunity to extort more money from you will be evaluated by these actors.

How to manage the crisis?

1.    Implement fallback solutions

Establish which other resources can be used to replace the infected ones in order to ensure the continuity of critical operations. If the organisation has a Business Continuity Plan or a Disaster Recovery Plan, use them to identify what should be done to manage the crisis.

2.    Report the incident to the relevant authorities

Reporting not only helps investigate the incident, it also allows other organisations to avoid falling victim to the same attack. Reporting may also be a legal requirement in some cases.

•    The police
If money is lost or the company is being extorted, we recommend reporting it to the police. You can file a report with the local police where you live. Bring along as much information as possible (e.g. relevant bank statements, screenshots, printouts, etc.) when going to the police station.

•    Bank and Cardstop
Contact your bank and call Cardstop on 078 170 170 if you have passed on bank details, money has disappeared from your bank account or if you have transferred money to a scammer. This allows for fraudulent transactions to be blocked. If you want to report the fraud, you can contact your bank by calling a specific number that can be found on https://beschermjezelfonline.be/bank-contacteren-for-help

•    Safeonweb
If you received a suspicious e-mail or message, forward it to suspicious@safeonweb.be and then delete it.

•    Mandatory reporting of NIS incidents
Reports must be made via the NIS reporting platform (https://nis-incident.be/). The platform is reached over the Internet through a secure connection, with a unique identification key (login/username and password) for each operator of essential services (AED) and digital service provider (DDV). If the platform is not available, the incident must be reported via the website of the CCB. The platform ensures that the report reaches the CCB, the National Crisis Centre and the sectoral authority.
Find more information here [https://ccb.belgium.be/en/node/899] and here [https://ccb.belgium.be/en/node/903].

3.    Establish the origin and extent of the attack

Identifying where the attack started and how many resources were infected will help take the right actions to correct any existing security issues and prevent another incident.

4.    Manage the crisis communication

Establish the level of details and transparency to share information with all relevant parties (e.g., collaborators, clients, providers, stakeholders, the media, etc.).
Communicate early and often, keep your internal collaborators, suppliers, service providers and customers informed. Hiding the attack is generally not a good idea as it can damage your brand's reputation. Be as transparent as possible to your collaborators, stakeholders, customers or users, and the press about the attack. Even if you do not have all the answers, it is important to inform all stakeholders.

5.    Take care of your legal obligations

There are legal obligations to notify authorities such as the DPA/GBA/APD in case of a suspected data breach (usually within 72 hours). https://www.autoriteprotectiondonnees.be/citoyen/agir/contact (website available in NL and FR). Involve your Data Protection Officer (DPO). The legal team and/or the DPO can also file a complaint with the local police.

What to do after the crisis?

6.    Progressively recover the operations

Check that the attackers have not also compromised the security and integrity of your backup system.
Fix, update, rebuild and reset your authentication system, and implement multi-factor authentication. Do not restore from backups taken shortly before or after the attack, as they may already contain the attacker’s tools or foothold. Act on the above first, and only then begin rebuilding your systems from the backups. Be careful not to reinfect clean systems during recovery. Once a system has been restored, make sure nothing malicious is left on it before reintegrating it into your network. Rebuild systems in priority order of critical services: restore servers first, then endpoints. Delete or completely isolate old systems and protocols.

 

The eradication can take many forms. It often includes actions such as:

•    Running a virus or spyware scanner to remove the offending files and services;
•    Updating signatures;
•    Deleting malware;
•    Disabling breached user accounts;
•    Changing passwords of breached user accounts;
•    Identifying and mitigating all vulnerabilities that were exploited;
•    Identifying security gaps and fixing them;
•    Informing employees about the threat and giving them instructions on what to avoid in the future; and
•    Informing external stakeholders such as the media and your customers. It is also important to inform top management about the eradication and clean-up results and the network situation.

7.    Establish the lessons learned

No organisation wants to relive the same attack over and over again. It is thus important to establish all the lessons learned from the incidents and set up an action plan to define which security measures and investments (e.g., financial, human, contractual, etc.) should be put in place to strengthen the protection of the resources.

8.    Avoid a new attack

It is absolutely essential that the antivirus software is up to date, as well as all the applications installed on the workstation. Install a firewall and an Intrusion Detection System. Set up a secure password management policy and implement Multi-Factor Authentication, which requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.

A strong password to protect valuable information

Reading time: 5min

Cloud-based platforms, intranets and extranets, accounting or human resources systems are just some of the resources Belgian organisations use in their daily operations. In addition, social media, banking, email, application and website accounts are among the many accounts collaborators use in their daily life on devices containing organisation data. Each one of these accounts requires a password to access it.


Follow the policy

Always respect your organisation’s password policy, acceptable use policy and data classification policy to ensure a sufficient and consistent level of cybersecurity.
A set of reference document templates is available to ensure a quick and smooth implementation of cybersecurity policies within your organisation.

Set up a strong password

The longer, the better. Long passwords are more effective because the number of possible combinations grows with every added character, making them much harder for cybercriminals to crack. Passwords should be at least 12 characters, combining lowercase, uppercase, numbers and symbols to increase complexity.
A good technique to make a strong password is to build a ‘password sentence’, e.g.: “Alice is at the beach in Oostende”. Crop the various words and keep the preferred amount of letters, e.g.: “Ae is at te bh in Oe”. Make this password even stronger by adding or replacing some letters with numbers and/or symbols, e.g., replacing an ‘e’ with the number 3 or an ‘s’ with the number 5. Pick whatever numbers and symbols you like, but make sure to remember the final sequence.

Never share passwords

Once a strong password is created, it is strictly personal and should never be shared. Especially professional passwords should be treated with care. For example, never ask a colleague to login on your behalf.

Use different passwords for different accounts

Cybercriminals can use phishing techniques or hack a website to steal passwords and access personal information, or sell the leaked credential data on the dark web. With that stolen information, their goal is to cause harm either by stealing money or by using sensitive information to obtain unwanted and/or illegal services. Once in possession of one single password, they will try to use it on other accounts as well to see if they can access more services and cause even more damage, or they will try to move within the organisation’s network to access more information. It is therefore very important to contain the risk of multiple accounts being compromised by using different passwords for different accounts.

One account, one password

Never use the same password across different accounts. In this way, if something bad happens, the damage can be contained.

Use Multi-Factor Authentication (MFA) wherever possible

Multi-factor authentication is a solid way to reinforce password protection. It represents the use of multiple ways – factors – to prove that you are who you claim to be and that you are allowed to access your account.
Those factors can be:
•    Something you know (password or PIN),
•    Something you have (phone or token) or
•    Something you are (fingerprints or face).

Multi-Factor Authentication requires the combination of at least 2 of those factors to allow you to access an account. For example, the use of a password and a code sent via text on your mobile phone. In addition, Multi-Factor Authentication can also be implemented through the use of a verification app. For example, itsme® is a free Belgian app enabling any resident to prove their identity or confirm transactions in a safe, easy and reliable way. Alongside this app, other known authentication apps can also be used: Google Authenticator, Microsoft Authenticator, or Authy.
The most commonly used services offer a form of two-step verification and have a short instruction page. You can find all those services and instructions by visiting https://www.safeonweb.be/en/two-factor-authentication-it-difficult-use.
While not being a silver bullet, this will increase the efforts an attacker needs to compromise you or your organization. More often than not, this would be a sufficient incentive to dissuade any opportunistic attacker.

Password Managers: an easy way to remember all your passwords

Having different and strong passwords for different accounts can help protect information. However, in daily life, people use many different accounts and remembering one password for each of them can be quite difficult. This does not mean that they need to use the same password across all accounts and accept the risk of being hacked. Indeed, one specific solution has been built especially for that purpose: the Password Manager.
Password Managers will help manage all different passwords by storing them safely. Some Password Managers can even generate random passwords and make sure they are strong enough. In order to access the Password Manager, set up one single strong password.
Many Password Managers are available in a free or paid version, and your IT Responsible can be consulted for advice on which one to choose in line with the organisation’s policies. As a starting point, here is a list of some password managers:
•    Bitwarden
•    Keeper
•    Dashlane
•    KeePassXC
•    Keepass
•    Lastpass
•    LogMeOnce
•    1Password
As for every technology solution available, Password Managers can also have vulnerabilities that can be exploited. However, vendors do everything they can to keep the product safe. To add a layer of protection, we recommend implementing Multi-Factor Authentication to access the Password Manager.


The main benefits of a password manager:

•    Secure storage of all passwords;
•    Random generation of complex passwords;
•    Easy to use;
•    Less to remember; and
•    Available from any device.

Change passwords when in doubt

If there is any indication that a password has been revealed or shared, change all passwords immediately. Remember to change the passwords substantially. Only adding one letter or number won’t have a strong effect, since most hackers keep a list of combinations of hacked accounts.
Additionally, in the event that a professional password has been disclosed or shared, contact your IT Responsible and follow their instructions.
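The following is an added example, not part of the original article: a small Python checker that applies the rule given under "Set up a strong password" (at least 12 characters, mixing all four character classes), estimates the brute-force search space to show why length matters more than a couple of substitutions, and implements the "change passwords substantially" advice above by rejecting a new password that differs from the old one by only a few edits. The pool sizes, the 4-edit threshold and the sample passwords are assumptions chosen for illustration.

```python
"""Added example (not from the original article): password policy check,
search-space estimate and 'substantially different' check."""
import math
import string

MIN_LENGTH = 12  # rule stated in the article: at least 12 characters

# assumed pool sizes: printable ASCII minus letters and digits leaves 33 symbols
POOL_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def character_classes(password: str) -> set[str]:
    """Return which of the four classes (lower, upper, digit, symbol) are used."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")  # spaces and punctuation count as symbols
    return classes


def meets_policy(password: str) -> bool:
    """True when the password is long enough and uses all four classes."""
    return len(password) >= MIN_LENGTH and len(character_classes(password)) == 4


def search_space_bits(password: str) -> float:
    """log2 of how many candidates an attacker must try to exhaust every
    password of this length drawn from the same character classes."""
    pool = sum(POOL_SIZE[c] for c in character_classes(password))
    return len(password) * math.log2(pool)


def substantially_different(old: str, new: str, min_edits: int = 4) -> bool:
    """Reject 'changes' that only append or swap a character or two
    (Levenshtein edit distance below the assumed threshold)."""
    prev = list(range(len(new) + 1))
    for i, a in enumerate(old, 1):
        cur = [i]
        for j, b in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a != b)))
        prev = cur
    return prev[-1] >= min_edits


if __name__ == "__main__":
    # the article's own cropped sentence, then with the suggested e->3, s->5 swaps
    for pw in ("Ae is at te bh in Oe", "A3 i5 at t3 bh in O3", "P@ssw0rd12"):
        print(f"{pw!r:25} policy={meets_policy(pw)} bits={search_space_bits(pw):.1f}")
    print(substantially_different("Summer2023!", "Summer2024!"))  # False
```

The constructed short sample `P@ssw0rd12` has all four classes yet fails the length rule and offers far fewer combinations than the 20-character sentence without any digits.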
