US companies must prepare now for cyber retaliation from Iran. Some big companies, like ISPs and energy companies, already know this, and are no doubt ensuring that the SOC team is front and center, and that all unnecessary on-line activity is being postponed. But I’m also certain that most US companies – large, medium, and small – are doing nothing in response to this obvious and imminent cyber threat. And that is a mistake. Hence, my note.
Now – I’ve spent a lifetime preparing for these types of cyber threats, and it is good news when preparation turns out to have been unnecessary. If you take the time to perform the actions listed below and nothing happens – well, then that’s fine. But if something bad does happen, perhaps from an Iranian actor or surrogate, then you’ll be glad you took the time to prepare. Here are eight specific actions that I recommend you perform now:
Action 1: Back Up Everything. Contact your IT support (or maybe it’s just you) and make certain that everything is properly backed up. Also, review your procedures to ensure that you maintain full back-up at all times in the coming weeks and months. Imagine that your on-line systems go kaput, and decide now what is required to put things back together again. Go through this exercise carefully, and repeat it once per week.
Action 2: Double Check Contact Information. Check the phone numbers, email addresses, and other contact information of everyone you would depend on during a cyber attack. If you use a managed services provider, for example, then contact them now and make sure you have correct contact information for anyone who helps you. I’d suggest that you print your contact list out (laminating is nice) and carry it around in your briefcase.
Action 3: Notify Customers of Your Outage Process. Contact your customers now and explain that you are preparing for any type of cyber incident. Let them know how they should contact you if some interruption or degradation of service occurs. Explain that your team is on full alert and that you will notify them if anything unexpected occurs. (By the way, for our TAG Cyber customers, this blog post is my notification to you!)
Action 4: Identify and Review Manual Procedures. If you depend on any automated business processes (and we all do), then review with your team whether alternate manual procedures exist that don’t require network access, servers, applications, PCs, or other electronic means. I suspect that most business processes will not have good manual options, but it’s worth checking. You might get lucky.
Action 5: Enable 2FA to Your Publicly Accessible Systems. If you haven’t done this already, then please enable two-factor authentication to your on-line services. There is no excuse to wait, and the good news is that it’s totally simple to do (here is Google’s procedure). Having a second level of authentication will give you some nice additional protection should a malicious actor decide to target your systems or accounts.
Action 6: Remind Employees to be Extra Vigilant to Phishing. Send a note to your employees reminding them that they should be extra careful when handling email. Ask them to do whatever is required to remind themselves to be vigilant, and to not be tricked into clicking on a bad link. This is not the time to be sloppy, and by the way – you should invest in a good cyber security awareness program, regardless of your company’s size or scope.
Action 7: Review Non-Electronic Communication Plans. Imagine that your mobiles, Internet connections, and other devices cannot communicate. I know this is extremely unlikely, but it’s a good idea to imagine that it has occurred. Now – how would you communicate? If your team works together in an office, then you’d meet in the conference room. But it would be good to establish a worst-case communication protocol. Just in case.
Action 8: Cancel Unnecessary On-Line Activity. If you were planning near-term activity, such as maintenance, that can be postponed, then I’d suggest you do that. This does not mean canceling important and urgent activity, and only you can determine what this means. Rather, it implies that if some on-line activity involving your computing infrastructure can be easily postponed, then now might be a good time to do such postponing.
I know that many of you do not consider your company a target of any nation-state attack. But this is old thinking. If you have systems, accounts, data, or connectivity, then you are an attractive target, perhaps as part of an attack on some other target. Remember: Just because you are a small business or a non-critical infrastructure company does not mean that you are immune to cyber risk. This is an out-of-date view and you should not fall into this trap.
We all know that the Iranians launched a series of retaliatory DDoS attacks in 2012, so we should expect that whatever comes our way is likely to be destructive. I would guess that the DDoS attacks will be combined with other destructive activity such as advanced persistent threat (APT) intrusions or public defacements. It’s unclear whether these attacks will target industrial control systems, but I’d recommend that this sector be especially ready.
Please watch the DHS website for guidance (although I wouldn’t hold my breath) and I promise to keep you informed through my LinkedIn posts, tweets, and on the TAG Cyber website. Let’s hope that this threat situation comes and goes, and that nothing significant happens in terms of damage to our computing and networking infrastructure. But like all threats, it pays to be calm and measured, but also to be thoughtfully prepared.
Now, please go get started. Set up a meeting with your team now. Go carefully through the eight actions listed above, and if you have eight direct reports, then assign one action to each person. If you’re part of a team, then call your team leader and volunteer to coordinate the completion of each action. Now is the time to do your preparation, because once you’ve been attacked, it could be too late. Don’t wait.