Risk Advisory: Russian invasion of Ukraine

Friday, 25 February, 2022

Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.

Firstly, at this time, we believe that UK organisations are more likely to be affected by the sanctions introduced against Russian nationals and companies than state aggression in cyberspace.

While there are steps we recommend for security and technology teams below, immediate consequences are more likely to be associated with disruption to business operations and impact on revenue where organisations deal with customers in the Russian Federation.

Focus on the basics

Ciaran Martin, the former head of the UK National Cyber Security Centre, has tweeted saying “were a really sophisticated, targeted attack causing huge disruption to Western critical infrastructure to take place, it would be glaringly obvious it was Russia, with all the escalatory consequences.” We agree with this sentiment, and that it is ultimately impossible to prescribe how events in Ukraine will unfold.

We believe that ‘collateral damage’ from an unsophisticated attack is a more likely outcome for businesses to prepare for.

There is historic precedent for this, too: a Russia-linked outbreak of the ‘NotPetya’ malware in Ukraine led to significant disruption to many companies and sectors worldwide, from shipping giant Maersk to law firm DLA Piper, advertising giant WPP and tech provider Nuance.

What is the risk?

Such an ‘unsophisticated attack’ will probably manifest as ransomware or ‘wiper’ malware designed to disrupt computer systems.

Source:

  • Appearance of External Criminal actor

Risk events:

  • Malware/ransomware
  • System intrusion/software exploit

Consequences:

  • Operations/business disruption
  • Financial/unplanned costs

Frequency and severity factors

Poor backup and disaster recovery procedures will increase the severity of this type of cyber security incident. Having a clear and tested incident response plan can help quickly identify anomalies and contain the consequences of cyber incidents.

Running older versions of software that contain known vulnerabilities increases the frequency of software exploits. Ensuring that externally facing systems have ‘multi-factor authentication’ enabled helps to prevent compromise from password guessing attacks. Both of these weaknesses, unpatched software and the absence of multi-factor authentication, lead to unauthorised intrusion into IT systems.

How can we improve our posture?

If such an attack affects many organisations, it will probably be indiscriminate, rather than targeted, in nature. Ensuring good basic cyber hygiene is the most effective form of defence against this sort of indiscriminate risk scenario, and against many other common threats from cybercriminals, too.

The three questions below will help management teams understand if they are more, or less, exposed. Action should be taken by technology colleagues to address ‘negative’ answers:

  1. Are there any IT systems that we haven’t updated to the latest software versions?
  2. When did we last test that we can recover critical systems from our backups?
  3. Have we implemented multi-factor authentication on external systems (like Office 365, remote desktop and VPN)?

Further guidance is available from the NCSC, who are also calling on UK organisations to ‘bolster their online defences’ by following their published steps to take when the cyber threat level is heightened.

Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.