Attack Surface reduction
In short: reduce the attack surface in order to limit exploitability. A service that doesn’t run cannot be exploited. The same holds for services that are filtered, i.e. blocked by a firewall before they can be reached from the Internet.
- Assess – know your infrastructure and check the documentation: what are your networks, hosts, services and ports that are accessible from the Internet?
- Verify – reality check: scan the network and take note of all the exposed services.
- Question – explain and justify the necessity to expose each and every service.
- Limit – limit the exposure by disabling or filtering services that are not 100% necessary.
Example: You identified that your public Exchange server listens on ports 80/tcp and 443/tcp. You never intended to use Outlook Web Access, so filter or disable the service. Once it is no longer reachable, known-but-unpatched or as-yet-unknown vulnerabilities in it can no longer be exploited through that vector.
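As an added example (not part of the original page), the Verify and Question steps above can be automated: parse the grepable output of a network scan, compare it against the documented inventory of justified services, and flag anything that is exposed but undocumented, documented but without a justification, or documented but no longer observed. The scan output, the hosts in the 203.0.113.0/24 documentation range and the inventory are constructed for illustration; the mail gateway reproduces the Exchange case from the text.

```python
from dataclasses import dataclass

# Constructed sample of nmap grepable (-oG) output for a small public range.
# Not a real scan; addresses are from the 203.0.113.0/24 documentation range.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)
Host: 203.0.113.20 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.30 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (997)
Host: 203.0.113.40 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)
# Nmap done
"""

# Constructed inventory: what the documentation says is exposed, and why.
# An empty justification means the service is documented but nobody has explained it yet.
INVENTORY = {
    "203.0.113.10": {(25, "tcp"): "inbound SMTP for the Exchange mail gateway"},
    "203.0.113.20": {(80, "tcp"): "HTTP redirect to HTTPS",
                     (443, "tcp"): "public website",
                     (8443, "tcp"): "legacy admin interface"},
    "203.0.113.30": {(443, "tcp"): "SSL VPN for remote staff",
                     (22, "tcp"): ""},
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    kind: str      # "undocumented" | "unjustified" | "not_exposed"
    detail: str


def parse_grepable(text):
    """Return {host: {(port, proto): service}} for every port reported as open."""
    exposed = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the tab that precedes "Ignored State".
        ports_field = line.split("Ports:")[1].split("\t")[0]
        for entry in ports_field.split(","):
            # Format: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state == "open":
                exposed.setdefault(host, {})[(port, proto)] = fields[4] or "unknown"
    return exposed


def compare_exposure(scan_text, inventory):
    """Reality check: reconcile observed exposure with the documented, justified inventory."""
    exposed = parse_grepable(scan_text)
    findings = []
    for host, services in exposed.items():
        documented = inventory.get(host, {})
        for (port, proto), service in sorted(services.items()):
            if (port, proto) not in documented:
                findings.append(Finding(host, port, proto, "undocumented",
                                        f"{service} is reachable but not in the inventory: "
                                        "justify it or filter/disable it"))
            elif not documented[(port, proto)].strip():
                findings.append(Finding(host, port, proto, "unjustified",
                                        f"{service} is documented but has no recorded justification"))
    for host, documented in inventory.items():
        for (port, proto) in sorted(documented):
            if (port, proto) not in exposed.get(host, {}):
                findings.append(Finding(host, port, proto, "not_exposed",
                                        "documented as exposed but not observed: update the inventory"))
    return findings


if __name__ == "__main__":
    for f in compare_exposure(SCAN_OUTPUT, INVENTORY):
        print(f"[{f.kind:12}] {f.host}:{f.port}/{f.proto} - {f.detail}")
```

Run against the constructed data, the report flags 80/tcp and 443/tcp on the mail gateway (the unintended Outlook Web Access exposure from the example), an undocumented RDP host, an SSH service that was documented without any justification, and a legacy admin port that the documentation still lists but that is no longer reachable. Each "undocumented" or "unjustified" line is a candidate for the Limit step; each "not_exposed" line is a documentation fix.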
Keep the infrastructure up-to-date
Know the software and extensions/plugins in use and keep them updated at all times.
Consult the DDoS Mitigation document.
Benefit from and participate in information sharing communities, such as MISP.
ENISA and CERT-EU joint publication
ENISA and CERT-EU encourage all public and private sector organisations to adopt a minimum set of cybersecurity best practices, as outlined in the Boosting your Organisation’s Cyber Resilience document.
Best Practices for Individuals and employees
- Be careful with requests, links or attachments received via email, for instance phishing links.
- Inspect URLs with free tools such as Lookyloo or URL Abuse.
- Inspect attachments with free sandbox tools such as Joe Sandbox or via VirusTotal.
- Inspect office documents with Pandora.
- Submit phishing links via SPAMBEE.
Also, don’t trust emails blindly, even if they come from a trusted partner or if they are a reply to an existing valid email thread (those threads could have been stolen in previous leaks).
Be attentive to social engineering attacks of any kind, for instance by email, website, phone or letter post, e.g. asking for passwords.
Best Practices for the Politically Persecuted
Make sure to apply Secure Communication strategies carefully.
Notes for aspiring activists
DDoS (distributed denial of service) attacks are often viewed by activists as the easiest way to “do something”. It is important to keep in mind that it can have unanticipated negative side effects, such as hitting the wrong infrastructure (e.g. hospitals) or degrading the network connectivity globally in the country/region/area where you’re trying to render aid.
Using anonymisation networks such as Tor to protect your identity during such an attack will most probably cause an overload on the network, jeopardising political activists in repressive surveillance societies, who use them to communicate among themselves.
Remember that you only have partial information. Even if it is authentic, taking decisions individually and then acting offensively can backfire and can put you at significant risk.
Use the existing reporting facilities. In case you encounter criminal activities, report them to the nearest police station.
In case you see content related to racism, revisionism, discrimination or content related to terrorism, these topics can be reported to https://stopline.bee-secure.lu.
For support in case of an incident you can contact CIRCL.
Observed data leaks can be reported to https://cnpd.public.lu.
Suspicious financial activities and financial operations can be reported to the CRF (Cellule de renseignement financier). For more details about the financial sector in Luxembourg, there is a Ukrainian crisis page at the CSSF.