Evolving Russian Cyber-wars
Today, President Biden cited “evolving intelligence” hinting that Russian cyber-attacks are on the way and that citizens need to harden their computers.
There’s good reason to take this seriously. Biden has been citing intelligence in the lead-up to the Russian invasion that has been proven correct. In addition, even without the warning, we know that whenever there’s a conflict between nations, nationalistic hackers get involved in attacking the opposing side.
On the other hand, this intelligence is different. For one thing, it’s unfalsifiable. We know Biden’s previous predictions were correct because Russia really did invade Ukraine. But how can we tell if this new prediction is true? Ransomware and other cyberattacks from Russia have been common for years. What would constitute a fulfillment of this prediction? The next attack from a Russian ransomware crew will be tied into this, but is it true?
For another thing, it’s very much a political cliché. Warning of a potential Russian invasion of Ukraine is about something happening over there. Warning of potential Russian cyberattacks against Americans brings the conflict home. It makes policies that raise the price of gasoline more acceptable to citizens.
This warning urges people to “harden your cyber defenses immediately”, but these suggestions are tinged with politics. It’s very much in support of the cybersecurity-industrial complex, recommending people buy lots of cybersecurity products, pay for cybersecurity services, and give more private information to the government. The advice they give also dovetails with the cybersecurity executive order (EO) earlier this year — as much building political support for that policy as helping you secure your systems.
The warning points to CISA’s basic security advice. It’s not very good advice.
To be fair, it used to deserve a failing grade ‘F’, and now it’s closer to a ‘C-’. It’s no longer complete garbage, it’s getting better, but it still has a number of failings.
I’ve tweeted and blogged elsewhere why much of their advice is bad, but here I’m going to point to two useful things: multifactor authentication and offline backups.
Personally, I do “near offline” backups, an old Linux laptop that firewalls incoming connections and does incremental snapshots of my servers to USB drives. It gives me the advantage of online backups but with the isolation of an offline system.
Beyond this, my most important advice for organizations is to redo all your Windows domains. Ransomware is successful because it exploits how you structured your Windows domains 20 years ago. You need to go back and change things, with tiered domains and privileged workstations, so that domain admins no longer log into users’ desktop computers.