The National Cyber Security Centre Finland’s weekly review – 46/2022
Information security now!
This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 11–17 November 2022). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.
Topics covered in this week’s review
- Support for the development of information security can be applied for from 1 December onwards
- The claims presented by scammers impersonating the police are nonsense and the attachment is harmless
- Network administrator – check whether the basics of your network environment are in order
Support for the development of information security can be applied for from 1 December onwards
Support for the development of information security (or the so-called information security voucher) can be granted to businesses that are considered vital for the functioning of Finnish society, meaning so-called companies critical to security of supply. The purpose of the support is to raise the level of information security of these companies and thus improve Finland’s overall resilience against cyber security threats. The appropriation allocated for the information security voucher is EUR 6 million in total.
Applications for the support can be submitted from 1 December 2022 onwards. The support can be granted only for costs generated after the application was submitted and by 31 December 2024.
Companies can use the support for
- procuring equipment, devices and service licenses that support the development of information security
- the development of information security through training
- research, development and/or innovation activities that support the development of information security, and/or
- procuring consultation services that support the development of information security.
Traficom will be holding two Teams webinars for companies on the support and how to apply for it (11 January 2023 and 13 February 2023). More detailed information on the events and registration instructions will be published on our website in December 2022.
The claims presented by scammers impersonating the police are nonsense and the attachment is harmless
Various types of scams involving criminals impersonating both real and made-up law enforcement authorities and blackmailing victims with made-up crimes continue to go around. What these scams have in common are PDF documents sent to potential victims as email attachments. These formal-looking documents will accuse the recipient of serious crimes, but also suggest that the matter can be resolved with money.
While it is possible to hide malicious content in attached documents, the attachments used in the police impersonation scams seen thus far have not been found to contain any malware. The documents are complete fabrications, but opening and reading them pose no danger as such. However, it is perfectly possible that the situation might change in the future, so due caution should continue to be exercised when it comes to opening unfamiliar attachments.
The increasing number of scams indicates that at least some of them generate enough income for the scammers to make it worthwhile to continue spreading them to Finnish addresses. Hopefully active communication and the public highlighting of these scams will improve the awareness of Finnish people and prevent them from falling victim to such scams.
Network administrator – check whether the basics of your network environment are in order
It is important for organisations to identify the assets that require protection in their own network environments. Doing so is also the key to efficient protection. Protecting services, restricting their visibility and decommissioning unnecessary services reduce the number of ways in which attackers can penetrate the network. Since criminals are constantly mapping new attack vectors by automated means, it is essential for organisations to maintain awareness of their own network environments to be able to defend against attacks.
Once the attacker has breached an organisation’s internal network, they can start guessing passwords and taking advantage of unpatched vulnerabilities. No organisation should allow their information security to be compromised by remote work arrangements either. Any exceptional arrangements should be removed when returning to normal conditions. However, if the arrangements have not been documented, their thorough and careful dismantling is probably not possible. It is especially important to ensure that unused remote access services are not left open to the internet.
In this context, an open remote access service means having features and services enabled on a computer that make it possible to access the computer from elsewhere in the network. These include RDP (Remote Desktop Protocol) and related services and the SMB (Server Message Block) protocol. These kinds of services and access methods are intended primarily for the implementation of internal network services in secure office network environments, for example. When visible to the internet, they make devices vulnerable to data breaches and misuse.
It is not uncommon for organisations to enable remote access to their services in unsafe ways in order to allow them to be used outside of the office network, or to establish new services and inadvertently leave them open. As such, network administrators should make sure that their organisations’ firewalls are properly configured not only for internal network connections, but external ones as well. When a device needs to be accessed remotely, it should be done securely using a VPN solution, for example. Naturally, the proper functioning of VPN solutions in home environments needs to be ensured as well. If the VPN solution in use and the firewall are not correctly configured, devices that use the VPN connection may incorrectly assume that they are in the internal network and thus switch to using internal network firewall settings.
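One way to carry out the firewall check described above, as an added example that is not part of the NCSC-FI review: the script reads a constructed firewall rule export (a hypothetical CSV layout, not any vendor's format) and lists inbound allow rules that leave RDP or SMB reachable from outside the internal network. It assumes IPv4 rules and internal networks that use RFC 1918 addressing; the rule names are made up.

```python
import csv
import io
from ipaddress import ip_network

# Services named in the text: RDP (3389/tcp) and SMB (445/tcp, or 139/tcp over NetBIOS).
REMOTE_ACCESS_PORTS = {3389: "RDP", 445: "SMB", 139: "SMB over NetBIOS"}
# Assumption: the organisation's internal networks use RFC 1918 addressing.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule export (hypothetical column layout, not any vendor's format).
SAMPLE_RULES = """name,action,direction,source,protocol,dst_ports
office-rdp,allow,in,10.20.0.0/16,tcp,3389
temp-remote-work-2020,allow,in,any,tcp,3389
fileshare-partner,allow,in,198.51.100.0/24,tcp,139;445
legacy-range,allow,in,0.0.0.0/0,tcp,3000-4000
smb-block,deny,in,any,tcp,445
"""

def port_set_contains(spec, port):
    """True if a spec such as 'any', '445', '139;445' or '3000-4000' covers port."""
    for part in spec.lower().replace(" ", "").split(";"):
        low, _, high = part.partition("-")
        if part == "any" or int(low) <= port <= int(high or low):
            return True
    return False

def is_internal(source):
    """True only if the source lies entirely inside an internal network."""
    if source.strip().lower() == "any":
        return False
    net = ip_network(source.strip(), strict=False)
    return net.version == 4 and any(net.subnet_of(i) for i in INTERNAL_NETS)

def find_exposed(rules_csv):
    """Return (rule, service) pairs for inbound allow rules exposing RDP/SMB externally."""
    findings = []
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        if rule["action"] != "allow" or rule["direction"] != "in":
            continue
        if rule["protocol"] not in ("tcp", "any") or is_internal(rule["source"]):
            continue
        for port, service in sorted(REMOTE_ACCESS_PORTS.items()):
            if port_set_contains(rule["dst_ports"], port):
                findings.append((rule["name"], service))
    return findings

if __name__ == "__main__":
    for name, service in find_exposed(SAMPLE_RULES):
        print(f"{name}: {service} reachable from outside the internal network")
```

The wide port range in the `legacy-range` rule is flagged because it silently covers 3389, which is the kind of blind spot that a check matching only exact port numbers would miss.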
Ensuring that everything has been correctly configured is especially important when working with multiple suppliers, i.e. when firewalls, devices, deployment and administration are procured from different suppliers, which may lead to some uncertainty as to the exact division of responsibilities. In these types of situations, it is important for the organisation itself to make sure that the matter has been taken care of at some point in the supply chain and that the network exposure of the organisation’s devices is monitored. Organisations must also ensure a clear division of responsibilities with the supplier(s) when using cloud services.
The controlled decommissioning of services is an integral part of their lifecycle management. Decommissioning encompasses both the shutting down, removal and termination of network environments and the deletion of related configurations. If decommissioning measures are not carried out and completed consistently, you may be left with unused services running in the background that have the potential to become severe information security risks for your organisation.
Lifecycle management applies not only to services provided using traditional methods in the local network environment, but to cloud services and otherwise outsourced services as well. As such, it is a good idea to make sure that the service provider(s) has planned the decommissioning stage properly before establishing a client relationship with them. That being said, you should always take the time and effort to ensure the controlled decommissioning of services no matter the type of service provision (own production, outsourced, cloud procurement).
It is important to understand your own environment and the data stored there and protect them appropriately. In addition to implementing protection measures, network owners should actively map their networks for attack surfaces exposed to the internet and prepare plans for recovering from data breaches. The NCSC-FI recommends that all organisations should have their ordering and decision-making personnel and network administrators review the lifecycle management process of their services and the related lists of actions in different lifecycle stages. In addition to this, service configurations related to e.g. networks, firewalls and domain name services should be regularly reviewed to prevent the creation of blind spots.