DCSA CI MCMO Countermeasures Matrix
Please consider the following questions regarding how you protect your technology, information and personnel from malicious cyber operations.
Q1. Do you perform a regular review of your Domain Name System (DNS) records to look for suspicious zone transfers or internal hosts trying to resolve suspicious domains?
Q2. Do you limit information posted on publicly available webpages?
Q3. Do you use wireless access points (WAP)?
Q4. How do you detect scanning activities?
Q5. Do you use and regularly update an Intrusion Detection System?
Q6. Do you use common gateway interface (CGI) for executable programs on web pages?
Q7. Do you have web applications that require login?
- Do not allow zone transfers from non-authorized systems.
- Review and analyze DNS for suspicious activity or anomalies.
- Incorporate threat information into security protocols.
- Review and control posted information.
- Periodically review activities originating from foreign IPs.
- Periodically review company information discoverable on publicly available search engines (e.g. Google).
- Use a generic SSID.
- Use WPA-2 encryption.
- Use a wireless intrusion detection system and remove unauthorized WAPs.
- Disable incoming ICMP echo requests except where necessary.
- Disable outgoing ICMP Time Exceeded messages.
- Block source IPs with frequent ping sweeps.
- Close unused ports and review logs to identify IPs still attempting to access.
- Ensure your network is current on patches and software updates. (Phishing.org)
- Create firewall rules to reassemble fragmented IP packets before inspection.
- Use a host-based and network IDS.
- Update rules/signatures/patches.
- Remove all default web material.
- Apply all system and server patches.
- Run the web server with minimal privileges.
- Use an IDS on the web server.
- Strengthen the security controls of the organization's websites, applications and email systems, e.g. using technological solutions such as SSL, two-factor authentication, digital certificates, firewalls, anti-virus solutions, and enhanced fraud monitoring or reporting mechanisms. (INFOSEC)
- Enforce account lockout after repeated incorrect passwords.
- Review logs for frequent login attempts without activity.
- Consider using two-factor authentication. (INFOSEC)
- Report to applicable government entities. (INFOSEC)
- Issue alerts to staff, administrators or service providers of the organization's website to strengthen security measures and to watch out for any suspicious activities. (INFOSEC)
- Employees affected should immediately change any passwords revealed. If the employee used the same password for multiple resources, ensure they know to change it for each account, and do not use that password in the future. (US-CERT)
- Provide regular and updated training on identifying suspicious network activity.
- Provide a secure method for employees to report.
- Inform users directly (e.g. disseminate information through monthly statements, leaflets, publications or websites) about the preventive measures that your organization has implemented. (INFOSEC)
- Educate users about the best practices that they should follow and observe when using your Internet services. (INFOSEC)
- Have employees password-protect computers and mobile devices. (US-CERT)
- Particularly during travel, instruct employees to keep their valuables and mobile devices secure at all times (Narrative: When traveling, keep your device with you. Meal times are optimum times for thieves to check hotel rooms for unattended laptops. If you are attending a conference or trade show, be especially wary—these venues offer thieves a wider selection of devices that are likely to contain sensitive information, and the conference sessions offer more opportunities for thieves to access guest rooms.) (US-CERT)
- Particularly during travel, instruct employees to downplay laptops or mobile devices. (Narrative: There is no need to advertise to thieves that you have a laptop or mobile device. Avoid using your device in public areas, and consider non-traditional bags for carrying your laptop.) (US-CERT)
- Particularly during travel, instruct employees to be aware of their surroundings. (Narrative: If you do use your laptop or mobile device in a public area, pay attention to people around you. Take precautions to shield yourself from "shoulder surfers"—make sure that no one can see you type your passwords or see any sensitive information on your screen.) (US-CERT)
- Consider an alarm or lock on mobile devices or laptops. (US-CERT)
- Instruct employees to be careful about posting cell phone numbers and email addresses. (Narrative: Attackers often use software that browses web sites for email addresses. These addresses then become targets for attacks and spam. Cell phone numbers can be collected automatically, too. By limiting the number of people who have access to your information, you limit your risk of becoming a victim.) (US-CERT)
- Instruct employees to be wary of downloadable software (Narrative: There are many sites that offer games and other software you can download onto your cell phone or PDA. This software could include malicious code. Avoid downloading files from sites that you do not trust. If you are getting the files from a supposedly secure site, look for a web site certificate. If you do download a file from a web site, consider saving it to your computer and manually scanning it for viruses before opening it.) (US-CERT)
- Implement a policy for password suitability and rotation. (US-CERT)
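As an added example that is not part of the DCSA matrix: a Python review of constructed BIND-style query-log lines that implements the Q1 countermeasures, flagging zone-transfer (AXFR/IXFR) requests from hosts outside the authorized secondary list and internal hosts resolving watchlisted domains. The authorized host, the watchlist and the log lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Hosts permitted to request zone transfers (assumed: one authorized secondary).
AUTHORIZED_TRANSFER_HOSTS = {"10.0.0.53"}
# Watchlist of domains treated as suspicious (constructed for this example).
SUSPICIOUS_DOMAINS = {"updates-checkin.example", "cdn-telemetry.example"}

# Simplified BIND query-log shape: "client [@0x...] <ip>#<port> ... query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+.*query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
client 10.0.0.53#40512 (corp.example): query: corp.example IN AXFR -TE (10.0.0.1)
client 10.0.5.17#51022 (corp.example): query: corp.example IN AXFR -TE (10.0.0.1)
client 10.0.7.42#53211 (www.corp.example): query: www.corp.example IN A +E (10.0.0.1)
client 10.0.7.42#53212 (mail.cdn-telemetry.example): query: mail.cdn-telemetry.example IN A +E (10.0.0.1)
client 10.0.9.8#41000 (updates-checkin.example): query: updates-checkin.example IN TXT +E (10.0.0.1)
"""


def parse_line(line):
    """Return the client IP, queried name and query type, or None for non-query lines."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None


def is_suspicious_domain(name):
    """True if the queried name, or any parent domain of it, is on the watchlist."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in SUSPICIOUS_DOMAINS for i in range(len(labels)))


def review_dns_log(log_text, authorized=AUTHORIZED_TRANSFER_HOSTS):
    """Collect unauthorized transfer requests and per-host watchlist resolutions."""
    findings = {"unauthorized_transfers": [], "watchlist_hits": defaultdict(list)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["qtype"] in ("AXFR", "IXFR") and rec["ip"] not in authorized:
            findings["unauthorized_transfers"].append((rec["ip"], rec["name"]))
        if is_suspicious_domain(rec["name"]):
            findings["watchlist_hits"][rec["ip"]].append(rec["name"])
    findings["watchlist_hits"] = dict(findings["watchlist_hits"])
    return findings


if __name__ == "__main__":
    for key, value in review_dns_log(SAMPLE_LOG).items():
        print(key, value)
```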