New Year’s resolutions of eating healthier, going to the gym, and re-balancing our priorities are commonplace in January for our personal lives. However, what about one of the places where every weekday is spent? Why not build in resolutions for our professional lives, as well? One such resolution could be to enhance your organization’s cyber hygiene.
Firstly, let’s define what I mean by cyber hygiene – the term “cyber hygiene” is accredited to Vint Cerf, allegedly when thinking about brushing his teeth. What comes to mind for me, is the need for preemptive action – twice daily brushing to prevent damage. Secondly, practicing cyber hygiene means when an issue arises, we are able to respond quickly – so if I develop a toothache, I would head to a dentist seeking a remedy to prevent further damage. All in all, it’s a process of knowing your environment (or your teeth) well enough to be able to quickly identify and respond to any threats, mistakes, or vulnerabilities.
1. Asset identification and criticality: Knowing the assets, and their associated criticality is the first step to building a strong environment – including quickly identifying assets that may not have followed the proper processes, see Shadow IT. This step is vital because it allows you to identify the business critical assets first. Once that is complete, then you can focus your resources on effective budget allocation
2. Risk Assessment: After you have confidently identified and classified your assets – which includes people, departments, data, software, and hardware – it is time to assess the current state of your protections. This can be completed via a formal Risk Assessment, which identifies both risks to the organization and the security measures currently in place. This granular view provides a gap analysis and prioritizes identified risks based on the organization’s attack surface.
Many organizations attempt to enhance their security controls – possibly by increasing the number of alerts or innovating their awareness training – but few take the time to truly understand the needs of the organization. For every program, I recommend taking the time to properly assess steps 1 and 2 before continuing onto any potential enhancement steps.
3. Outside inwards: Keep your environment ”clean” by layering protections across all areas of the attack surface. Examples of additional layers include multi-factor authentication on any login portals, denial-by-default firewalls, intrusion prevention systems (IPSs), and access controls lists (ACLs) that have been customized for your environment.
4. Inside out: Not only is it vital to keep malicious actors out of our environment, but we must be prepared to mitigate the potential impact if such a breach happens to occur, including protection against human error. This can be achieved by restricting access based on business need, limiting privileged control, and reducing congestion. Effectively implementing these measures starts by understanding your people, following the principle of least privilege, and addressing network segmentation, all of which are detailed below
Looking at the inside of our cyber hygiene:
5. Understanding your people and the principle of least privilege: In order to provide the access required for performing someone’s duties, you must understand what their role requires. Access should be provisioned based on an individual’s role within the company and limited to only the privileges necessary for performing that role. By limiting these privileges, you are not only mitigating risks, but also reducing the potential attack surface of your environment if a security breach were to ever occur. Limiting access could isolate malicious software or a bad actor and prevent network-wide infiltration. Keep in mind – when administering access based on business need, it must also be assessed for accuracy on a periodic basis. These frequent assessments mitigate the risk of privilege creep, also known as the accumulation of privileges over the course of an individual’s time with the company. Privilege creep can occur throughout an employee’s tenure as that person transfers into different positions or is promoted and fails to have their previous privileges revoked. In order to avoid this, it is imperative that you assess access rights with some degree of periodicity. Practicing these principles, year after year, will greatly help reduce threats and incidents to your organization.
6. Network segmentation: Not all devices need to communicate together. In fact, in some environments there are systems that require a greater level of security and must be segregated. To ensure effective hygienic network connectivity, you should determine which devices, applications, and workflows are being added to the network and pinpoint the services that must continue to communicate to one another. Implementing this type of segmentation involves understanding what the system needs, what data classification level it falls under, and what security measures are necessary. This will allow you to map out the assignment of groups for both local communication and security principles and define necessary access rights. As the evolution of regulatory obligations (PCI and NERC CIP) continues and security frameworks (NIST) become more mature, network segmentation will quickly become more prevalent.
7. Baselining the environment: It’s no secret that an expensive security control – with little understanding on how to use it – can quickly become burdensome. For instance, without a solid baseline of the environment, your operations teams can quickly become overwhelmed with useless alerts, which can lead to fatigue and ultimately result in the alerts being ignored. Unfortunately, this happens more often than you think. However, establishing a proper security baseline will help alleviate some of these issues. It will provide you with a holistic view of what “normal” looks like and allow you to customize alerts for only what should not happen. If your organization is already confident in its understanding of the baseline, another step forward would be to start investigating the alerts that resulted in no issues found. This can be done by reviewing closed tickets and sifting through the closure responses. You may just find that the alert, while useful, simply needs a little fine tuning to be more effective.
8. Metrics and Monitoring – reevaluate your reporting cycle: Now that you know your people, processes, and technology, it’s time to effectively present these facts across the organization. To do this, you must understand what others view as useful. For instance, senior leadership may not want as granular detail or technical findings as an operations team. Over the last year, how have the recipients of your reports viewed your program? Are they still confused about requirements? If so, it may be that the reports aren’t expressing this information clearly. Actively work with your stakeholders to better understand what images, numbers, or write-ups would be more effective. Also, make an effort to determine how frequently these reports should be developed. Senior leadership may only want to discuss the information monthly, but folks in operations may find benefit in a weekly report.
9. Culture and Awareness: Arguably, the most important aspect of cyber hygiene for any organization is the culture and understanding of security. If you don’t teach the “why” in a positive and empowering manner, you aren’t going to change human behavior. Effectively communicating awareness training may seem challenging at first, but if you are able to tailor the training to your targeted audience, it will prove invaluable. Once you understand the audience’s tasks, the nature of the potential threats they are exposed to, and the controls already in place, you will be able to customize the training module so that it suits their needs. Directing the culture to pick up on specific human behaviors that need changing and creating long term engagement can be done by analyzing useful metrics, determining intrinsic or internal motivations, and bringing the risk closer to home. Clear demonstrations on how to protect oneself from potential cyber threats should prove far more useful than reading a policy that states specific actions.
Even after embedding security controls, creating meaningful alerts, and enhancing your awareness program, you must continue to assess the effectiveness of your solutions periodically. This can be done in a variety of ways: phishing campaign, penetration test, red team and/or tabletop exercises. Testing each and every aspect of your program not only empowers you to identify any future needs but also strengthens your team’s ability to respond in the event of failures. Learn how ITEGRITI can help improve your company’s cyber hygiene.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of ITEGRITI, Inc.