[fusion_builder_container hundred_percent=”no” hundred_percent_height=”no” hundred_percent_height_scroll=”no” hundred_percent_height_center_content=”yes” equal_height_columns=”no” menu_anchor=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” status=”published” publish_date=”” class=”” id=”” background_color=”” background_image=”” background_position=”center center” background_repeat=”no-repeat” fade=”no” background_parallax=”none” enable_mobile=”no” parallax_speed=”0.3″ video_mp4=”” video_webm=”” video_ogv=”” video_url=”” video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” video_preview_image=”” border_color=”” border_style=”solid” margin_top=”” margin_bottom=”” padding_top=”” padding_right=”” padding_bottom=”” padding_left=”” admin_toggled=”no” type=”legacy”][fusion_builder_row][fusion_builder_column type=”1_1″ layout=”1_1″ spacing=”” center_content=”no” link=”” target=”_self” min_height=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” background_image=”” background_image_id=”” background_position=”left top” background_repeat=”no-repeat” hover_type=”none” border_color=”” border_style=”solid” border_position=”all” border_radius=”” box_shadow=”no” dimension_box_shadow=”” box_shadow_blur=”0″ box_shadow_spread=”0″ box_shadow_color=”” box_shadow_style=”” padding_top=”” padding_right=”” padding_bottom=”” padding_left=”” margin_top=”” margin_bottom=”” animation_type=”” animation_direction=”left” animation_speed=”0.3″ animation_offset=”” last=”true” border_sizes_top=”0″ border_sizes_bottom=”0″ border_sizes_left=”0″ border_sizes_right=”0″ first=”true” type=”1_1″][fusion_text columns=”” column_min_width=”” column_spacing=”” rule_style=”default” rule_size=”” rule_color=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=””]<\/p>\n
New Year\u2019s resolutions of eating healthier, going to the gym, and re-balancing our priorities are commonplace in January for our personal lives. However, what about one of the places where every weekday is spent? \u00a0Why not build in resolutions for our professional lives, as well? \u00a0One such resolution could be to enhance your organization\u2019s cyber hygiene.<\/p>\n
Firstly, let\u2019s define what I mean by cyber hygiene – the term \u201ccyber hygiene\u201d is accredited to Vint Cerf<\/a>, allegedly when thinking about brushing his teeth. What comes to mind for me, is the need for preemptive action – twice daily brushing to prevent damage. Secondly, practicing cyber hygiene means when an issue arises, we are able to respond quickly \u2013 so if I develop a toothache, I would head to a dentist seeking a remedy to prevent further damage. \u00a0All in all, it\u2019s a process of knowing your environment (or your teeth) well enough to be able to quickly identify and respond to any threats, mistakes, or vulnerabilities.<\/p>\n 1.\u00a0Asset identification and criticality: Knowing the assets, and their associated criticality is the first step to building a strong environment – including quickly identifying assets that may not have followed the proper processes, see Shadow IT<\/a>. \u00a0This step is vital because it allows you to identify the business critical assets first.\u00a0 Once that is complete, then you can focus your resources on effective budget allocation<\/p>\n 2.\u00a0Risk Assessment<\/a>: After you have confidently identified and classified your assets – which includes people, departments, data, software, and hardware – it is time to assess the current state of your protections. This can be completed via a formal Risk Assessment, which identifies both risks to the organization and the security measures currently in place. \u00a0This granular view provides a gap analysis and prioritizes identified risks based on the organization\u2019s attack surface.<\/p>\n [\/fusion_text][fusion_text columns=”” column_min_width=”” column_spacing=”” rule_style=”default” rule_size=”” rule_color=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=””]<\/p>\n Many organizations attempt to enhance their security controls \u2013 possibly by increasing the number of alerts or innovating their awareness training \u2013 but few take the time to truly understand the needs of the organization. For every program, I recommend taking the time to properly assess steps 1 and 2 before continuing onto any potential enhancement steps.<\/p>\n 3. Outside inwards: Keep your environment \u201dclean\u201d by layering protections across all areas of the attack surface. Examples of additional layers include multi-factor authentication on any login portals, denial-by-default firewalls, intrusion prevention systems (IPSs), and access controls lists (ACLs) that have been customized for your environment.<\/p>\n 4. Inside out<\/a>: Not only is it vital to keep malicious actors out of our environment, but we must be prepared to mitigate the potential impact if such a breach happens to occur, including protection against human error<\/span>.\u00a0 This can be achieved by restricting access based on business need, limiting privileged control, and reducing congestion. \u00a0Effectively implementing these measures starts by understanding your people, following the principle of least privilege, and addressing network segmentation, all of which are detailed below<\/p>\n [\/fusion_text][fusion_text columns=”” column_min_width=”” column_spacing=”” rule_style=”default” rule_size=”” rule_color=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=””]<\/p>\n Looking at the inside of our cyber hygiene:<\/p>\n 5.\u00a0 Understanding your people and the principle of least privilege: In order to provide the access required for performing someone\u2019s duties, you must understand what their role requires. Access should be provisioned based on an individual\u2019s role within the company and limited to only the privileges necessary for performing that role.\u00a0 By limiting these privileges, you are not only mitigating risks, but also reducing the potential attack surface of your environment if a security breach were to ever occur.\u00a0 Limiting access could isolate malicious software or a bad actor and prevent network-wide infiltration.\u00a0 Keep in mind – when administering access \u00a0based on business need, it must also be assessed for accuracy on a periodic basis.\u00a0 These frequent assessments mitigate the risk of privilege creep, also known as the accumulation of privileges over the course of an individual\u2019s time with the company.\u00a0 Privilege creep can occur throughout an employee\u2019s tenure as that person transfers into different positions or is promoted and fails to have their previous privileges revoked.\u00a0 In order to avoid this, it is imperative that you assess access rights with some degree of periodicity. \u00a0Practicing these principles, year after year, will greatly help reduce threats and incidents to your organization.<\/p>\n 6. Network segmentation: Not all devices need to communicate together. In fact, in some environments there are systems that require a greater level of security and must be segregated. To ensure effective hygienic network connectivity, you should determine which devices, applications, and workflows are being added to the network and pinpoint the services that must continue to communicate to one another.\u00a0 Implementing this type of segmentation involves understanding what the system needs, what data classification level it falls under, and what security measures are necessary. \u00a0This will allow you to map out the assignment of groups for both local communication and security principles and define necessary access rights. \u00a0As the evolution of regulatory obligations (PCI and NERC CIP) continues and security frameworks (NIST) become more mature, network segmentation will quickly become more prevalent.<\/p>\n 7. Baselining the environment<\/a>: It\u2019s no secret that an expensive security control \u2013 with little understanding on how to use it \u2013 can quickly become burdensome. For instance, without a solid baseline of the environment, your operations teams can quickly become overwhelmed with useless alerts, which can lead to fatigue and ultimately result in the alerts being ignored. \u00a0Unfortunately, this happens more often than you think. \u00a0However, establishing a proper security baseline will help alleviate some of these issues.\u00a0 It will provide you with a holistic view of what \u201cnormal\u201d looks like and allow you to customize alerts for only what should not happen. \u00a0If your organization is already confident in its understanding of the baseline, another step forward would be to start investigating the alerts that resulted in no issues found.\u00a0 This can be done by reviewing closed tickets and sifting through the closure responses. You may just find that the alert, \u00a0while useful, simply needs a little fine tuning to be more effective.<\/p>\n 8.\u00a0 Metrics and Monitoring \u2013 reevaluate your reporting cycle: Now that you know your people, processes, and technology, it\u2019s time to effectively present these facts across the organization. To do this, you must understand what others view as useful. \u00a0For instance, \u00a0senior leadership may not want as granular detail or technical findings as an operations team. \u00a0Over the last year, how have the recipients of your reports viewed your program? \u00a0Are they still confused about requirements? \u00a0If so, it may be that the reports aren\u2019t expressing this information clearly. \u00a0Actively work with your stakeholders to better understand what images, numbers, or write-ups would be more effective. \u00a0Also, make an effort to determine how frequently these reports should be developed.\u00a0 Senior leadership may only want to discuss the information monthly, but folks in operations may find benefit in a weekly report.<\/p>\n 9. Culture and Awareness<\/a>: Arguably, the most important aspect of cyber hygiene for any organization is the culture and understanding of security. If you don\u2019t teach the \u201cwhy\u201d in a positive and empowering manner, you aren\u2019t going to change human behavior. Effectively communicating awareness training may seem challenging at first, but if you are able to tailor the training to your targeted audience, it will prove invaluable.\u00a0 Once you understand the audience\u2019s tasks, the nature of the potential threats they are exposed to, and the controls already in place, you will be able to customize the training module so that it suits their needs. Directing the culture to pick up on specific human behaviors that need changing and creating long term engagement can be done by analyzing useful metrics, determining intrinsic or internal motivations, and bringing the risk closer to home. Clear demonstrations on how to protect oneself from potential cyber threats should prove far more useful than reading a policy that states specific actions.<\/p>\n [\/fusion_text][fusion_text columns=”” column_min_width=”” column_spacing=”” rule_style=”default” rule_size=”” rule_color=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=””]<\/p>\n Even after embedding security controls, creating meaningful alerts, and enhancing your awareness program, you must continue to assess the effectiveness of \u00a0your solutions periodically. \u00a0This can be done in a variety of ways: phishing campaign, penetration test, red team and\/or tabletop exercises. Testing each and every aspect of your program not only empowers you to identify any future needs but also strengthens your team\u2019s ability to respond in the event of failures.\u00a0 Learn how ITEGRITI can help improve your company\u2019s cyber hygiene<\/a>.<\/p>\n Editor\u2019s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of ITEGRITI, Inc.<\/em><\/p>\n [\/fusion_text][\/fusion_builder_column][\/fusion_builder_row][\/fusion_builder_container]<\/p>\n","protected":false},"excerpt":{"rendered":" [fusion_builder_container hundred_percent=”no” hundred_percent_height=”no” hundred_percent_height_scroll=”no” hundred_percent_height_center_content=”yes” equal_height_columns=”no” menu_anchor=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” status=”published” publish_date=”” class=”” id=”” background_color=”” background_image=”” background_position=”center center” background_repeat=”no-repeat” fade=”no” background_parallax=”none” enable_mobile=”no” parallax_speed=”0.3″ video_mp4=”” video_webm=”” video_ogv=”” video_url=”” video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” video_preview_image=”” border_color=”” border_style=”solid” margin_top=”” margin_bottom=”” padding_top=”” padding_right=”” padding_bottom=”” padding_left=”” admin_toggled=”no” type=”legacy”][fusion_builder_row][fusion_builder_column type=”1_1″ layout=”1_1″ spacing=”” center_content=”no” link=”” target=”_self” min_height=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” […]<\/p>\n","protected":false},"author":11,"featured_media":1421,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2181],"tags":[1095],"_links":{"self":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/1420"}],"collection":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/comments?post=1420"}],"version-history":[{"count":10,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/1420\/revisions"}],"predecessor-version":[{"id":2003,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/1420\/revisions\/2003"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media\/1421"}],"wp:attachment":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media?parent=1420"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/categories?post=1420"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/tags?post=1420"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}