The term “cyber hygiene” pops up frequently in articles, blogs and discussions about cybersecurity. But what does it really mean? Some say it is an ill-defined set of practices for individuals to follow (or ignore). Others say it is a measure of an organization’s overall commitment to security. Still others – and I am among them – think of “cyber hygiene” as simple, readily available technologies and practices for cybersecurity.
In reality, cyber hygiene is an overall approach to security within an organization. It includes people, tools, processes, procedures and reporting. Baselines, compliance, vulnerability management and log collection are four areas that are very important to cyber hygiene. Knowing what assets there are, how they are configured, what’s vulnerable, what’s changing, what’s failing, who's doing what and having a log footprint to back it all up are some determining factors of having good cyber hygiene in place.
That being said, there’s good news and bad news. The good news is that organizations can use frameworks like the Center for Internet Security’s Critical Security Controls
to fulfill these foundations of cyber hygiene. The bad news is that many organizations are currently not implementing these or other standards.
Indeed, in its survey of 306 IT security professionals for its State of Cyber Hygiene report
, Tripwire found that nearly two-thirds of organizations didn’t use hardening benchmarks to establish a secure baseline. This neglect, in turn, negatively affects the quality of companies’ cyber hygiene in several respects:
- More than half (57%) of respondents to Tripwire’s report said it takes hours, weeks, months or longer to detect new devices connecting to the corporate network.
- 40% of organizations admitted that they don’t conduct vulnerability scans weekly or on a more frequent basis, and just half run more comprehensive scans.
- The majority (54%) of survey participants stated that their organization is not collecting logs from all critical systems and amassing them into a central location.
- More than a third of organizations stated that they don’t require default passwords to be changed and don’t use multi-factor authentication at 31% and 41%, respectively.
Unfortunately, these security gaps are evident in just one industry. Many organizations in both the public and private sectors neglect even the most basic cybersecurity practices. They do so for a variety of reasons. A big piece of the puzzle is a human problem in that there are no funds available. In the absence of a suitable budget, security fades out of sight and out of mind… that is, until a breach occurs.
Leading up to that moment of realization, many organizations also lack a fundamental understanding of what a breach even is. A security incident hasn’t happened to them, so many choose to not think through the consequences of a data security event. This breeds a lack of concern with implementing security baselines until they themselves become victims.
Let's look at an example. NIST SP 800-171
provides guidance on how to protect the confidentiality of Controlled Unclassified Information (CUI), including when the data resides in nonfederal information systems and organizations. Even so, many vendors put off NIST SP 800-171 as not important. Many do not know they are required to adhere to it, so its seen as something they will get to. But a breach could happen in the meantime. Such an incident could subsequently affect government entities, as was the case with an event that struck the Defense Department’s travel records through a vendor. In that particular case, the Department of Defense took “steps to have the vendor cease performance under its contracts” after learning of the breach, reported AP News
. That’s a consequence which many organizations can’t afford.
Fortunately, technology can and often does make a difference when it comes to breach detection and response. Take Tripwire, for instance.
One of our customers, Ian Robertson from Trion Worlds, had his day ruined by Tripwire. Tripwire’s alerting system woke him during the middle of the night with a text message warning something wasn’t right. Ian was not a happy camper, but thanks to the alert of the malicious activity that Tripwire detected, Trion Worlds quickly worked to resolve the issue before the company ended up in countless headlines.
Although it ruined Ian’s day, Tripwire’s alert likely saved his year.
This use-case highlights why agencies and organizations need to pursue cutting-edge, proven solutions regardless of the current state of their cyber hygiene. Getting up-to-date tools is important, as other elements of an organization’s information security program might suffer from deficiencies for which those technologies must compensate. For instance, organizations might not have the right security processes that align with their business requirements. This could negatively affect companies’ ability to sustain their secure posture.
Too often, we in the cybersecurity world talk about the need for new approaches, for dynamic new technologies and concepts to fight the never-ending battles in cyberspace. We like to view ourselves as “tough, battle-hardened” warriors, but we forget to make our beds. In other words, once systems and tools are in place, organizations must establish and enhance processes and procedures to make use of new tools and ensure their digital security.
These processes need not to be complicated; more often than not, they’re rooted in security basics. Provided below are four such basics that require regular attention.
Inventory is not static, particularly in a world with mobile devices and cloud installations everywhere.
Does your organization know what’s on the network? Are systems in place not just to acquire and manage a reliable inventory but to keep that inventory up-to-date? Most importantly, can your organization block devices that don’t belong on the network, either because they are not compliant with policy or belong to an adversary?
At Tripwire, we have made inventory one of our foundational cornerstones, providing solutions that discover and inventory all hardware and software components in our client’s environments. Furthermore, we profile each discovered endpoint to ensure we are testing it for vulnerabilities and assessing it for compliance with the proper methods and procedures. Recently, we expanded the process to cloud components such as online and offline containers as well as to industrial control systems or OT technology.
2. Configuration and Patch Management
Does your organization document all policies for configuring devices and systems on your network? Can your security systems detect configuration changes and enforce proper settings? Does it have a patch management system, including a stringent testing, deployment and rollback process? Are unnecessary processes running on servers? Are unused ports open on firewalls? Yes, you’ve heard all this before; but does your organization actually follow these practices?
At Tripwire, we pride ourselves in providing software that harvests endpoint baselines of systems. We then use that baseline to monitor the endpoints for deviations or changes from its baseline in real-time or on a scheduled check basis. Alerts are then sent out, and guidance is provided to correct all situations.
Patch management is a huge issue with every organization. Using processes that have the ability to determine if all patches have been deployed and if all changes on the endpoints map to actual hotfixes or patches is critical.
How do I know the bad guy is not trying to attack me during my maintenance window? I need to ensure all those changes that occur during my maintenance window are in fact patch-related or approved, and I need to see the ones that are not.
3. Log Management
Can your security systems identify anomalous user behavior? Does your agency document you know where data is allowed to go -- and where it is NOT allowed to go? If a user or system behaves strangely, how timely and effective is the response?
At Tripwire, we take user authentications seriously. Not only do we baseline and monitor user attributes, global policy and other Active Directory attributes, but we also baseline local endpoint users and group data. Our log management solution also normalizes and corelates event data and compares it to lists of valid or bad users, alerting as required. We keep track of all session data for all users, making it easy to see the footprint of suspect activity. In addition, we make it very easy to ensure our client's internal policy requirements around everything passwords are in-tact and working.
4. Data Management
Many organizations have an incomplete picture where sensitive data resides on their network and know even less about where that data should flow. Just as securing devices and software starts with a reliable inventory, securing data requires knowledge of its location and acceptable destination.
Does your organization document data locations – which can be dynamic – and does it maintain accurate, up-to-date diagrams of data flow between systems?
This again is a critical component of a true cyber hygiene. It is imperative that baselines are kept for all endpoints within an organization or within an organization cloud infrastructure. A baseline will allow a tool to alert when there are expected or unexpected changes to that baseline. If data in location “A” is modified, deleted or removed or copied/moved to location “B,” wouldn’t you like to be aware of this?
All four of the items discussed above are mundane but essential. Too many organizations fail to give them regular, conscientious attention. Think of them as the foundation of a house; if the foundation is just a little crooked, the higher floors will be skewed, and the building will collapse. Similarly, cyber hygiene may not be glamorous, but it is absolutely indispensable to a solid security program.