Practice Makes Perfect: Making Cyber Hygiene Part of Your Security Program

According to Gartner, by 2020 as much as 60 per cent of enterprise information security budgets will be allocated to rapid detection and response approaches – up from less than 10 percent in 2014. While this is a significant shift in budgetary priorities around security, it is not surprising. Today, organizations’ attack surfaces have become so large and multifaceted that information security and risk management teams struggle to keep track of their organization’s security status.

In this complex security landscape, it is critical to be proactive and vigilant to protect against cyber threats in order to be as secure as possible. Practicing good cyber hygiene is the cornerstone to achieving this, but it also begs the question, what does good cyber hygiene look like, how do you implement it and what can you do today to guard against vulnerabilities of tomorrow?

Let’s understand what “good cyber hygiene” is. In the enterprise, good cyber hygiene would be ensuring that individual data points, devices and your networks are protected against vulnerabilities while also ensuring that all systems are maintained, if not future proofed, by using cyber security best practices – and the latest technologies.

Good cyber hygiene would also mean that security and monitoring is controlled exclusively form a centrally managed point, pushed out to outlying terminals, and not reliant upon individuals to update their systems.

So how do you go about implementing good cyber hygiene? Each organization will have its own unique structure aligned to their needs, but there are some basic things that everyone should be doing.

• Know What’s in Your Network. The first step to good cyber hygiene is being able to identify every inch of your network – you can’t protect what you can’t see. You have to know what type of equipment is on your network and where it is – internal networks, hosted on the Internet or part of a cloud platform. This includes maintaining a continuously updated inventory of the hardware and software that’s authorized to be in your network.

• Remove What Shouldn’t Be in Your Network. Once you know what’s authorized to be on your network, it is equally important to identify and remove those things that don’t belong. This is typically accomplished by running continuous scans, and then comparing the results against the list of authorized hardware and software. Once unauthorized hardware and software is identified, develop automated procedures to remove them.

• Scan and Patch. Once you are able to see all the devices and applications on your network, you should scan them from a central point on a regular basis and have the ability to patch and deactivate as necessary remotely. For larger organizations, the scale of this operation is the challenge, especially with limited maintenance windows and architectural complexities. Flexible and scalable security scanning services are therefore becoming increasingly necessary as web apps and devices proliferate.

• Continuously Look for Vulnerabilities. With the increased frequency and complexity of attacks, it is no longer an option to scan your network on a semi-regular basis. You should try to constantly monitor for threats, and quickly address them within your network. This is likely to be the biggest challenge for security professionals within the next decade – finding the time within the business to scan for threats and adjust on a continuous basis.

• Use Secure Configurations. Before deploying any system or device, it is important to ensure that the system is configured to both achieve its purpose and be resistant attack. For example, one of the most effective configurations for preventing the compromise of an endpoint is to remove administrative privileges from end users. Once configured securely, your next step is to control configuration drift or change.

• Continuously Look for and Control Change. In operations, when something breaks, the first question asked is, “What changed?” This question is equally important from a security perspective. Change is necessary but oftentimes introduces new risks and vulnerabilities into a system. Organizations should develop a system in which systems and applications are continuously monitored for changes. As changes are identified, security needs to ask a series of “what-if” questions to identify and respond quickly to risk. For example, if a host firewall is disabled and there is no supporting change ticket, automatically generate a ticket notifying the incident response team.

• Equip Your Employees and IT Team with the Right Tools. Security professionals can’t be at every meeting or necessarily be involved in every IT project. Nor can security staff sit with every employee as they make hundreds of security-related decisions every work hour – e.g., should I click on this link? Instead, security must equip the organization with the right tools, typically starting with easy to understand policies and procedures. It is also important to train staff on these policies and procedures. Where possible, you should also provide your IT staff with security tools and make them an extension of your team. For example, provide your C developers with a static code analyzer so that they can quickly catch and fix security vulnerabilities, such as buffer overflows, before they get introduced into production.

We are moving to a world where continuous security will become critical to keep up with the evolving threat landscape. Practicing good cyber hygiene will enable organizations to shift from an “event driven” mindset, to being able to respond to threats in an agile manner and minimize the impact on your overall security posture.