When most people think of hygiene, I would venture to say that technology or computer systems are not part of the mental picture. There are interesting parallels, however, between what we think of as “normal” hygiene and cyber hygiene. Proper hygienic behavior for our physical body can mean the difference between experiencing painful and sometimes debilitating illness and being healthy, happy and able to function in society. Likewise, proper cyber hygienic behavior can mean the difference between a breach or loss of critical data and being able to continue to operate as a corporate entity and generate profit. In both cases, the goal of hygiene is to preserve our (physical or cyber) health through the implementation of straightforward and proven techniques.
The National Campaign for Cyber Hygiene
A few years ago, the Center for Internet Security (CIS) and the National Governors Association launched a joint effort called the National Campaign for Cyber Hygiene. Have you heard of it? The goal was to get people to think of cyber security like they do their physical health and recognize and enact some simple, straightforward steps and techniques to work toward a clean bill of cyber health.
The priorities for the National Campaign for Cyber Hygiene are encapsulated in five words:
- Count
- Configure
- Control
- Patch
- Repeat
Empowered by automation, these five steps are meant to represent a continuous cycle of discrete actions designed to significantly reduce the risk of cyberattack. In and of themselves, the five steps don’t carry much meaning. They are not meant to stand alone, however; they are supported by the first five of the CIS Critical Security Controls (CSC), the Australian Signals Directorate’s Top Four Strategies to Mitigate Targeted Intrusions and the DHS Continuous Diagnostics and Mitigation (CDM) Program.
The Center for Internet Security (CIS) Critical Security Controls (CSC)
Understanding the first five CIS Critical Security Controls will give you a better grasp of the Count, Configure, Control, Patch and Repeat cycle outlined by the National Campaign for Cyber Hygiene. Developed by leading experts in the field of security, the CIS CSCs are a prioritized, consensus-based set of twenty security controls designed to significantly reduce the risk of cyberattack. To simplify the process for organizations starting from a basic level of security, the National Campaign for Cyber Hygiene focuses on the first five of the CIS CSCs:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
How Would You Rate Your Organization Against These Five Questions?
In addition to the five-step program (Count, Configure, Control, Patch and Repeat), the National Campaign for Cyber Hygiene introduced five basic questions that every organization should be able to answer. These questions are mapped to the first five CIS CSCs:
- Do you know what is connected to your systems and networks? (CSC 1)
- Do you know what software is running (or trying to run) on your systems and networks? (CSC 2)
- Are you continuously managing your systems using “known good” configurations? (CSC 3)
- Are you continuously looking for and managing “known bad” software? (CSC 4)
- Do you limit and track the people who have the administrative privileges to change, bypass or override your security settings? (CSC 5)
How would you rate your ability to decisively answer these questions? In my experience, many organizations struggle with accurately answering the very first question. In many of them, the focus was instead on whether everything was “working” and whether data was being received. These are both critical elements of successful business operations, but let’s look at it from a different angle – the angle of protecting a castle. When building a castle, one of the prominent defensive strategies was to limit the access points to the castle, hence the building of moats or ramparts. If the moat or rampart was effective, attackers would be forced to mount their attack against the single, heavily defended castle entrance. In today’s networked world it is not practical to have only one entry point into an organization’s computing environment, but every additional connection also represents a potential attack channel. Therefore, understanding the avenues by which attackers can reach your systems is critical to the defense of your cyber environment.
Accurately answering the second question didn’t fare much better among some of the federal agencies I’ve worked with in the past. Patching is a critical element of good cyber hygiene, but if an organization does not know what software is running on its systems, its patching efforts are unlikely to cover the complete landscape of its software applications, leaving it exposed to exploitation through unpatched and vulnerable software. Limiting users’ ability to install software on their laptops or workstations will significantly limit your organization’s exposure to potentially harmful software.
For additional information regarding question three, see my previous blog post, Out of the Box-Into a Data Breach. Secure configurations for mobile devices, laptops, workstations and servers need to be actively managed to ensure that the configurations remain intact. Verifying secure configurations is next to impossible without automation, so take the steps necessary to build out your automation capabilities.
In the context of question four, “known bad” software is not a computer virus or worm; those are addressed in CSC #8, Malware Defenses. “Known bad” software is essentially any software that has vulnerabilities, whether it be your office suite or your customer relationship management (CRM) software. Depending on the software you use in your organization, this could be a long list. It is important to understand the vulnerabilities introduced by the software you use, but it is more important to actively identify and remediate those vulnerabilities by keeping the software up to date.
When compared to the previous four questions, limiting the individuals with administrative privileges is seemingly the easiest to implement and the one control that I’ve seen implemented the most consistently within the organizations and federal agencies I’ve supported over the years. Remember, though, the context is not just administrative privileges for operating systems but includes networks and applications as well.
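The five questions above are, in practice, five reconciliations between a “known good” baseline and what automation actually observes on the network. The script below is an added illustration of that idea, not code from the original post, from CIS or from the National Campaign. Every inventory in it (the authorized device list, approved software, the known-good configuration, minimum patched versions and the approved administrator list) is constructed sample data, and the record layout and function names are assumptions made for this example; a real deployment would feed `assess()` from a discovery tool, a software inventory agent and a configuration scanner.

```python
"""Reconcile observed hosts against a known-good baseline for CSC 1 through 5.

Added example, not code from the original post or from CIS. All data below
is constructed; the record layout and function names are assumptions.
"""
from dataclasses import dataclass, field

# Constructed "known good" baselines: what the organization has authorized.
AUTHORIZED_DEVICES = {"ws-001", "ws-002", "srv-db-01"}
AUTHORIZED_SOFTWARE = {"office-suite", "crm-client", "browser", "endpoint-agent"}
KNOWN_GOOD_CONFIG = {"firewall": "on", "disk_encryption": "on",
                     "auto_update": "on", "guest_account": "disabled"}
# Minimum patched version per package; anything older counts as "known bad".
MIN_PATCHED_VERSION = {"office-suite": (16, 2), "crm-client": (3, 1),
                       "browser": (120, 0), "endpoint-agent": (7, 4)}
APPROVED_ADMINS = {"alice", "bob"}

# Constructed observations, as an automated scan of the network might report them.
OBSERVED_DEVICES = [
    {"host": "ws-001",
     "software": {"office-suite": (16, 2), "browser": (119, 3), "endpoint-agent": (7, 4)},
     "config": {"firewall": "on", "disk_encryption": "on",
                "auto_update": "on", "guest_account": "disabled"},
     "admins": {"alice"}},
    {"host": "ws-002",
     "software": {"office-suite": (15, 9), "torrent-client": (4, 0)},
     "config": {"firewall": "off", "disk_encryption": "on",
                "auto_update": "off", "guest_account": "disabled"},
     "admins": {"alice", "bob"}},
    {"host": "printer-lobby",  # never inventoried, yet it answers on the network
     "software": {}, "config": {}, "admins": set()},
]


@dataclass
class HygieneReport:
    unauthorized_devices: set = field(default_factory=set)     # CSC 1: seen, not authorized
    unseen_devices: set = field(default_factory=set)           # CSC 1: authorized, not seen
    unauthorized_software: dict = field(default_factory=dict)  # CSC 2: host -> packages
    config_drift: dict = field(default_factory=dict)           # CSC 3: host -> {setting: (expected, actual)}
    unpatched_software: dict = field(default_factory=dict)     # CSC 4: host -> packages below minimum
    unapproved_admins: dict = field(default_factory=dict)      # CSC 5: host -> accounts

    def clean_questions(self) -> int:
        """Number of the five questions that can be answered with 'nothing to fix'."""
        return sum([
            not self.unauthorized_devices and not self.unseen_devices,
            not self.unauthorized_software,
            not self.config_drift,
            not self.unpatched_software,
            not self.unapproved_admins,
        ])


def assess(observed=OBSERVED_DEVICES) -> HygieneReport:
    """Compare each observed host with the baseline and collect findings per control."""
    report = HygieneReport()
    seen = {dev["host"] for dev in observed}
    report.unauthorized_devices = seen - AUTHORIZED_DEVICES
    report.unseen_devices = AUTHORIZED_DEVICES - seen
    for dev in observed:
        host = dev["host"]
        if host not in AUTHORIZED_DEVICES:
            continue  # already a CSC 1 finding; nothing else about it is trusted
        rogue = set(dev["software"]) - AUTHORIZED_SOFTWARE
        if rogue:
            report.unauthorized_software[host] = rogue
        drift = {key: (want, dev["config"].get(key))
                 for key, want in KNOWN_GOOD_CONFIG.items()
                 if dev["config"].get(key) != want}
        if drift:
            report.config_drift[host] = drift
        stale = {pkg for pkg, ver in dev["software"].items()
                 if pkg in MIN_PATCHED_VERSION and ver < MIN_PATCHED_VERSION[pkg]}
        if stale:
            report.unpatched_software[host] = stale
        extra = dev["admins"] - APPROVED_ADMINS
        if extra:
            report.unapproved_admins[host] = extra
    return report


if __name__ == "__main__":
    result = assess()
    print(f"{result.clean_questions()}/5 questions answered clean")
    print(result)
```

Run as-is, the sample data answers only question five cleanly: an uninventoried printer and a missing database server (question one), a torrent client on a workstation (question two), a firewall and auto-update turned off (question three) and two packages below their patched version (question four). The point of the design is that each finding maps back to exactly one of the five questions, which is what makes the Count, Configure, Control, Patch and Repeat cycle something you can run on a schedule rather than answer from memory.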
So, back to the original question. How would you rate your organization’s cyber hygiene? Do you have the Count, Configure, Control, Patch and Repeat cycle down to a science? Have you expanded your efforts to the other fifteen CSCs? If yes, congratulations. If not, there is still time to implement the five steps to cyber hygiene and the supporting CSCs and “come clean” on your cyber efforts.
The CIS Critical Security Controls (CSCs) (https://www.cisecurity.org/critical-controls/Library.cfm)
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.