In today’s interconnected world, phishing emails and malware infections delivered through attachments and links to compromised web sites are just some of the digital flotsam that have become common occurrences. In the disparate enterprise environments found in many small businesses, cities, and industrial networks, however, these attacks can be catastrophic because of the inherent blending of old and new technologies. A new malware attack on these intertwined infrastructures can result in the loss of critical services to the business and its customers. To counter these ever-evolving threats, I believe we must focus on doing the basics well. Organizations must lay the equivalent of a digital foundation on which they can then build their networks and provision data and applications to their employees securely. The methodologies that businesses follow to do the basics are commonly referred to as “cyber hygiene”. There are numerous approaches to implementing cyber hygiene, and just as many ideas about what should count as cyber hygiene. In this article I will discuss five basic steps that I use to protect my organization: Count, Configure, Control, Patch, and Protect.
- The first step in implementing cyber hygiene, “Count,” you would think should be pretty simple; however, building an accurate inventory can be extremely difficult. It is very hard to protect an organization and understand its technology risk if there is poor visibility into what is connected to its networks. I normally start by collecting the standing policies and procedures for how cybersecurity is managed in the business. I then collect previous asset inventories for both hardware and software, along with any current network documentation. With this information in hand, I use tools such as SolarWinds or NetBrain to map and monitor the networks for a better view of their data flows. What you want to produce here is an accurate map of the organization’s enterprise networks, an accurate list of the applications and data types in use, and an accurate list of the hardware the organization requires. The practical check is to reconcile what the mapping tools discover on the wire against what the inventory says should be there: a device on the network that nobody has recorded is unmanaged risk, and an inventoried device that never appears is either retired and not removed, or sitting somewhere the tools cannot see. This collected information becomes the technology and application portfolios of the business and is critical for implementing the following steps.
- The next step, “Configure,” is about understanding what settings every connected device has enabled. To do this properly, the standard practice is to start from recommended industry security settings as a baseline (the CIS Benchmarks are one widely used set) and then tighten them according to the criticality of your business operations and data. Typically, organizations maintain a standard operating system image preconfigured with all required security settings and required applications. Two things matter most in this step: change every default password, because vendor defaults are easily found on the Internet, and change the default settings an attacker can discover just as easily (default SNMP community strings, management interfaces listening on every network, legacy protocols left enabled). Make sure all configurations and operating system images are backed up and maintained, so that a known-good build can be restored and used as the reference to compare deployed devices against. This step demonstrates a level of maturity in how the organization employs technology in its enterprise environment. I would also suggest a solution such as Tenable’s Nessus, or its Passive Vulnerability Scanner (PVS), to continually scan the environment for misconfigured assets. This ensures you only deploy assets that meet your predefined requirements.
- The third step in building a cyber hygiene program, “Control,” is about managing who has access to the settings implemented in “Configure.” It is also about gaining insight into which employees and vendors within the organization hold administrator privileges. These “admin” privileges can make enterprise-wide changes, access critical data, and implement system-wide policies that affect the business’s ability to operate effectively. In this step, I recommend you first conduct an audit to see who has administrative privileges. Once you have that list, speak with the users to understand the business reasons why they require elevated privileges. After you have trimmed the list to essential personnel, make sure those individuals use their administrator accounts only for specific administrative tasks and conduct all normal work (email, browsing, documents) with their standard user accounts; a phishing email opened under a standard account can do far less damage than one opened under an account with rights across the enterprise. Once the admin accounts are documented, audit them periodically to manage who has administrative rights to the organization’s enterprise assets. Don’t be surprised that over time the number of personnel with these accounts grows; that is exactly why you must re-audit periodically to reduce your business’s risk exposure.
- The fourth step in the cyber hygiene process, “Patch,” is critical: every mature organization must standardize how updates are regularly tested and applied to its applications, software, operating systems, and hardware. Many documented breaches, when triaged, trace the attack vector to a software patch that was installed incorrectly or not installed at all. What an organization must understand is that in cyber hygiene this step affects all the others, so you need a standardized process that gets patches installed in a timely manner and correctly the first time. In practice that means setting a target for how quickly a patch must be installed after release, testing it against the standard image from “Configure,” and measuring against the inventory from “Count” which assets are still missing it. There are numerous articles and books on how to create a patch management program; just remember you need this in place for all of your other steps to function correctly.
- The fifth and final step in creating a cyber hygiene toolbox, “Protect,” is about using basic security applications and controls to set the first layer of protection on which a mature cyber-security program can be built. It is in “Protect” that a security team ensures endpoint protection is installed and updated on all desktops, laptops, servers and, where possible, mobile devices. You should also ensure host firewalls (or their equivalent) are turned on and configured, hard drives use full-disk encryption, and a password management program is in place. That program should enforce some level of password complexity and, where possible, two-factor authentication for an additional level of assurance. The last services managed in this step are verifying that every device generates some type of log that is collected by a SIEM, such as Splunk, and analyzed for abnormalities, and that all critical data is backed up and the backups are periodically tested by actually restoring from them.
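The five steps above come together as one recurring audit. The script below is an added example, not code from the article or from any of the tools it names: it applies Count, Configure, Control, Patch and Protect as checks over a small constructed inventory. Every host name, account, setting, baseline rule, patch date and the 30-day patch target are hypothetical values chosen to exercise each check; in a real environment the inventory would come from the mapping and scanning tools described above.

```python
"""Cyber-hygiene audit over a constructed inventory (added example, not the article's code).
Runs the five checks, Count, Configure, Control, Patch and Protect, over made-up asset
records and returns findings as (step, host, detail) tuples."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]

@dataclass
class Asset:
    host: str
    kind: str                                    # "server" or "workstation"
    settings: Dict[str, str]                     # as read back from the device
    admins: Set[str] = field(default_factory=set)
    oldest_missing_patch: Optional[date] = None  # release date of the oldest uninstalled patch
    edr: bool = False                            # endpoint protection installed
    fde: bool = False                            # full-disk encryption enabled
    logs_to_siem: bool = False

# --- constructed inputs: hypothetical hosts, accounts, settings and dates ---------------
DISCOVERED = {"fs01", "ws-0412", "ws-0413", "plc-7", "printer-3f"}   # hosts the network mapper saw
BASELINE: Dict[str, Callable[[str], bool]] = {     # setting -> predicate its value must satisfy
    "admin_password_is_default": lambda v: v == "no",
    "snmp_community": lambda v: v not in {"public", "private"},   # common vendor defaults
    "smbv1": lambda v: v == "disabled",
    "remote_admin_from": lambda v: v == "mgmt-vlan-only",
}
APPROVED_ADMINS = {"alice_adm", "bob_adm"}        # confirmed business need for elevated rights
LOGONS = [("alice_adm", "fs01"), ("bob_adm", "ws-0412"), ("carol", "ws-0413")]   # (account, host)
PATCH_SLA_DAYS = 30                               # assumed policy: installed within 30 days of release
TODAY = date(2016, 6, 1)                          # fixed so the output is reproducible
INVENTORY: Dict[str, Asset] = {
    "fs01": Asset("fs01", "server", {"admin_password_is_default": "no", "snmp_community": "r0-s3cret",
                  "smbv1": "disabled", "remote_admin_from": "mgmt-vlan-only"}, admins={"alice_adm", "bob_adm"},
                  oldest_missing_patch=date(2016, 5, 20), edr=True, fde=True, logs_to_siem=True),
    "ws-0412": Asset("ws-0412", "workstation", {"admin_password_is_default": "no", "snmp_community": "public",
                     "smbv1": "enabled", "remote_admin_from": "mgmt-vlan-only"}, admins={"bob_adm", "dave"},
                     oldest_missing_patch=date(2016, 3, 1), edr=True, fde=False, logs_to_siem=True),
    "ws-0413": Asset("ws-0413", "workstation", {"admin_password_is_default": "yes", "snmp_community": "x9",
                     "smbv1": "disabled", "remote_admin_from": "any"}, edr=False, fde=True, logs_to_siem=False),
    "ws-0499": Asset("ws-0499", "workstation", {}, edr=True, fde=True, logs_to_siem=True),  # never seen on the wire
}

def count_check(discovered: Set[str], inventory: Dict[str, Asset]) -> List[Finding]:
    """Count: reconcile what the mapper saw against what the inventory claims."""
    return ([("Count", h, "seen on network but not in inventory") for h in sorted(discovered - set(inventory))]
            + [("Count", h, "in inventory but not seen on network") for h in sorted(set(inventory) - discovered)])

def configure_check(asset: Asset) -> List[Finding]:
    """Configure: every baseline setting must be reported by the device and must pass its rule."""
    out: List[Finding] = []
    for key, passes in BASELINE.items():
        value = asset.settings.get(key)
        if value is None:
            out.append(("Configure", asset.host, f"{key}: not reported, cannot verify"))
        elif not passes(value):
            out.append(("Configure", asset.host, f"{key}={value!r} violates baseline"))
    return out

def control_check(inventory: Dict[str, Asset], approved: Set[str], logons: List[Tuple[str, str]]) -> List[Finding]:
    """Control: admins outside the approved list, and admin accounts used for everyday work."""
    out, all_admins = [], set()
    for a in inventory.values():
        all_admins |= a.admins
        out += [("Control", a.host, f"admin {acct!r} not on approved list") for acct in sorted(a.admins - approved)]
    for acct, host in logons:   # an admin account logging on interactively to a workstation is "normal work"
        if acct in all_admins and host in inventory and inventory[host].kind == "workstation":
            out.append(("Control", host, f"admin account {acct!r} used for interactive workstation logon"))
    return out

def patch_check(asset: Asset, today: date = TODAY) -> List[Finding]:
    """Patch: flag assets whose oldest missing patch is past the install target."""
    if asset.oldest_missing_patch is None:
        return []
    overdue = (today - asset.oldest_missing_patch).days - PATCH_SLA_DAYS
    return [] if overdue <= 0 else [("Patch", asset.host,
                                     f"missing patch released {asset.oldest_missing_patch}, {overdue} days past SLA")]

def protect_check(asset: Asset) -> List[Finding]:
    """Protect: the baseline controls every endpoint must carry."""
    controls = (("endpoint protection", asset.edr), ("full-disk encryption", asset.fde),
                ("log forwarding to SIEM", asset.logs_to_siem))
    return [("Protect", asset.host, f"missing {name}") for name, present in controls if not present]

def run_audit(discovered=DISCOVERED, inventory=INVENTORY, approved=APPROVED_ADMINS, logons=LOGONS) -> List[Finding]:
    findings = count_check(discovered, inventory) + control_check(inventory, approved, logons)
    for asset in inventory.values():
        findings += configure_check(asset) + patch_check(asset) + protect_check(asset)
    return findings

def summary(findings: List[Finding]) -> Dict[str, int]:
    """Findings per step: the number to track from one audit to the next."""
    return dict(Counter(step for step, _, _ in findings))

if __name__ == "__main__":
    for step, host, detail in run_audit():
        print(f"[{step:<9}] {host:<11} {detail}")
```

Two design choices are worth noting. A setting the device does not report is a finding in its own right (ws-0499 above), because "cannot verify" is not the same as "compliant"; and the Control check treats an admin account appearing in an interactive workstation logon as a finding even when the account itself is approved, which is the behavioural half of the "admin accounts only for admin tasks" rule.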
Remember that once you build these processes you will need to continually monitor and assess their level of maturity. Networks are dynamic; they change over time as updates are installed, configurations are enabled, and new technologies are implemented. I have found that using these tools together enables organizations to manage the baseline risk of their installed technology portfolios and establish an understanding of what risk is acceptable for business operations. They give businesses visibility into how their enterprise environments are built, how data is actually used by their stakeholders, and which older technologies may need to be updated or replaced. In the end, these five tools are just that: tools that can be used together to create a basic methodology for protecting an organization’s IT assets. Once you have them in place, you will want to step up to the next level and use a mature cyber-security/risk-management framework to create an enterprise-wide security program to protect your organization.
Some sites that would prove helpful for organizations establishing a security program are as follows:
- NIST 800 Series Special Publications, of general interest to the computer security community
- Federal government’s training program for digital media and citizen engagement
- DHS Critical Infrastructure Cyber Community or C³ (pronounced “C Cubed”) Voluntary Program
- Resources available to businesses and aligned to the five NIST Cybersecurity Framework Function Areas (Identify, Protect, Detect, Respond, & Recover)
- Great documents from General Internet Security to Technical Publications (ICS users, Gov’t Users, Home & Business Users)
- Cloud Security Alliance (CSA), the site for best practices on providing security assurance within cloud computing
- Focused on enhancing the cyber security readiness and response of public and private sector entities
- Center for Internet Security (CIS): Security Benchmarks, MS-ISAC, TPA, IIC
- Cloud Controls Matrix (CCM), the CSA tool for assessing the overall security risk of a cloud provider
About the Author: Gary Hayslip is Deputy Director, Chief Information Security Officer (CISO) for the City of San Diego, California. As CISO he is responsible for developing and executing citywide cyber security strategy and leading teams focused on Enterprise Risk Management, Security Engineering, Application Security, Cyber Security Operations, & Cyber Security Resiliency. His mission includes creating a “risk aware” culture that places high value on securing city information resources and protecting personal information entrusted to the City of San Diego.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of TheDigitalAgeBlog.