Cyber Hygiene equals Cyber Resilience
Cyber hygiene is a relatively new term for the basic security practices everyone should follow to keep their organisation safe from common security threats. Yet even these most basic security controls are often neglected or implemented incorrectly, needlessly leaving the business exposed to risks it could easily counter.
Make cyber hygiene practices routine
A common analogy that explains the critical importance of cyber hygiene practices is to liken them to personal hygiene. Most of us engage in daily hygiene practices that keep us clean and healthy, such as washing our hands and brushing our teeth. Cyber hygiene practices are no different; they are relatively easy to implement and their value in maintaining a healthy infrastructure cannot be overstated. For example, taking verified backups allows you to recover information quickly should you be hit by ransomware. Patching applications and operating systems fixes commonly known vulnerabilities within your ICT solutions so adversaries cannot exploit them. Installing other basic controls, such as application whitelisting and restricting user and admin privileges, goes a long way to protecting your organisation’s crown jewels.
Adopting a mature approach to cyber hygiene has several clear benefits beyond the visible outcomes of each security control. For example, application whitelisting – a means of controlling unwanted applications running on your computer systems – prevents malware infections by blocking unauthorised software from executing; if malware cannot run, it cannot cause any harm. Beyond that, a less-obvious benefit of application whitelisting is that your workforce can no longer install applications on your systems without approval.
Programs downloaded from the Internet or ones that a colleague or friend provides on removable media must be passed to the administration team to authorise. This new process encourages staff to think twice about whether they need it, and if they need it for their role, they will raise the change request through formal channels. The Australian Cyber Security Centre (ACSC) considers the controls in the Essential Eight Framework to be cyber hygiene measures. The Essential Eight comprises the following security controls:
- Application control (also known as application whitelisting);
- Patching applications;
- Locking down Microsoft Office macro settings;
- User application hardening;
- Restricting administrative privileges;
- Patching operating systems;
- Multi-factor authentication; and
- Daily backups.
Each of these security controls improves your organisation’s security posture by reducing the overall attack surface (the size of the digital target attackers can exploit), making your business significantly more resilient.
Locking down Microsoft Office macro settings stops attackers from using Visual Basic for Applications (VBA) malware, often distributed in phishing emails. Users may be required to digitally sign macro code they want to use, which makes them more aware of the threats and instils a stop-and-think attitude when considering how they use these products.
User awareness is also boosted when you introduce multi-factor authentication: it protects users’ accounts from being compromised, and it makes them go through a login process that reminds them security is important.
Daily backups are a great example of a control that’s been around since the first computers were developed over fifty years ago to help recover after a failure. Still, their value as a security control for recovering data after malware infections or ransomware attacks cannot be overstated. If you have a functioning backup capability, taking incremental backups over a few weeks, it’s possible to recover from most conceivable cyberattacks. By restoring to a known good state from a few days before the attack, you can regain control over your systems and put plans in place to ensure you don’t get reinfected.
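The two properties the paragraph above relies on, verified backups and a restore point from before the attack, can be made mechanical. The following is an added example, not code from the original article or from any backup product: it re-hashes each archive against the checksum recorded at backup time, treats each full backup plus its following incrementals as a chain that a single bad archive cuts, and picks the most recent verified chain that ends at least a safety margin before the suspected compromise. The archives, timestamps and checksums are constructed sample data; the one-day margin and the `full-`/`inc-` naming convention are assumptions for the example.

```python
"""Pick a verified restore chain from a backup catalogue.

Added example (not code from the original article). The archives, timestamps
and checksums are constructed sample data; a real tool would hash the actual
archive files on the backup media and read the catalogue from the backup
system.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed stand-ins for archive files on backup media: name -> bytes.
ARCHIVES = {
    "full-2024-03-01.tar": b"full backup, 1 March",
    "inc-2024-03-02.tar": b"incremental, 2 March",
    "inc-2024-03-03.tar": b"incremental, 3 March",
    "inc-2024-03-04.tar": b"incremental, 4 March (bytes changed after backup)",
    "inc-2024-03-05.tar": b"incremental, 5 March",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Catalogue written at backup time: (archive name, time taken, SHA-256 then).
# The 4 March entry records the hash of the original bytes, which no longer
# match ARCHIVES above, simulating a corrupted or tampered archive.
CATALOGUE = [
    ("full-2024-03-01.tar", datetime(2024, 3, 1, 2, 0), sha256(b"full backup, 1 March")),
    ("inc-2024-03-02.tar", datetime(2024, 3, 2, 2, 0), sha256(b"incremental, 2 March")),
    ("inc-2024-03-03.tar", datetime(2024, 3, 3, 2, 0), sha256(b"incremental, 3 March")),
    ("inc-2024-03-04.tar", datetime(2024, 3, 4, 2, 0), sha256(b"incremental, 4 March")),
    ("inc-2024-03-05.tar", datetime(2024, 3, 5, 2, 0), sha256(b"incremental, 5 March")),
]


def verify(name: str, expected_sha256: str) -> bool:
    """Re-hash the archive and compare with the checksum recorded at backup time."""
    return sha256(ARCHIVES[name]) == expected_sha256


def choose_restore_chain(catalogue, compromise_time, margin=timedelta(days=1)):
    """Return (archive names to restore in order, restore point) or ([], None).

    Only backups taken at least `margin` before the suspected compromise are
    considered. An incremental backup depends on its full backup and on every
    incremental between, so a failed checksum cuts the chain at that point and
    everything after it (up to the next full backup) is unusable.
    """
    cutoff = compromise_time - margin
    candidates = sorted((e for e in catalogue if e[1] <= cutoff), key=lambda e: e[1])
    chains = []            # each chain: [(name, taken_at), ...], all verified
    current, broken = None, False
    for name, taken_at, expected in candidates:
        if name.startswith("full-"):
            current, broken = [], False   # a full backup starts a fresh chain
            chains.append(current)
        if current is None or broken:
            continue                      # orphan incremental, or after a bad one
        if not verify(name, expected):
            broken = True
            continue
        current.append((name, taken_at))
    usable = [c for c in chains if c]     # drop chains whose full backup failed
    if not usable:
        return [], None
    chain = usable[-1]
    return [n for n, _ in chain], chain[-1][1]


if __name__ == "__main__":
    names, point = choose_restore_chain(CATALOGUE, datetime(2024, 3, 5, 12, 0))
    print("restore:", names, "-> state as of", point)
```

With a compromise suspected at midday on 5 March, the 4 March incremental fails verification, so the recoverable state is the full backup plus the 2 and 3 March incrementals; the 5 March archive verifies but is inside the margin and is ignored. Note the checksum catalogue only helps if it is stored where an attacker who reaches the backups cannot also rewrite it.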
Best practices for cyber hygiene
To start with, use a reputable antivirus product. The good thing these days is that if your business uses Microsoft products, Microsoft Defender is free and included with the operating system. Going back a few years, critics would have said that Microsoft’s free antivirus product wasn’t up to the same standard as the competition, but they have invested heavily in fixing this position and now have a market-leading capability for which you don’t have to pay.
Secondly, make sure your business uses network-based security systems such as firewalls, IDS/IPS and antivirus appliances. A firewall is a key defensive control and can also provide an access control point for staff remotely accessing your business systems. Combined with multi-factor authentication and VPN technology, it gives you a robust and protected method for users to reach servers and information inside the business.
Patching is another essential practice, both for applications and operating systems, so make sure your patching process is holistic and includes all those additional applications users need to do their job. Applications such as Adobe’s Reader and those running on Java have all been vulnerable to attack, so frequently check in with the vendor’s website and see what patches are available that might apply to your business.
Preventative hygiene measures
When you consider cyber hygiene in the context of personal hygiene, there is one more thing to think about: how you remain protected while you are still implementing these controls. The Essential Eight, for example, can take a while to introduce comprehensively, which is why ACSC has a maturity model that enables organisations to benchmark where they are now and track their ongoing performance and development.
Operating in a dynamic environment
One of the issues with security controls is maintaining them in a live, changing operating environment. For example, while a project to introduce operating system patching will likely ensure all your systems are up to date and as protected as possible, once the project stops, compliance may slip. You may not even know your systems are out of date until your next audit, which could be many months away. This security debt quickly builds up, and in a short time you might be as exposed as you ever were, but now you think you are safe, so you are even less likely to notice. What can you do?
Make security audits routine
By running regular security audits you can measure and keep tabs on security control implementation and effectiveness. It is critical that key stakeholders in your business have a current view of risk exposure, to enable prioritisation of remediation activities and effective business decision making.
Security audits, in particular the data collection and evidence gathering elements, can be undertaken in many different ways: manually by your own security team, through questionnaires, site visits, external scanning and intelligence services, or with internal security audit tools.
Internal security audit tools
Internal security audit tools are the most effective way to collect data and gather evidence. They:
- Allow direct gathering of data from source systems with minimal effort or subjectivity and selection biases. Some solutions offer exportable data gathering that enables managers/auditors to work remotely – no site visits or travel is required.
- Provide comprehensive coverage of systems by programmatically querying systems and controls. By focusing on the controls that matter most, they ensure a risk-based view of the audit outputs.
- Ensure consistency and repeatability in the audit process.
- Deliver the outputs – both high level graphical and detailed – that stakeholders and operational teams need to understand the cyber security posture, and to continue to improve it.
- Enable recreation of audit data easily as part of ongoing improvement and remediation stages.
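The properties listed above (programmatic querying, consistency, repeatability, high level and detailed outputs, and visibility of compliance slipping after a project ends) come down to evaluating the same evidence with the same rules every time and comparing against the previous run. The following is an added example, not the article's or ACSC's code and not a real audit product: it scores constructed per-host evidence records against one check per Essential Eight control, produces a per-control pass count for stakeholders and per-host detail for operational teams, and reports drift against a previous audit snapshot. The host records, the approved-admin list and the 30-day patch-age threshold are assumptions for the example, not ACSC maturity-model figures; a real tool would populate the records by querying each system.

```python
"""Repeatable audit of collected host evidence against Essential Eight style checks.

Added example, not the article's or ACSC's code. The host records are
constructed evidence such as an internal audit tool might gather by querying
each system; the thresholds are assumptions for the example, not maturity
model figures.
"""
from datetime import date

AUDIT_DATE = date(2024, 6, 1)
MAX_PATCH_AGE_DAYS = 30          # assumed threshold for this example
MAX_BACKUP_AGE_DAYS = 1          # "daily backups"
APPROVED_ADMINS = {"itops"}      # constructed: accounts allowed local admin rights

# Constructed evidence, one record per host.
HOSTS = [
    {"host": "fs01", "os_patched": date(2024, 5, 28), "apps_patched": date(2024, 5, 20),
     "app_control": True, "macros": "signed_only", "user_app_hardening": True,
     "mfa": True, "local_admins": ["itops"], "last_backup": date(2024, 5, 31)},
    {"host": "ws12", "os_patched": date(2024, 2, 10), "apps_patched": date(2024, 1, 15),
     "app_control": False, "macros": "enabled", "user_app_hardening": False,
     "mfa": True, "local_admins": ["itops", "jsmith"], "last_backup": date(2024, 5, 31)},
    {"host": "ws13", "os_patched": date(2024, 5, 30), "apps_patched": date(2024, 5, 30),
     "app_control": True, "macros": "disabled", "user_app_hardening": True,
     "mfa": False, "local_admins": ["itops"], "last_backup": date(2024, 5, 31)},
]

# Constructed snapshot of the previous audit, taken just after a patching
# project finished: ws12 passed both patching checks at that time.
PREVIOUS = {"ws12": {"patch_os": True, "patch_applications": True}}


def days_since(d: date, today: date) -> int:
    return (today - d).days


# One check per Essential Eight control; each takes (host record, audit date).
CHECKS = {
    "application_control": lambda h, t: h["app_control"],
    "patch_applications": lambda h, t: days_since(h["apps_patched"], t) <= MAX_PATCH_AGE_DAYS,
    "office_macros": lambda h, t: h["macros"] in ("disabled", "signed_only"),
    "user_app_hardening": lambda h, t: h["user_app_hardening"],
    "restrict_admin": lambda h, t: set(h["local_admins"]) <= APPROVED_ADMINS,
    "patch_os": lambda h, t: days_since(h["os_patched"], t) <= MAX_PATCH_AGE_DAYS,
    "mfa": lambda h, t: h["mfa"],
    "daily_backups": lambda h, t: days_since(h["last_backup"], t) <= MAX_BACKUP_AGE_DAYS,
}


def audit(hosts, today):
    """Detailed view: {host: {check: passed}}. Same evidence, same result, every run."""
    return {h["host"]: {name: bool(fn(h, today)) for name, fn in CHECKS.items()}
            for h in hosts}


def summary(results):
    """High level view: {check: (hosts passing, hosts assessed)}."""
    total = len(results)
    return {name: (sum(r[name] for r in results.values()), total) for name in CHECKS}


def drift(previous, current):
    """Checks that passed last audit but fail now, per host: where compliance slipped."""
    out = {}
    for host, checks in current.items():
        prev = previous.get(host, {})
        regressed = sorted(c for c, ok in checks.items() if not ok and prev.get(c))
        if regressed:
            out[host] = regressed
    return out


if __name__ == "__main__":
    results = audit(HOSTS, AUDIT_DATE)
    for check, (passed, total) in summary(results).items():
        print(f"{check:22s} {passed}/{total}")
    for host, regressed in drift(PREVIOUS, results).items():
        print(f"{host}: slipped since last audit on {', '.join(regressed)}")
```

Because the checks are pure functions of the collected evidence, re-running the audit after remediation regenerates the same outputs for the same state, which is the repeatability the list above asks for. The drift report is what catches the post-project slippage described under "Operating in a dynamic environment" long before the next scheduled audit.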