Clean Up Your Act with Better Cyber Hygiene

Basic Cyber Hygiene is Lacking and Now is the Time to Make it Routine

A good quality control (QC) consultant is great at focusing on core principles. Want to prioritize your biggest problems? Build a Pareto chart. Want to engage in continuous quality improvement? Follow the “plan, do, check, adjust” formula.

In cybersecurity, numerous surveys have already plotted Pareto charts of our nastiest problems. The number one issue is self-inflicted: poor cyber hygiene. Those same surveys suggest solutions focused on the basics, and the key to success is a hygiene routine built on diligent repetition.

This is easier said than done. As your attack surface grows, your cybersecurity team spends more time dealing with more alerts. Day to day, there isn’t much time to address known architectural flaws or apply needed patches. Thus, more often than not, the hygiene to-do list is pushed out until tomorrow, or next week, or until the aftermath of a breach.

Beware of tried-and-true hacks

This is why so many well-known exploits remain successful. Even after 20 years, brute-force attacks on public-facing systems remain a top entry tactic. Such attacks often target an administrative console for a web application, a remote desktop session, or a listening service such as Secure Shell (SSH). These services exist on nearly every type of device, from the largest computing assets locked in dark rooms to the smallest embedded devices found seemingly everywhere. Internet of things (IoT) endpoints are especially vulnerable because many are left in their default settings.

Make basic hygiene a weekly habit

The solution: every week, devote at least two hours to basic cyber hygiene. Four best practices will help your team build habit from repetition:

• Make time for it – Establish a routine for reviewing public exploit websites, identifying common vulnerabilities, and applying recommended patches and architectural fixes. 

• Budget for it – Give yourself a bit more time to patch defects by joining a closed community that provides information about vulnerabilities and exploits. 

• Offer cumulative incentives – Help all employees, especially those who work remotely, make a habit of keeping their endpoint devices up to date: security software, operating systems, applications, VPNs, and so on. 

• Document it – If you have a team, they will probably divide and conquer the vulnerability investigation task. IT managers need to know which threats were researched, which are applicable, which were updated on specific appliances, and which still need to be patched. The audit trail eliminates reliance on tribal memory as to what was fixed and demonstrates due diligence. This record is necessary not only for the immediate task but also for compliance purposes, and it establishes a starting point in the event of a security breach.

Build on the basics—continuously

The bad guys are relentless, and they will keep using any and all exploits that have a proven success rate. As with the good QC consultant, our healthiest response is to adopt a mindset of “continuous security improvement” built on a foundation of immutable basics: plan, do, check, and adjust. Ensuring the security of your network, endpoints and activities begins when you clean up your act and make basic cyber hygiene an obsessive habit.

Written By

Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before becoming Keysight’s CMO, Marie was CMO at Ixia and at Check Point Software Technologies. Prior to that, she was Vice President at Cisco where she led the company’s enterprise networking and security portfolio and helped drive the company’s leadership in networking. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. Marie received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.
