Basic Cyber Hygiene is Lacking and Now is the Time to Make it Routine
A good quality control (QC) consultant is great at focusing on core principles. Want to prioritize your biggest problems? Build a Pareto chart. Want to engage in continuous quality improvement? Follow the “plan, do, check, adjust” formula.
In cybersecurity, numerous surveys have already plotted Pareto charts of our nastiest problems. The number one issue is self-inflicted: poor cyber hygiene. Those same surveys suggest solutions focused on the basics, and the key to success is a hygiene routine built on diligent repetition.
This is easier said than done. As your attack surface grows, your cybersecurity team spends more time dealing with more alerts. Day to day, there isn’t much time to address known architectural flaws or apply needed patches. Thus, more often than not, the hygiene to-do list is pushed out until tomorrow, or next week, or until the aftermath of a breach.
Beware of tried-and-true hacks
This is why so many well-known exploits remain successful. Even after 20 years, brute-force attacks on public-facing systems remain a top entry tactic. Such attacks often target an administrative console for a web application, a remote desktop session, or a listening service such as Secure Shell (SSH). These services exist on nearly every type of device, from the largest computing assets locked in dark rooms to the smallest embedded devices found seemingly everywhere. In particular, internet of things (IoT) endpoints are especially vulnerable because many are left in their default settings.
Make basic hygiene a weekly habit
The solution: every week, devote at least two hours to basic cyber hygiene. Four best practices will help your team build habit from repetition:
• Make time for it – Establish a routine for reviewing public exploit websites, identifying common vulnerabilities, and applying recommended patches and architectural fixes.
• Budget for it – Give yourself a bit more time to patch defects by joining a closed community that provides information about vulnerabilities and exploits.
• Offer cumulative incentives – Help all employees, especially those who work remotely, make a habit of keeping their endpoint devices up to date: security software, operating systems, applications, VPNs, and so on.
• Document it – If you have a team, then they will probably divide and conquer the vulnerability investigation task. IT managers need to know which threats were: researched, are applicable, updated on specific appliances, or still need to be patched. The audit trail eliminates reliance on tribal memory as to what was fixed and demonstrates due diligence. In addition, this record is necessary, not only for the immediate task, but for compliance purposes, in addition to establishing a starting point in advent that there is a security breach.
Build on the basics—continuously
The bad guys are relentless, and they will keep using any and all exploits that have a proven success rate. As with the good QC consultant, our healthiest response is to adopt a mindset of “continuous security improvement” built on a foundation of immutable basics: plan, do, check, and adjust. Ensuring the security of your network, endpoints and activities begins when you clean up your act and make basic cyber hygiene an obsessive habit.