With proper cyber hygiene, you can control IT processes - rather than being controlled by endless (and unhygienic) vulnerabilities.
What is Cyber Hygiene?
As kids, we’re taught the basics of personal hygiene. The tripartite principles of using the right hygienic products (think toothpaste), in the right way (brushing up and down), and with the right consistency (every morning and evening) create habits that stick with us throughout our lives, guiding us and (hopefully) facilitating a healthy lifestyle.
Cyber hygiene is no different. The practices, processes, and habits that we put into place vis-à-vis our computers, devices, networks and overall digital infrastructure play a huge role in the maintenance of system health and security.
Yes, It’s Really Important
Anyone who’s ever had a cavity and been subject to the phrase “You should have brushed more carefully!” knows what happens when you ignore the practice of hygiene. At best, it’s annoying. At worst, it really hurts.
Cyber hygiene "means changing your passwords, having strong user access and control management in addition to, of course, device management, and patching on time, managing your rogue assets, and of course, using multi-factor authentication," according to Robert Herjavec, investor on ABC's Shark Tank and CEO/Founder of cyber-security services firm Herjavec Group.
According to a 2017 report issued by Fortinet, 90% of companies face attacks from vulnerabilities that have been known for at least 2 years. The ease of using older exploits makes them tempting options for malicious hackers who might not have the skill set to exploit newer, less well-known vulnerabilities. Stuart Aston, Microsoft’s Chief Security Officer in the UK, also points out that less than 1% of vulnerabilities are actual ‘zero day’ vulnerabilities, meaning it’s almost certain that the solution for any major incident was already available at the time of the attack.
How many of these attacks could have been prevented with proper cyber hygiene? While your mother might say “all of them” about your cavities, given proper oral hygiene, we’ll conservatively declare that many, many cyber attacks could be prevented if organizations would just stick religiously to the principles of cyber hygiene.
What are these principles, and what could organizations be doing to better abide by them? Here are just a few of the challenges and their solutions:
Challenges in Cyber Hygiene
Challenge #1: Asset Risk Profiling is a Mess
Without proper asset management and risk profiling, it’s difficult to keep IT environments clean and minimize risk. At the same time, data integrity and quality are low because asset data is not integrated and sits out of context in dozens of systems: CMDB, cloud infra, VM scanners, patch management, configuration management, code management, and more. This makes asset risk assessment challenging if not impossible.
The solution? When assessing risk to your systems, try asking the following three basic questions to better understand the practical risks of assets deployed on your network:
- Is the asset deployed in a risky location? If so, is it internal or external to the network? Is it connected directly to a critical network segment or asset?
- Is there a known vulnerability on this asset that’s exploitable with a public exploit?
- Does the vulnerability allow remote code execution?
Challenge #2: Vulnerability Triage is Becoming Impossible
"...Enterprises find it incredibly difficult to demonstrate active control over their cyber hygiene and thus efficiently remediate cybersecurity risks," noted Karla Jobling, MD of Beecher Madden, in a recent blog post.
This assessment is absolutely correct. The fact is that modern infrastructure, applications, and code have thousands - if not tens of thousands - of vulnerabilities. These are detected by various assessment tools, but current solutions don’t prioritize which vulnerability to remediate first. Further, these solutions suffer from high false positive rates.
Without a solution that can effectively focus vulnerability remediation, time and resource investment errors are inevitable. Lacking effective prioritization, the vulnerabilities your teams choose to remediate may actually be those that pose less risk.
The solution? Don’t look at things from the vulnerability point of view. Instead, try either of these approaches:
- The asset standpoint – Remediate all vulnerabilities on your important assets first, even before remediating critical vulnerabilities on unimportant assets.
- The solution standpoint – Don’t go for a quick win with a single solution that remediates a group of vulnerabilities. The reason? These groups frequently revolve around large updates such as major OS version upgrades, which require more resources at a given point in time but can save a lot of time and attention in the long run.
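To make the three risk questions from Challenge #1 and the asset standpoint above concrete, here is an added example (not from the original article or any vendor tool) that orders the same findings two ways. The asset names, VULN-* ids, the "important" flag, and the choice to count "yes" answers as a tie-breaker are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    important: bool       # business-critical asset (assumed inventory flag)
    external: bool        # question 1: external to the network?
    near_critical: bool   # question 1: directly connected to a critical segment/asset?

@dataclass(frozen=True)
class Finding:
    vuln_id: str          # constructed placeholder, not a real identifier
    asset: Asset
    severity: float       # scanner score, 0-10
    public_exploit: bool  # question 2
    rce: bool             # question 3

def questions_met(f: Finding) -> int:
    """Count how many of the three risk questions are answered 'yes'."""
    risky_location = f.asset.external or f.asset.near_critical
    return sum([risky_location, f.public_exploit, f.rce])

def severity_first(findings):
    """Vulnerability point of view: highest scanner score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.severity)]

def asset_first(findings):
    """Asset standpoint: everything on important assets first, then by
    risk questions met, then by severity as a tie-breaker."""
    key = lambda f: (not f.asset.important, -questions_met(f), -f.severity)
    return [f.vuln_id for f in sorted(findings, key=key)]

# Constructed sample inventory and findings.
db = Asset("billing-db", important=True, external=False, near_critical=True)
kiosk = Asset("lobby-kiosk", important=False, external=True, near_critical=False)
wiki = Asset("intranet-wiki", important=False, external=False, near_critical=False)
FINDINGS = [
    Finding("VULN-A", kiosk, 9.8, public_exploit=True, rce=True),
    Finding("VULN-B", db, 5.3, public_exploit=False, rce=False),
    Finding("VULN-C", db, 7.5, public_exploit=True, rce=False),
    Finding("VULN-D", wiki, 8.1, public_exploit=False, rce=True),
]

if __name__ == "__main__":
    print("severity-first:", severity_first(FINDINGS))
    print("asset-first:   ", asset_first(FINDINGS))
```

With this sample data, the medium-severity findings on the important database move ahead of the higher-scored findings on the kiosk and wiki.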
Challenge #3: More Hands on Deck?
Like so many areas of security, the knee-jerk reaction to vulnerability remediation is often to push for more hands on deck. And it is true that the amount of manual effort required by the vulnerability management and remediation process is enormous. Yet human resources are expensive, and may not be the best solution in terms of cost-benefit.
The solution? Before asking Human Resources to start interviewing, try automating as much manual labor as possible – from intelligence collection to patch deployment and testing, and everything in between.
The Bottom Line
With proper cyber hygiene, you can control IT processes – rather than being controlled by endless vulnerabilities. With the right tech, used the right way and with consistency, it is possible to effectively – and cost-effectively – scale to meet the enormous challenges presented by vulnerabilities. The fact is that much of the groundwork has already been laid by IT and code development processes in DevOps, Cloud, and infrastructure as code. Given this opportunity to maintain firm IT hygiene policies, our security teams need to make moving forward with it a top priority.