October is national cybersecurity awareness month, and with the recent hacks at Door Dash, the discovery of a large-scale iOS hacking campaign, and a database containing 419 million phone numbers associated with Facebook accounts, we’re all likely feeling a little dirty. So, I decided to share my perspectives on cyber hygiene. The dictionary defines hygiene as “conditions or practices conducive to maintaining health and preventing disease, especially through cleanliness.”
In IT terms, “disease” would be breaches or other IT violations and the “practices conducive to maintaining health and preventing disease” would represent the set of controls that can help organizations avoid 80 percent of breaches and minimize business impact during a cybersecurity event when applied throughout your IT environment. Even organizations that have met compliance or regulatory obligations can improve their cyber hygiene, as the above mentioned recent examples can attest.
Breach data shows an overwhelming number of hacks occur due to poor controls in areas such as patch, password and device management, and many result from poor user security awareness and training. I have heard many of my colleagues, read many articles, and listened to speakers describing the difficulties in establishing hygiene-related practices.
This is not an easy challenge, and while we can also seek other paths to improve cybersecurity like expecting vendors to do a better job securing their products, as cybersecurity professionals it is our responsibility, our “sworn oath,” to protect critical infrastructure along with private and protected information. This begins “at home” with good cyber hygiene.
I have been in IT for over 30 years, and this problem is not new. In the 90s, I worked for a large energy company in Houston with assets and operations across 18 states. Our organization did not understand the concept of change management, and as a result, our teams worked countless nights repairing systems that we had broken ourselves.
We did not have good equipment inventories or a comprehensive idea of what was on our boxes. “That’s our Notes server” was good enough. The help desk had admin access, so they could repair anything that came across their desks. And user management was an absolute mess. We had accounts from users who had not worked for the company in decades.
Some were even deceased. I had worked for three name-brand and reputable companies before that one, all of which had similar practices and related issues. This is how IT was done. In too many cases, it still is that way. I have seen recent and similar issues, at various degrees, across all sectors, including energy, healthcare, retail and transportation.
Ultimately, the company in my example decided to replace our CIO with one from a regulated industry that had a strong history of controls and IT best practices. I remember trying to convince him that “his” processes may have worked in his former industry, but it would not work in energy and would kill productivity. He did what any good boss would do – he provided clear expectations and then gave me responsibility and authority to meet those expectations.
In this case, that included responsibility for IT and OT production support, Service Level Agreements (SLAs), service desk, telecommunications, change management, disaster recovery and business continuity, and IT security. And he offered his full support by mentoring our teams and addressing concerns with business leaders who would also be impacted for a time. This was not an easy adjustment, and for a time, it was tough.
Then came the “aha!” moment: we realized our systems were patched, employees had access commensurate with their roles, production systems were not breaking, and our teams worked nights (usually) only during scheduled maintenance windows. I encourage you to follow a similar path towards implementing, or improving, good cyber hygiene practices. My recommendation is to crawl, walk, run.
Don’t try to boil the ocean. Be methodical, deliberate and committed, and address needs specific to your company. The task areas below can help get you to a cleaner, healthier IT security environment.
1. Survey your IT implementation of cyber-hygiene controls throughout your IT environment and not just one specific, best-in-class area.
For example, some organizations focus just on compliance areas to apply controls. However, compliance is often specific to a certain area, a certain subset of devices, or systems. Compliance is not designed to address your general business cybersecurity needs, so perform the survey more holistically. NOTE: If you don’t have a survey tool, a free one is available here. This is confidentially and independently scored and will take about 20 minutes to complete questions in the following domains:
- Asset Inventory: Hardware and Software
- Asset Baselines: Hardening and Change Management
- Vulnerability Management
- Access and Account Management
- Information Management and Protection
- Boundary Defense: Electronic and Physical Security
- Incident Management and Review
- Security Awareness and Training
- Supply Chain Management
2. Question your results. If the survey provides results that surprise you, either worse or better than you expected, take a deeper look by performing a gap analysis.
- For each gap, require that actionable recommendations are included and capture risk ranking and effort in estimated time and cost.
- Where available, use trusted discovery tools to automate the collection of information. This will save lots of time.
- As part of discovery, collect and review policy and procedure documents to make sure they are repeatable and fit your environment. These documents are there to support the success of your team and organization. Generic documents are not going to deliver great results. Also, make sure that you are not building something that does not match your risk profile.
3. Simplify before you solve.
- Prioritize recommendations and develop a plan to address identified issues over the 1-3 years.
- Track progress and report status to leadership team on a regular basis.
- Build organizational support by developing SLAs based on business terms and not IT/cyber speak. This will help develop scheduling and maintenance windows, and it will capture additional security needs. This is also an effective way to establish and communicate support costs.
- Business systems needed Mon-Fri, 8AM to 5PM
- Systems needed Sun-Sat, 7AM to 11PM
- Systems needed 24×7
- Systems that have compliance requirements
- See what existing tools and processes you can leverage to address your needs. Your support teams will appreciate the uniformity. Make purchase decisions based on technology gaps or automation needs.
4. Adopt an IT controls approach to measure, monitor and report the ongoing effectiveness of controls.
- An accompanying audit program will report the current status for all controls based on the latest test results and ensure all controls are tested annually based on risk.
- Create a technology advisory board to discuss technology changes and additions before purchase or investment decisions are made to reduce risks associated with new and developing threats such as ransomware and IoT.
About the Author: Michael Sanchez, CISA, CCSFP is the President of ITEGRITI Corporation (www.itegriti.com) and has served NERC and CIP clients since 2006. He has over 31 years of experience in information technology, compliance and audit and has held senior leadership positions in the energy, oil & gas, healthcare, and transportation industries. In prior positions, Michael served as head of Commercial Cybersecurity and Compliance for a global management consulting firm, In other past roles, he managed IT and OT for a $12-billion energy corporation, assisted in the IT rebuild and redesign for a large power generation company, and served for 12 years as a board member for FBI InfraGard Houston, helping facilitate the sharing of information related to domestic physical and cyber threats. He has experience across a wide variety of regulatory areas including NERC, NERC CIP, FERC, SOX, HIPAA, and FERPA. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
