Posted on by Insider Threatin
This post is also authored by Charles M. Wallen.
Tightening an organization's cybersecurity can be very complex, and just purchasing a piece of new hardware or software isn't enough. Instead, you might begin by looking at the most common baseline cyber practices that other organizations use in their cybersecurity programs--their cyber hygiene. This post will introduce fundamental cyber hygiene practices for organizations and help you understand the cyber-risk problem space.
Like personal hygiene, cyber hygiene should start with the basic actions that are most likely to promote good health. As much as people would like to lay cyber hygiene at the feet of the IT department, cyber hygiene is an organizational challenge. For example, IT might set password policies, but users have to set strong passwords and keep them secret.
To further complicate matters, an organization's threat landscape changes daily, and new variants of attacks on computer systems appear by the hour. The sheer number of security vulnerabilities in hardware, software, and underlying protocols--and the dynamic threat environment--make it nearly impossible for most organizations to keep pace.
Threats aren't only technological, either. Hackers and other bad actors are adept at social engineering to gain access to systems and the information they house. Social engineering attacks can be a sophisticated phishing campaign, a sob story delivered to a customer service representative over the phone, or even an individual onsite claiming to be fixing the HVAC but actually planting a wireless-enabled device. The IT department alone can't mitigate social engineering attacks. It's a responsibility shared by everyone, from the C-suite to the most junior staff members, and you might never get all personnel onboard.
In the face of such a challenge, what's a CISO to do? A CISO should start by focusing on the critical products or services to be protected by a cyber hygiene program, not the attacks themselves.
Risk is a key consideration. Risk can be described as the probability and severity of a decision's outcome as it relates to the ability of the organization to conduct business profitably. Good cyber hygiene involves identifying, prioritizing, and responding to risks to the organization's key services and products. It's impossible to eliminate all risk, so determining the biggest, most likely risks focuses effort and improves efficiency.
Consciously or subconsciously, individuals make most decisions by using risk analysis, and so do organizations. What are the risks of acquiring a new customer? Updating the corporate website to a new software version? Launching a new product? Any decision that can have a measurable impact on the business should be considered through a defined risk analysis process or framework, so organizations must be comfortable with theirs.
Another key area of cyber hygiene is simply knowing what you have. An organization should be able to identify its services, products, and supporting assets. For example, what facilities are involved in the production of a product or service? What staff members are most crucial to its delivery? Once you know what and where all the assets are, the organization should prioritize them through an analysis of risk or business impact.
Focusing on risk and knowing what you have are just two of 11 practice areas of cyber hygiene we've developed at the CERT® Division of the SEI:
If you feel as if you've heard this before, good: that means you're paying attention to guidance from such organizations as the National Institute of Standards and Technology (NIST), the Center for Internet Security, the European Union Agency for Network and Information Security, and the Australian Signals Directorate.
Many organizations have provided versions of cyber hygiene, often with a focus on technology, coding, or some specific risk area. At the CERT® Division of the SEI, our approach to cyber hygiene involves identifying the commonalities among these cyber practices and aligning them with the resilience management practices in the CERT Resilience Management Model (CERT-RMM). Resilience management is the application of the methodologies of the CERT-RMM, which is a capability-focused maturity model. Resilience management can be expressed in terms of establishing organization-appropriate levels of protection and sustainment capabilities.
CERT-RMM and its resilience management methodologies help organizations consider resilience to be a foundational property of all policies, plans, processes, and procedures. CERT-RMM has more than 200 resilience management practices spread across 26 process areas, ranging from Asset Definition and Management, to External Dependencies Management, to Vulnerability Analysis and Resolution. Though all the CERT-RMM practices are important for an organization's viability and sustainability, they are a lot for an organization to absorb. That's why we've introduced the 11 cyber hygiene areas, which comprise 41 practices, that are paramount to every organization's success.
Included in the CERT-RMM practice documentation are practice goals, concepts, implementation guidance, work products, and suggestions on how to build and manage operational resilience. A list of the CERT-RMM practices that support cyber hygiene is available here. You can download the complete list of CERT-RMM practices from the SEI website.
As a federally funded research and development center, the SEI continues to explore innovative approaches to making organizations resilient. We welcome input and collaborations. We would particularly appreciate hearing about your experiences implementing cyber hygiene and its supporting practices.
Cyber hygiene is a business problem, not an IT problem, and no two organizations will implement it the same way. The ever-evolving threat landscape will eventually render ineffective many individual administrative, physical, or technical controls, especially without proper review. That's why the CERT Division's 11 areas of cyber hygiene represent a living, flexible set of practices. So, to the embattled CISOs and other security professionals, we encourage you to start looking for evidence of these hygiene practices in your organization's policies, plans, processes, and procedures. A little hygiene goes a long way toward keeping your organization healthy and providing high-value cyber-risk investments.