October is national cybersecurity awareness month, and with the recent examples of hacks at Equifax and Sonic as well as the realization that 3 billion Yahoo accounts have been breached, we all are likely feeling a little dirty.
So, I decided to share my perspectives on cyber hygiene. The dictionary defines hygiene as “conditions or practices conducive to maintaining health and preventing disease, especially through cleanliness”. In IT terms, “disease” would be breaches or other IT violations, and the “practices conducive to maintaining health and preventing disease” would be the set of controls that, applied throughout your IT environment, can help organizations avoid 80% of breaches.
Even organizations that have met compliance or regulatory obligations can improve their cyber hygiene, as the recent examples mentioned above attest.
Breach data shows that an overwhelming number of hacks occur due to poor controls in areas such as patch, password, and device management, and many result from poor user security awareness and training. I have heard many of my colleagues, read many articles, and listened to speakers describing the difficulties in establishing hygiene-related practices.
This is not an easy challenge, and while we can also seek other paths to improve cybersecurity like expecting vendors to do a better job securing their products, as cybersecurity professionals it is our responsibility, our “sworn oath”, to protect critical infrastructure along with private and protected information. This begins “at home” with good cyber hygiene.
I have been in IT for nearly 30 years, and this problem is not new.
In the 90s, I worked for a large energy company in Houston with assets and operations across 18 states. Our organization did not understand the concept of change management, and as a result, our teams worked countless nights repairing systems that we had broken ourselves. We did not have good equipment inventories or a comprehensive idea of what was on our boxes. “That’s our Notes server” was good enough. The help desk had admin access, so they could repair anything that came across their desks. And user management was an absolute mess. We had accounts from users who had not worked for the company in decades. Some were even deceased. I had worked for three name-brand and reputable companies before that one, all of which had similar practices and related issues. This is how IT was done. In too many cases, it still is that way. I have seen recent and similar issues, to various degrees, across all sectors including energy, healthcare, retail, and transportation.
Ultimately, the company in my example decided to replace our CIO with one from a regulated industry that had a strong history of controls and IT best practices. I remember trying to convince him that “his” processes may have worked in his former industry, but they would not work in energy and would kill productivity. He did what any good boss would do – he provided clear expectations and then gave me responsibility and authority to meet those expectations. In this case, that included responsibility for IT and OT production support, Service Level Agreements (SLAs), service desk, telecommunications, change management, disaster recovery and business continuity, and IT security. And he offered his full support by mentoring our teams and addressing concerns with business leaders who would also be impacted for a time.
This was not an easy adjustment, and for a time, it was tough. Then came the “Aha” moment: we realized our systems were patched, employees had access commensurate with their roles, production systems were not breaking, and our teams worked nights (usually) only during scheduled maintenance windows.
I encourage you to follow a similar path towards implementing, or improving, good cyber hygiene practices. My recommendation is to crawl, walk, run. Don’t try to boil the ocean. Be methodical, deliberate, and committed, and address needs specific to your company. The task areas below can help get you to a cleaner, healthier IT security environment.
Survey your IT implementation of cyber-hygiene controls throughout your IT environment and not just one specific, best-in-class area.
For example, some organizations focus just on compliance areas to apply controls. However, compliance is often specific to a certain area, a certain sub-set of devices, or systems. Compliance is not designed to address your general business cybersecurity needs, so perform the survey more holistically.
NOTE: If you don’t have a survey tool, a free one is available at https://www.research.net/r/cyberriskbaseline. It is confidentially and independently scored and takes about 20 minutes to complete, with questions in the following domains:
- Asset Inventory: Hardware and Software
- Asset Baselines: Hardening and Change Management
- Vulnerability Management
- Access and Account Management
- Information Management and Protection
- Boundary Defense: Electronic and Physical Security
- Incident Management and Review
- Security Awareness and Training
- Supply Chain Management
Question your results. If the survey provides results that surprise you, either worse or better than you expected, take a deeper look by performing a gap analysis.
- For each gap, require that actionable recommendations are included and capture risk ranking and effort in estimated time and cost.
- Where available, use trusted discovery tools to automate the collection of information. This will save lots of time.
- As part of discovery, collect and review policy and procedure documents to make sure they are repeatable and fit your environment. These documents are there to support the success of your team and organization. Generic documents are not going to deliver great results. Also, make sure that you are not building something that does not match your risk profile.
Simplify before you solve.
- Prioritize recommendations and develop a plan to address identified issues over the next year and three years.
- Track progress and report status to leadership team on a regular basis.
- Build organizational support by developing SLAs based on business terms and not IT/cyber speak. This will help develop scheduling and maintenance windows, and it will capture additional security needs. It is also an effective way to establish and communicate support costs. Typical SLA tiers:
  - Business systems needed Mon-Fri, 8AM to 5PM
  - Systems needed Sun-Sat, 7AM to 11PM
  - Systems needed 24×7
  - Systems that have compliance requirements
- See what existing tools and processes you can leverage to address your needs. Your support teams will appreciate the uniformity. Make purchase decisions based on technology gaps or automation needs.
Adopt an IT controls approach to measure, monitor and report the ongoing effectiveness of controls.
- An accompanying audit program will report the current status of every control based on its latest test results and ensure that all controls are tested at least annually, with frequency based on risk.
- Create a technology advisory board that reviews technology changes and additions before purchase or investment decisions are made, reducing the risks associated with new and developing threats such as ransomware and IoT.
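The gap analysis above asks for a risk ranking and an effort estimate for every finding, and the controls approach asks for a report of each control's current status plus assurance that every control is tested on a risk-based cadence. The register below, an added example and not code from the article or from ITEGRITI, shows one way to keep both in a single place: each control carries its survey domain, risk rank, last test date and result, and the estimated hours and cost to close its gap; from that it derives a status per control, the counts to report to leadership, and a remediation order by risk and then by effort. The control identifiers, dates, risk tiers, test intervals and effort figures are constructed for illustration, and the rule that higher-risk controls are retested more often than annually is an assumption, not something the article specifies.

```python
"""Control register with risk-based test cadence and remediation ordering.

Added example (not the article's or ITEGRITI's code). All identifiers,
dates and figures are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    control_id: str
    domain: str                  # survey domain named in the article
    risk_rank: int               # 1 = highest risk
    last_tested: Optional[date]  # None if never tested
    last_result: str             # "pass" or "fail" from the latest test
    effort_hours: int            # estimated effort to close the gap
    effort_cost: int             # estimated cost (USD) to close the gap


# Assumed policy: every control is tested at least annually (365 days),
# and higher-risk controls are retested more often.
INTERVAL_DAYS: Dict[int, int] = {1: 90, 2: 180, 3: 365}

# Constructed register; values are illustrative only.
TODAY = date(2017, 10, 15)
CONTROLS: List[Control] = [
    Control("AI-01", "Asset Inventory: Hardware and Software", 1, date(2017, 9, 1), "pass", 40, 5000),
    Control("VM-02", "Vulnerability Management", 1, date(2017, 5, 1), "pass", 80, 20000),
    Control("AM-03", "Access and Account Management", 1, date(2017, 10, 1), "fail", 16, 0),
    Control("CM-04", "Asset Baselines: Hardening and Change Management", 2, date(2017, 1, 10), "pass", 120, 15000),
    Control("SA-05", "Security Awareness and Training", 3, None, "untested", 24, 3000),
    Control("BD-06", "Boundary Defense: Electronic and Physical Security", 2, date(2017, 8, 20), "pass", 60, 8000),
]


def status(control: Control, today: date) -> str:
    """Current status: untested, overdue, or the latest result (pass/fail).

    A passing control whose retest window has lapsed is reported as
    overdue, because a stale pass is not evidence the control still works.
    """
    if control.last_tested is None:
        return "untested"
    interval = INTERVAL_DAYS.get(control.risk_rank, 365)
    due = control.last_tested + timedelta(days=interval)
    if today > due:
        return "overdue"
    return control.last_result


def report(controls: List[Control], today: date) -> Dict[str, int]:
    """Counts per status, the one-line summary for the leadership update."""
    counts: Dict[str, int] = {}
    for c in controls:
        s = status(c, today)
        counts[s] = counts.get(s, 0) + 1
    return counts


def prioritize(controls: List[Control], today: date) -> List[Control]:
    """Open items (anything not currently passing) ordered by risk rank,
    then by lowest effort so quick wins at the same risk level come first."""
    open_items = [c for c in controls if status(c, today) != "pass"]
    return sorted(open_items, key=lambda c: (c.risk_rank, c.effort_hours, c.effort_cost))


def plan_totals(controls: List[Control], today: date) -> Tuple[int, int]:
    """Total estimated hours and cost to close all open items."""
    open_items = prioritize(controls, today)
    return (sum(c.effort_hours for c in open_items),
            sum(c.effort_cost for c in open_items))


if __name__ == "__main__":
    print("Status summary:", report(CONTROLS, TODAY))
    for c in prioritize(CONTROLS, TODAY):
        print(f"{c.control_id:6} risk={c.risk_rank} {status(c, TODAY):9} "
              f"{c.effort_hours:4}h ${c.effort_cost:6}  {c.domain}")
    print("Plan totals (hours, USD):", plan_totals(CONTROLS, TODAY))
```

Run as written, the script lists the four open controls with the access-management failure first (highest risk, lowest effort) and the untested awareness control last, and totals the effort for the one-year plan. Swapping the constructed register for your own findings and adjusting INTERVAL_DAYS to your risk policy is all that is needed to reuse it.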
I hope this is helpful. Please leave your comments below, visit our website, or get in touch to share your thoughts. I look forward to hearing from you.
About the Author: Michael Sanchez, CISA, is the President of ITEGRITI Corporation (www.itegriti.com) and has served NERC and CIP clients since 2006. He has more than 29 years of experience, and he has held senior IT and compliance leadership positions in the energy, oil & gas, healthcare, and transportation industries. In prior positions, Michael served as head of Commercial Cybersecurity and Compliance for a global management consulting firm, managed IT and OT for a $12-billion energy corporation, and assisted in the IT rebuild and redesign for a power company that generated 12,000 megawatts of electricity. He has experience across a wide variety of regulatory areas including NERC, NERC CIP, FERC, SOX, HIPAA, and FERPA. Michael serves as the local chapter SIG coordinator and has been a board member for the last 12 years for InfraGard Houston, a private non-profit organization serving as a public-private partnership between U.S. businesses and the FBI facilitating the sharing of information related to domestic physical and cyber threats.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.