How cyber hygiene can protect against cyberattacks
If you're worried about cyberattacks, you're not alone. As our technology use becomes increasingly pervasive, the number and severity of attacks continue to grow. Thankfully, a well-planned strategy can help to mitigate the problem, and it all starts with basic cybersecurity hygiene.
Chief information security officers (CISOs) understand the growing threat, which makes headlines on a daily basis. The last 12 months alone saw one of the largest attacks on infrastructure in the internet's history, as a botnet created from misconfigured internet devices flooded DNS service provider Dyn with traffic, bringing many of the web's biggest sites to their knees.
Conventional malware also continues to evolve, with the most threatening development in recent memory – ransomware – exploiting users by scrambling their data and demanding payment to decrypt it. Its ability to harm individual citizens as well as large government agencies and commercial firms has proven especially insidious.
These developments carry severe real-world implications. In the U.S., several hospitals have been affected by ransomware, causing some to shut down desktop computers. Hollywood Presbyterian Medical Center also saw its electronic medical records disrupted by ransomware, forcing it to retreat to pen and paper and pay $17,000 to retrieve its data. Almost a third of the U.K.'s National Health Service (NHS) trusts have been hit, according to data obtained from the government.
Fifteen years ago, few would have predicted just how rampant these attacks would become. The onslaught of online threats stems largely from a multiplication of malicious actors. There are not only more attack vectors to exploit, but more people and organizations willing to exploit them.
Hacktivist groups, such as Anonymous, attack organizations for political and ideological reasons, embarrassing them by stealing their data and defacing their websites.
State actors employing increasingly sophisticated groups can wage long-term attacks against large companies and lurk for months inside their networks.
Then, there are commercial criminals, motivated by profit, targeting individuals and institutions to blackmail them, steal and sell their customer data or simply fool executives into transferring large amounts of money.
Companies facing cybersecurity challenges can be overwhelmed by the volume of products purporting to solve the problem. All too often, companies look for one product that can be the single solution. This can lead to technology blindness as CISOs try to navigate endless choices.
Instead of relying on a single solution, the best approach is to put multiple layers of security in place for stronger protection. As a result, CISOs can utilize the best technology in each area of network protection to achieve better resiliency from attack. This defense-in-depth approach is crucial for effective cybersecurity, and it must be driven by a core practice: cyber hygiene.
The Benefits of Cyber Hygiene
Cyber hygiene involves basic cybersecurity practices that are typically inexpensive, but frequently overlooked. Too often, organizations focus on those attackers that receive so much of the media and vendor attention, the so-called advanced persistent threats or “APTs.” While these are certainly real and present concerns, protecting only against an APT is akin to putting a very strong lock on a door while leaving all your windows open. A handful of hygiene measures can stop up to 95 percent of targeted cyber intrusions. Unfortunately, many organizations – including federal agencies – often ignore them. To help combat this, organizations such as the UK National Cyber Security Centre (NCSC) and Australian Signals Directorate (ASD) publish their own recommendations on what cyber hygiene means.
Basic cyber hygiene measures are broken into those that provide protection from attack and those that prevent the impact of an attack if the first controls are bypassed. Some examples include:
- Patching applications and operating systems quickly. Attackers will utilize known vulnerabilities to attempt attacks long before they utilize a "zero day" or unknown system vulnerability to achieve access. This also includes ensuring that all your anti-malware tools are updated on a regular basis.
- Hardening user application usage. This includes limiting or closely monitoring the usage of applications such as Flash and Java, which have long been targets for cyberattack.
- Enforcing good password discipline. There are a number of different concepts today for what good discipline means. The UK’s NCSC has taken a position opposite to common convention by encouraging system administrators to not require time-based password resets. Instead, passwords should only be changed when an account is suspected to be compromised.
"Protecting only against an APT is akin to putting a very strong lock on a door while leaving all your windows open." -- Bill Brennan
- Configuring firewalls correctly. This ensures that a CISO knows what traffic can pass and can control everything that they do not wish to traverse their network.
- Restricting administrator privileges only to specific accounts and only for specific purposes. This needs to be factored with usability in mind, as end-users need to be able to effectively perform their work requirements without requiring system administrator access.
- Utilizing multifactor authentication or even more advanced risk-adaptive authentication technologies for all remote access connections to the network. Additionally, utilize this technology for other tasks such as system administration and any other application that would benefit from enhanced authentication capability.
- Regularly reviewing, analyzing, and applying cyber intelligence gained from system or network logs. This allows a CISO to learn even from those attacks they are able to block.
Judiciously applied, multiple layers of technological measures can flesh out a defense-in-depth strategy, complementing these cybersecurity best practices. Consider the following as key weapons in your cybersecurity arsenal:
Security Incident and Event Management (SIEM) software. This identifies and logs suspicious activity on the network and is an important component in a security analytics strategy. Over time, this can help organizations identify threat trends and can also help them understand where best to spend their cybersecurity dollars. In selecting a SIEM solution, be sure to understand your requirements and ensure that you have trained staff who can operate the solution effectively. A SIEM is an extremely valuable tool when utilized the right way; otherwise, it can quickly become cumbersome and overwhelming.
Endpoint detection. By logging events on client computers in a central database, security teams can analyze them over time and flag suspicious behavior. This can help to spot not only infected computers, but also early signs of dangerous user behavior. This is becoming a key component in insider threat detection and is the front line in the protection from attacks such as ransomware. It is good practice to select an endpoint protection product that includes behavior-based analysis of system activity to detect those attacks for which there are no currently known indicators.
Backups. While not always considered a key part of enterprise security, backups become a strategic business continuity tool when the worst happens. A CISO should have the ability to re-establish enterprise systems from known good backups if the need should arise. In this area it becomes prudent to not only test the backups but also ensure that vigilant protection is provided to the networks and endpoints. A backup is no good if it is infected with the same attacks as current operations.
Encryption. Sensitive data should be encrypted, not just at rest but in transit across networks.
Advanced user identification. This technology uses a range of techniques to authenticate users, ranging from electronic signatures in two-factor authentication to biometric recognition. By using 'something you are' in addition to 'something you know' and 'something you have,' biometrics can dramatically raise the bar for attackers by making it far more difficult to gain unauthorized access to systems. Techniques for effective biometric identification have traditionally included voice recognition and fingerprint scanning, but techniques such as iris scans and vascular (vein) identification are also promising.
Justifying Cybersecurity Investments
CISOs deploying these technologies should underpin them with a concrete ROI strategy to justify their investment. They can accomplish this by mapping their technology investments against the cyber kill chain, which characterizes an attacker's journey from network reconnaissance through to fulfilment of their objectives.
Analyzing security events – and which product detected and blocked them at which point in the kill chain – helps CISOs to understand not only how each layer of their defense is contributing to their overall protection, but also how effectively the entire cybersecurity fabric is working. It is also a vital step in maintaining board-level support for cybersecurity activities. In advanced organizations, this analysis not only includes what happened but what could have happened had the first detection not worked. This analysis of events and synthesis of what could have happened had the detection not occurred is critical to organizations when it comes to gaining the most intelligence from each wave of attack.
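The analysis described above, sketched as an added example that is not part of the original article: it tallies which defensive layer blocked each event at which kill-chain stage, then asks which other layer would have been next in line had that first detection failed. The stage names follow the Lockheed Martin cyber kill chain; the layer names, the coverage map, and the events are constructed assumptions.

```python
from collections import Counter

# Kill-chain stages in attacker order (Lockheed Martin naming).
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Assumed deployment: the stages each defensive layer is able to act on.
COVERAGE = {
    "firewall": {"reconnaissance", "command_and_control"},
    "email_gateway": {"delivery"},
    "patching": {"exploitation"},
    "endpoint_detection": {"exploitation", "installation", "actions_on_objectives"},
}

# Constructed sample events: (event id, layer that blocked it, stage of the block).
EVENTS = [
    ("evt-1", "firewall", "reconnaissance"),
    ("evt-2", "email_gateway", "delivery"),
    ("evt-3", "email_gateway", "delivery"),
    ("evt-4", "endpoint_detection", "installation"),
    ("evt-5", "firewall", "command_and_control"),
    ("evt-6", "endpoint_detection", "actions_on_objectives"),
]

def blocks_by_layer(events):
    """How many events each layer stopped (its contribution to overall protection)."""
    return Counter(layer for _, layer, _ in events)

def blocks_by_stage(events):
    """How far along the chain attacks got before being stopped."""
    counts = Counter(stage for _, _, stage in events)
    return {stage: counts.get(stage, 0) for stage in STAGES}

def next_line_of_defense(layer, stage):
    """If `layer` had missed at `stage`, return the first stage (same or later)
    where a different layer could act, and those layers. The layer that missed
    is treated as bypassed for the rest of the chain (a conservative assumption)."""
    for later in STAGES[STAGES.index(stage):]:
        others = sorted(l for l, st in COVERAGE.items() if later in st and l != layer)
        if others:
            return later, others
    return None, []

def what_if_report(events):
    return {eid: next_line_of_defense(layer, stage) for eid, layer, stage in events}

def single_points_of_failure(events):
    """Events where no other layer stood behind the one that made the block."""
    return [eid for eid, (stage, _) in what_if_report(events).items() if stage is None]
```

With the sample data, `evt-6` is the only event with no second layer behind it, which is the kind of gap this mapping is meant to surface for investment decisions.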
Once a solid technology and process platform for cybersecurity is created, CISOs must then put it in context for senior management. Cyberattacks are just one risk facing today's companies, alongside physical security, protection from natural disasters and financial risk. To govern effectively, the board needs to understand cybersecurity as a contributing element to overall business resilience.
Aligning cybersecurity with business objectives requires a rare and valuable skill set on the CISO's part. Not only do they need the technical and process experience to build a solid defense-in-depth strategy for information systems, they also need the communication skills to articulate the economic and strategic importance of cybersecurity to the rest of the business.
If an effective cybersecurity program can be implemented, the rewards are great. While there is no such thing as 100 percent security, there are ways to armor-plate an organization and make intrusion prohibitively difficult for the lion's share of attackers. By consistently doing the little things, small in both cost and user impact, a CISO can dramatically increase the security posture of an organization.