“Cyber Hygiene”: you know the term, but what does it really mean? Some say it is an ill-defined set of practices for individuals to follow (or ignore). Others say it is a measure of an organization’s overall commitment to security. Still, others think of “cyber hygiene” as simple, readily available technologies and practices for cybersecurity.
In a famous graduation speech at Annapolis in 2014, Admiral William H. McRaven spoke about his training as a Navy SEAL, when he learned the importance of doing simple things consistently and correctly. Here are some key thoughts from that speech.
“Every morning we were required to make our bed to perfection. It seemed a little ridiculous at the time, particularly in light of the fact that were aspiring to be real warriors, tough battle-hardened SEALs, but the wisdom of this simple act has been proven to me many times over.”
“Making your bed will also reinforce the fact that little things in life matter. If you can’t do the little things right, you will never do the big things right.”
“If you want to change the world, start off by making your bed.”
Too often, we in the cybersecurity world talk about the need for new approaches, for dynamic new technologies and concepts to fight the never-ending battles in cyberspace. We like to view ourselves as “tough, battle-hardened” warriors, but we forget to make our beds.
Here are five basics that require regular, even daily, attention. You might notice a not-so-subtle similarity to the CDM program phases.
1. Inventory (aka CDM Phase 1)
Inventory is not static, particularly in a world with mobile devices and cloud installations everywhere. Does your organization know what’s on the network? Are systems in place not just to acquire and manage a reliable inventory, but to keep that inventory up-to-date? Most importantly, can your organization block devices that don’t belong on the network, either because they are not compliant with policy, or belong to an adversary?
2. Configuration and Patch Management
Does your organization document all policies for configuring devices and systems on your network? Can your security systems detect configuration changes, and enforce proper settings? Does it have a patch management system, including a stringent testing, deployment, and rollback process? Are unnecessary processes running on servers? Are unused ports open on firewalls? Yes, you’ve heard all this before; but does your organization actually follow these practices?
3. Identity Management – Especially privileged users (CDM phase 2)
Does your organization know who is on the network? More importantly, do they know what those people are authorized to do, and do those authorizations match work requirements? Does your organization update user directories in response to terminations, transfers, promotions, and changing work requirements?
4. What’s going on? (CDM Phase 3)
Can your security systems identify anomalous user behavior? Does your agency document you know where data is allowed to go — and where it is NOT allowed to go? If a user or system behaves strangely, how timely and effective is the response?
5. What about the data? (CDM Phase 4)
Many organizations have an incomplete picture where sensitive data resides on their network – and know even less about where that data should flow. Just as securing devices and software starts with a reliable inventory, securing data requires knowledge of its location and acceptable destination. Does your organization document data locations – which can be dynamic – and does it maintain accurate, up-to-date diagrams of data flow between systems?
All five of these items are mundane but essential, but too many organizations fail to give them regular, conscientious attention. Think of them as the foundation of a house—if the foundation is just a little crooked, the higher floors will be skewed, and the building will collapse.
Cyber hygiene may not be glamorous, but it is absolutely indispensable to a solid security program. Remember Admiral McRaven and the SEALs, who make their beds every day, and take pride in the task.
Watch this on-demand webinar as Don MacLean, Chief Cybersecurity Technologist of DLT explores this topic with representatives from our premier partners Steve Potter, VP Global Sales of Polyverse, David Henderson, Manager-Systems Engineering Federal of Tripwire, and Paul Parker, Chief Technologist-Federal & National Government of SolarWinds.