Guidelines for Adequate Cyber Hygiene

madunixExecutive IT Director
CERTIFIED EXPERT
Name: Fadi Sodah, Experience: +25 years in Information Technology.
The organizational security culture is fundamentally based on good Cyber Hygiene. Each organization must establish its own standards for Cyber Hygiene. There are many essential Cyber Hygiene controls that organizations can implement to reduce the likelihood and impact of cyber-attack.
The question is, how much Cyber Hygiene is enough? Every organization needs to define its own hygiene requirements. One thing is certain: there is no one-size-fits-all solution. Cyber Hygiene should be a routine procedure in every enterprise with a digital processing environment, regardless of size. Small and medium-sized businesses frequently grow without giving much care to data security and often do not have good Cyber Hygiene established in their processes.
 
Many essential Cyber Hygiene controls reduce the likelihood and impact of a cyber-attack; sound infrastructure and user awareness/education are two of the most fundamental.
 
The organization should consider the following points to implement best practices for proper Cyber Hygiene:
 
Policy:
 
The organization should have a formal information security policy. The driver for an information security policy varies by the organization; it could be for compliance reasons, to meet contractual obligations, or in response to a breach. Regardless of the reasons for its development, ultimately, the policy must be approved by executive management and, in some cases, the board of directors, should the organization be large enough.
 
Enterprise Risk Management:
 
The organization should implement comprehensive Enterprise Risk Management (ERM). The ERM process is a vital part of any organization that strives to achieve its objectives: by distributing risk management functions across all levels of the organization, it increases awareness of cybersecurity issues and addresses risk at every level.
 
Data Classification:
 
These days, data leaks are all too frequent and still have the power to ruin an organization's reputation and upend the lives of the directly impacted customers. The organization must put in place security measures to guard against the unauthorized disclosure of its data and potential corruption. The Data Classification Policy is foundational to the overall privacy strategy. Significant sections of this policy include the definition of data classification levels, data owner roles and responsibilities, security controls, and handling instructions for each level. Defining the data categories helps assign and map the appropriate technical and organizational controls to the data and to the systems that store the (private) data.
 
Data Leakage:
 
Data loss prevention (DLP) systems block restricted content from being misused. DLP can help an organization minimize confidential data leakage through backdoors, side channels, or other holes in security that attackers exploit during an incident. DLP protects data in transit and should be placed at the network perimeter. DLP shall be configured according to the organization's Data Classification Policy.
 
Patch Management:
 
The organization shall patch and update the devices, operating systems, and networks as soon as possible. Vendors regularly update operating systems, applications, device drivers, and firmware to address known vulnerabilities. Attackers may target these vulnerabilities, knowing that some organizations may be slow to remediate them. It is critical to update software and hardware to take advantage of these improvements. 
 
Hardening:
 
The organization shall apply a system hardening process by which operating systems, applications, and devices are made more secure by reducing the attack surface. Hardening is most effective as a preventative measure when designing system security. It can also be helpful after an incident, to shut down any lingering effects or purge a system of infection, and it can remove unauthorized users from compromised systems and prevent them from regaining access. The following are some examples of hardening:
  • Deactivate unnecessary components.
  • Disable unused user accounts.
  • Restrict host access.
  • Restrict shell commands per user or per host for least-privilege purposes.
 
Awareness:
 
Without comprehensive education, user-based attacks such as social engineering will be a significant source of risk for an organization. In addition to teaching users about the inherent risks of using technology, it is essential to educate them on the policies and procedures required to operate safely within the organization's systems.
 
Training should also consider the types of access and roles that employees have. Specific training mechanisms can range from subtle reminders through on-screen messaging at login, through paper-based pamphlets on employee desks or common areas, to training for particular elements of enterprise operations (devices, software, building security, etc.).
 
Backup:
 
Organizations will likely continue to fall victim to cyber-attacks because of weak infrastructure and poor employee awareness. The organization benefits from a solid backup policy and procedures covering all data and systems, particularly for large-scale incidents that damage many assets.
 
According to the "Golden Rule" of backups, the organization should have three copies of its systems, two of which should be kept offsite. Many businesses select cloud storage for that offsite copy, but they must also store one copy offline to safeguard backups from ransomware attacks. Ideally, one offsite backup will be sufficiently segmented from the organization's primary operations to remain unaffected by a breach or disaster.
 
Business Continuity:
 
Organizations should have a business continuity plan (BCP) and Disaster Recovery Plan (DRP). The BCP is a document containing the vital information an organization needs to keep running in the case of a disaster. The BCP should define the business's core functions, indicate which systems and procedures must be maintained, and explain how to do so. Furthermore, a DRP aims to plan for the timely re-establishment of an IT infrastructure. It aims to enable the operational/functional recovery of services in the event of a disaster. DRP is just a subset of BCP.
 
Business Impact analysis (BIA) is the basis on which the BCP of an organization is defined. The final version of the BCP results from iterations between defining Business Continuity Strategy and choosing and implementing solutions.
 
Vulnerability Assessment and Penetration Testing:
 
Vulnerability assessment and penetration testing are used to evaluate systems in light of an organization's security posture, but they serve different goals.
 
Vulnerability Assessment:
  • Focus on specific known technical vulnerabilities.
  • Largely automated, using scanning tools.
  • Minimal disruption in system operation since the focus is on data collection.
  • Performed frequently and monitored on an ongoing basis.
  • Performed by internal personnel, typically.
  • The cost is minimal and ongoing. 
 
Penetration Testing:
  • Focus on vulnerabilities including specific known technical, multiple known technical, unknown technical, and non-technical (social engineering and physical).
  • Largely manual, supplemented with automated tools, and driven by human intuition.
  • Disruption in system operation is potentially significant since exploits such as DDoS may be conducted.
  • Not performed frequently, because the tests are expensive, time-consuming, and potentially disruptive.
  • Internal or external, often a combination of both.
  • The cost is higher and on an individual basis.
 
Incident Handling and Response Planning:
 
Before a security incident occurs, the organization should plan and implement an incident-handling capability that includes the skills, roles, procedures, processes, and tools needed to respond to security incidents. The goal should be an incident response plan that enables the organization to detect compromises as quickly and efficiently as possible, respond to incidents as quickly as possible, and identify the cause as effectively as possible.
 
The steps below should be considered in Incident Handling and Response Planning (IHRP). They may vary from organization to organization, but a general process is as follows:
  • Plan for and identify the incident.
  • Initiate incident handling protocols.
  • Record the incident.
  • Evaluate and analyze the incident.
  • Contain the effects of the incident.
  • Mitigate and eradicate the negative effects of the incident.
  • Escalate issues to the proper team member, if applicable.
  • Recover from the incident.
  • Review and report the details of the incident.
  • Draft a lessons-learned report.
 
Encryption:
 
Encryption can reduce or eliminate the impact of a data breach, should one occur. The organization must take control of sensitive data wherever it resides, whether in transit or stored on a server somewhere, on or off organization premises. Encryption can be implemented at different points:
  • Data in motion (DIM): IPSec can be used via VPN; SSL and TLS can be used across the web.
  • Data at rest (DAR): Disk encryption or encryption managed by a storage system.
  • Data in use (DIU): Information rights management (IRM) and digital rights management (DRM). DRM has been used in the entertainment industry (e.g., CDs, DVDs, software); IRM is meant more specifically for documents.
 
Logging Management:
 
The organization should have a Security Information and Event Management (SIEM) system to provide real-time or near-real-time analysis of security events generated by networks and applications. A SIEM is a centralized log management system that gives the organization visibility into network and application traffic and supports continuous monitoring and reporting on the success and failure of enforcing policy engine rules.
 
A SIEM is essential to detect and monitor intrusion points for security incidents, help the organization prevent cyber threats, and minimize data breaches. To have solid log management, the SIEM needs proper fine-tuning to decrease false positives and reduce the time needed to derive intelligence from correlation.
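As an added illustration of the correlation and tuning mentioned above (example code, not from the article or any SIEM product), the following rule flags a burst of failed logins followed by a success from the same source, and uses an allow-list (for example, an approved internal scanner) to suppress known-benign sources. The log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an sshd-like format (not from the article).
SAMPLE_LOGS = """\
2024-03-01T08:00:01 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:03 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:05 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:09 host1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T08:10:00 host1 sshd: Failed password for bob from 198.51.100.4
2024-03-01T08:10:02 host1 sshd: Failed password for bob from 198.51.100.4
2024-03-01T08:10:04 host1 sshd: Failed password for bob from 198.51.100.4
2024-03-01T08:10:06 host1 sshd: Accepted password for bob from 198.51.100.4
2024-03-01T09:00:00 host1 sshd: Failed password for carol from 192.0.2.9
2024-03-01T09:00:30 host1 sshd: Accepted password for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$")

def parse(lines):
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def correlate(events, threshold=3, window=60, allowlist=()):
    """Alert when >= threshold failures from one source for one user are followed
    by a success within `window` seconds; sources in `allowlist` are suppressed."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window]
        if len(recent) >= threshold and ev["src"] not in allowlist:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(recent), "success_at": ev["ts"].isoformat()})
        failures[key].clear()  # a success ends the burst for this source/user pair
    return alerts
```

Raising `threshold` or shortening `window` is the kind of tuning that trades missed detections for fewer false positives; the allow-list removes a known-benign source without loosening the rule for everyone else.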
 
Zero-Trust:
 
The Zero-Trust concept is based on the principle "Never Trust, Always Verify": treat every user, device, application, and data flow as untrusted. It focuses on securing authentication and authorization mechanisms on a per-transaction basis.
 
No organization can eliminate cybersecurity risk. However, when Zero-Trust complements existing cybersecurity policies, standards, guidelines, identity and access management, and an adequately implemented and maintained continuous monitoring program, it can reduce overall risk and protect against common threats by deploying technologies such as:
  • Multifactor Authentication (MFA): Implement access management and identity verification to mitigate cyber-attacks. If an organization uses a VPN for remote work, secure it with multifactor authentication to avoid unauthorized access to the corporate network.
  • Least privilege access: Limits user access to the applications and data necessary to do their job. Review organizational security policies to conform with the "principle of least privilege." Ensure every employee account has access only to the assets and features the employee needs and nothing more. This ensures that if an account is compromised, the attacker cannot exploit some unwarranted privilege to inflict damage. Privileged Access Management (PAM) adds the ability to secure, control, and manage privileged access to critical assets and applications.
  • Micro-segmentation: Divides up a network into individual micro-segments with different access credentials.
  • Continuous monitoring: Monitor, analyze, and audit logs.
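To show what "per-transaction" verification looks like when the four items above are combined, here is an added example (not from the article, and not any vendor's policy engine): each request is denied unless MFA, device posture, micro-segmentation and least-privilege entitlement all pass, and every decision is written to an audit record for continuous monitoring. The roles, segments and applications are hypothetical.

```python
from dataclasses import dataclass

# Constructed, hypothetical policy data (not from the article).
ROLE_ENTITLEMENTS = {   # least privilege: role -> allowed (app, action) pairs
    "finance": {("erp", "read"), ("erp", "write")},
    "helpdesk": {("ticketing", "read"), ("ticketing", "write"), ("erp", "read")},
}
SEGMENT_RULES = {       # micro-segmentation: app -> source segments allowed to reach it
    "erp": {"corp-wired", "vpn"},
    "ticketing": {"corp-wired", "corp-wifi", "vpn"},
}

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    source_segment: str
    app: str
    action: str

AUDIT_LOG = []  # continuous monitoring: every allow/deny decision is recorded

def authorize(req):
    """Evaluate one transaction with nothing trusted by default.
    Returns (allowed, reason); the first failing check decides."""
    checks = [
        (req.mfa_verified, "mfa not verified"),
        (req.device_managed and req.device_patched, "device posture failed"),
        (req.source_segment in SEGMENT_RULES.get(req.app, set()), "segment not allowed"),
        ((req.app, req.action) in ROLE_ENTITLEMENTS.get(req.role, set()), "not entitled"),
    ]
    for ok, reason in checks:
        if not ok:
            AUDIT_LOG.append(("DENY", req.user, req.app, req.action, reason))
            return False, reason
    AUDIT_LOG.append(("ALLOW", req.user, req.app, req.action, "all checks passed"))
    return True, "allowed"
```

Note that a valid credential alone never grants access: the same user and role is refused when the device is unpatched or the request arrives from a segment that is not permitted to reach the application.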
 
Conclusion:
 
The organizational security culture is fundamentally based on good Cyber Hygiene. Each organization must establish its own standards for Cyber Hygiene. To change the organization's security culture, the staff must be more than just aware; they must participate in learning to build a sound information security program based on comprehensive, integrated, and optimized technology solutions that are not restricted to a single category.
 