Good hygiene habits are drilled into us from a young age, and for good reason! Neglect to wash your hands, take a shower, use deodorant, or brush your teeth, and you could find yourself friendless, dateless, and quite possibly sick.
While they probably won’t stop you getting a date, bad cyber hygiene habits can be just as harmful to your company’s health. They leave you, your clients, and your customers vulnerable to a host of threats, including hackers, viruses, data theft, and data loss. Ultimately, they can damage your reputation beyond repair and even land you in serious financial and legal trouble.
What is Good Cyber Hygiene?
You’ve presumably mastered the art of personal hygiene by now! But what does good cyber hygiene look like? First, let’s look at exactly why it’s necessary. There are two key reasons: performance and security.
Just like brushing and flossing every day keeps your teeth in optimum condition, good cyber hygiene keeps your IT systems working at peak performance. When your systems are functioning at their best, you’ll save valuable resources and deliver a great customer/client experience to boot. And more importantly, regular maintenance will help you to spot and close security gaps before they can be exploited.
Security threats like hacking, viruses, malware, spyware, and data theft are becoming more sophisticated by the day, and they have the potential to bring your business to its knees. Just as you can ward off illness and stay healthy with good personal hygiene, you can stay ahead of threats and minimize their impact on your business with solid cyber hygiene routines.
Now let’s talk about what these cyber hygiene routines look like in practice…
The 12-Step Program
At CyberSheath, we recommend a thorough 12-step routine for impeccable cyber hygiene. To be truly effective, this routine should be:
• Part of an official company security policy.
• Built into your organizational culture.
• Universally adopted across your business.
Why is this necessary? Well, you’re only as strong as your weakest link. It only takes one careless employee to leave your entire business vulnerable to malfunction or attack. By formalizing your routine, promoting a ‘security first’ culture, and encouraging widespread compliance, you’re sending a clear message that lapses are not an option.
The program begins with a fundamental step…
1. Take an inventory
In order to properly protect your assets, you first need to document them. The most efficient way to do this is to group them into three categories:
• Hardware, such as computers, printers, scanners, smartphones, and tablets.
• Software programs installed on your devices, such as web browsers or messaging systems.
• Remotely hosted applications like cloud-based storage drives or smartphone apps.
Next, create an inventory of your assets under each of these categories and make a record of details like installation date, license expiry date, version number, date last used, and authorized users. This information will help you to identify security vulnerabilities, such as outdated software or unrestricted equipment usage.
2. Implement secure password practices
Password security is one of the easiest ways to practice cyber hygiene, but it’s also one of the most neglected. You’d be amazed just how much sensitive data is ‘protected’ with weak passwords such as… well, ‘password’!
Today’s computers, smartphones, and tablets come with security options ranging from simple text passwords to bio-recognition (think fingerprint and iris scanners), so there’s simply no excuse not to have your devices protected. The same applies to software and online applications, particularly those that are mission-critical or contain highly sensitive data.
The best text passwords are a complex mix of numbers, letters, and symbols, with no link to identifiable information like names, birthdays, or employee numbers. It’s important that they’re memorized, rather than written down, and they should never be shared. In fact, it’s good practice to incorporate a ‘no-sharing’ rule into your company’s formal code of conduct.
A final note on password security: encourage your team to log out of software, apps, and devices when not in use, especially if they’re leaving their desks.
3. Use multi-factor authentication
For particularly sensitive devices, programs, or applications, such as email accounts or mission-critical hardware, multi-factor (AKA two-step) authentication adds an extra layer of security.
After the user has entered their password, they’re typically required to enter another passcode, answer a question, or submit biometric information like a fingerprint in order to gain access. That means that, even if somebody does manage to obtain the user’s password, they still can’t access their accounts.
If you’re using a passcode, it’s good practice not to request the full code. Instead, ask for specific characters from the code at random. This reduces the risk of a malicious party obtaining the full code and gaining unauthorized access to your systems.
4. Keep up with software updates
We’re all guilty of ignoring those software update notifications when we’re in the middle of an important task. However, it’s essential to pay attention to these updates for several reasons.
Not only do updates increase the performance, functionality, and efficiency of your software, they usually include ‘fixes’ for security issues that have been identified after launch. If you fail to keep your software updated, you might find yourself missing out on great new features at best, and exposing yourself to serious security breaches at worst.
Another problem is that software developers often phase out support for previous versions of their software. In the same way that Apple will no longer help you with an iPhone 5, you may find that your developer will no longer be able to fix issues in software that’s five versions behind the most current one. If your essential software packs up and the developer can’t help you, where does that leave your business?
For peace of mind, resist the urge to snooze your software notifications, or even set them to automatic. Note that some malware can disable your automatic updates, so check back periodically just in case.
5. Patch up security holes regularly
Security vulnerabilities are often picked up by software developers between versions. Rather than leave their users exposed until the next update, developers will release ‘patches’ to protect them in the meantime.
Like software updates, patches are often neglected, but they’re one of the biggest security risks for your business. Think about it — if you know there’s a security hole, so do hackers. They then actively look for unpatched software that they can exploit.
Patching can be a tedious process, especially in larger organizations, but it really is worth taking the time to keep your software protected. That applies to the software on connected devices like printers, too.
6. Replace outdated hardware
Just like software, hardware is continually being updated and improved. And like software, falling behind on your hardware updates will leave you vulnerable to poor performance and avoidable security threats.
If you’ve identified outdated hardware in your inventory, update it now to maintain peak performance and full security compliance. If the hardware is no longer being used, disconnect it from your network and properly remove any sensitive data within it.
7. Control installations
Software downloads can be used as a vehicle to implant viruses, malware, and spyware on your systems. For that reason, it’s essential that users are not given free rein to install software on their company devices.
Develop a policy that governs which employees can install which software on which devices. You might decide that only certain groups of users are allowed to install software, or you might allow installations from trusted sources, or you might require that all installations are approved first. Whatever your specific policy looks like, it should be controlled centrally by you or your IT team, and not on an individual basis.
8. Limit users
In order to minimize the potential damage from a hacking or malware attack, it’s important to carefully control the level of access your employees have to devices and programs.
For example, if 200 of your employees can access a system, that’s 200 routes by which a hacker can enter that system. If only 100 of them actually need to use that system, you can cut your risk in half by restricting access to an ‘as-required’ basis.
If all 100 of those users have admin rights, that’s 100 opportunities for a hacker to inflict damage on your system. If you restrict admin rights to the 10 employees that need it, you’ve cut your risk again by 90%. You get the idea!
For each item in your inventory — hardware, software, and applications — evaluate which of your employees needs access, and what privileges they need within the system to in order to do their job. Everybody else should be restricted accordingly.
9. Back up data
Even with the very strictest of security, life still happens. Loss, damage, technical malfunction, sabotage, and theft can never be fully prevented, so make sure you have a reliable system for backing up your data — both yours and that of your clients and customers.
Ideally, you’ll have back-ups of your data in multiple formats and locations. Copies of digital data should be stored on an encrypted, cloud-based server, while copies of physical data and documents should be stored in a secure off-site location.
Build regular data back-ups into your security plan. If possible, automate the process to save time and money, and of course, to eliminate the risk of forgetting.
10. Invest in training and awareness
When it comes to keeping your business safe, knowledge truly is power, so take the time to identify knowledge gaps within your team and provide training as necessary. This will fortify your business from top to bottom, teaching everything from password etiquette and best-practice software usage to threat identification and crisis management.
11. Develop an incident response plan
Despite your best efforts, the worst has happened — you’ve been hacked. What do you do?
If you don’t have an answer to that question, then now’s the time to find one! The best incident response is the one that’s planned, rehearsed, and perfected ahead of time, ready to be rolled out seamlessly if and when disaster strikes.
Work with your IT team on developing responses to all possible threats you might face. Consider what actions will be needed, who will take responsibility for them, and whether they have the skills and knowledge necessary to do so. Make sure everyone understands their role and hold regular drills to keep the procedure fresh in everybody’s minds.
12. Employ a cybersecurity framework
For organizations that deal with particularly sensitive data — think government or defense suppliers, for example — it may be wise to consider adopting a more advanced security framework. Industry-standard protocols like the NIST Framework and the CIS Benchmark offer you standards, guidelines, and best practices to manage cybersecurity risks in critical environments, protecting both your business and your clients from a threat.
And finally, the Golden Rule…
If in Doubt, Leave It to the Experts
When it comes to cybersecurity, you can’t just wing it! If you don’t have the resources or the expertise to properly manage your security in-house, then don’t take the risk — outsource it to professionals. A Managed Security Services Provider (MSSP) like CyberSheath can take all of the work and the worry out of cybersecurity. We already have the infrastructure and the experts in place, so we can quickly set up a bulletproof, fully staffed security system with minimal effort on your part.
CyberSheath’s MSSP is also one of the most cost-effective security options available to businesses like yours. We keep your costs consistent and predictable, which gives you much more control over your budget, and you benefit from the latest in security technology without having to invest in research and development.
To learn more about cyber hygiene and discuss how your business could benefit from the cost-effective, comprehensive protection of an MSSP, contact us now for a no-obligation discussion.
Every day of every week successful attacks have exploited hijacked privileged credentials. Attackers obtain domain level Windows admin credentials by exploiting common vulnerabilities found in most enterprise IT environments. These attack techniques are easy to deploy with the proliferation of toolkits for creating malware. Attackers routinely achieve complete network takeover and execute massive data exfiltration. According to the FireEye M-Trends 2016 report, targeting highly privileged accounts and extracting credentials from memory has become “almost trivial” in Windows environments.
Given the increasing awareness of the role of privileged accounts in these attacks, protecting privileged credentials is becoming a top priority at many organizations today. The Center for Internet Security (CIS) acknowledges this fact by including both Continuous Vulnerability Assessment and Remediation (CIS Control 4) and Controlled Use of Administrative Privileges (CIS Control 5) in the top 5 list of things to do to “Eliminate the vast majority of your organization’s vulnerabilities.”
This thinking has been endorsed by the U.S. Government in the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a recommended implementation approach for the Framework, European Telecommunications Standards Institute (ETSI), National Governors Association (NGA) and the U.K.’s Centre for the Protection of National Infrastructure (CPNI). The data is in and highly knowledgeable practitioners from across every sector and aspect of the business agree that these twenty actions (the CIS controls) stop the vast majority of the attacks. So, if you want to stop the bleeding start addressing Privileged Account Management now.
Addressing this risk doesn’t have to take long and in fact, with a sufficient sense of urgency, material risk reduction can be accomplished in a matter of weeks. Anyone who has been on the operational response side of a significant data breach can attest to the incredible progress that is usually made when, post-breach, Privileged Account Management becomes an executive priority.
This blog offers you an approach to make Privileged Account Management an executive priority before the breach.
Get the Data: How Vulnerable Is Your Organization?
To make the case for comprehensive Privileged Account Management look at common practices that have become common vulnerabilities and get the data specific to your organization. Security professionals know that they need to minimize administrative privileges and only use administrative accounts when they are required in conjunction with auditing of the use of administrative privileged functions and monitoring for anomalous behavior.
Given these generally accepted principles, if your organization is doing any of the following you probably have a significant opportunity to reduce risk:
- Providing end-users with local admin rights on their workstations
- Allowing IT helpdesk staff to use domain admin accounts for troubleshooting workstations and servers
- Giving IT admins access to domain admin accounts
- Building workstations with cloned images resulting in them having the same local administrator password
- Not rotating administrator passwords more frequently than every 30-60 days
- Using AD Group Policy to rotate one administrative password for all machines
- Allowing accounts used by applications to have domain administrator privileges
Most likely your organization is doing one or all of the above and might not even have a complete understanding of how prolific the problem is.
At this point you might be thinking “Thanks for telling me what I already know, I need to know what to do.” Fair point. Start by using automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized.
There are many tools available to do this kind of scanning and CyberSheath recommends CYBERARK DNA™, a no-cost tool that will:
- Discover privileged accounts on-premises, in the cloud, and in DevOps environments
- Assess privileged account security risks
- Identify accounts with local administrator rights
- Identify machines vulnerable to credential theft attacks
CYBERARK DNA™ will tell you how vulnerable your organization’s privileged accounts are and give you the detail behind critical questions like:
- On which systems do privileged accounts exist?
- Which accounts have escalated privileges?
- Which machines contain SSH keys, and what trust relationships exist between systems?
- Which machines on the network are vulnerable to credential theft attacks, including credential harvesting, Pass-the-Hash, Overpass-the-Hash, and Golden Ticket?
- Where are embedded and hard-coded credentials stored within applications?
- Who are my most privileged Amazon Web Services (AWS) IAM users and what AWS credentials exist?
- Are there hidden unprotected credentials in my DevOps tools? (such as in Ansible Playbooks, Roles and Tasks)
- Which privileged accounts are not in compliance with company policy? (i.e. password has not been changed in more than 90 days)
Once you have answers to these questions you will have the data that you need to holistically and proactively reduce the risk associated with Privileged Account Management.
Recent updates from the FDA on securing network-connected medical devices show that there is a growing concern for security surrounding the medical industry. Hospital networks, medical devices, and other critical infrastructure are all at risk. An article from Threatpost.com last week covered the Kaspersky Lab Security Analyst Summit, in which a researcher from Kaspersky Lab was able to breach a Moscow hospital network. What did he find? According to the article, “…a shocking array of open doors on the network and weaknesses in medical devices and applications crucial not only to the privacy of patients but also their physical well-being.”
While this may or may not be surprising, I do find it concerning that security appears to be an afterthought for the medical device industry. Protecting patient information, ensuring wearable medical technology is secure and shoring up defenses for medical devices should be paramount. As FierceMobile Healthcare predicted in late-December 2015, the Internet of Things will play an increased role in healthcare in 2016. Security should be incorporated at the start of the process, rather than strapping it on at the end and hoping that the security features do their job. By working security into the process, medical device manufacturers are taking the time to ensure software and applications within these devices are developed using secure standards, as this one proposed by the IEEE.
In the previous example of the Moscow hospital network, backdoors, vulnerable software, and poorly secured configurations – all can be mitigated with regular vulnerability management. Instituting scans, remediation plans, mitigating vulnerabilities, and patching out of date software are all part of a robust vulnerability management program. This type of program makes your organization more proactive, rather than reactive. Planning for routine updates and fixes to your devices will keep your patient and data safe.
It is good business and best practice to secure medical devices, hospital networks, and patient healthcare information. It is also important for medical device manufacturers to understand their vulnerabilities to know where you stand. If your organization hasn’t conducted a security assessment to review your security program, that would be the place to start. With a roadmap in hand, your next step is to begin identifying and remediating the risks. Where are your gaps? Do you have a vulnerability management program? Do you know what medical devices connect to your network regularly? All of these questions will help you develop a stronger security program.
How CyberSheath Can Help You Manage Your Risk
Taking the defense-in-depth approach to securing your network is effective at managing risks. In order to manage these risks, a picture of your network must first be obtained. Whatever your security needs are, CyberSheath can assist you along the way. From conducting an information security assessment to building a security program, let us help you secure your data.
How critical is vulnerability management to your business?
Whatever your view is on vulnerability management (VM), it can’t be denied that it is important to your overall cybersecurity but equally difficult to successfully implement. In today’s world, data is fluid and distributed across complex and decentralized computing environments, resulting in greater exposure to your data being compromised. Nevertheless, with vulnerable assets creating target rich environments for cybercriminals and other attackers, you need to protect your data, and you need vulnerability management. To help you make the right decisions and be smart about your VM program, I have compiled 10 ways you can become a vulnerability management ninja and maximize your security investment.
1. The Who and the How
Designate a team or individual that will oversee the successful cradle to grave execution of all VM related processes. The designated team or individual should develop processes for discovery, reporting, prioritization, and response. The team should be effective communicators and work well with the business.
2. Select the Right Tool …or Reconfigure Your Existing Tool
If you haven’t already, you should read our blog post Too Many Tools. The last thing you want to do is add another useless brick to your cybersecurity wall. Vulnerability Assessment tools are categorized into two broad categories, Host-based, and Network-based. For purposes of brevity I will dive into network-based scanners. Network-based tools run on centralized scanner appliances, often operate anonymously (requiring no logins), and can scan a range of hosts for vulnerabilities. If reconfiguring or implementing a brand new vulnerability management tool, make sure that the tool scans for vulnerabilities on a wide range of applications and devices including Email servers, HTTP servers, FTP servers, and DNS servers.
3. Schedule, Schedule, Schedule!
An effective VM program relies heavily on a scheduled process. Scheduling should be isolated to specific windows in a given month, organized by asset types (e.g. desktop, servers, network devices, etc.). Scanning should also be integrated into the change management process. As changes occur regularly on many networks and systems, each change can potentially introduce new vulnerabilities or issues which could undermine security.
4. Discover and Identify your Assets
In order to secure something, it is important to first know that it exists, what it is and where it is located. Therefore one of the first types of vulnerabilities scans to be scheduled (see #3) should be a discovery scan. A crucial step in securing your data is to use the discovery scan to identify all the various assets on your network. These assets should include every element that makes up the computing environment such as routers, switches, servers, firewalls, printers operating systems, system software, and application software.
5. Determine Your Crown Jewels
Discovered assets should undergo an asset valuation process in order to determine the intrinsic value of an asset and identify the most critical assets to the business (a.k.a. the crown jewels). Asset valuation enables responsible protection prioritization whereas improper asset valuation can drive decision-makers to make the wrong decision. In order for an asset to introduce any potential for loss, it must introduce some level of value or liability.
6. Identify and Prioritize Your Vulnerabilities
When it comes to vulnerability management knowledge is power. Just knowing what vulnerabilities exist for each asset and the criticality of that vulnerability (see #5) is essential in determining how best to secure it. Vulnerabilities may exist on each device and asset due to missing patches, old software, weak passwords, or poor configurations. Identified vulnerabilities should then be rated by their level of difficulty to exploit, relevance to the environment, and the damage that could be caused by exploitation.
8. Effective Communication is Key
The scan results should be compiled and organized into an actionable report and delivered to the appropriate stakeholders. In the report, each vulnerability should have a pragmatic remediation option attached to it. More often than not, the vulnerability assessment tool will actually provide remediation actions and generate a report for delivery. If an identified vulnerability is severe enough then incident response procedures should be invoked to ensure rapid response times and proactive actions for potential incidents.
9. Don’t Forget to Remediate!
The vulnerability assessment tool should provide specific guidance for mitigation, which generally involves installing a patch, upgrading the software, or disabling/uninstalling a service. In organizations where resources are scarce, patch management teams and system administrators are tasked with updating the vulnerable host. This is why good reporting (see #8) provides a solid foundation to a good vulnerability management program. In the event that a viable mitigation strategy is not available for a given vulnerability, effective vulnerability management practitioners will identify alternative ways to manage the exposure, such as changing firewall rules, increasing log monitoring, or updating IDS attack signatures, until the vendor gives a fix.
10. Good Patch Management = Good Vulnerability Management
A central component of VM is patch management. Patch management ensures that software updates are applied to systems and assets on a regular basis. The patch management process should also be integrated with the change management process to ensure that software updates and releases are applied in a controlled manner. In addition, patch management should look beyond Microsoft patches and include third party applications. This is also a good time to bring up verification. Verification is important to ensure that the vulnerability management process was effective, the patches and mitigation strategies were applied properly and that the identified vulnerability has been dealt with. A solid vulnerability management program will see a trend in the reduction of vulnerability counts when collecting metrics.
Successful execution of these 10 practices will put you well on your way to becoming a vulnerability management ninja. But remember that at the core of a VM program – business to security communication and collaboration is everything. Without clear and concise communication, the symbiotic relationship cannot exist, and your investment in VM becomes shelf-ware.