In the aftermath of a data breach, organizations must answer many questions. But what often isn’t asked is how effective or efficient their cyber hygiene program is, and what role it will play in mitigating future threats.
A cyber hygiene program should help with the most basic internal security management—the stuff that every employee should be involved in. But we also know that humans are the weak link in security, so even when there is a program in place, it often fails because employees aren’t stepping up—or they don’t know they should be stepping up because no one is really in charge of ensuring all the basic security tasks are completed. The failure to follow these tasks leads to a data breach or other incident. And it is the security team—whether that team is on-site or a managed security services provider—who shoulders the blame.
I had the opportunity to speak with Jack Danahy, SVP of Security at Alert Logic, about cyber hygiene programs, how to run them and whether it should be a shared responsibility with vendors. Here’s what he had to say.
Sue Poremba: Could you provide an overview of what a cyber hygiene program is?
Jack Danahy: Well-known campaigns and breaches either begin or are accelerated by breakdowns in the most mundane areas of security and system management. Unpatched systems, misconfigured protections, overprivileged accounts and pervasively interconnected internal networks all make the initial intrusion easier and make the lateral spread of an attack almost inevitable. I use the phrase “cyber hygiene” to describe the simple but overlooked security housekeeping that ensures visibility across the organization’s estate, that highlights latent vulnerability in unpatched systems and that encourages periodic review of network topologies and account or role permissions. These are not complex security tasks like threat hunting or forensic root cause analysis; they are simple, administrative functions that can provide value far in excess of more expensive and intrusive later-stage security investments.
Poremba: When properly followed, how does a cyber hygiene program address risk?
Danahy: “Risk” is exactly the right term. Cyber hygiene eliminates the risk of an exploit on an unpatched system because the system is either patched or is specifically protected by some mitigating control until it can be patched. It eliminates the risk of overpermissioned roles and overly permissive access control by enforcing a regular review against internal guidelines. Cyber hygiene eliminates the possibility of internal-asset blind spots by ensuring that all systems are known, inventoried and monitored.
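The three risk areas Danahy names here (unpatched systems without a mitigating control, over-permissioned accounts measured against an internal guideline, and internal-asset blind spots) can be expressed as simple, repeatable checks. The script below is an added illustration, not code from Alert Logic or from the interview; the asset inventory, role guideline, patch identifiers and discovered-host list are all constructed sample data, and the field names are assumptions chosen for the example.

```python
"""Added example: minimal cyber hygiene checks over a constructed inventory.

Produces the three finding types discussed in the interview:
  - "unpatched": a missing patch with no recorded mitigating control
  - "overpermissioned"/"unknown-role": an account exceeding its role guideline
  - "unknown-asset"/"unmonitored": hosts seen on the network but not inventoried,
    or inventoried but not monitored
All data and identifiers below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    hostname: str
    monitored: bool
    missing_patches: list[str] = field(default_factory=list)
    # patch id -> description of the compensating control in place until patched
    mitigating_controls: dict[str, str] = field(default_factory=dict)


@dataclass
class Account:
    name: str
    role: str
    permissions: set[str]


# Constructed internal guideline: the maximum permission set allowed per role.
ROLE_GUIDELINE: dict[str, set[str]] = {
    "helpdesk": {"password_reset", "read_tickets"},
    "dba": {"db_read", "db_write", "db_backup"},
    "developer": {"repo_read", "repo_write"},
}


def check_patching(assets: list[Asset]) -> list[tuple[str, str, str]]:
    """Flag missing patches that have neither been applied nor mitigated."""
    findings = []
    for asset in assets:
        for patch in asset.missing_patches:
            if patch not in asset.mitigating_controls:
                findings.append(("unpatched", asset.hostname, patch))
    return findings


def check_permissions(accounts: list[Account],
                      guideline: dict[str, set[str]] = ROLE_GUIDELINE) -> list[tuple[str, str, str]]:
    """Flag accounts whose permissions exceed the guideline for their role."""
    findings = []
    for acct in accounts:
        allowed = guideline.get(acct.role)
        if allowed is None:
            # A role with no guideline cannot be reviewed; surface it rather than skip it.
            findings.append(("unknown-role", acct.name, acct.role))
            continue
        extra = acct.permissions - allowed
        if extra:
            findings.append(("overpermissioned", acct.name, ",".join(sorted(extra))))
    return findings


def check_visibility(assets: list[Asset], discovered_hosts: list[str]) -> list[tuple[str, str, str]]:
    """Flag hosts seen on the network but not inventoried, and inventoried hosts not monitored."""
    known = {a.hostname for a in assets}
    findings = [("unknown-asset", host, "") for host in sorted(set(discovered_hosts) - known)]
    findings += [("unmonitored", a.hostname, "") for a in assets if not a.monitored]
    return findings


def run_hygiene_checks(assets: list[Asset], accounts: list[Account],
                       discovered_hosts: list[str]) -> list[tuple[str, str, str]]:
    return (check_patching(assets)
            + check_permissions(accounts)
            + check_visibility(assets, discovered_hosts))


# Constructed sample data (hostnames, patch ids and account names are placeholders).
SAMPLE_ASSETS = [
    Asset("web-01", monitored=True, missing_patches=["PATCH-EXAMPLE-1"],
          mitigating_controls={"PATCH-EXAMPLE-1": "WAF rule blocks the affected endpoint"}),
    Asset("db-02", monitored=True, missing_patches=["PATCH-EXAMPLE-2"]),
    Asset("print-07", monitored=False),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "helpdesk", {"password_reset", "read_tickets"}),
    Account("bob", "helpdesk", {"password_reset", "read_tickets", "domain_admin"}),
    Account("carol", "contractor", {"repo_read"}),
]
SAMPLE_DISCOVERED = ["web-01", "db-02", "print-07", "nas-99"]

if __name__ == "__main__":
    for kind, subject, detail in run_hygiene_checks(SAMPLE_ASSETS, SAMPLE_ACCOUNTS, SAMPLE_DISCOVERED):
        print(f"{kind:16} {subject:10} {detail}")
```

Each check is deliberately independent so it can be run on its own schedule: patch status daily, permission review against the guideline on whatever cadence the organization sets, and the inventory reconciliation whenever discovery data is refreshed. The "unknown-role" finding is included on purpose; an account whose role has no guideline is exactly the kind of gap a periodic review is meant to surface.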
Poremba: Who should run such a program and who should participate?
Danahy: The necessary breadth in the scope of cyber hygiene creates an opportunity for equally broad participation by technical, administrative and business managers. The program should be led by an organization’s security team or leader. This is so that there can be a balanced and objective view of the elements and urgency of the plan, one that is continuously revisited in the context of potential new threats.
The execution of most of cyber hygiene falls squarely on the shoulders of the IT, network and support teams. These functions and their implementation are actually system and network management tasks and are foundational to security only because of the tactics that attackers will use to capitalize on them when they are performed incompletely or incorrectly.
The business unit managers and corporate administrators also have a role to play, as the impact of system updates, network segmentation and account provisioning extends well beyond the IT or security teams.
Poremba: Should the cyber hygiene program of the future be a shared responsibility between organizations and their cyber vendors?
Danahy: Certainly. There is so much solid input from business context that will shape the actual model for cyber hygiene that a partnership with shared responsibility is the only way to be confident of success. When an organization washes its hands of responsibility for cyber hygiene, or a vendor dictates a rigid policy that doesn’t flex with organizational change, security begins to weaken almost immediately. When there is not a shared responsibility for managing and maturing the system, the value of the original effort diminishes pretty quickly.
Poremba: And because many companies and security teams work with multiple security vendors, how exactly would this work? Could it work?
Danahy: It can work and does work. Cyber hygiene describes the confluence of services and tools that provide the information necessary to prioritize risk, the capability to upgrade, isolate or reconfigure systems and the security expertise to recommend programs with enough rigor to maintain that foundational security baseline. Cybersecurity most often fails because organizations are so concerned with big, new, complicated threats that they lose focus on simple, manageable, foundational issues of cyber hygiene.