In the realm of public health, the term “hygiene” refers to conditions and practices that help maintain health and prevent disease spread, according to the World Health Organization. And in the age of COVID-19, this may include washing your hands, wearing a mask, and “social distancing.”
Although these activities can provide protection against the Coronavirus, they do not offer complete immunity, yet they do mitigate risk. The same can be said when it comes to IT security best practices and good “IT hygiene.”
Poor IT hygiene practices such as failing to: patch and update operating systems and applications; secure network endpoints and Remote Desktop Protocol servers; filter out suspicious emails; and no data backup strategy can leave organizations exposed to phishing campaigns and ransomware attacks.
Ransomware alone has emerged as the most visible cybersecurity risk plaguing the country’s networks, locking up both private sector organization and government agency assets, says the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
The ransomware attack against Universal Health Services, one of the largest hospital and health care networks in the US, with more than 400 facilities across the US and UK, is the most recent example of ransomware putting not only the organization, but also patient lives at risk. Attributed to Russian-made malware called Ryuk, the ransomware attack forced Universal Health Services to use all-paper systems.
When it comes to cloud IT hygiene, many make the false assumption that cloud services are secure by default, and there are security safeguards that will catch misconfigurations.
Poor cloud IT hygiene practices resulted in the Capital One breach that compromised the personal data of almost 106 million accounts due to a misconfigured web application firewall (WAF) hosted with Amazon Web Services (AWS).
The WAF misconfiguration enabled a hacker to trick the firewall into relaying requests to the AWS metadata service and expose the cloud server’s credentials. This allowed access to all cloud resources that the server had access to, including the S3 storage buckets containing Capital One client data.
Bad IT hygiene practices today that lead to breaches vary. They include unpatched operating systems and applications, a lack of network endpoint visibility, and poor password management practices. Additionally, organizational mobile devices used for personal business, misconfigured cloud services, not backing up data, unsecured cloud data storage, and little to no employee IT security training also leave organizations vulnerable.
Practicing Good IT Hygiene
Organizations not implementing good IT hygiene measures such as patching operating systems and applications or securing endpoints face becoming victims of costly cyber attacks like Universal Health Services or Capital One.
CISA places IT hygiene at the top of their list of recommendations regarding managing and mitigating malware risks. This list includes:
Practicing good cyber hygiene: patching operating systems and applications; backing up data; updating and whitelisting apps; limiting privileges; and using multifactor authentication
Segmenting networks to limit access across internal systems
Developing containment strategies to limit data exfiltration
Reviewing disaster recovery procedures and validating priorities with executives
Implementing a cyber hygiene strategy starts with performing regular, routine maintenance to minimize the risks of becoming a cyber attack victim. This includes not only traditional IT systems but also OT, or operational technology, that tracks Internet of Things (IoT) devices and Industrial Control Systems (ICS).
Operational technology (OT), as defined by IT analyst firm Gartner, is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes, and events.
”The objectives of security in operational technology are different than in IT: Availability and safety trump confidentiality and integrity, which usually are the primary concerns in IT. Security and risk management leaders should apply basic security hygiene processes to secure their OT,” says Gartner.
Organizations can take the following basic steps using the non-profit Center for Internet Security (CIS) 7.1 controls to ensure good IT hygiene. CIS controls help security practitioners apply basic cyber hygiene, even if their organization has limited resources and expertise and needs to prioritize cybersecurity activities to ensure a cyber baseline standard.
Implementation Group 1 is defined as basic cyber hygiene andcovers 43 specific tasks.
The CIS controls Implementation Group 1 Topics are broken down into procedural and technical focus areas:
Maintaining an asset inventory Password management One offsite backup Network boundary inventory Incident response planning Isolating personal devices
CIS also provides specific guidance for Cloud, IoT, Mobile and ICS as well as a detailed “Cyber Hygiene Guide for Microsoft Windows 10.” Moreover, CIS maps to many security standards and frameworks including NIST CSF (Cyber Security Framework), ISO 27000, HIPAA (Health Insurance Portability and Accountability), and PCI (Payment Card Industry) DSS. A complete online CIS Controls Navigator can be found here.
Poor IT hygiene practices can leave organizations vulnerable to phishing campaigns and ransomware attacks, as well as cloud data breaches. Through good IT hygiene practices, organizations can avoid becoming victims of costly cyber attacks. By using industry-standard frameworks and tools such as CIS security controls, organizations can begin their journey to mitigating risk and securing their critical IT and information assets.