Recap: The Security Hygiene Framework
Security hygiene can be compared to personal hygiene. There are basics that every organization needs to address to protect their data from today’s security threats. Similarly, people engage in a variety of personal hygiene activities to maintain good health and protect against disease, such as brushing their teeth.
When we look at security hygiene for organizations (the basics that every organization must address), the framework is made up of three management principles and seven tools that are essential for achieving good security hygiene.
It starts by defining the security policy in three steps, which focus on the company’s data:
1. determining governance,
2. inventorying and classifying data into zones,
3. outlining the corresponding policy for data protection.
This method requires that companies take a holistic approach to security, rather than be attracted to the newest protection products or next-gen antivirus solution. Products and solutions are critical components, but must be balanced with the overall approach.
As such, an effective security policy should clearly define the seven security hygiene tools based on the value of the data (getting more granular as the importance of that data increases) and be understood and agreed upon by stakeholders within the organization.
This includes defining policy around:
- Configuration and patching
- Multifactor authentication
- Tested backups
- Protection tools
- Monitoring
- Encryption
- Training
In this blog post, we’ll take a deeper dive into these seven security hygiene tools and share a starting point for your organization.
The 7 Security Hygiene Tools Explained
#1 Configuration and Patching
In a recent prediction, Gartner foresees that, by 2020, 99% of the vulnerabilities exploited by hackers will have been known to security and IT professionals for over one year. In some cases, this comes down to whether consistent configuration and patching is actually taking place within an organization’s environment.
It’s becoming increasingly difficult for organizations to do this on their own. Patches and configuration “best practice” updates come out frequently and change often. It’s not enough to rely solely on the vendor to patch their products.
In our experience, we’ve found great success in automating the process by using third-party tools to look at the entire environment. These tools can provide valuable insights that an organization would otherwise be unaware of and make successful patching and configuration of software much easier.
Which third-party products are best depends on the hardware and software used in the business.
Key takeaway: it’s imperative to use automation and third-party tools to ensure all critical vendor patches and configuration updates are applied.
#2 Multifactor Authentication
In a new report, the U.K. National Cyber Security Centre found that millions of people continue to use easily guessed passwords for their online accounts despite advice from security experts. For example, 23.2 million people who had their accounts hacked worldwide were still using the password “123456”.
We’ve learned that passwords are obsolete. Computers are much better at passwords than humans. What’s more, hundreds of millions of passwords are exposed on the Internet daily.
Organizations must look at multifactor authentication options and find the one that is best for the data they’re trying to protect. This includes options like hardware keys, authenticator applications on phones and the like. It’s important to evaluate what’s best for the business. One option we’ve found to be an ineffective and weak form of authentication is text messaging. In most cases, this will not be an appropriate option for businesses.
In instances where multifactor authentication cannot be used, password managers can allow individuals to share passwords between people without having to expose those passwords.
Key takeaway: Organizations should implement multifactor authentication where possible. In cases where it is not an option, a password manager should be used. Multifactor authentication in combination with a password manager offers a high level of protection.
#3 Tested Backups
You have backups, but can you recover the data? A backup policy is one of the best ways to protect data and keep a business running when bad things happen, whether that’s stolen hardware, malware or ransomware, or loss of access to all systems. However, too often, people go to restore data and it doesn’t work as expected. Testing backups is critical.
Testing should take place every 12-18 months. This includes testing:
- Disaster recovery processes
- Backup recovery
- Recovery between data centres
If a change in the process occurs, the process should be re-tested to ensure business continuity.
Depending on the size of the company and the value of the data, the 3-2-1 backup strategy is an effective starting point. This involves having three independent copies on two different media, with one offsite. One copy should be unalterable to prevent ransomware attackers from deleting backups.
The ability to restore mission-critical systems is a huge comfort for companies. As part of the testing process, companies should have multiple people able to do the restoration function for important data and systems.
Key takeaway: Backup recovery and disaster recovery processes should be tested every 12-18 months. If there is a change in process, recovery processes should be re-tested.
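A restore test is the part most organizations skip. The following is an added example (not code from the original post) that records a SHA-256 manifest of a source directory, archives it, and then restores the archive into scratch space and reports any file that is missing, altered or unexpected. It assumes a gzipped tar backup; the manifest format and function names are this example's own.

```python
# Added example (not from the original post): restore-test a backup archive
# against a SHA-256 manifest of the source. Assumes a gzipped tar backup.
import hashlib
import os
import tarfile
import tempfile

def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest

def make_backup(source_dir, archive_path):
    """Record the source manifest, then archive exactly those files."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest

def restore_test(archive_path, manifest):
    """Restore into scratch space; return what differs from the manifest."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse path traversal
            except TypeError:  # Python without the 'filter' argument
                tar.extractall(scratch)
        restored = build_manifest(scratch)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return problems
```

Store the manifest separately from the archive (ideally with the unalterable copy) so that a tampered backup cannot also rewrite the record it is checked against.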
#4 Protection Tools
There is no shortage of protection tools in the market, but to determine which ones to deploy for data protection, the tools need to align with the security policies, the value of the data and the risk involved.
Questions like the following arise:
- Regarding anti-malware, antivirus, intrusion prevention systems and next-generation firewalls:
  - Where should we apply them?
  - How many should be applied?
  - How should we monitor them?
- Where do we apply monitoring and alerting versus monitoring, alerting and prevention?
- Is blocking traffic necessary for the environment?
The answers to these types of questions are defined by the security policy and understanding of an organization’s data classifications, whether that’s public data, business data or highly secured data. The more valuable the data, the more granular the protection policies become, and the more additional layers of protection will be required.
Key takeaway: The types of protection tools an organization deploys must align with their security policy and data classification zones. The more secure the data needs to be, the more layers of protection will be required, and the more granular the definition will need to be in the security policy.
#5 Monitoring
With multiple security products in place to detect and prevent intrusions, monitoring and managing the logs and information they produce is required. Organizations can use SIEM (security information and event management) to provide real-time analysis of security alerts and have a centralized location to see the health of a business from a security perspective.
However, the right level of logging must be fine-tuned. Being inundated with false positives is time-consuming, requiring IT to track them down to ensure the network remains secure. Ensuring alerts and reports issued are meaningful and actionable is key to keeping staff and management aligned and productive.
The use of artificial intelligence tools is beginning to be helpful to tune and filter these messages from the variety of protection tools the business has implemented. It reduces the noise and allows IT to monitor what matters most. Defining this comes back to the security policy and the data classifications.
Key takeaway: Monitoring tools are required, such as SIEM, to provide real-time analysis of security alerts. Simultaneously, focusing on the right alerts is imperative. Fine-tuning alerts can reduce the noise and keep the focus on monitoring what matters most.
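Tuning alerts against the data classification zones can be made concrete. The following is an added example (not code from the original post): it drops alerts matching policy-defined suppression rules and ranks the rest by severity weighted by the zone of the affected asset, so a medium alert on highly secured data outranks the same alert on a public web host. The host names, zone map, suppression rules and alert lines are all constructed for illustration.

```python
# Added example (not from the original post): triage SIEM-style alerts by
# data-classification zone. Hosts, zones, rules and alerts are constructed.
import re

# Hypothetical asset -> zone map from the inventory-and-classify step.
ZONES = {"web-01": "public", "crm-db": "business", "hr-vault": "highly_secured"}
ZONE_WEIGHT = {"public": 1, "business": 2, "highly_secured": 3}
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Suppression rules: (pattern, reason) for alerts the policy treats as benign noise.
SUPPRESS = [
    (re.compile(r"scheduled scan completed"), "expected scanner activity"),
    (re.compile(r"login failed .* from 10\.0\.0\."), "internal lockout testing"),
]

# Constructed sample alerts: "<host> <severity> <message>".
ALERTS = [
    "web-01 low scheduled scan completed",
    "hr-vault high login failed for admin from 203.0.113.5",
    "crm-db medium login failed for svc from 10.0.0.7",
    "web-01 medium new outbound connection to 198.51.100.9",
    "hr-vault medium new outbound connection to 198.51.100.9",
]

def parse(line):
    host, sev, msg = line.split(" ", 2)
    return {"host": host, "severity": sev, "message": msg}

def triage(lines, zones=ZONES):
    """Drop suppressed alerts; rank the rest by severity x zone weight."""
    kept, dropped = [], []
    for line in lines:
        alert = parse(line)
        reason = next((r for pat, r in SUPPRESS if pat.search(alert["message"])), None)
        if reason:
            dropped.append((line, reason))
            continue
        # Unknown assets default to the business zone rather than being ignored.
        zone = zones.get(alert["host"], "business")
        alert["zone"] = zone
        alert["score"] = SEVERITY[alert["severity"]] * ZONE_WEIGHT[zone]
        kept.append(alert)
    kept.sort(key=lambda a: a["score"], reverse=True)
    return kept, dropped

if __name__ == "__main__":
    ranked, noise = triage(ALERTS)
    for a in ranked:
        print(a["score"], a["zone"], a["host"], a["message"])
```

Keep the dropped list and review it periodically; a suppression rule that silently hides a real incident is the mirror image of the false-positive problem.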
#6 Encryption
Private data needs to be encrypted to protect it from theft. This covers:
- Data at rest – on laptops, hard disks, etc.
- Data in flight and transit – between laptops, desktops, and phones to applications, servers, and cloud solutions.
While many devices come with some level of encryption already in place, it’s important to ensure this is turned on or upgraded. In some instances, additional encryption may be required; for example, some companies need to encrypt key data in RAM while using shared Cloud Infrastructure-as-a-Service solutions.
Determining whether an organization needs additional encryption will go back to the security policy and the data classification zones and level of protection required.
Key takeaway: Encryption of all private data is required, which includes data at rest and data that is in flight or transit. Determining what level of encryption is required depends on the security policy and the data classification zone.
#7 Training
According to Ponemon Institute research, 64% of attacks could be traced back to an employee’s negligent behaviour. The intent was not malicious, but often people are unaware or are tricked by intruders. In particular, the biggest risk in any organization is people using email.
Training and educating people about what to look for and how to protect themselves can have the biggest payback on security process and risk reduction. An informed workforce can become a security asset.
A few strategies for turning people into a security asset include:
- Testing the company – educate about what makes a questionable email and what makes a good email, then use testing emails to score the company. This is great information to share across the company, and should show improvement over time.
- Socialize the security policy – this is an important activity every company should undertake so everyone understands what’s important to the business and the steps the business is taking to protect the company’s customers.
- Create an open culture – people will inadvertently click something they shouldn’t; rather than hide this information in fear, staff should be encouraged to share this information so IT is aware. Security threats are everyone’s problem and it’s impossible to be perfect.
Key takeaway: Educating and training your workforce can turn them into a security asset rather than a vulnerability.
Achieving Good Security Hygiene: Your Next Steps
Good security hygiene does not have to be out of reach. While each business will have different requirements that define its security policy, data classification and the tools it deploys, every business should look at this Security Hygiene Framework as a guideline for implementing a holistic approach to security.
If you’d like to discuss this framework and how these seven security hygiene tools should be applied to your business, feel free to reach out to me directly. Success often requires an extended team for support.