Getting a grip on basic cyber hygiene
We know that good “hygiene” is conducive to good health and cleanliness. And, if you’re reading this blog it’s safe to say that you’re familiar with the term “cyber” as it relates to computers and information technology (IT). Combine the two, throw in the word “basic,” and voila! You’ve got basic cyber hygiene. But, what exactly does that mean?
Think of “regular” hygiene: a set of minimum standards that we look to experts (like the CDC) to put out and that we all follow, such as washing your hands, covering your mouth, and wearing face masks. Basic cyber hygiene works the same way: a group of experts (a community formed by CIS, the Center for Internet Security) sets a minimum set of cybersecurity standards with the expectation that everyone can and should follow them.
Sounds simple enough, right? Well it is, and it isn’t.
Poor cyber hygiene invites risks
In cyber defense, basic cyber hygiene, or a lack thereof, can mean the difference between a thwarted and a successful cyber-attack against your organization. In the latter case, the results can be catastrophic.
Almost all successful cyber-attacks take advantage of conditions that could reasonably be described as “poor cyber hygiene” – not patching, poor configuration management, keeping outdated solutions in place, etc. Inevitably, poor cyber hygiene invites risks and can put the overall resilience of an organization into jeopardy.
Not surprisingly, today’s security focus is on risk management: identifying risks and vulnerabilities, and eliminating and mitigating those risks where possible, to make sure your organization is adequately protected. The challenge here is that cybersecurity is often an afterthought. To improve a cybersecurity program, there needs to be a specific action plan that the entire cyber ecosystem of users, suppliers, and authorities (government, regulators, legal system, etc.) can understand and execute. That plan should have an emphasis on basic cyber hygiene and be backed up by implementation guidance, tools and services, and success measures.
The CIS Controls do just that!
The CIS Controls: A prioritized path
The CIS Controls are independent, trusted cybersecurity best practices that are prescriptive, prioritized, and simplified, and that provide a clear path to improve an organization’s cyber defense program. While most frameworks list all the things organizations should do to improve their security, the CIS Controls tell you what is critical to do, and more importantly, how to do it. They translate cyber threat information into action, giving enterprises an executable plan to defend themselves against the most common and important attacks.
But, what does this have to do with basic cyber hygiene? A lot, actually! The CIS Controls are broken down into three Implementation Groups (IGs), containing Safeguards that provide a prioritized path to gradually improve an organization’s cybersecurity posture. An organization can determine what IG they belong to by looking at the sensitivity of the data they need to protect and the resources they can dedicate towards IT and cybersecurity.
Here’s the kicker – IG1 is the definition of basic cyber hygiene!
An action plan for basic cyber hygiene
IG1 is a foundational set of cyber defense Safeguards that every enterprise (especially those with limited resources or expertise) should apply to guard against the most common attacks, and represents an emerging minimum standard of information security for all enterprises.
An action plan for basic cyber hygiene includes the Safeguards in IG1 and an accompanying campaign that has the following attributes:
- Covers both organizational and personal behavior
- Actions are specific and easily scalable
- Effect on preventing, detecting, or responding to attacks can be stated
- No detailed domain knowledge or execution of a complex risk management process is necessary to get started
- Safeguards can be supported with a marketplace of tools for implementation and measurement
- Actions provide an “on-ramp” to a more comprehensive security improvement program
IG1 (basic cyber hygiene) is the on-ramp to the Controls. IG2 builds upon IG1 and prescribes what has to be done for more sensitive components of an organization, depending upon the services and information they handle. IG3 is the highest level of cyber hygiene and consists of steps that fully mature organizations take to protect the most sensitive parts of their missions.
CIS Controls version 8 is coming spring 2021
At CIS we strive to keep the CIS Controls relevant by updating them based on community feedback, evolving technology, and the ever-changing threat landscape. As we saw more organizations move towards cloud services and remote work, we felt it was time to revisit the CIS Controls and supporting Safeguards (which you knew as Sub-Controls in previous versions) to make sure our recommendations still provide an effective cyber defense. The result is CIS Controls Version 8, which will be released May 18, 2021.
In CIS Controls v8 you will see updated recommendations for:
- Cloud-based computing
- Mobile environments
- Changing attacker tactics
CIS Controls v8 combines and consolidates the Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in v8 through revised terminology and grouping of Safeguards. The result is a decrease of Controls and Safeguards to 18 Controls (from 20) composed of 153 Safeguards (from 171).
Each Safeguard asks for “one thing,” wherever possible, in a way that is clear and requires minimal interpretation. Additionally, each Safeguard is focused on measurable actions, and defines the measurement as part of the process. We know that it’s important for enterprises to keep track of CIS Controls implementation.