Cybersecurity Practice(s), Not Perfect(ion)
A version of this content first appeared in Tripwire’s “The State of Security” blog.
The term “best practice” often comes up in tandem with “cyber hygiene.” At the Center for Internet Security (CIS), we’ve taken our best shot at a specific definition for basic cyber hygiene, based on CIS Controls Implementation Group 1. But I thought I would share some ideas on the notion of cyber “best practice.”
I first gave this serious thought during my time at the National Security Agency (NSA), especially as I had the honor of managing the organizations that performed all of the security testing for the Information Assurance Mission, covering everything from technology (algorithm, architecture, software analysis, and product testing) through operational testing of fielded systems (Red Teams, Blue Teams, etc.), and for customers all across the U.S. Department of Defense (DOD) and national security systems for the U.S. government.
Sometime in the early-to-mid 2000s, I was talking to an Army general officer about some of our work, including our support for standardizing the security configurations of DOD desktops and servers (which eventually led to the federal desktop configuration) and the release of NSA security guidance to the public (which started in June 2001 via www.nsa.gov).
He listened politely, but then said something like, “That’s all well and good, but that just sounds like commercial best practice to me.”
I replied, “Two points I’d like to make to you, sir. One – if the DOD could only reach the lofty heights of commercial best practice, we’d actually be much better off than we are today. And two, they call it ‘best practice’ for a reason – because it’s not very common; it stands out.”
He was operating under the assumption that since the DOD was involved in important, risky, and dangerous work we must be defending our systems with something much grander and more effective than mere "commercial best practice." But, I had data. The work of my folks on Red and Blue Teams gave us very good insight into the true state of cyber defenses across the DOD at that time – and it wasn’t a pretty picture. And, our work to develop security guidance showed that relatively small and well-placed steps could cause the bad guys a significant amount of risk, cost, and exposure – not perfect defense, but much more effective and manageable defense.
I don’t think I convinced the General of anything, but after I retired and took over what we now call the CIS Controls, the anecdote stayed with me. It eventually turned into the tagline "Making Best Practice Common Practice."
It was true then, and it is still sadly true today: the vast majority of problems that plague us are known problems with known solutions. That is, most security incidents could have been prevented by actions, technologies, and policies that are already known or already exist in the marketplace. In fact, if you look far enough, you can almost certainly find someone who has found a way to defend their system against almost any attack seen today. The problem is that you can’t find that example to learn from on your own. Or that example is too specialized, too costly, or too inconsistent with your current policy or requirements for you to apply on your own.
As a community, can we find things that work – “best practices” – and then find a way to make them “common practice” – things that are known, accessible, supported, and really practiced by everyone? How can we validate that an approach or practice is in fact the best? How can we take things that appear to work in one setting and generalize, modify, and support them to work in others? How can we help others rapidly learn from the best examples and get to implementation more quickly? How can we identify and remove barriers to adoption? And finally, how can we mobilize the entire ecosystem (technologists, defenders, policy-makers, auditors, solutions providers, etc.) around the same important priorities?
This is the challenge that CIS has taken on.
There’s an old saying that “practice makes perfect.” For cyber defense, will best practices make perfect defenses? Of course not! But given the state of defenses today, we can dramatically improve our individual and collective defenses through open collaboration to find things that work, and make them available to all enterprises. In doing that, we can create the kind of visible, managed, adaptable, and well-defended foundation that will enable us to deal with all manner of adversary.
About the Author
Tony Sager is a Senior Vice President and Chief Evangelist for CIS®. He leads the development of the CIS Controls®, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’s independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities.