In discussions about cyber defense, we often hear the term “cyber hygiene.” The general notion is that a lack of good cyber hygiene is at the heart of most cyber-attacks.
The phrase plays off of commonly accepted ideas in personal hygiene or public health. That is, a number of relatively simple, well-defined personal actions (like brushing your teeth, washing your hands, getting vaccinated, “social distancing”) can provide significant value – but not a complete cure – for many health problems. Value can be received both by the individual, and also by the population as a whole. Each of these steps is simple enough to describe, but their real value is that they translate highly specialized science and knowledge (e.g., the transmission vectors of disease) into specific personal action.
The same general notion applies in cyber defense. Almost all successful attacks take advantage of conditions that could reasonably be described as “poor hygiene,” including the failure to patch known vulnerabilities, poor configuration management, and poor management of administrative privilege. This does not mean that system operators and users are lazy, or don’t care. At the Center for Internet Security (CIS), we attribute these failures primarily to the complexity of modern systems management, as well as a noisy and confusing environment of technology, marketplace claims, and oversight/regulation (“The Fog of More”). Defenders are just overwhelmed. Therefore, any large-scale security improvement program needs a way to bring focus and attention to the most effective and fundamental things to be done.
Most of the literature of cyber hygiene fails to define the term, or simply illustrates the idea with a few examples. But, this leaves cyber hygiene as a “notion” or a general exhortation to do better (“cheerleading”). To get large-scale security improvement, we need to prioritize and focus the attention of the entire cyber ecosystem of users, adopters, suppliers (vendors), as well as authorities (like governments, regulators, the legal system) around a specific action plan – one that is backed up by implementation guidance, measurements of success, and a marketplace of tools and services.
Our recent introduction of Implementation Groups in Version 7.1 of the CIS Controls provides a basis for this approach. Implementation Group 1 (IG1) is a specific set of Sub-Controls (also known as Safeguards) chosen from the overall CIS Controls. IG1 is a foundational set of actions for every enterprise, especially those with limited resources or expertise. The Safeguards in IG1 can be the basis for an action plan for basic cyber hygiene, with an accompanying campaign, that has all the ideal attributes:
By using IG1 as the definition of basic cyber hygiene, we make security improvement accessible to all enterprises in a way that is backed by the same analysis that underpins the Controls, and the same marketplace of tools, services, and training. And when appropriate, this approach is a natural on-ramp to the overall CIS Controls.
In a future blog, we will talk about our journey in mapping the CIS Controls to the tactics, techniques, and attack patterns of the MITRE ATT&CK framework; the analysis results are interesting.
Tony Sager is a Senior Vice President and Chief Evangelist for CIS® (The Center for Internet Security, Inc.). He leads the development of the CIS Controls™, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of the CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’ independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities.
In addition to his duties for CIS, he is an active volunteer in numerous community service activities, including service on the Board of Directors of the Cybercrime Support Network; membership in the National Academy of Sciences Cyber Resilience Forum; advisory boards for several local schools and colleges; and numerous national-level study groups and advisory panels.
Sager retired from the National Security Agency (NSA) after 34 years as an Information Assurance professional. He started his career there in the Communications Security (COMSEC) Intern Program, and worked as a mathematical cryptographer and a software vulnerability analyst. In 2001, Sager led the release of NSA security guidance to the public. He also expanded the NSA’s role in the development of open standards for security. Sager’s awards and commendations at NSA include the Presidential Rank Award at the Meritorious Level, twice, and the NSA Exceptional Civilian Service Award. The groups he led at NSA were also widely recognized for technical and mission excellence with awards from numerous industry sources, including the SANS Institute, SC Magazine, and Government Executive Magazine.
Mr. Sager holds a B.A. in Mathematics from Western Maryland College and an M.S. in Computer Science from The Johns Hopkins University.