What is Cyber Hygiene?
The Center for Internet Security (CIS) and the Council on Cyber Security (CCS) define cyber hygiene as a means to appropriately protect and maintain IT systems and devices and to implement cybersecurity best practices.
Cyber attacks can be difficult to detect and, unfortunately, there is no surefire way to block everything. However, good cybersecurity practices can contain most infections, starting with the programs that are typically compromised to carry out attacks.
BizCare minimizes infection by mitigating exposure to command-and-control systems. More specifically, by proactively implementing the following technology and security best practices, cybersecurity threats can be effectively contained and managed automatically:
- Keep patches up to date
- Disable unnecessary services and program features
- Decommission nonessential applications and cloud services
- Monitor, manage and maintain endpoint security
- Restrict admin privileges
- Monitor, manage and maintain voice and data network traffic
- Optionally monitor, manage and maintain security training for end-users
10 GOOD CYBER HYGIENE PRACTICES
While these are not all-encompassing, they do provide a solid foundation: layered security practices combined with customized solutions that meet (or exceed) your organization’s specific needs.
1: Restrict unnecessary scripting languages
One of the key resources that malware relies on to carry out attacks on a host is the management frameworks and tools native to the operating system. In many such attacks, PowerShell and Windows Management Instrumentation (WMI) are used to execute commands covertly on the host while the infection resides only in memory.
If your organization doesn’t use these tools, one of the best protections is to disable them altogether. This hardens the system against the use of PowerShell to manipulate the host, or of WMI to enumerate system information that can in turn be used to attack it. Once the hole is closed, attackers can no longer rely on this vector.
2: Disable macros and digitally sign trusted macros
Oh macros, what a delicate web you weave. On one hand, macro functionality adds a little programming muscle to an assortment of productivity files. On the other hand, running unvetted code is never a good idea. If macros are not used in your organization, disabling them is the best, most surefire way to prevent untrusted code from running on your systems.
However, if macros are a requirement in your organization, merely enabling them does not do enough to keep your systems secure. Digitally sign the macros the organization has authorized and allow only digitally signed macros to run: users can then run the macros the company has vetted, while all other macros are effectively disabled.
3: Monitor security appliance logs for unauthorized traffic
As part of general best practice in maintaining your network and optimizing its security posture, the logs from devices ranging from firewalls to intrusion prevention systems (IPS) should be monitored in a centralized and consistent manner so that unauthorized traffic leaving the network is detected.
Ideally, baselines of network activity should be recorded from multiple point-in-time snapshots: the network under heavy workloads, during off-peak times when it is largely idle, and at several points throughout the workday. This not only gives a better understanding of the network’s normal operating flow but also allows heuristic analysis to detect activity that deviates from the baselines. It will help you determine which devices are transmitting inordinate amounts of data (or communicating with unknown or unauthorized remote devices), a telltale sign of infection.
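The following Python script is an added illustration of the baselining approach described above; it is not code from the original article or from BizCare. It splits per-host egress volume into business-hours and off-hours baselines, then flags a host whose volume is both a statistical outlier and a large multiple of its norm, or that contacts a destination never seen in the baseline. The log format, host names, addresses and thresholds are all constructed for the example.

```python
"""Baseline outbound traffic per host and time-of-day, then flag deviations.

Added example for the baselining practice described above; it is not code from
the original article. The log format, host names, addresses and thresholds are
all constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed egress summaries exported from a firewall, one interval per line:
# <timestamp> <source host> <destination IP> <bytes sent>
BASELINE_LINES = """
2024-03-04T09:00 ws-01 203.0.113.10 120000
2024-03-04T09:00 ws-02 203.0.113.10 90000
2024-03-04T09:00 ws-17 203.0.113.10 100000
2024-03-04T12:00 ws-01 203.0.113.20 140000
2024-03-04T12:00 ws-02 203.0.113.20 110000
2024-03-04T12:00 ws-17 203.0.113.10 105000
2024-03-04T15:00 ws-01 203.0.113.10 125000
2024-03-04T15:00 ws-02 203.0.113.10 95000
2024-03-04T15:00 ws-17 203.0.113.20 98000
2024-03-04T22:00 ws-01 203.0.113.10 5000
2024-03-04T22:00 ws-02 203.0.113.10 4000
2024-03-04T22:00 ws-17 203.0.113.10 6000
""".strip().splitlines()

# Constructed lines from the period under review: ws-17 suddenly pushes roughly
# 48x its normal daytime volume to an address never seen in the baseline.
NEW_LINES = """
2024-03-05T09:00 ws-01 203.0.113.10 118000
2024-03-05T09:00 ws-02 203.0.113.10 92000
2024-03-05T09:00 ws-17 198.51.100.77 4800000
""".strip().splitlines()


def parse(line):
    ts, host, dst, nbytes = line.split()
    hour = int(ts[11:13])
    # Keep daytime and off-hours snapshots apart so a quiet night does not drag
    # the daytime average down, and a busy day does not mask nightly transfers.
    bucket = "business" if 8 <= hour < 18 else "offhours"
    return {"host": host, "bucket": bucket, "dst": dst, "bytes": int(nbytes)}


def build_baseline(lines):
    """Mean and standard deviation of bytes per (host, bucket), plus destinations seen."""
    volumes = defaultdict(list)
    destinations = defaultdict(set)
    for rec in map(parse, lines):
        key = (rec["host"], rec["bucket"])
        volumes[key].append(rec["bytes"])
        destinations[key].add(rec["dst"])
    return {
        key: {
            "mean": statistics.fmean(vals),
            "stdev": statistics.pstdev(vals) if len(vals) > 1 else 0.0,
            "dsts": destinations[key],
        }
        for key, vals in volumes.items()
    }


def detect(lines, baseline, z=3.0, min_ratio=5.0):
    """Return (host, reason) findings for lines that deviate from the baseline.

    A volume alert requires both a statistical outlier (mean + z*stdev) and a
    large absolute jump (min_ratio * mean), so that small, tight baselines do
    not page on every modest increase.
    """
    findings = []
    for rec in map(parse, lines):
        key = (rec["host"], rec["bucket"])
        base = baseline.get(key)
        if base is None:
            findings.append((rec["host"], f"no baseline for {rec['host']} ({rec['bucket']})"))
            continue
        threshold = max(base["mean"] + z * base["stdev"], min_ratio * base["mean"])
        if rec["bytes"] > threshold:
            findings.append((rec["host"],
                             f"egress {rec['bytes']} bytes exceeds threshold {threshold:.0f}"))
        if rec["dst"] not in base["dsts"]:
            findings.append((rec["host"], f"new destination {rec['dst']} not seen in baseline"))
    return findings


if __name__ == "__main__":
    for host, reason in detect(NEW_LINES, build_baseline(BASELINE_LINES)):
        print(f"{host}: {reason}")
```

In practice the baseline would be rebuilt from days or weeks of intervals rather than one day, and the destination check would be fed by an allow list of known business endpoints; the structure of the check (per-host, per-time-bucket statistics plus a "never seen before" test) is the part that carries over.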
4: Implement endpoint security with active monitoring
While traditional endpoint security such as antivirus has been largely ineffective at detecting malware infections, there are endpoint solutions with a heuristics component that performs behavioral analysis on a client-by-client basis.
By comparing system behavior against known baselines, deviations or significant changes in a system’s usual behavioral patterns trigger an alert. Administrators can then either confirm the change as a legitimate shift in system usage or remediate a potentially infected device before the infection spreads.
In addition, certain types of malware, such as ransomware, share a specific set of behavioral characteristics across all infections: encrypting end-user data at alarming rates. By keying on these identifying patterns, heuristics-based endpoint protection can and does halt many such threats until an end user manually authorizes the process to continue, effectively stopping the threat before it delivers its full payload.
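As an added example of the behavioral heuristic just described (not code from the original article or from any endpoint product), the Python below watches file-modification telemetry per process and raises a verdict when one process rewrites more than a set number of files within a sliding window and most of those rewrites change the file extension. The event format, process names and thresholds are constructed for the illustration.

```python
"""Behavioral heuristic for mass file encryption (ransomware-like activity).

Added example for the behavioral-analysis practice described above; not code
from the original article or any vendor product. The event format, process
names and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0        # sliding window length (assumed)
MAX_REWRITES = 20            # more rewrites than this in one window is abnormal (assumed)
MIN_EXT_CHANGE_RATIO = 0.8   # share of rewrites that changed the extension (assumed)


def extension(path):
    """Lower-cased extension without the dot, or '' when the name has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def build_sample_events():
    """Constructed file-modification telemetry: (time_s, pid, image, path_before, path_after)."""
    events = []
    # Normal activity: a user saves three documents over a minute; names unchanged.
    for i in range(3):
        doc = rf"C:\Users\alice\Documents\report{i}.docx"
        events.append((i * 20.0, 1200, "winword.exe", doc, doc))
    # Abnormal activity: one process rewrites 40 spreadsheets with a new
    # extension in four seconds, the pattern the text describes.
    for i in range(40):
        before = rf"C:\Users\alice\Documents\budget{i}.xlsx"
        events.append((30.0 + i * 0.1, 4711, "updater.exe", before, before + ".locked"))
    return sorted(events)


def detect_mass_encryption(events, window=WINDOW_SECONDS, limit=MAX_REWRITES,
                           ext_ratio=MIN_EXT_CHANGE_RATIO):
    """Return {pid: verdict} for processes that exceed the rewrite rate in any window."""
    recent = defaultdict(deque)   # pid -> deque of (time, extension_changed)
    verdicts = {}
    for ts, pid, image, before, after in events:
        changed = extension(before) != extension(after)
        q = recent[pid]
        q.append((ts, changed))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if pid in verdicts or len(q) <= limit:
            continue
        if sum(1 for _, c in q if c) / len(q) >= ext_ratio:
            verdicts[pid] = {
                "image": image,
                "first_alert_at": ts,
                "rewrites_in_window": len(q),
                # A real agent would suspend the process here and prompt the
                # user, as the text describes; this example only reports.
                "action": "suspend process and prompt user",
            }
    return verdicts


if __name__ == "__main__":
    for pid, verdict in detect_mass_encryption(build_sample_events()).items():
        print(pid, verdict)
```

The extension-change ratio is what separates a backup tool copying many files from a process systematically renaming them; both exceed a raw rate threshold, only the latter rewrites nearly every file under a new name.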
5: Perform patch management across all devices
Again—and not surprisingly—one of the most important best practices in protecting systems from becoming compromised seems like a no-brainer. Yet despite the key role that patch management plays in securing an environment (and preventing breaches), many organizations are still behind the curve on keeping up with updates.
In the case of the WannaCry worm, Microsoft released fixes upwards of three months before the outbreak that affected organizations across the globe, and still some were nearly devastated by encryption payloads that could have been prevented had the patches been deployed in the months prior.
Malware is not beholden to any particular infection vector. It can be introduced as a malicious service or program from a rogue application, downloaded from an infected website, or even delivered through a zero-day vulnerability.
Though the latter is the most common way for malware to compromise a system and escalate privileges to infect a host, a tested and timely delivery of patches can effectively protect against the myriad delivery methods associated with malware infections.
6: Restrict account access using the principle of least privilege
When a user authenticates on a computer, they work with the privileges the administrator has assigned to their account. The more rights they are given, the greater their control over changes to the operating system, which could affect other users of the same computer. Malware typically executes at the same privilege level as the user’s account: if the user is an administrator, the malware has admin access to the device and can run unrestricted.
Conversely, if the user’s account lacks administrative privilege over the host, malware could still execute, but it will do so within the context of that user’s limited access. As a result, it will not have access to the system files or restricted directories that malware relies upon to fully take over a host.
7: Whitelist authorized applications
Taking a note from the previous article’s recommendation to disable unnecessary services, disabling applications (or not installing them in the first place) is a good way to protect against attacks that target a specific application or a file type it uses, such as Adobe Flash, a known vector for an assortment of attacks. But what can be done about applications that are native to the system and can’t be removed?
In scenarios where an application or framework, like PowerShell, can’t be uninstalled because it’s part of the Windows OS, application whitelisting allows administrators to control which apps are available to users. Whitelists act as a sort of guest list for the operating system: admins define which apps are okay for end users, only the applications on that list are accessible, and all others are restricted. This can be implemented through third-party software or managed centrally through Microsoft’s Group Policy Management Console for granular control over users, groups, and the apps available to them. After all, if a non-admin user can’t even launch PowerShell, attacks running in that context will fail to execute commands targeting PowerShell.
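To make the "guest list" idea concrete, here is an added Python evaluator for a default-deny allow list; it is not code from the original article and is not Microsoft's AppLocker or Group Policy implementation. It shows the two decisions such a policy engine makes: which rule types identify an application (a path pattern, or a content hash for a tool outside the standard directories) and which groups a rule applies to, so that PowerShell can be allowed for administrators and denied to everyone else. Paths, group names and the sample binary are constructed.

```python
"""Default-deny application allow-list evaluator ("guest list" for executables).

Added example for the whitelisting practice described above; it is not code
from the original article, nor Microsoft's AppLocker or Group Policy
implementation. Paths, groups and the sample binary are constructed.
"""
import fnmatch
import hashlib

# Constructed stand-in for a line-of-business tool approved by hash.
APPROVED_TOOL_BYTES = b"MZ constructed approved LOB tool, not a real executable"

# Allow rules; anything not matched is denied. Each rule applies only to users in
# one of the listed groups, which gives the per-group granularity the text mentions.
RULES = [
    {"type": "path", "pattern": r"C:\Program Files\*", "groups": {"Everyone"}},
    {"type": "path", "pattern": r"C:\Program Files (x86)\*", "groups": {"Everyone"}},
    # Windows itself is allowed for everyone, except the PowerShell directory...
    {"type": "path", "pattern": r"C:\Windows\*", "groups": {"Everyone"},
     "exceptions": [r"C:\Windows\System32\WindowsPowerShell\*"]},
    # ...which is re-allowed only for administrators.
    {"type": "path", "pattern": r"C:\Windows\System32\WindowsPowerShell\*",
     "groups": {"Administrators"}},
    # A tool that lives outside the standard locations is pinned by content hash.
    {"type": "hash", "sha256": hashlib.sha256(APPROVED_TOOL_BYTES).hexdigest(),
     "groups": {"Finance"}},
]


def _path_matches(path, pattern):
    # fnmatchcase on lower-cased strings gives case-insensitive matching on any platform.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def evaluate(path, content, user_groups, rules=RULES):
    """Return (allowed, reason) for launching `path` with bytes `content` as a member of `user_groups`."""
    groups = set(user_groups)
    digest = hashlib.sha256(content).hexdigest()
    for rule in rules:
        if not (groups & rule["groups"]):
            continue
        if rule["type"] == "path":
            excepted = any(_path_matches(path, exc) for exc in rule.get("exceptions", []))
            if _path_matches(path, rule["pattern"]) and not excepted:
                return True, f"path rule {rule['pattern']}"
        elif rule["type"] == "hash" and digest == rule["sha256"]:
            return True, f"hash rule {digest[:12]}"
    return False, "no matching allow rule (default deny)"


if __name__ == "__main__":
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    print("standard user:", evaluate(ps, b"", {"Everyone", "Users"}))
    print("administrator:", evaluate(ps, b"", {"Everyone", "Administrators"}))
```

Note that a hash rule fails as soon as a single byte of the binary changes, which is exactly the property that makes it safe for tools in user-writable locations, at the cost of having to re-approve every legitimate update.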
8: Implement email gateway security filtering
Despite the popularity of text messaging and social media, thanks to smartphone market growth, email is still number one for collaborating on all levels in the enterprise. And in the last decade, it has also been the number one source for malware delivery.
Even though administrators around the globe have worked to limit the delivery of unsolicited email, infected attachments, spam, and phishing campaigns are still delivered to millions of users each day.
One of the ways to stop these types of mail from entering your enterprise’s network is through the use of spam filters, which cut down on some of the bogus incoming mail. A second, more powerful solution is a dedicated email gateway filtering appliance, elaborated further in SECURE.IT: 10 Steps to Good Email Cybersecurity Hygiene.
These stand-alone devices sit on your private network between the firewall and the email server and inspect each incoming message destined for the email server. Using signature-, behavioral-, and heuristics-based scanners, the appliance drops rogue messages that match any of the multiple threat databases it queries.
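The Python below is an added illustration of the kind of inspection such a gateway performs, not code from the original article or from any gateway product. It combines signature checks (a block-listed sender domain, a known-bad attachment hash) with heuristics (a display name that impersonates the protected domain, a Reply-To that points elsewhere, macro-enabled or script attachments) and maps them to drop, quarantine or deliver. The protected domain, block lists and sample payload are constructed; the messages are built with the standard library's email package.

```python
"""Gateway-style inspection of inbound mail: sender, header and attachment checks.

Added example for the email gateway filtering practice described above; it is
not code from the original article or from any gateway product. Domains,
block lists and the sample payload are constructed.
"""
import hashlib
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                        # assumed protected domain
BLOCKED_SENDER_DOMAINS = {"bad-sender.invalid"}        # constructed reputation list
BLOCKED_ATTACHMENT_EXT = {"exe", "scr", "js", "vbs", "docm", "xlsm"}  # script/macro carriers
SAMPLE_BAD_PAYLOAD = b"constructed sample payload, not real malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_PAYLOAD).hexdigest()}  # constructed signature DB


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect(msg):
    """Return {'verdict': drop|quarantine|deliver, 'reasons': [...]} for one message."""
    hard, soft = [], []                       # hard: known-bad match; soft: heuristic
    sender_domain = domain_of(msg["From"])
    display_name, _ = parseaddr(msg["From"] or "")
    if sender_domain in BLOCKED_SENDER_DOMAINS:
        hard.append(f"sender domain {sender_domain} is block-listed")
    if INTERNAL_DOMAIN in display_name.lower() and sender_domain != INTERNAL_DOMAIN:
        soft.append("display name impersonates the internal domain")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != sender_domain:
        soft.append("Reply-To domain differs from From domain")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_ATTACHMENT_EXT:
            soft.append(f"attachment {name} has blocked type .{ext}")
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
            hard.append(f"attachment {name} matches a known-bad hash")
    verdict = "drop" if hard else ("quarantine" if soft else "deliver")
    return {"verdict": verdict, "reasons": hard + soft}


def build_message(from_header, subject, body, attachment=None, reply_to=None):
    """Construct a test message; attachment is (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = f"alice@{INTERNAL_DOMAIN}"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


# Constructed sample traffic: one clean message, one known-bad, one merely suspicious.
LEGIT = build_message("Bob <bob@partner.invalid>", "Invoice", "Attached.",
                      ("invoice.pdf", b"%PDF-1.4 constructed"))
MALICIOUS = build_message(f'"IT Helpdesk {INTERNAL_DOMAIN}" <helpdesk@bad-sender.invalid>',
                          "Urgent update", "Enable content to view.",
                          ("update.docm", SAMPLE_BAD_PAYLOAD))
SUSPICIOUS = build_message("Carol <carol@partner.invalid>", "Payment details", "See below.",
                           reply_to="carol@elsewhere.invalid")

if __name__ == "__main__":
    for m in (LEGIT, MALICIOUS, SUSPICIOUS):
        print(m["Subject"], inspect(m))
```

Separating hard and soft indicators matters operationally: a signature match is safe to drop silently, while heuristic hits should be quarantined where a mail administrator can release a false positive.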
9: Optionally train users to deal with modern security threats
Training, believe it or not, is one of the most effective prevention tools and actually helps make IT’s job a little easier. It isn’t a technical solution but a practical strategy. End users who are aware of threats and understand how to respond during suspected attacks can contribute significantly to your security efforts.
Consider a trained end user versus one who is unaware of existing threats. The latter will typically behave in ways that leave systems open to compromise, such as clicking links in emails from untrusted sources or leaving their computers unlocked while they’re away. In contrast, a user who has been trained will know how to identify potential threats and understand their role in properly documenting and reporting these issues to IT in a timely manner. After all, cybersecurity is everyone’s responsibility.
10: Monitor for unauthorized access to services, shares, and process threads
By default, most computing devices include some sort of activity logging. Often the type of logging can be configured, including frequency, level of detail and, just as important, retention period. Computers are certainly no exception, and let’s face it, Windows logs just about everything. So how will poring through hundreds or even thousands of pages of log files help prevent malware infections?
Prevention isn’t the key here; minimizing the impact of infection is. Malware infections have been known to create new services for persistence and file shares to store downloaded scripts, shells, and payloads on infected systems for ease of spreading the infection. And, of course, they can hide in plain sight by keeping the commands they execute on infected hosts in resident memory or nested among process threads.
In fact, actively monitoring servers and clients for anomalous behavior can yield indicators of compromise (IOCs) on local or remote systems early enough for IT to remediate before additional devices are compromised or payloads become far more devastating to the organization and its data.