In 2016, 76% of all websites actively scanned by Symantec contained known vulnerabilities. While down from 2015 (78%), this number is shockingly high (https://www.symantec.com/security-center/threat-report). Good cyber hygiene is an active stance. Recent hacks like WannaCry leverage the vulnerabilities of legacy systems and poor personal cybersecurity practices. Although most organizations have a deliberate and thoughtful approach to identifying and mitigating risk, practicing good cyber hygiene needs to be a component of a holistic approach to cybersecurity. Engility’s Cyber ENnovation Center lead Floyd McKinney discusses how some of his customers enhance their defenses.
As the news fills with cyber-attacks and data breaches, there are really two vulnerable communities: individual users and the business community. Many individual users view cybersecurity as someone else’s responsibility. They purchase and download security software and expect automatic updates, or they believe security is only within the purview of their Internet Service Provider; therefore they figure they’re protected. Similarly, many in the business community believe that once their IT department installs an Intrusion Detection System or security information and event management software, they’re protected from the various cyber threats presented by today’s sophisticated threat actors.
The truth is these actions must be part of a broad approach to cybersecurity, which includes good cyber hygiene practices. For example, using the dental hygiene parallel, your municipality may put fluoride in the public water to help reduce dental decay, and our parents likely taught us good brushing and flossing skills when we were younger; but at the end of the day it’s up to each of us to practice good dental hygiene, e.g., mouth rinsing, daily brushing and flossing and regular wellness visits to the dentist.
The Elements of Good Hygiene
Most companies and Government agencies have in place a well-thought-out patch management and configuration management approach, but good cyber hygiene-related activities include, but are not limited to, segmenting networks, enforcing compartmentalized (“need to know”) user permissions, enforcing strong password rules and bi- or multi-authorization procedures, ensuring firewalls are properly installed, updating both “white lists” and “black lists,” ensuring all antivirus and spamware protection software is properly installed, removing all unauthorized software and ensuring all firmware and software patches are current.
For individual users, millions are still using outdated systems. It’s those older systems that create vulnerabilities to the larger ecosystem. Most users are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part, or the need to establish and maintain their online safety. Cyber hygiene for the individual user is the online analogy of personal dental hygiene, and it encapsulates the daily routines, occasional checks and general behaviors required to maintain a user's online “health” (security). This would typically include (but is not limited to): using a firewall, updating virus definitions, running security scans, selecting and maintaining passwords (and other entry systems), updating software, backing up data and securing personal data.
Ironically, events like WannaCry and the Equifax breach help the general state of cybersecurity. It’s like seeing your neighbor’s basement flood and deciding to purchase that insurance you’ve been putting off.
Brush, Floss and Back Up Your System
For our cyber customers, it’s more complicated. It’s about managing cybersecurity with a multi-layered approach that encompasses people, processes and technology. Engility’s Cyber ENnovation Center (EC) helps customers address security requirements—from developing secure systems to providing vulnerability assessments on existing systems. Government and most businesses are thinking about defense in depth. They’re looking to isolate critical infrastructure from sophisticated cyber threats, which are constantly changing. For our customers, proactive cybersecurity measures include good cyber hygiene practices; improved cyber resiliency, which brings the areas of cybersecurity, business continuity and (organizational) flexibility and elasticity together; risk management and an understanding of how their individual networks (including weapons systems) are connected and how they might allow a vulnerability that may lead to a larger threat.
Engility and other Government contractors within the defense industrial base have a responsibility to follow suit with our customers, doing the things we need to do with respect to strong security practices, education and awareness. There is no risk-free environment, so we need to work through these events. Ultimately, achieving our cybersecurity means moving from merely an IT policy mindset to one that promotes an integrated, comprehensive cybersecurity strategy powered by policy, people, processes, governance and technology. This is where we can do our part to think through our risk landscape and manage it. Everyone must be an active participant in securing personal data and our cyber ecosystem. Increase your security IQ so you can make better decisions and reduce risky behavior. This expanded scope helps to eliminate the cyber gap between cybersecurity professionals, business and individual users, requiring all sides of the house to proactively align and present a united front against threat and incursion.