Why do we care about cyber hygiene? For starters, security pros want to ensure the operating effectiveness of basic controls and put in place a system of checks and balances between processes. Companies also want a foundation for more advanced technical security mechanisms, whose effectiveness is otherwise limited. They also want to detect blind spots in security management and monitoring, ensuring their scope covers all necessary factors.
But hackers usually follow the path of least resistance. While the 2019 Verizon Data Breach Investigations Report found that 52 percent of breaches featured hacking and 33 percent were social attacks, 21 percent were errors caused by casual events and 15 percent were misuse by authorized users.
In his presentation at InfoSec World 2020, "How to Implement the ‘Triangle’ of Network Security Management," Ryan Rodrigue, principal at Wolf and Company, laid out the three aspects of the triangle: asset, patch and vulnerability management.
Rodrigue believes asset management informs patch management, which in turn informs vulnerability management. With asset management, companies need to know everything in their environment, not just servers and workstations. Are security pros sure their inventory of that environment is complete and accurate? It should include all routers and switches, firewalls, printers, scanners and SANs.
Patch management, in turn, covers all hardware, software, firmware, appliances and IoT devices. Companies typically neglect a lot of areas, including third-party software, user-installed desktop applications, and non-server/non-workstation hardware. Security teams should ask how they update routers and switches. What about copiers, firewalls, digital cameras and IP-connected equipment? What about traveling laptops, and machines that are offline for long periods of time?
On vulnerability management, Rodrigue said it is a separate and distinct process from patch reporting. Annual third-party scans are not sufficient; companies need regular, ongoing, in-house vulnerability testing. He said to conduct full scans monthly at minimum. They can be staggered, continuous and risk-based.
Once companies focus on all these areas, they need to formalize the process. It should include the following: reporting and oversight, remediation tracking, and exception management (including mitigating controls, risk acceptance, and segregation of duties). Above all, it should become a true process, not just a task.
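The point of the triangle is that each leg exposes gaps in the others: the scanner finds devices the inventory never recorded, the inventory lists devices the scanner never reached, and the patch records show which of those devices are quietly aging. The following reconciliation script is an added example, not code from the talk or from Wolf and Company; the inventory, patch dates, scan dates and the 30-day scan and 90-day patch thresholds are all constructed for illustration.

```python
"""Reconcile the three legs of the triangle (asset inventory, patch status,
scan coverage) to surface blind spots. All data is constructed, not real."""
from datetime import date

# Constructed inventory: every networked device, not just servers/workstations.
INVENTORY = {
    "srv-01": "server", "ws-17": "workstation", "fw-edge": "firewall",
    "sw-core": "switch", "prn-3f": "printer", "san-a": "SAN",
}
# Constructed patch records: last patch date per asset (None = never recorded).
PATCHED = {
    "srv-01": date(2020, 3, 2), "ws-17": date(2020, 3, 5),
    "fw-edge": date(2019, 6, 1), "sw-core": None, "san-a": date(2020, 1, 10),
}
# Constructed scan results: last scan date per host the scanner saw.
SCANNED = {
    "srv-01": date(2020, 3, 1), "ws-17": date(2020, 3, 1),
    "fw-edge": date(2020, 3, 1), "cam-lobby": date(2020, 3, 1),
}


def reconcile(inventory, patched, scanned, today, max_patch_age=90, max_scan_age=30):
    """Return the gaps each leg of the triangle exposes in the others."""
    # Seen by the scanner but missing from the inventory: unknown devices.
    unknown = sorted(set(scanned) - set(inventory))
    # In the inventory but never scanned, or not scanned within the monthly cadence.
    unscanned = sorted(a for a in inventory
                       if a not in scanned or (today - scanned[a]).days > max_scan_age)
    # In the inventory with no patch record or a patch older than the threshold.
    stale = sorted(a for a in inventory
                   if patched.get(a) is None or (today - patched[a]).days > max_patch_age)
    return {"unknown_assets": unknown, "unscanned": unscanned, "stale_patches": stale}


def report(today=date(2020, 3, 15)):
    """Print and return the reconciliation for the constructed data set."""
    gaps = reconcile(INVENTORY, PATCHED, SCANNED, today)
    for kind, assets in gaps.items():
        print(f"{kind}: {', '.join(assets) or 'none'}")
    return gaps


if __name__ == "__main__":
    report()
```

Each list feeds the formal process described above: unknown assets go back to asset management, unscanned ones to scan scheduling, and stale ones to remediation tracking or a documented exception.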