Cyber Hygiene: Why the Fundamentals Matter
October 2019 • Presentation
Matthew J. Butkovic, Matthew Trevors, Randall F. Trzeciak
Software Engineering Institute
In this webcast, as a part of National Cybersecurity Awareness Month, our experts will provide an overview of the concept of cyber hygiene, which bears an analogy to the concept of hygiene in the medical profession. Like the practice of washing hands to prevent infections, cyber hygiene addresses simple sets of actions that users can take to help reduce cybersecurity risks. Matt Butkovic, Randy Trzeciak, and Matt Trevors will discuss what some of those practices are, such as implementing password security protocols, and how an organization can determine which other practices it should implement. Finally, they will discuss the special case of phishing—a form of attack that can bypass technical safeguards and exploit people’s weaknesses—and how changes in behavior, understanding, and technology might address this issue.
Good cyber hygiene is important because an organization's threat landscape changes daily, and new variants of attacks on computer systems appear by the hour. The sheer number of security vulnerabilities in hardware, software, and underlying protocols—combined with the dynamic threat environment—makes it nearly impossible for most organizations to keep pace.
Threats aren't only technological, either. Hackers and other bad actors are adept at social engineering to gain access to systems and the information they house. Social engineering attacks can be a sophisticated phishing campaign, a sob story delivered to a customer service representative over the phone, or even an individual on-site claiming to be fixing the HVAC but actually planting a wireless-enabled device. The IT department alone can't mitigate social engineering attacks. It's a responsibility shared by everyone, from the C-suite to the most junior staff members, and you might never get all personnel on board.
At the CERT® Division of the SEI, our approach to cyber hygiene involves identifying the commonalities among these cyber practices and aligning them with the resilience management practices in the CERT Resilience Management Model (CERT-RMM). Resilience management is the application of the methodologies of the CERT-RMM, which is a capability-focused maturity model. Resilience management can be expressed in terms of establishing organization-appropriate levels of protection and sustainment capabilities.