When I ask CISOs or IT Security Directors what their staff could use the most help with, the most common answer that I get is “Basic Hygiene.”
Basic hygiene? You know, the little things that have to be taken care of on a daily basis to prevent yuck from building up. In the case of InfoSec, yuck means risk, vulnerability, and of course technical debt. It’s the job of IT leaders to set and audit security policies, while it’s the responsibility of technologists not just to follow those policies but also to follow their spirit. If poor hygiene is top of mind for the CISO, then what can we all do to get better at the metaphorical brushing and flossing? What exactly does good security hygiene look like, and where are we all skimping on the floss?
Most IT organizations have good discipline around the basics of user-facing policy: strong password requirements, password rotation policies, limits on privilege escalation, valid SSL certificates, and reasonable access controls. Most of us have those dialed in. In general our users are behaving well, we pass our compliance audits, and those external penetration tests bounce off with only minimal remediation tasks taken away. We’re putting on a bright smile, but something still smells off. So where, and what exactly, is it?
The challenge comes with maintaining those same disciplines around ourselves. How many services share the same root password? How many of us use those root passwords for daily activities? How often are we changing those root passwords? How often do we apply good SSL discipline to things that are only IT-facing? How often do we ignore that SSL certificate warning before we access a management portal and input those escalated credentials? If we’re being honest, how would we ever know if a malicious user had captured those credentials? If they are used regularly and the passwords rarely, if ever, change, how do we audit their use, and how do we scope how long an attacker may have had use of them?
When you think about it, securing these services, portals, and passwords is far more important than regulating user behavior. We are, after all, stewards of the crown jewels, with the potential to access, export, ransom, or destroy everything in the kingdom. There’s a lot of irony in ignoring an SSL certificate error because we know better and we know that site is safe. How does that complacency translate into other areas where we are the user? How much more likely are we to ignore a certificate error simply because of false-positive fatigue?
How much more likely are we to reuse a password or a service account? We need to access 100 systems every day; who can remember all those passwords? And even if we use a password vault, who has time to rotate them and update all of their dependencies regularly?
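The two questions above, where a shared root credential is used and how long an attacker who captured it could still have use of it, are answerable with a small audit over two inputs that most shops already have: an inventory of which vault item each privileged login maps to, and the auth logs of the systems it unlocks. The following is an added example, not code from the original post; the inventory, the syslog-style lines, the `vault-NNNN` identifiers and the 90-day rotation threshold are all constructed for illustration.

```python
"""Audit shared privileged credentials: where each secret is reused, how stale it is,
and which sources have been using it. All data below is constructed for this example."""
import re
from collections import defaultdict
from datetime import date

# Constructed inventory: which vault item (credential_id) each service's privileged
# login uses, and when that secret was last rotated. Three services share vault-0042.
INVENTORY = [
    {"service": "switch-core-01", "account": "admin", "credential_id": "vault-0042", "last_rotated": "2022-01-15"},
    {"service": "switch-core-02", "account": "admin", "credential_id": "vault-0042", "last_rotated": "2022-01-15"},
    {"service": "hypervisor-a", "account": "root", "credential_id": "vault-0042", "last_rotated": "2022-01-15"},
    {"service": "backup-appliance", "account": "root", "credential_id": "vault-0117", "last_rotated": "2023-09-01"},
    {"service": "san-mgmt", "account": "admin", "credential_id": "vault-0201", "last_rotated": "2023-11-20"},
]

# Constructed auth lines in a simplified syslog-like shape (not real logs).
AUTH_LOG = """\
2023-12-01T08:02:11Z sshd: Accepted password for root from 10.1.5.23 on hypervisor-a
2023-12-01T08:40:57Z sshd: Accepted password for admin from 10.1.5.23 on switch-core-01
2023-12-02T22:15:03Z sshd: Accepted password for root from 203.0.113.77 on hypervisor-a
2023-12-03T09:12:40Z sshd: Accepted password for root from 10.1.5.31 on backup-appliance
2023-12-03T09:13:01Z sshd: Accepted password for admin from 10.1.5.23 on san-mgmt
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Accepted password for (?P<account>\S+) from (?P<src>\S+) on (?P<target>\S+)$"
)


def parse_auth_log(text):
    """Turn the constructed log text into a list of event dicts; unmatched lines are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(line) for line in text.splitlines()) if m]


def shared_credentials(inventory):
    """Map credential_id -> services, keeping only secrets reused by more than one service."""
    by_cred = defaultdict(list)
    for item in inventory:
        by_cred[item["credential_id"]].append(item["service"])
    return {cid: services for cid, services in by_cred.items() if len(services) > 1}


def credential_age_days(inventory, today):
    """Days since each secret was last rotated, i.e. the window a captured copy stays valid."""
    today = date.fromisoformat(today)
    return {
        item["credential_id"]: (today - date.fromisoformat(item["last_rotated"])).days
        for item in inventory
    }


def stale_credentials(inventory, today, max_age_days=90):
    """Credential ids whose age exceeds the rotation threshold (90 days is an assumed policy)."""
    ages = credential_age_days(inventory, today)
    return sorted(cid for cid, age in ages.items() if age > max_age_days)


def usage_by_credential(inventory, events):
    """Join auth events to the secret they unlocked via (target, account) and summarise use."""
    lookup = {(i["service"], i["account"]): i["credential_id"] for i in inventory}
    usage = defaultdict(lambda: {"logins": 0, "sources": set(), "first_seen": None, "last_seen": None})
    for ev in sorted(events, key=lambda e: e["ts"]):
        cid = lookup.get((ev["target"], ev["account"]))
        if cid is None:  # login to something not in the inventory: out of scope here
            continue
        entry = usage[cid]
        entry["logins"] += 1
        entry["sources"].add(ev["src"])
        entry["first_seen"] = entry["first_seen"] or ev["ts"]
        entry["last_seen"] = ev["ts"]
    return dict(usage)


def exposure_report(inventory, events, today, max_age_days=90):
    """Per secret: how stale it is, how widely it is shared, and where it has been used from."""
    shared = shared_credentials(inventory)
    usage = usage_by_credential(inventory, events)
    empty = {"logins": 0, "sources": set(), "first_seen": None, "last_seen": None}
    report = {}
    for cid, age in credential_age_days(inventory, today).items():
        used = usage.get(cid, empty)
        report[cid] = {
            "age_days": age,
            "stale": age > max_age_days,
            "shared_by": shared.get(cid, []),
            "logins": used["logins"],
            "sources": sorted(used["sources"]),
            "first_seen": used["first_seen"],
            "last_seen": used["last_seen"],
        }
    return report


if __name__ == "__main__":
    for cid, row in exposure_report(INVENTORY, parse_auth_log(AUTH_LOG), "2023-12-04").items():
        print(cid, row)
```

Run against the constructed data, the report shows vault-0042 as both shared across three services and 688 days old, with logins from two distinct sources in the sample window. That is the combination the questions above are asking about: the age gives the worst-case period a captured copy would have remained usable, and the source list is the starting point for deciding whether every use was legitimate. Pointing the same join at real vault metadata and real auth logs is the first step toward answering "how long could an attacker have had use of it?" with a number rather than a shrug.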
Believe me, I understand. It is a lot of work to perform all of this hygiene, and I know why so many of us aren’t doing it. So what do we do about it? It’s not as if admitting this suddenly gives us the time to perform all of these activities and change all of our behaviors. They are, after all, mostly born of practicality, not negligence.
I can tell you that there is no one good answer for everyone, but I can also tell you that there are some major 80/20 compromises that will improve things drastically. In many cases, these compromises not only result in a significantly better security posture but also save you valuable time that you could put to better use.
Check out my landing page for Practical Security: An 80/20 Approach to Fast-tracking Security Hygiene
Please feel free to follow me, contact me, or find me on social media and thanks for stopping by!