Why did plague doctors wear those strange beaked masks?
In the 17th century, people believed these outfits could purify poisonous air.
They were wrong.
“[…] physicians believed that the plague spread through poisoned air that could create an imbalance in a person’s humors, or bodily fluids. Sweet and pungent perfumes were thought to be able to fumigate plague-stricken areas and protect the smeller; nosegays, incense, and other perfumes were common in the era.
Plague doctors filled their masks with theriac, a compound of more than 55 herbs and other components like viper flesh powder, cinnamon, myrrh, and honey. De Lorme thought the beak shape of the mask would give the air sufficient time to be suffused by the protective herbs before it hit plague doctors’ nostrils and lungs.
In fact, plague is caused by Yersinia pestis, bacteria that can be transmitted from animals to humans and through flea bites, contact with contaminated fluid or tissue, and inhalation of infectious droplets from sneezing or coughing people with pneumonic plague.”
Every year security reports are published by many large companies, institutes, organizations, and enterprises. Every year I read a bunch of them, I have done so for quite a while, and I will keep doing so. And I recommend that you, reading this article, do the same. Go through a couple of the security reports published each year. There is nothing to lose, just intel and knowledge to gain.
In many of these reports, you will find similarities in the analysis of the threat landscape, the most targeted industries, the most common attack types, the most common risks, and so forth.
One thing that has stood out for years, and still does, is a subject that many security reports highlight (directly or indirectly) every year: Security Hygiene. That is the topic for today and what I will write about in this article.
In this article you will find how to do Security Hygiene correctly, and what is needed to build a strong Security Hygiene that stands the test of time.
THE PLAGUE & THE PLAGUE DOCTOR
To reduce the risk of being infected by the plague, keeping good hygiene was one of the preventive measures.
The plague doctors were in many cases regular people with limited or no knowledge of medicine. Some of the plague doctors were also new doctors starting their careers.
According to the internetz, plague doctors rarely cured patients.
Security Hygiene in this article refers to the practices an organization applies to keep its digital identities, employees, information systems, assets, data, intellectual property, and so forth safe, secure, and protected.
Compare Security Hygiene to hygiene for humans, i.e. staying fresh and healthy: simple things like washing your hands, exercising regularly, and getting those 6-8 hours of sleep each night; getting some sunlight and fresh air, and eating healthy food. You get it at this point.
Typical security hygiene-related things include, for example:
- Patch and vulnerability management
- Configuration and change management
- Email security
- Device security
- Security awareness
- Web browser security
- Identity and access management
Throughout the years since I started my career, more than two decades ago, not all of these things were considered security hygiene. Nothing strange there. Security does not operate in a vacuum. The threat landscape is not frozen for periods of time. It is the total opposite. It steadily changes and gets more advanced and aggressive. It evolves.
Walking down memory lane, Identity and Access Management (IAM) was, ~20 years back, not something that fit into the category of security hygiene. I was fortunate in the early days of my career to get started working for one of the largest IT companies in the Nordics. At this place, IAM was already a very mature security capability. Sadly, this company no longer exists.
To my disappointment, when I chose to take on new adventures helping other organizations, it became very obvious to me that IAM was not something that could be taken for granted. IAM was not something that, back in those days, fit into every organization's security hygiene. This is still the case and something observed in many security reports.
Read through those security reports and you will see what I mean. Still today, in 2023, organizations suffer from not being able to manage their identities and accesses adequately and securely, which results in breaches, leaked data, insider threats, and so forth. Risks related to IAM are still, and have for many years been, considered among the most common security risks. Now, in 2023, the technology, skills, processes, and methodologies for managing IAM are very mature, but many organizations still struggle with the area.
Yes, there is a skill gap in the security field, but all these security risks in these reports cannot be blamed on the skill gap and put forward as the reason why they still, today, appear in the upper portion of the yearly security reports. The skill gap and poor succession planning are a security risk on their own, as I see it.
If you are interested in reading more about risk and get better understanding of what a security risk is, check this article out What is Risk? Modeled & Explained.
One of the main reasons, in my personal opinion, why risks related to IAM are still so common is that IAM projects are in many cases approached as IT projects. They become primarily technology-centric. And, to some extent, when the technical components and the processes in these projects are implemented, the project is considered complete. But that is not how IAM or security works.
The technological solutions are there to do the job behind the curtains and to abstract the IAM processes (for example on-boarding, off-boarding, entitlement management, access reviews, etcetera).
But managing identities and accesses is something closely related to the organization. It is the organization that owns the identities and accesses. It is not the IT, security department or a project that owns the identities and accesses consumed and used across the organization.
The IT and security departments and the implementation project should, though, make sure the organization's requirements are fulfilled and align the IAM landscape with the security processes, guidelines, and procedures. To make IAM a success in any organization, it requires participation from IT, security, and the business. It is with the help of all the relevant stakeholders that adequate capabilities (processes, skills, methodologies, security principles, procedures, and so forth) are established and aligned with the needs of the organization.
Yes, I speak a lot about "the organization". The reason is that the identities and accesses are consumed by the employees in the organization, and that is where the ownership resides. That is where the risks reside. Technological solutions are one part of the equation, but they will not make all the IAM-related risks evaporate.
If security keeps being seen as an isolated, purely technology-driven discipline, the security reports will continue to reflect the pattern described above. Security is not only about technology. It is not something that is owned by IT, nor a responsibility that resides only in the security department. Security is not a vertical within the organization that lives its own life. Security is, and shall be, a supporting function in an organization.
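The access-review process mentioned above is one of the IAM processes that can be partly automated without taking ownership away from the organization: the script produces findings, and the business owners decide. The following is an added example, not code from the original article, that reconciles a (constructed) identity-provider account export against a (constructed) HR roster and flags the three gaps that show up most often in practice: enabled accounts whose employee has left (off-boarding gaps), accounts with no named owner, and privileged accounts that have gone dormant. The data model, field names and 90-day dormancy threshold are assumptions chosen for the example.

```python
"""Added example: automated access-review findings from an IdP export
and an HR roster. All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]          # HR employee id; None = nobody owns it
    enabled: bool
    entitlements: FrozenSet[str]
    last_login: Optional[date]       # None = never logged in


# Constructed HR roster: employee id -> (department, still employed?)
HR_ROSTER: Dict[str, Tuple[str, bool]] = {
    "E100": ("finance", True),
    "E101": ("engineering", True),
    "E102": ("engineering", False),  # left the company
}

# Constructed IdP export (as it would look after an incomplete off-boarding)
ACCOUNTS: List[Account] = [
    Account("alice", "E100", True, frozenset({"erp-read"}), date(2023, 5, 2)),
    Account("bob", "E101", True, frozenset({"prod-admin"}), date(2022, 9, 1)),
    Account("carol", "E102", True, frozenset({"erp-admin"}), date(2023, 4, 20)),
    Account("svc-backup", None, True, frozenset({"prod-admin"}), date(2023, 5, 3)),
    Account("dave", "E102", False, frozenset({"erp-read"}), date(2021, 1, 1)),
]

# Entitlements the organization has classified as privileged (assumed set)
PRIVILEGED: FrozenSet[str] = frozenset({"prod-admin", "erp-admin"})


def review(accounts: List[Account],
           roster: Dict[str, Tuple[str, bool]],
           today: date,
           dormant_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for the owners to act on.

    Disabled accounts are skipped: they are already off-boarded and only
    clutter the review. Findings are sorted so the output is stable.
    """
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue

        # Off-boarding gap: employee is gone (or unknown to HR) but the
        # account is still enabled. This is the classic "orphaned account".
        if acct.owner_id is None:
            findings.append((acct.username, "unowned"))
        elif acct.owner_id not in roster or not roster[acct.owner_id][1]:
            findings.append((acct.username, "orphaned"))

        # Dormant privileged account: high impact if abused, nobody would
        # notice the abuse because the legitimate user never logs in.
        is_dormant = (acct.last_login is None
                      or today - acct.last_login > dormant_after)
        if is_dormant and acct.entitlements & PRIVILEGED:
            findings.append((acct.username, "dormant-privileged"))

    return sorted(findings)


def privileged_holders(accounts: List[Account]) -> List[str]:
    """Enabled accounts holding any privileged entitlement, for the
    periodic recertification list the business owners sign off on."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.entitlements & PRIVILEGED)


if __name__ == "__main__":
    for user, finding in review(ACCOUNTS, HR_ROSTER, date(2023, 5, 10)):
        print(f"{user:12s} {finding}")
    print("recertify:", ", ".join(privileged_holders(ACCOUNTS)))
```

The output is a work list, not a remediation: who disables `carol`, who becomes the named owner of `svc-backup`, and whether `bob` still needs `prod-admin` are decisions for the owning department, which is exactly why the review has to be scheduled and signed off as a process rather than run once as part of an implementation project.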
One of the core instruments a security team uses to support an organization from a security perspective is systematic risk management. If you want to know more about the subject, I recommend you take a look at this article: What is Risk Management?
The first and most obvious step toward security hygiene is, of course, to implement security controls (technical, administrative, physical) in the organization to close the gaps and reduce the weaknesses, i.e. to reduce the risk. But it cannot stop there; having things implemented is only one part of the magic.
The "implementation" is one part of the overall lifecycle. It is not the end game. The "implementation" is, rather, the middle game. The starting point is to identify the potential gaps in security controls and, from that, craft the requirements before implementation takes place.
It might seem obvious, but it is worth saying these words. Security had not reached the state of a technological singularity at the time this article was written. We are approaching that horizon to some extent, I would say. The pace of technological advancement will only get faster. The evolution is exponential. This is not something I have come up with on my own. This is what history tells us about how technology transforms, and it is also what smarter people than myself have predicted for decades.
|Gordon Moore & Ray Kurzweil|
I recommend reading a little about Gordon Moore and Moore's law.
If you found that interesting, also read the publications of Ray Kurzweil.
In short, what I mean by this is that security and technology are not at the point of being self-recursive or self-healing. Some parts are more AI-supported, but this does not apply to the majority of things, not even those considered security hygiene. Adding further functionality or solutions to the technology stack will not make all the bad things go away. In the worst case it leads to the opposite: another solution that needs to be maintained and operated. And if the organization is already suffering from not having an adequate amount of resources in terms of people, adding more technology will not be a helpful, smart, or sustainable solution.
For example, just implementing a SIEM solution today will not give your organization much value realization or benefit. You will get loads of alarms and signals, though. But if you do not have the resources (people, processes, and technologies) in place to act on those alarms and signals, it is like setting money on fire. Just another blinking appliance installed, and more stress added to the team by handing them yet another security console to operate.
To make sure security hygiene is maintained and kept in alignment with an organization's demands and requirements, it needs to be continuously improved. When things have been established and implemented is when the actual work starts. This is where the magic happens. The establishment and implementation closed the identified security gap, but that does not in any way mean it is closed forever.
The threat and attack landscape continuously evolves, and for this reason security, whether it is about hygiene or not, needs to follow the same principle. Security shall undergo continuous improvement.
I have unfortunately many times seen that these security controls, especially those related to security hygiene, do not undergo continuous improvement. They tend to be treated as a check-the-box exercise, something like the mentality of "Installation completed = Now we are secure".
These forms of security implementations and improvements do not provide any sustainable effects. This is another reason why we still see risks related to security hygiene appear high up in the security reports. They are treated as implementation projects without an operational lifecycle.
Increasing an organization's security control stack, from a people, process, or technology perspective, without investing any resources in continuous improvement will only provide temporary effects and value realization.
PDCA (Plan, Do, Check, Act) is one of many processes that do the job when it comes to continuous improvement. ITIL, COBIT, and other well-known frameworks have their own adaptations. The fundamentals are, though, the same.
Choose a process and methodology that fits the needs of your organization. PDCA is one, but it shall not be seen as the "one and only solution". And make sure to integrate continuous improvement as a discipline into your operational security.
Also, keep in mind that the things listed and categorized as security hygiene today will not be the same in, for example, 5 years. The list will most likely evolve and contain more sophisticated security controls. It may be somewhat comparable to how it looks today, but it will for sure evolve.
Personally, I think that 24/7×365 Detection and Response Management capabilities, i.e. SOC/DART/MDR*, shall today be categorized as a fundamental security control. It should be something that is seen as security hygiene, as I see it. This is not the case in reality. Many organizations still lack this form of capability, and the capability, i.e. SOC/DART/MDR, is not spoken about as something related to security hygiene.
But my prediction is that this will change. If you are not able to detect anomalies, deviations, abnormal patterns, and things like that in your organization, how will you be able to respond to them? Without that form of insight you are, more or less, blind to what is happening. And being blind and shooting with a shotgun when chasing bad guys is not an effective way of doing defensive security.
Security needs to be managed with a proactive approach and methodology. The name of the game is continuous improvement. This is the correct way of doing security, hygiene-related or not.
*SOC stands for Security Operations Center, DART stands for Detection and Response Team, and MDR stands for Managed Detection and Response.
For the sake of simplicity, the acronyms are used interchangeably in this article, but there are some differences.
The one thing they have in common is that they are all categorized as Detection and Response Management capabilities.
The security threat and attack landscape operates 24/7×365, and it advances continuously. For this reason, we as defending organizations need to do the same. We need to be proactive, adapt, and continuously improve.
Make sure to do the things that better balance the scales for you as a defending organization against the threats targeted at you, both from outside and inside your organization. The adversaries will not put their attacks on pause just because your organization has weaknesses in its security posture. The opposite is more likely: if a bad guy identifies a weakness in your defenses, the likelihood of bad things happening increases.
So, what do plague doctors have to do with security hygiene? I think they look somewhat cool, to be honest. And besides looking cool, these doctors back in the day thought that stuffing their masks with different herbs and things that smell good protected them from getting infected by the plague. That was what was believed to be good protection at the time. As time passed, we as humans came to know better. Medicine and doctors have adopted new methods and no longer hold on to old beliefs. Science and empirical knowledge have helped us mature in the field of medicine.
To some extent, the security industry, like every other industry, has its own plague doctors. These are the persons who hold on to the dangerous belief of "we have always done it this way here". These are the persons who tell you that this or that magic potion, i.e. a single security control, will heal your organization. These are the security professionals who tell you they have the exact formula for defeating the bad guys out there.
There are no magical unicorn solutions out there that solve all the vulnerabilities or mitigate all the risks for your organization. There are, though, better and worse ways to do security.
The better way to do security, hygiene-related or not, and gain sustainable effects within your organization is to ensure improvements are made in a continuum. This includes sanctioning investments, time, and resources to make sure the humans, processes, and technologies within your organization undergo continuous security improvement. And I strongly recommend that you integrate the work around continuous improvement of security into your operational work. Yes, it should be a tactical and strategic task as well. But most of the effect is gained if it is a day-to-day task and mindset.
Security hygiene needs to encompass all three elements of security: humans, processes, and technologies. It is not enough to just educate the employees if large security control gaps exist, or the other way around. And it is not enough to do these things only once.
Staying on top of the security game is very similar to any team sport. You and your team (security professionals, employees, leadership, and the business within your organization) need to undergo continuous improvement. As a team, improve together in a continuum. This is what security is about.
Becoming "secure" is not a destination; it is a journey that needs to keep going in a continuum. Doing security is a team sport.
“Team on me, Team on three.
One, two, three.