Topics from Cybersecurity Bootcamp #1 – Cyber Hygiene

bootcamp_signThis past week I was privileged to attend Stanford’s inaugural cybersecurity boot camp, where two dozen congressional staffers joined academic and industry experts to discuss ways to protect he government, the public and industry from cyber threats.

For me, it was encouraging to see congressional staff members deeply engaged in security and threat discussions on a range of cybersecurity topics and it was a good reminder of how broad a topic it really is.  With that in mind, I thought it would be interesting to extract a few of the topics from the boot camp and discuss them more deeply here on the security blog.

Dr. Jane Holl Lute on Cyber Hygiene

The opening session for the boot camp was led by Dr. Jane Holl Lute, a former deputy secretary of Homeland Security, current president of the Council on CyberSecurity (CCS), and a consulting professor at Stanford's Center for International Security and Cooperation.

Dr. Lute told the bootcamp participants that the Internet is about the power to connect, not to protect, and stressed the importance of cyber hygiene in mitigating threats. 

She emphasized the idea that industry and government can do better – that we know a lot, but we're just not doing it. When asked questions about the path forward, Dr. Lute repeatedly evangelized the need for companies to carry out basic cyber hygiene and promoted the core priorities launched in a Cyber Hygiene Campaign earlier this year by the CCS and the Center for Internet Security (CIS), working with the National Governors Association Governors Homeland Security Advisors Council.

Council on Cybersecurity’s Critical Security Controls

Dr. Lute, in her work with the Council on Cybersecurity, has worked on defining, publishing and updating guidance in the area of security controls since 2009.  The latest publication is “The Critical Security Controls for Effective Cyber Defense v5”, available for download The publication is key to the first phase of their Cyber Hygiene Campaign, which prioritizes the top five actions that address the most critical areas - which the campaign asserts can prevent 80 percent of all known attacks.

NOTE: I've searched for a reference or study that establishes the 80 percent claim and haven't found anything related to the CCS security controls. I speculate that the number and associated claim may be derived from the correlation with the Australian DSD4 controls - see below for more details on this.

The prioritized controls identified by the campaign are:

  1. Inventory authorized and unauthorized devices
  2. Inventory authorized and unauthorized software
  3. Develop and manage secure configurations for all devices
  4. Conduct continuous (automated) vulnerability assessment and remediation
  5. Actively manage and control the use of administrative privileges

In my personal opinion, these are easy to articulate, but relatively high level in terms of putting into operation.  Because of that, I call out the “First Five Quick Wins” recommended in the Critical Security Controls document. The document recommends these five sub-controls as having the most immediate impact in mitigating attacks:

  • application whitelisting (CSC 2)
  • use of standard, secure system configurations (found in CSC 3)
  • patch application software within 48 hours (found in CSC 4)
  • patch system software within 48 hours (found in CSC 4)
  • reduce number of users with administrative privilege (CSC 3 and CSC 12)

Coincidentally, these align closely with the top 4 mitigation strategies for which the Australian Signals Directorate won the 2011 U.S. National Cybersecurity Innovation Award.

Australian Signals Directorate Strategies to Mitigate Targeted Cyber Intrusions

In February 2010, the Australian Defence Signals Directorate (DSD) published a list of 35 strategies to mitigate against targeted cyber intrusions they had analyzed in 2009.  They found (archived copy of 2010 report) that at least 70% of intrusions that the DSD responded to in 2009 could have been prevented if organizations had implemented their first four controls. In July 2011, the DSD published an updated report (archived copy of 2011 report) that found that the top four strategies would have prevented at least 85% of the intrusions the DSD responded to during 2010.

The latest report (February 2014) now generally asserts that the effectiveness of the top four strategies remains high and would have, if implemented as a package, mitigated at least 85% of cyber intrusions which the Australian Signals Directorate (ASD) responds to. The top four strategies are:

  1. application whitelisting of permitted/trusted programs
  2. patch applications. patch/mitigate “extreme risk” vulnerabilities within two days. use the latest versions.
  3. patch operating system vulnerabilities. patch/mitigate “extreme risk” vulnerabilities within two days. use the latest suitable operating system.
  4. restrict administrative privileges to operating systems and applications based upon user duties.  users should use a separate unprivileged account for email and browsing.

Final Thoughts and Considerations

Whether we are talking about the Council on Cybersecurity security controls or the DSD mitigation strategies, there is clearly some industry alignment on the best practices for threat mitigation that organizations should be prioritizing. I agree and endorse these “cyber-hygiene” basic steps.

But … what about individual users?

The security controls and mitigation strategies are all targeted at organizations.  Government departments or private sector enterprises can and should implement them and yes, that does have a cumulative beneficial effect on the ecosystem, but it doesn’t really provide actionable guidance for individual users.

Would similar cyber hygiene steps help with home users? Everyone loves to talk about the threat from zero-days, but when my colleagues and I analyzed real world exploits in our 2011 Security Intelligence Report, we found that less than 1 percent of exploits in the first half of 2011 were against zero-day vulnerabilities — software vulnerabilities that are successfully exploited before the vendor has published a security update or “patch.” In contrast, 99 percent of all attacks during the same period distributed malware through familiar techniques, such as social engineering and unpatched vulnerabilities. Basically, we found that the most common threats can be mitigated through good security practices by individuals too.

So, in closing, let me translate the “DSD top 4” into some cyber hygiene guidance that individual users can apply:

  1. Only install applications from reputable sources, such as the official device Stores or boxed product from known, reputable vendors.  Avoid “alternative app stores” and untrusted download sites and especially avoid “cracked” software, as they are frequently compromised with malware.
  2. Accept application updates when available, especially from official app stores. Do not accept offered updates from web sites, instead initiate updates yourself using official updaters or at the vendor web site.
  3. Turn on operating system auto-updates and accept them when notified. Make sure you shut down and reboot on any day when you are notified of an update to ensure they are applied.
  4. Use a standard user account for all day-to-day computing.  Have a separate dedicated admin account for performing administrative tasks and only use it for that.

Just like the DSD has 35 mitigation strategies and not just the top 4, there are other things that individuals can do beyond these four (e.g. antivirus software), but these would be a great start for individual cyber-hygiene.

Best regards, Jeff (@securityjones)

Cross-posted from the original on the Microsoft Security Blog.