So, I just missed a week of work because of the flu (it wasn’t COVID, I got tested). The flu SUCKS. It’s awful. Fever, aches, chills, uncomfortability, irritability…and sitting around doing ABSOLUTELY NOTHING. That last one might actually be the worst part. It *sounds* fun at first, but after a day or two, it gets pretty annoying. All last week, I couldn’t get off the couch. While I like to watch movies and play video games, etc., I would still prefer to be doing something a little more useful with my time.
Anyway, the flu sucks. What’s a good way to avoid the flu and other illnesses like it? Wash your hands. Cover your face when you cough. Wear a mask in public, if that’s your thing. Don’t hug your kids when they’re coughing and touching everything, especially after a school dance where it spreads like wildfire. In other words, simply practice proper hygiene! Proper hygiene is important, and can help keep you healthy!
The point is, good hygiene is one of those weird things that everyone THINKS they know how to do properly, but so many people don’t. The same goes for proper cyber hygiene on your networks too.
What is cyber hygiene?
Hygiene is defined as the science that deals with the preservation of health, or a beneficial or recommended practice or set of practices. Obviously, I’m talking about the latter definition, however, the first one can apply as well. Cyber hygiene is a fairly easy set of steps that organizations can take to protect themselves during attacks. Note that I didn’t say that it would PREVENT attacks. The idea isn’t that a company will keep attacks from happening, but that attacks are just another part of the usual flow of business - just like getting coffee and donuts for the office in the morning. However, these attacks don’t have to be as painful as staring down that last donut in the breakroom at 2pm that’s grown cold and stale.
Now, I’ve been preaching on the CIS Top 18 Security Controls for a long time now, and the reason is because they JUST WORK. If an organization is following the controls, then they’re probably practicing some form of cyber hygiene already. Today, I’m going to list some of the controls that will help prevent guys like me from gaining access to your network, or at least limit what I can access IF I access your networks. Just implementing a few of these can greatly decrease your overall attack surface and help you gain more control of your network.
Attacks are gonna happen.
But first, before we talk about what controls you can implement, let’s take a look at what can happen when these controls aren’t implemented (or not implemented correctly). Here’s just some of the attacks that can be successful when not practicing good cyber hygiene.
Ransomware - I don’t really think I need to explain this one. Ransomware is bad. It attacks file shares and encrypts everything it can, asking for money to decrypt the files to gain use of them again. Simple enough. I’ve personally been involved in two different ransomware attacks as an IT Manager in a previous life, and let me tell you - if you haven’t had an attack like that yet, they’re not fun. Good backups are KEY if this attack happens to you. And if you don’t have good backups, well, God help you.
Phishing Attacks - email phishing attacks are fun (for the bad guys, or fake bad guys like us), especially when they work. There’s a few different types of phishing attacks, but I’m going to focus on the ones that deliver malware and the ones that gain credentials (usernames and passwords) from users. As an attacker, we LOVE it when we get credentials from a phishing attack. It opens up SO MANY DIFFERENT avenues for us, including access to VPNs, Citrix servers, email accounts, among others.
IoT Attacks - this one is a little different, because it’s primarily attacks on infrastructure that honestly shouldn’t exist on an external network (or an internal network that’s not segmented off). However, a quick Shodan.io search for IP cameras will show just how many organizations have IoT devices on their network, and they don’t realize it. Often these devices have weak/default passwords, or NO passwords, and even weaker internal coding. I’ve seen IoT devices get attacked and used as a pivot point into the internal network, which then leads to even bigger issues.
Cloud Attacks - In the grand scheme of networks, cloud is still relatively new, however, often it’s more secure than many internal networks. So, why is it listed here? Well, cloud misconfigurations are possible, and when exploited, can be BAD. These kinds of attacks include insecure APIs, cloud storage misconfigurations, open AWS S3 buckets, stolen keys, etc. We’ll go a little deeper into cloud attacks and exploits in a future Quick Bites. :)
Account Hijacking and Password Spraying — This is one of my absolute favorite attacks. Password spraying is an attack where you take a single password (or a very small list of them) and a LARGE group of known* user accounts, and try every account with one password at a time. It’s the opposite of a password brute force attack, where you take a known account and throw 17,000,000 passwords at it to try to figure out if one works. Password spraying is FUN. It’s incredibly effective when an organization uses some weak passwords for new users…and those users don’t change the password. Or, they change it, but they just added or changed one character. What passwords, you ask? How about these:
- …you get the idea
Any of these attacks can lead to data breaches, data destruction, brand disreputation, even bankruptcy and death of the business. Now that we have an understanding of what can happen, let’s look at how to mitigate quite a few of these attacks.
Now, I mentioned the CIS Top 18 Security Controls earlier. Not all of the following are a part of these controls, but I feel like they line up fairly well with or alongside the Top 18. I also want to point out that none of these controls are mutually exclusive, as oftentimes they bleed over into each other because of how they’re designed, depending on the system and how your organization is set up.
Password Management - Specifically, I’m talking about usernames and passwords here. Typically, this is the first defense against many attacks. Controls for the length, complexity, and age of passwords are great. However, has anyone taken into consideration some criteria that SHOULDN’T be used for passwords in your organization? One of the password attacks that we often use center around the organization’s name. As an example, if your organization’s name is ACME Corp, how many users’ passwords have some form of the name in their password? I’d bet it’s more than a few. One of the passwords I use for a spray typically has the company name (or the company nickname) in it, with the year, and potentially a symbol at the end of it. And it works fairly often.
Email Defenses – Spam filtering is important. Period. Know what else is important? Filtering out emails that claim to come from inside your organization. Hey, I get it, sometimes, that’s just not feasible. One of the things that I’ve seen a lot lately is organizations which put headers in the top of an external email, warning the user that the email is external. Many of them state “Hey, don’t open anything from this email without being absolutely sure that it’s valid and legit. Don’t be stupid!” I hear you saying, “what if a phishing email comes from inside the organization?”...you might wanna check on that. That’s bad.
Malware Defense – Malware includes viruses, trojans, ransomware, and any other bad software which wreaks havoc. There’s many ways to get malware, and many ways to AVOID getting malware. Antivirus has evolved now into new solutions like endpoint detection and response (EDR), managed EDR (MDR), and extended managed EDR (XDR). There are several excellent solutions out there, find one that suits your needs.
Asset Inventory – Software and Hardware – Listen, I’m not gonna harp on this one. You either know everything that exists on your network, or you don’t. (And I’m guessing that you don’t. Look into that.)
Access Controls – This picks up where Password Management leaves off. Access controls are looking more at Identity and Access Management (IAM). According to CIS Control 6 - Access Control Management, this includes
processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. 
Basically, while password management is more about, well, passwords, this one is more focused on the accounts themselves. How and when to set up accounts, and of course, how to manage and kill the accounts when necessary.
Sidenote - Honestly, as an attacker, I love accounts that are set up and never used, because they’re often not monitored either. Let that one sink in for a bit.
Data Recovery (Backups and Disaster Recovery) – I kinda figure if you’re reading this, you know how important backups are. If you don’t, then let me explain. Backups are VITAL for an organization’s success. Not only are these crucial to have in the event of an attack, specifically a ransomware attack, but let’s say your business exists in some fairly volatile area.
As an example, I live in Oklahoma, right in the big middle of Tornado Alley. Tornado Alley is called such because of the sheer number of twisters that hit around here yearly. If my business didn’t have good backups and I got hit by one of these, it’s game over. Do not pass Go, don’t collect $200. My entire business and everything with it would be gone. Over. Done.
The Secure Ideas office is in Jacksonville, FL, and if you’ve been paying any attention to the news of hurricanes in Florida (or anywhere down in that region) lately, you’ll know that there’s several places that have been flooded, which is catastrophic.
Having a good disaster recovery and business continuity (DR/BC) plan, which includes backups, is the best plan to recover from a catastrophic event. It’s also SUPER important to TEST your DR plan to make sure it’s going to work. So, create your DR plan (if you don’t have one), set up your backups, and make sure that can be restored on a regular basis. It’s simply good hygiene.
And so what have we learned?
Well, what have we learned today? Honestly, I’m not talking about anything that we haven’t talked about for years now regarding good security for your network. I believe Paul Asadoorian said it best years ago on Security Weekly (and I’m paraphrasing here, sorry Paul :)) - “Good network security is just good system administration. It’s that simple.”
With that being said, good system administration is simply following best practices …which is good cyber hygiene.
And remember to WASH YOUR HANDS.
* These may not be known usernames, but if you can gather enough data about the username scheme for an organization, you can figure out how to compile a large list of usernames that might work.