In discussions about cyber defense, we often hear the term “cyber hygiene.” The general notion is that a lack of good cyber hygiene is at the heart of most cyber-attacks.
The phrase plays off commonly accepted ideas in personal hygiene and public health. That is, a number of relatively simple, well-defined personal actions (like brushing your teeth, washing your hands, getting vaccinated, or “social distancing”) provide significant value – but not a complete cure – for many health problems. That value accrues both to the individual and to the population as a whole. Each of these steps is simple enough to describe, but their real value is that they translate highly specialized science and knowledge (e.g., the transmission vectors of disease) into specific personal action.
The same general notion applies in cyber defense. Almost all successful attacks take advantage of conditions that could reasonably be described as “poor hygiene,” including the failure to patch known vulnerabilities, poor configuration management, and poor management of administrative privilege. This does not mean that system operators and users are lazy, or don’t care. At the Center for Internet Security (CIS), we attribute these failures primarily to the complexity of modern systems management, as well as a noisy and confusing environment of technology, marketplace claims, and oversight/regulation (“The Fog of More”). Defenders are just overwhelmed. Therefore, any large-scale security improvement program needs a way to bring focus and attention to the most effective and fundamental things to be done.
Most of the literature of cyber hygiene fails to define the term, or simply illustrates the idea with a few examples. But, this leaves cyber hygiene as a “notion” or a general exhortation to do better (“cheerleading”). To get large-scale security improvement, we need to prioritize and focus the attention of the entire cyber ecosystem of users, adopters, suppliers (vendors), as well as authorities (like governments, regulators, the legal system) around a specific action plan – one that is backed up by implementation guidance, measurements of success, and a marketplace of tools and services.
Our recent introduction of Implementation Groups in Version 7.1 of the CIS Controls provides a basis for this approach. Implementation Group 1 (IG1) is a specific set of Sub-Controls (also known as safeguards) chosen from the overall CIS Controls. IG1 is a foundational set of actions for every enterprise, especially those with limited resources or expertise. The safeguards in IG1 can be the basis for an action plan for basic cyber hygiene, with an accompanying campaign, that has all the ideal attributes:
- covers both organizational and personal behavior
- the actions are specific and easily scalable
- the effect on preventing, detecting, or responding to attacks can be stated
- no detailed domain knowledge or execution of a complex risk management process is necessary to get started
- these safeguards can be supported with a marketplace of tools for implementation and measurement
- the actions provide an “on-ramp” to a more comprehensive security improvement program
By using IG1 as the definition of basic cyber hygiene, we make security improvement accessible to all enterprises in a way that is backed by the same analysis that underpins the Controls, and the same marketplace of tools, services, and training. And when appropriate, this approach is a natural on-ramp to the overall CIS Controls.
Article Provided By: Center for Internet Security