This past week I was privileged to attend Stanford’s inaugural cybersecurity boot camp, where two dozen congressional staffers joined academic and industry experts to discuss ways to protect he government, the public and industry from cyber threats.
For me, it was encouraging to see congressional staff members deeply engaged in security and threat discussions on a range of cybersecurity topics and it was a good reminder of how broad a topic it really is. With that in mind, I thought it would be interesting to extract a few of the topics from the boot camp and discuss them more deeply here on the security blog.
The opening session for the boot camp was led by Dr. Jane Holl Lute, a former deputy secretary of Homeland Security, current president of the Council on CyberSecurity (CCS), and a consulting professor at Stanford's Center for International Security and Cooperation.
Dr. Lute told the bootcamp participants that the Internet is about the power to connect, not to protect, and stressed the importance of cyber hygiene in mitigating threats.
She emphasized the idea that industry and government can do better – that we know a lot, but we're just not doing it. When asked questions about the path forward, Dr. Lute repeatedly evangelized the need for companies to carry out basic cyber hygiene and promoted the core priorities launched in a Cyber Hygiene Campaign earlier this year by the CCS and the Center for Internet Security (CIS), working with the National Governors Association Governors Homeland Security Advisors Council.
Dr. Lute, in her work with the Council on Cybersecurity, has worked on defining, publishing and updating guidance in the area of security controls since 2009. The latest publication is “The Critical Security Controls for Effective Cyber Defense v5”, available for download http://www.counciloncybersecurity.org/critical-controls/. The publication is key to the first phase of their Cyber Hygiene Campaign, which prioritizes the top five actions that address the most critical areas - which the campaign asserts can prevent 80 percent of all known attacks.
The prioritized controls identified by the campaign are:
In my personal opinion, these are easy to articulate, but relatively high level in terms of putting into operation. Because of that, I call out the “First Five Quick Wins” recommended in the Critical Security Controls document. The document recommends these five sub-controls as having the most immediate impact in mitigating attacks:
Coincidentally, these align closely with the top 4 mitigation strategies for which the Australian Signals Directorate won the 2011 U.S. National Cybersecurity Innovation Award.
In February 2010, the Australian Defence Signals Directorate (DSD) published a list of 35 strategies to mitigate against targeted cyber intrusions they had analyzed in 2009. They found (archived copy of 2010 report) that at least 70% of intrusions that the DSD responded to in 2009 could have been prevented if organizations had implemented their first four controls. In July 2011, the DSD published an updated report (archived copy of 2011 report) that found that the top four strategies would have prevented at least 85% of the intrusions the DSD responded to during 2010.
The latest report (February 2014) now generally asserts that the effectiveness of the top four strategies remains high and would have, if implemented as a package, mitigated at least 85% of cyber intrusions which the Australian Signals Directorate (ASD) responds to. The top four strategies are:
Whether we are talking about the Council on Cybersecurity security controls or the DSD mitigation strategies, there is clearly some industry alignment on the best practices for threat mitigation that organizations should be prioritizing. I agree and endorse these “cyber-hygiene” basic steps.
But … what about individual users?
The security controls and mitigation strategies are all targeted at organizations. Government departments or private sector enterprises can and should implement them and yes, that does have a cumulative beneficial effect on the ecosystem, but it doesn’t really provide actionable guidance for individual users.
Would similar cyber hygiene steps help with home users? Everyone loves to talk about the threat from zero-days, but when my colleagues and I analyzed real world exploits in our 2011 Security Intelligence Report, we found that less than 1 percent of exploits in the first half of 2011 were against zero-day vulnerabilities — software vulnerabilities that are successfully exploited before the vendor has published a security update or “patch.” In contrast, 99 percent of all attacks during the same period distributed malware through familiar techniques, such as social engineering and unpatched vulnerabilities. Basically, we found that the most common threats can be mitigated through good security practices by individuals too.
So, in closing, let me translate the “DSD top 4” into some cyber hygiene guidance that individual users can apply:
Just like the DSD has 35 mitigation strategies and not just the top 4, there are other things that individuals can do beyond these four (e.g. antivirus software), but these would be a great start for individual cyber-hygiene.
Best regards, Jeff (@securityjones)