
Tenable Blog

Cyber Hygiene: 5 Advanced Tactics to Maximize Your Risk Reduction


In part two of our series on cyber hygiene, we look at why businesses may need to go beyond the basics of vulnerability scanning and antivirus protection to ensure comprehensive security for their networks. 

All businesses can significantly boost their information security by implementing fundamental elements of cybersecurity – vulnerability scanning, patch application, antivirus and anti-malware tools, firewalls and companywide security policies featuring well-established best practices. These should all be standard procedures for your company, given the risks businesses face today (which are considerable, as we saw in part one of this series). 

That said, those measures shouldn't be your organization's be-all, end-all, at least not across the board. In part two of our deep dive into cyber hygiene, we'll take a look at the more substantial (and, in some cases, more complex) factors you should consider when looking to devise a truly effective infosec strategy for your business. 

Establishing threat-severity assessment

Determining the severity of a threat is key to deciding how quickly you need to address a given vulnerability. "As fast as possible" may sound like a reasonable rule, but it quickly becomes unsustainable given the volume of vulnerabilities disclosed on a regular basis. Microsoft alone regularly releases patches for more than 100 vulnerabilities in a single month, and in the last year more than 18,350 new vulnerabilities were reported across the broader threat landscape.

The most basic rubric for rating vulnerabilities is the Common Vulnerability Scoring System (CVSS), which is maintained by the Forum of Incident Response and Security Teams (FIRST).1 It is worth using as a baseline, but it has flaws that make it untenable as your only prioritization system, most notably that the base score measures intrinsic technical severity (how bad exploitation would be) rather than realistic threat level (how likely exploitation actually is).2 More than 13% of the roughly 60,000 vulnerabilities with published CVSS scores have base scores of 9.0 or above, the range CVSS v3 labels Critical, so the score alone leaves organizations with far too many "top priority" items to act on. 

Businesses can maximize their risk reduction by adopting dynamic threat metrics based on real-time attacker activity. For example, Tenable’s Vulnerability Priority Rating (VPR) incorporates a variety of threat intelligence signals – such as exploit kit availability and dark web chatter – to make an informed projection regarding the vulnerabilities attackers are most likely to exploit next. This way, you account for vulnerabilities that become more or less dangerous over time. And once you know which exposures to prioritize, you can use an Asset Criticality Rating (ACR) to further refine your remediation efforts and identify the most business-critical hosts to fix first. 
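The prioritization logic described above, as an added example rather than Tenable code: VPR and ACR are Tenable's products, and the scoring below is a simplified stand-in that combines the same kinds of signals (base severity, exploit availability, exposure and asset criticality). The weights, the SLA tiers, the asset criticality values and the findings are all constructed assumptions, and the vulnerability labels are placeholders, not real CVE identifiers. The point it makes is that the highest CVSS score in the set ends up last in the queue.

```python
"""Risk-based remediation queue: severity alone is not a priority.

Added example (not Tenable code). Weights, SLA tiers and sample data are
constructed assumptions chosen to illustrate the ordering, not a standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder label only, not a real CVE identifier
    asset: str
    cvss_base: float      # CVSS base score, 0.0 to 10.0
    exploit_known: bool   # public exploit code or observed in-the-wild exploitation
    exposure: str         # "internet" or "internal"


# Constructed asset criticality, 1 (lab box) to 10 (revenue-critical), in the
# spirit of an Asset Criticality Rating.
ASSET_CRITICALITY = {"pay-gw-01": 10, "web-01": 6, "dev-box-07": 2}

# Constructed findings. vuln-A carries the highest CVSS score of the set.
FINDINGS = [
    Finding("vuln-A", "dev-box-07", 9.8, exploit_known=False, exposure="internal"),
    Finding("vuln-B", "pay-gw-01", 7.5, exploit_known=True, exposure="internet"),
    Finding("vuln-C", "pay-gw-01", 9.8, exploit_known=True, exposure="internal"),
    Finding("vuln-D", "web-01", 5.3, exploit_known=False, exposure="internet"),
]


def priority_score(f: Finding, criticality: dict) -> float:
    """CVSS severity scaled by likelihood signals and by how much the asset matters."""
    threat = 0.9 if f.exploit_known else 0.2          # likelihood of exploitation
    reach = 1.0 if f.exposure == "internet" else 0.5  # can an attacker reach it directly?
    value = criticality.get(f.asset, 5) / 10          # unknown assets get a middling default
    return round(f.cvss_base * threat * reach * value, 3)


def sla_days(score: float) -> int:
    """Remediation deadline tiers (assumed policy, not a standard)."""
    if score >= 6.0:
        return 2
    if score >= 3.0:
        return 14
    if score >= 1.0:
        return 30
    return 90


def remediation_queue(findings, criticality) -> list:
    """Return (vuln_id, asset, score, sla_days) rows, highest priority first."""
    scored = [(f, priority_score(f, criticality)) for f in findings]
    scored.sort(key=lambda fs: fs[1], reverse=True)
    return [(f.vuln_id, f.asset, s, sla_days(s)) for f, s in scored]


if __name__ == "__main__":
    for row in remediation_queue(FINDINGS, ASSET_CRITICALITY):
        print(row)
```

Run as written, the queue comes out vuln-B (a 7.5 "High" with a public exploit on an internet-facing payment gateway, 2-day SLA), then vuln-C, vuln-D and finally vuln-A, the 9.8 "Critical" that sits on a low-value internal box with no known exploit. Swapping in live threat intelligence (exploit kit availability, observed exploitation) for the `exploit_known` flag is what makes such a queue dynamic rather than a one-time triage.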

Relying on thorough attack vector analysis

Because you have many other things to think about while running a business, it may be tempting to stick to the basics when remediating a vulnerability. In some cases that is all you need to do: apply the patch or other appropriate fix and move on. But if you take the time to examine the threat closely during the identification and interdiction process, before you apply the patch or other fix, you may significantly reduce your likelihood of being hit by a similar vulnerability in the future.

Processes like threat modeling and penetration testing are valuable because they let you examine, in explicit detail, exactly how a particular vulnerability would harm your network if it were exploited. A penetration test may be especially useful because it functions as a live, step-by-step demonstration of how an attacker would leverage the vulnerability. This level of detail can help your organization determine what its cybersecurity strategy should look like going forward.3 Meanwhile, addressing certain threats, such as ransomware, requires not only patching vulnerabilities but also maintaining tested backups and contingency plans for your data.4


Setting up secure configurations

The behavior of hosts and applications is determined by their configuration, and the default configuration shipped by manufacturers and developers is often engineered for ease of use and compatibility rather than security.5

Examining the configurations of the hardware and software on your network and rectifying any security-related shortcomings can go a long way toward improving your business's overall security posture. Benchmarks from the Center for Internet Security (CIS) and the Defense Information Systems Agency (DISA) serve as strong standards for secure configuration: These guidelines are available for dozens of operating systems and applications, and while comprehensive, they are not solely for expert use (though you may need to work with a consultant on implementation if you don't have an IT team on payroll). 

Auditing for optimal compliance

This segment of cybersecurity focuses not on finding, modeling or eliminating vulnerabilities, but rather on ensuring your systems are compliant with various government and industry standards. The most obvious example of this issue's importance, especially for small- and medium-sized businesses (SMBs) would be the PCI DSS guidelines: Nearly every business accepts credit and debit card payments, and if yours isn't protecting payment data appropriately, you're not only exposing customers to identity theft but also setting yourself up for noncompliance penalties.6

The same risk applies, in varying degrees, to other notable regulations, including HIPAA, the GDPR (for businesses with European dealings) and the California Consumer Privacy Act (if you have customers or business partners in California). Conducting thorough compliance audits from time to time ensures that sensitive customer information is protected, provides a solid foundation for maintaining regulatory compliance and reduces the chances that a cyberthreat succeeds against you. 

Managing diverse assets

Crafting a more nuanced cybersecurity strategy must also extend to assets you may not think much about day to day but are still extremely important to operations. If you use any cloud storage, your provider will likely cover some bases as far as security goes,7 but this isn't guaranteed, so you'll need to check the terms of your service-level agreement and know exactly what security responsibilities you're expected to cover. As a rule of thumb, your cloud provider handles security “of the cloud” (protecting the infrastructure that runs all of the services offered by the provider) while you are responsible for security “in the cloud” (configuration and management tasks along with application updates and patches among other items). Similar logic applies if you use virtual private networks (VPNs) for certain data transmissions, or rely on a mobile device management (MDM) platform to oversee company-issued smartphones. You must determine how much of the security for these tools you need to set up on your own and how much (if any) is integrated into either system.

Last but not least, consider examining your key applications and creating an "allowlist": a policy that ensures only the approved applications on that list can run on your systems.8 While this takes time to establish, as it must cover applications at the controller and server levels, within databases, and on individual computers and other devices, the degree of protection it provides is well worth it.
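The allowlist decision itself, as an added example that is not Tenable or CISA code: the function below models what an allowlisting control decides when an executable is launched, with a default-deny policy, and contrasts a rule that approves a path with a rule that approves a file hash. The binary contents, paths and policies are constructed stand-ins; `may_execute` and the rule format are this example's own, not any product's API.

```python
"""Application allowlist: path rules versus hash rules, default deny.

Added example (not Tenable or CISA code). The "binaries" below are
constructed byte strings standing in for real executables.
"""
import hashlib

APPROVED_TOOL = b"\x7fELF constructed approved build of backup-agent v1"
TAMPERED_TOOL = b"\x7fELF constructed malicious build dropped at the same path"
NEW_VERSION = b"\x7fELF constructed approved build of backup-agent v2"

AGENT_PATH = "/opt/backup-agent/bin/agent"  # constructed path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A policy is a list of ("path", "/abs/path") or ("hash", "<sha256 hex>") rules.
PATH_ONLY_POLICY = [("path", AGENT_PATH)]
HASH_POLICY = [("hash", sha256(APPROVED_TOOL))]


def may_execute(path: str, image: bytes, policy: list) -> bool:
    """Return True only if some rule explicitly approves this launch.

    Anything not matched by a rule is denied: an allowlist has no "unknown,
    so allow" branch, which is exactly what distinguishes it from a blocklist.
    """
    digest = sha256(image)
    for kind, value in policy:
        if kind == "path" and path == value:
            return True
        if kind == "hash" and digest == value:
            return True
    return False


if __name__ == "__main__":
    # A path rule approves whatever sits at the path, including a swapped binary.
    print("path rule, tampered binary:", may_execute(AGENT_PATH, TAMPERED_TOOL, PATH_ONLY_POLICY))
    # A hash rule approves only the exact build, wherever it is launched from.
    print("hash rule, tampered binary:", may_execute(AGENT_PATH, TAMPERED_TOOL, HASH_POLICY))
    print("hash rule, approved build from /tmp:", may_execute("/tmp/agent", APPROVED_TOOL, HASH_POLICY))
    # The cost of hash rules: every legitimate update needs a policy update first.
    print("hash rule, new version:", may_execute(AGENT_PATH, NEW_VERSION, HASH_POLICY))
```

The path-only policy lets the tampered binary run because it inherits the approval of its location, while the hash policy blocks it and still approves the genuine build even when it is launched from an unexpected directory. The same hash policy also blocks the legitimate v2 build until the list is updated, which is the maintenance effort the paragraph above warns about; in practice that is why allowlisting products also offer publisher-signature rules that survive version changes.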

At the end of the day, you should consider proper cyber hygiene to be one of your business best practices - alongside other everyday practices such as proper accounting, exemplary customer service and maintaining high employee morale.

1. FIRST, homepage.
2. Carnegie Mellon University, "Toward Improving CVSS," December 2018.
3. TechTarget, "Penetration Testing."
4. Securities and Exchange Commission, "Cybersecurity: Ransomware Alert," July 10, 2020.
5. Center for Internet Security, "Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers."
6. PCI, "Why Security Matters."
7. Amazon Web Services, "Shared Responsibility Model."
8. Cybersecurity and Infrastructure Security Agency, "Cyber Essentials."
