IBM Security for Z

Security Hygiene

By Christopher DeRobertis posted Wed October 25, 2023 09:30 AM

In my experience as a cybersecurity engineer, a chief product owner for security, a threat modeling subject matter expert, and an IBM Master Inventor, “good” security hygiene is the foundation of an enterprise’s security ecosystem and can be understood in terms of three dimensions.

1 – WHAT is security hygiene [i]?

In a nutshell, it’s the basic, fundamental, and baseline security policies, practices, and procedures that help protect data, information technology assets, and personnel from common types of threats and attacks. In addition to protection, security hygiene includes prevention, detection, risk assessment, mitigation, and remediation.

2 – WHY is good security hygiene important?

It represents tried-and-true foundational tenets that can be applied to all aspects of the enterprise, including: IBM Z, distributed systems, mobile, cloud, information technology (IT) operations, artificial intelligence (AI), data center, etc. Additionally, good security hygiene is SMART, i.e., specific, measurable, achievable, realistic, and timely.

3 – HOW is good security hygiene realized?

It’s realized through the definition, application, and enforcement of security and privacy principles, practices, and concepts that fall into one or more of the following (which is illustrative, not exhaustive):

  • Apply a Zero Trust model or approach, where technically feasible
  • Apply the Principle of Least Privilege and Separation of Duties with respect to different user roles or job responsibilities, with a keen regard to who/what has access to z/OS authorized program facility (APF) authorized libraries
  • Assess potential threats and risks to the enterprise through threat modeling, risk assessments, and penetration testing
  • Defense-in-depth is paramount, because hygiene is about the big picture – and all of the pixels that go into it
  • Define, enforce, and periodically review cybersecurity and data privacy policies and procedures; they establish common, standardized, and consistent operational frameworks, playbooks, and governance of operational elements, draw clear lines of responsibility among stakeholders, consumers, and providers, and provide auditable dimensions for compliance and conformance requirements
  • Establish a secure service process that leverages insights from the IBM Z and LinuxONE Security Portal for applying SECINT PTF patches based on CVSS vectors and business risk decisions (refer to https://community.ibm.com/community/user/security/blogs/peter-spera/2023/10/16/your-portal-to-zybersuccess)
  • Dynamically scan z/OS SVCs (supervisor calls) and PCs (program call routines) for authorized-code flaws (refer to https://www.ibm.com/docs/en/zos/3.1.0?topic=zos-authorized-code-scanner)
  • Educate personnel on how they might be targeted, attacked, and compromised, and to reinforce that they are part of the entire security ecosystem (personnel includes users, administrators, programmers, testers, management, et al.)
  • Encrypt data-at-rest and data-in-flight pervasively, and for the latter, leverage z/OS Encryption Readiness Technology (zERT) SMF log data to review the protocol and cipher strengths of those communications
  • Enforce the policies and rules for life cycle management related to users, keys, and containers
  • Establish a good operational line-of-sight via logs overall (e.g., application, system, event, audit) and z/OS SMF data, and leverage tools like a SIEM (security information and event management) system and log analyzers to detect, alert, and act on log and event data
  • Establish routine business justification or recertification of people, applications/programs, or jobs that: (1) run with elevated, high, or the highest level of privileges or authorizations, or (2) have access to sensitive or business critical data (via batch, non-batch, and z/OS UNIX System Services contexts)
  • Establish secure-by-default and secure deployment baseline criteria that are appropriate for an organization’s operational context
  • Identify and permit only the Internet Protocols that are required for workflows and data flows
  • Learn about attack patterns and attack types using reputable resources and trusted vendors, and stay informed about security attack trends, information, and practices using reputable resources, such as IBM X-Force Exchange and the NIST Cybersecurity program
  • Maintain an accurate inventory of software, hardware, devices, access points, etc. This inventory is input to monitoring and operational line-of-sight awareness (including those related to SIEMs and security operations centers (SOCs)), patching, incident handling, risk assessments, threat modeling, etc.
  • Routinely test recoverability plans, from operational back-up/restore to disaster recovery
  • Stay informed about product and open source updates, and be diligent about patch management by staying current with vendor recommended service maintenance, especially as it pertains to security fixes
  • Use multi-factor authentication (MFA)
  • Use z/OS Health Checks to help check security, availability, and overall configuration suggestions
  • Educate, evolve, iterate, adapt, and never “set it and forget it” when it comes to security, data, and privacy currency, posture, or readiness. New risks and threats emerge all the time, while “classic” security issues (from coding errors to misconfigurations) remain viable attack vectors
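As an added example that is not part of the original post, the following Python script illustrates two of the bullets above in working code: the “operational line-of-sight” bullet (detect, alert, and act on log data) and the recertification bullet (flag privileged access by accounts that have not been recertified). The log format, account names, resource names and the recertified-account list are all constructed assumptions, not SMF or RACF output; real SMF records are binary and would be decoded by SMF tooling before reaching logic like this.

```python
"""Minimal detection pass over constructed audit events (added example).

Two rules are applied:
  1. auth-burst: N or more failed logons for the same (user, source) within a
     sliding time window.
  2. priv-not-recertified: a privilege grant to an account that is not on the
     recertified-privileged-accounts list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not real SMF/RACF records).
SAMPLE_EVENTS = """\
2023-10-25T09:00:01 auth FAIL user=OPER01 src=10.1.1.5
2023-10-25T09:00:03 auth FAIL user=OPER01 src=10.1.1.5
2023-10-25T09:00:04 auth FAIL user=OPER01 src=10.1.1.5
2023-10-25T09:00:06 auth FAIL user=OPER01 src=10.1.1.5
2023-10-25T09:00:08 auth FAIL user=OPER01 src=10.1.1.5
2023-10-25T09:00:20 auth OK user=OPER01 src=10.1.1.5
2023-10-25T09:05:00 priv GRANT user=SYSADM1 resource=SYS1.LINKLIB
2023-10-25T09:06:00 priv GRANT user=BATCH42 resource=SYS1.LINKLIB
2023-10-25T11:00:00 auth FAIL user=DEV07 src=10.2.2.9
"""

# Assumption: this set is the output of the periodic recertification process.
RECERTIFIED_PRIVILEGED = {"SYSADM1"}
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=1)


def parse_event(line):
    """Parse one '<iso-timestamp> <category> <outcome> key=value ...' line."""
    ts, category, outcome, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "category": category,
            "outcome": outcome, **fields}


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_auth_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Flag (user, src) pairs with >= threshold failures inside a sliding window."""
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        if e["category"] != "auth" or e["outcome"] != "FAIL":
            continue
        key = (e["user"], e["src"])
        q = recent[key]
        q.append(e["ts"])
        # Drop failures that fell out of the window.
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"rule": "auth-burst", "user": e["user"],
                           "src": e["src"], "count": len(q), "at": e["ts"]})
            q.clear()  # one alert per burst, not one per extra failure
    return alerts


def detect_unrecertified_privilege(events, recertified=RECERTIFIED_PRIVILEGED):
    """Flag privilege grants to accounts missing from the recertified list."""
    return [{"rule": "priv-not-recertified", "user": e["user"],
             "resource": e.get("resource"), "at": e["ts"]}
            for e in events
            if e["category"] == "priv" and e["outcome"] == "GRANT"
            and e["user"] not in recertified]


def run_detections(text):
    events = parse_log(text)
    return detect_auth_bursts(events) + detect_unrecertified_privilege(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the script raises exactly two alerts: an auth-burst for OPER01 from 10.1.1.5 (five failures within eight seconds; the single DEV07 failure stays below threshold) and a priv-not-recertified alert for BATCH42, while the recertified SYSADM1 grant is silent. The sliding window and the one-alert-per-burst clearing are the parts worth copying into a real SIEM rule; the thresholds themselves should be tuned to the organization’s own baseline.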

Finally, it’s important to keep in mind that “good” security hygiene isn’t a one-size-fits-all proposition, so enterprises must define, apply, tune, and manage security across the enterprise IT ecosystem, in support of its business and technical objectives.

[i] “The most basic, but still the most useful, steps — what we call security hygiene. ... Cybersecurity hygiene includes the basic best practices that help protect you against many different types of attacks and attackers.” (https://securityintelligence.com/posts/refocusing-cybersecurity-best-practices-on-security-hygiene/)

“Cyber hygiene refers to baseline cyber practices that organizations use in their cybersecurity programs, as well as the steps organizations and users of computers and other devices take to maintain system health and improve online security.” (https://www.ibm.com/downloads/cas/GWKBPO7E)


Comments

Wed December 13, 2023 05:26 PM

It's important to note that while establishing basic security protocols is essential, the evolving nature of cyber threats necessitates a dynamic approach. Security hygiene should be part of a larger, adaptive security strategy that includes continuous education, regular updates to security practices, and an organizational culture that prioritizes security.