In general, many cyber attacks can be attributed to a lack of good cyber hygiene. Simple enough, but there is an important idea in here. Study after study and test after test gives us the same depressing result. Almost all successful attacks take advantage of conditions that could reasonably be described as "poor hygiene," including failure to patch known vulnerabilities, poor configuration management, and inefficient management of administrative privileges.
At the Center for Internet Security® (CIS®), we attribute these failures primarily to the complexity of modern systems management as well as a noisy and confusing environment of technology, marketplace claims, and oversight/regulation ("The Fog of More"). Defenders are overwhelmed. Therefore, any large-scale security improvement program needs a way to bring focus and attention to the most effective and fundamental things that need to be done.
We do this at CIS by moving "cyber hygiene" from a notion or tagline into a campaign of specific actions supported by a complementary market ecosystem of content, tools, training, and services. We codified our definition of "essential cyber hygiene" as consisting of the Safeguards found in Implementation Group 1 (IG1) of the CIS Critical Security Controls® (CIS Controls®). By defining IG1, we can then specify tools that can be put in place to implement the actions, measurements to track progress or maturity, and reporting that can be used to manage an enterprise improvement program. In today's environment of shared technology, linked by complex business relationships and hidden dependencies, this approach provides a specific way to negotiate "trust" and an "expectation" of security. (Are you a safe partner to bring into my supply chain? Can I count on this merchant to safely hold my financial information?) This approach is better than paper surveys or inconsistent interpretation of abstract security requirements.
IG1 is not just another list of good things to do; it is an essential set of steps that helps all enterprises deal with the most common types of attacks we see in real life. Our CIS Community Defense Model v2.0 provides the technical underpinning for that declaration.
The Center for Internet Security and its divisions, the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), are offering this guide as a resource to assist with the implementation of essential cyber hygiene in alignment with the Nationwide Cybersecurity Review (NCSR) and National Institute of Standards and Technology® Cybersecurity Framework (NIST® CSF) by providing the tools, resources, and templates that are needed.