Basic rules for good IT hygiene

The protection of an information system must be constantly adapted to keep pace with changing usage patterns and cyber threats. With this in mind, good IT hygiene is essential. But what exactly is IT hygiene? We take a look at this central notion in cybersecurity, with a selection of rules listed by the National Cybersecurity Agency of France (ANSSI).

Raising awareness and training in cybersecurity

At the very least, all members of an organization need to be made aware of the primary risks and threats, as well as the legislation that applies to them. Information system users also need to be informed of the behavior and security rules they must observe in their day-to-day activities to help protect the organization's information system and data. Awareness is an essential link in the chain of protection against cyber risk! IT charters are often drawn up for this specific purpose.

IT and security teams have to understand the challenges of keeping systems in a secure state (patching and configuration management), network partitioning, authentication and access control, and more.

In the case of outsourcing an information system or part of its data, an organization must carefully study the terms and conditions of the offer and ensure that service providers and third parties comply with the requirements set – this is mandatory for sectors defined as essential under NIS2. These requirements can be formalized in a Security Assurance Plan (SAP).


Knowing the information system

Sensitive data and endpoints must be identified to provide the appropriate level of protection: what data, how and where are they stored and backed up, whether sensitive endpoints are connected to one or more networks, which ones and how… In short, it is essential to have an up-to-date map of the information system to control the various points of entry (exposed services, partner interconnections, etc.). Equally important is knowing the location of identified sensitive data. In the event of a security incident, this mapping saves precious time in understanding the information system (point of entry, data accessed, etc.) and greatly simplifies the containment and remediation phases.

In addition, an accounts inventory needs to be maintained to account for various movements throughout the organization (arrivals, departures, and so forth), with particular attention paid to privileged accounts, the prime target of attackers.

Best practice  

For external users or guests who need Internet access, we recommend setting up a dedicated network (for example a separate guest Wi-Fi SSID that is isolated from the internal network), or even requiring authentication of workstations before they are admitted to the network (802.1X, for instance).


Authentication and access control for the information system

Anyone who has access to the information system must be identified and given rights matched to the resources they actually need. Generic or anonymous user accounts should be avoided wherever possible, and accounts and their rights should be reviewed regularly.

Knowing who has access to sensitive information and endpoints, and with what rights, is critical.

To secure access to the information system, password management is key (pun intended). Think password complexity, different passwords for different accounts, regular password rotation, use of a password manager, and so on.

Additionally, the organization can reinforce its security through enforced policies, for example: locking an account after a certain number of failed login attempts, requiring minimum complexity criteria for passwords, two-factor authentication, and forcing users to set their own password the first time they use a tool that shipped with a default one.
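The policies listed above are easy to state and easy to get subtly wrong, so here is an added example (not code from the article or from ANSSI) of an authentication gate that enforces them together: a minimum-complexity check, rejection of default or common passwords, lockout after a number of failures, and a forced password change on first login when the account was provisioned with a default password. The class names, the in-memory user store and the short DEFAULT_PASSWORDS list are assumptions made for the demo; a real deployment would back them with a directory and a breached-password list.

```python
"""Added example, not from the article or ANSSI: an authentication gate enforcing
password complexity, default-password rejection, lockout and forced first-login change.
All names (PasswordPolicy, AuthGate, DEFAULT_PASSWORDS) are hypothetical."""
import hashlib
import hmac
import os
import time

# Constructed list of default/common passwords; load a real breached-password list in production.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "welcome1!"}

# Demo iteration count; production should use a much higher count or a memory-hard KDF (argon2).
PBKDF2_ITERATIONS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordPolicy:
    def __init__(self, min_length=12, require_classes=3):
        self.min_length = min_length
        self.require_classes = require_classes  # of: lower, upper, digit, symbol

    def check(self, password, username=""):
        """Return the list of violated rules; an empty list means the password is acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum([
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ])
        if classes < self.require_classes:
            problems.append(f"fewer than {self.require_classes} character classes")
        if password.lower() in DEFAULT_PASSWORDS:
            problems.append("default or common password")
        if username and username.lower() in password.lower():
            problems.append("contains the username")
        return problems


class AuthGate:
    def __init__(self, policy, max_failures=5, lockout_seconds=900, clock=time.time):
        self.policy = policy
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so lockout expiry can be exercised in tests
        self.users = {}             # username -> record; in-memory store for the demo only

    def provision(self, username, default_password):
        """Create an account with a vendor/default password that must be changed on first login."""
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(default_password, salt),
                                "must_change": True, "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return 'ok', 'must_change_password', 'denied' or 'locked'."""
        rec = self.users.get(username)
        now = self.clock()
        if rec is None:
            _hash(password, b"\x00" * 16)   # burn the same time so unknown users are not revealed by timing
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= self.max_failures:
                rec["locked_until"] = now + self.lockout_seconds
                rec["failures"] = 0
                return "locked"
            return "denied"
        rec["failures"] = 0
        return "must_change_password" if rec["must_change"] else "ok"

    def set_password(self, username, old_password, new_password):
        """Change a password only after re-authentication and only if the new one passes policy."""
        status = self.login(username, old_password)
        if status not in ("ok", "must_change_password"):
            return status
        problems = self.policy.check(new_password, username)
        if problems:
            return "rejected: " + "; ".join(problems)
        rec = self.users[username]
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash(new_password, rec["salt"])
        rec["must_change"] = False
        return "ok"
```

Note that a locked account answers "locked" even to the correct password until the lockout expires, and that the lockout counter is per account: a distributed attack that spreads attempts across many accounts is caught by the detection side (logging and monitoring) rather than by this gate.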


Securing workstations and servers

Raising awareness and following best practices are necessary, but not sufficient on their own, which is why systematic security measures are essential. These include controlling installed applications, encrypting user data, activating a local firewall, limiting the use of external devices, installing appropriate detection tools (antivirus, EPP, EDR, etc.) and encrypting data exchanged with external parties.

Best practice  

All data transiting via email or cloud-hosted directories is exposed to the risk of being intercepted by an attacker. Encryption is therefore crucial, especially for sensitive data.


Securing the network

Network segmentation and compartmentalization between zones are essential hygiene measures to limit the risk of propagation in the event of an attack. Indeed, if the attackers manage to break into the information system, segmentation will limit their ability to move around. Each zone can be protected by IP filtering using a firewall, and particular attention must be paid to Wi-Fi networks and exposed services to limit the risk of intrusion through these channels.

If data flows need to be opened between an organization and a service provider, they should be limited to what is strictly necessary. IP filtering should be implemented, and a private network or site-to-site tunnel should be set up.

In addition to the awareness-raising measures mentioned earlier, businesses should route outbound web traffic through an Internet gateway (proxy), use secure protocols (TLS, SSH, etc.) and protect email.

In addition to conventional IT security measures, the various access points must be protected by physical security measures (controlled access to network rooms and hardware, network sockets that cannot be used by just anyone who plugs in, etc.).

NotPetya, which caused unforgettable damage in 2017, followed this sequence: vulnerability exploitation, then credential theft to gain privileges and move laterally across the network like a worm.

A well-segmented network would have helped limit the spread of this malware!


Securing endpoints used for administration tasks

Every user of the information system, whatever their function, has a user account, and rights must be restricted to what is strictly necessary.

For administration tasks, the people concerned must use dedicated workstations, and these workstations must never have access to the Internet. They must also be specifically partitioned.


Managing remote working practices

In remote situations, IT equipment is exposed to the risk of loss or theft and can become an entry point to the information system.

Workstations must be encrypted, and network connections must be secured via a VPN, for example.

User awareness also has a role to play in encouraging responsible behavior: secure sessions with strong passwords, privacy screens, no company branding on the device (which must never be left unattended), and no connection to public sockets.


Keeping the information system up to date

Keeping IT solutions (operating systems, applications, etc.) up to date is the best way to protect against the consequences of vulnerabilities they may contain. To do this, keep an inventory of the components of the information system and their characteristics: support end dates, versions in use, interconnections, and more.

This inventory enables the detection and remediation of vulnerabilities, and to ensure that all software, applications, and tools are up to date for the entire IT fleet. Like information system mapping, it helps detect Shadow IT, which may represent a security risk for the organization.

Obsolete components can also be isolated from the IT infrastructure to prevent them from becoming weak links whose vulnerabilities attackers could exploit.

Obsolescence management can also be subject to contractual clauses with external service providers, in order to guarantee the security of the organization’s data that these third parties may be called upon to manage.

Staying informed of the latest vulnerabilities and associated risks is mission-critical. Once vulnerabilities are identified, you need to be able to execute updates as swiftly as possible to minimize your risk.

But… it’s important to remember that an update doesn’t solve everything. While it can protect against a vulnerability, the vulnerability in question may already have been exploited by attackers. An investigation can ascertain this and enable your teams to take necessary corrective measures.


Monitoring, auditing & reacting

Knowledge of the information system and its components is crucial to the application of appropriate security measures, and so is the collection of information related to information system activity.

Logging events and storing them (the length of storage may be defined by legal obligations, depending on the sector) enables the source of the problem to be traced in the event of an incident. These may be packets blocked by a firewall, authentications on systems or applications, errors reported by certain services…

On workstations and servers, an EDR can use telemetry to help analysts investigate the origin of a security incident. To this end, telemetry is vital, because the ability to investigate and analyze an incident determines the organization’s resilience!
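The two paragraphs above say logs must be kept so that the source of an incident can be traced. Here is an added example (not from the article or from HarfangLab) of what a first detection pass over such logs looks like: a small detector run over constructed authentication events in the style of OpenSSH's syslog messages. It flags a source that fails repeatedly within a time window (brute force) and, the event an analyst would actually pivot on, a success from a source that had just been hammering the service. A single typo followed by a successful login is normal and is deliberately not alerted. The log lines, host names and IP addresses are constructed for the demo, not captured from any real system.

```python
"""Added example, not from the article: brute-force and success-after-failure detection
over constructed sshd-style auth log lines. Log content, hosts and IPs are made up."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, not real traffic. Format: "<iso timestamp> <host> sshd[pid]: <message>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 srv1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-01T08:00:03 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51123 ssh2
2024-03-01T08:00:04 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-01T08:00:06 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51125 ssh2
2024-03-01T08:00:09 srv1 sshd[1202]: Accepted password for backup from 203.0.113.7 port 51130 ssh2
2024-03-01T08:05:00 srv1 sshd[1310]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T08:05:30 srv1 sshd[1311]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
2024-03-01T09:00:00 srv1 sshd[1400]: Accepted publickey for bob from 192.0.2.10 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield one dict per recognised authentication event; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def detect(lines, threshold=3, window_seconds=60):
    """Return alerts as tuples:
       ('brute_force', src, failures_in_window)   once per source
       ('success_after_failures', src, user)      when a source at/over threshold then succeeds."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures inside the sliding window
    flagged = set()
    for ev in parse(lines):
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()            # expire failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], len(q)))
        else:
            # A success right after a burst of failures is the likely compromise; one or two
            # earlier failures (a mistyped password) are below threshold and stay silent.
            if len(q) >= threshold:
                alerts.append(("success_after_failures", ev["src"], ev["user"]))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, the detector reports the burst from 203.0.113.7 and then the successful login as "backup" from the same address, which is where an investigation would start (which account, what it did next, which other hosts it reached); alice's single failed attempt followed by a key-based login raises nothing.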

Also, recovery from an attack is closely linked to the implementation of a critical component backup policy. The aim is to identify the data critical to the organization’s operation and its storage mode, to define the frequency of backups and the means of access, as well as test restoration procedures.
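A backup that has never been restored is a hope, not a policy. As an added example (not code from the article or from ANSSI), the following script does the minimum the paragraph above asks for: it archives a data set together with a SHA-256 manifest of every file, then performs a test restore into a scratch directory and checks each restored file against the manifest, so that a silently corrupted or incomplete backup is caught before the day it is needed. The sample files and every path are constructed inside a temporary directory; this is not a real backup tool.

```python
"""Added example, not from the article or ANSSI: backup with a SHA-256 manifest and a
test restore that proves the archive can be restored intact. All paths are constructed."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir into archive_path and write <archive>.manifest.json (relative path -> sha256)."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def check_against_manifest(archive_path, restored_dir):
    """Return [(problem, relative_path)] for files that are missing or altered; [] means intact."""
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    problems = []
    for rel, digest in manifest.items():
        restored = os.path.join(restored_dir, rel)
        if not os.path.isfile(restored):
            problems.append(("missing", rel))
        elif sha256_file(restored) != digest:
            problems.append(("altered", rel))
    return problems


def verify_restore(archive_path, scratch_dir):
    """The test restore: extract into scratch_dir, refusing unsafe entries, then verify."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            # never let a (possibly attacker-modified) archive write outside scratch_dir
            if os.path.isabs(member.name) or ".." in member.name.split("/"):
                raise ValueError(f"unsafe path in archive: {member.name}")
        if hasattr(tarfile, "data_filter"):       # Python versions with extraction filters
            tar.extractall(scratch_dir, filter="data")
        else:
            tar.extractall(scratch_dir)
    return check_against_manifest(archive_path, scratch_dir)


def demo():
    """Back up a constructed data set, test-restore it, then corrupt one restored file to show
    the check catches it. Returns (result of clean restore, result after corruption)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "customers.csv"), "w") as f:
            f.write("id,name\n1,example\n")           # constructed sample content
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        archive = os.path.join(work, "nightly.tar.gz")
        make_backup(src, archive)
        scratch = os.path.join(work, "restore-test")
        clean = verify_restore(archive, scratch)
        with open(os.path.join(scratch, "config.ini"), "a") as f:
            f.write("debug=true\n")                   # simulate bit rot or tampering
        corrupted = check_against_manifest(archive, scratch)
        return clean, corrupted


if __name__ == "__main__":
    print(demo())
```

The manifest must be stored separately from the archive (ideally on offline or immutable storage) for the check to mean anything against an attacker who can reach the backups; and the test restore should run on a schedule, not only once at setup.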

Finally, to ensure optimum levels of protection on an ongoing basis, regular audits are carried out to validate that security levels are being maintained, and to correct any weaknesses. These audits should be led by one or more team members in charge of IT security issues, who should be identified as the point of contact for all teams. Whether CISO or CIO, their role is both to raise awareness of strong security practices and to centralize information feedback, such as alerts from cybersecurity tools or from information system users.

In the event of a cyber incident or crisis, technical and business teams must be ready to react and work hand in hand, following a tried-and-tested action plan.

“IT security is just like baking: it’s the right mix and the right instructions that make all the difference. 

Overfocusing on awareness and hardening to the detriment of detection, or believing that compliance with good security practices is unnecessary just because you have the best EDR on the market, is a guaranteed kitchen nightmare!  

In reality, IT security is a mille-feuille, and it’s this multi-layered approach that fosters an organization’s resilience in the face of cybersecurity risks.” 

Emeric Boit, Lead CTI – HarfangLab 


This article summarizes the measures proposed by ANSSI in its Guide d'hygiène informatique.