Are You Practicing Good Cyber Hygiene?

By Craig Petronella

It’s no coincidence that the maturity levels in the new Cybersecurity Maturity Model Certification (CMMC) are being referred to as levels of “cyber hygiene.”

The World Health Organization (WHO) has been advising us that the most efficient way to protect against the coronavirus (COVID-19) is to wash our hands regularly for at least 20 seconds and stay out of public places. Similarly, it’s basic hygiene practices that are the most effective prophylactic when protecting against ransomware.

Think of your body as your computer and ransomware, like the coronavirus, is trying to infect you.  How do you defend against it?

Today’s Cybercriminals are getting more and more sophisticated. Alta Pro invites you to join in on a conversation with attorneys Kevin O’Hagan and Jamey Davidson, recognized thought leaders in Data Breach and Cyber Liability. The FREE one-hour CLE webinar “10 Things Lawyers Should Know About Cyber Liability” will be presented Tuesday, March 31 (12 PM Central/1 PM Eastern). This webinar is approved for one hour of free CLE credit as a benefit of your Alta Pro RPG membership. Seats are limited, so reserve yours today.

Basic Hygiene
The best way to avoid getting infected with ransomware is NOT to rely on your antiviral software, just like you shouldn’t rely on a face mask to keep you from getting the coronavirus. The best way to avoid both ransomware and the coronavirus are to practice basic hygiene regularly.

To practice basic cyber hygiene, you’ll want to use the CMMC maturity level 1 for inspiration:

Access Control (AC)

• AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
• AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• AC.1.003: Verify and control/limit connections to and use of external information systems.
• AC.1.004: Control information posted or processed on publicly accessible information systems.

Identification and Authentication (IA)

• IA.1.076: Identify information system users, processes acting on behalf of users, or devices.
• IA.1.077: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Media Protection (MP)

• MP.1.118: Sanitize or destroy information system media containing sensitive data or info before disposal or release for reuse.

Physical Protection (PE)

• PE.1.131: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
• PE.1.132: Escort visitors and monitor visitor activity.
• PE.1.133: Maintain audit logs of physical access.
• PE.1.134: Control and manage physical access devices.

Systems and Communications Protection (SC)

• SC.1.175: Monitor, control and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
• SC.1.176: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Systems and Information Integrity (SI)

• SI.1.210:Identify, report, and correct information system flaws in a timely manner.
• SI.1.211: Provide protection from malicious code at appropriate locations within organizational information systems.
• SI.1.212: Update malicious code protection mechanisms when new releases are available.
• SI.1.213: Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

Avoidance

They say that proximity is the number one reason people fall in love. After all, if you never meet your potential mate, how are you supposed to fall in love with them? The same is true for avoiding viruses. If you don’t come into contact with the coronavirus or ransomware, how can they infect you?

Avoiding the coronavirus is pretty simple (maybe not easy, but simple!) – don’t go out in public. Additionally, you can avoid any suspicious people who come to visit; if you have a package, make sure you don’t answer the door but have them drop it off and don’t let any strangers inside.

The same concept with avoiding ransomware; if you stay off the internet, you’re unlikely to get infected, but that’s not exactly easy to do. So, you need to be careful who you come into contact with. If you don’t know the person who sent you the email? Don’t open it! And certainly DO NOT open any attachments or give your username and password.  You can’t control what gets sent to you but you can certainly control what you open.

Conclusion
Ransomware may not have the mortality rate of the coronavirus, but you most certainly want to avoid it like the plague. The best way to do both is to practice avoidance + basic hygiene.

Sign up for the FREE webinar “10 Things Every Lawyer Should Know About Cybersecurity in 2020.” The program is presented on March 31. It carries one free hour of lawyer CLE credit. Sign up here.