Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceCybersecurity News

Cybersecurity Hygiene Requirement Meets Its Toothbrush

By Amitai Ratzon
Most Countries without Cybersecurity Strategy
April 16, 2020

CEOs cite cybersecurity as the biggest threat to the world economy and as a result, the global spend in cybersecurity is expected to surpass $1 trillion by 2021. An enterprise cyber attack can turn into a catastrophe in a matter of hours, potentially damaging any business at any point in time. As we see from the past few years, the greatest have already fallen.

When you think about it, it’s no different from a domestic burglary - a criminal picks the lock on the door and enters the house, avoiding the alarms while searching for the safe. They crack it open, get the jewels and make it out without being caught. In our context, a cyber burglar.

When it comes to malicious hackers, the biggest difference is the number of conductor hallways, vents, shafts, and doors one can use. If you take into account the settings of anti-viruses, firewalls, application firewalls and Windows group policies, etc., it amounts to thousands of parameters. Multiply this complexity when it comes to cloud and heterogeneous environments and it becomes clear that the chances of neglecting a vulnerable security control are very high.

 

Did We Leave the Door Open?

There is a new rule of equality - everyone is being hacked. If a door is left open, it will be entered. Public websites and applications are exploited as they are released. That’s simply how the internet works in 2020.

The same goes for internal controls. One must assume that at least one point of the organization has been compromised. An attacker will make an attempt on every misconfigured control to progress laterally towards the critical data or services and it only takes one to succeed.

 

Validation is Calling

The IT network is a living organ constantly undergoing changes - adding and removing users, changing segmentation, new systems, cloud migration -it’s endless. Show me a patch-perfect iron-clad network today and in two-month, I can assure you, its controls will decay in efficacy.

Some people refer to it as instrumentation, others as control validation, but the simplest term is security hygiene. And if it’s hygiene we’re after, misconfigurations is the dirt and it’s often the result of human error.

Our networks are in need of continuous, on-demand testing to ensure controls are kept in tune at all times. As I mentioned earlier, it takes only one misconfiguration for an attacker to progress the attack.

 

The “Cyber Toothbrush” Rush

An ideal solution should take the form of a ‘crawler’ roaming the network, checking that all controls are enforced and changes have not created weaknesses. For example, Windows Circular Nested Active Directory (AD) Groups, where privileges are misconfigured to enable a regular user to achieve higher privileges than intended, is a hacker’s slam dunk. Are you confident there are none in your network? Only a continuous solution will allow you to answer that question.

Such a solution to this problem is long overdue and many technologies are on the rise to address it. When reviewing them, it’s important to use a few qualifying questions to ensure their operational burden doesn’t cast a shadow over their benefits.

 

3 Key Requirements for an Ideal Solution

  1. Fully Automated: Many security validation solutions provide a ‘playbook’ approach to risk validation, repeatedly testing for one known attack vector. Despite various claims of ease of use, these require design, maintenance and constant updates. The ideal tool should have a one-click-to-validate approach.
  2. Agentless: Part of the pain in information security is managing software agents with the promise of an ultra-lightweight one that you won’t mind. All agent-based systems require installation, documentation and upgrades, providing a weakness by its own right. The ideal tool should work without agent deployment.
  3. MITRE ATT&CK™: It is key that any cybersecurity validation system is compliant with the evolving matrix of adversary techniques to assure you are covered and validated against them. It’s essential to validate and cover the known and existing threats out there, understand what has been validated against, and evolve with the industry over time.

 

The Toothbrush Test

The most cost-efficient solution these days is validating your security controls. Whether you have a budget item for this or need to ‘borrow’ from other validation budget items, it’s the most efficient way to make sure you’re at the top of your game with quick and contextualized remediation measures. The ultimate question to ask yourself is, “can I run this solution every day?” The answer should be yes, and the practice should follow suit.

KEYWORDS: cyber security data breach risk management threat assessment

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Amitai ratzon

Amitai Ratzon is CEO of Pcysys. 

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cybersecurity
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

Laptop with coding on ground

Stepping Into the Light: Why CISOs Are Replacing Black-Box Security With Open-Source XDR

Gift cards and credit cards

Why Are Cyberattacks Targeting Retail? Experts Share Their Thoughts

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • SEC0818-cyber-feat-slide1_900

    GAO: DOD Needs to Take Decisive Actions to Improve Cybersecurity Hygiene

    See More
  • cyber-hygiene-freepik1170x658.jpg

    Implementing strong cybersecurity hygiene standards

    See More
  • apple

    Apple's new requirement puts additional focus on consumer and data privacy

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing