Cyber Hygiene Best Practices

Cyber Hygiene is a set of best practices users should follow to improve the safety and security of their devices.

For detailed information on minimum security standards for Servers, Endpoint, and Multi-Function Devices based on UH Institutional Data Category type (Public, Restricted, Sensitive, and Regulated), please visit the following page: https://www.hawaii.edu/infosec/minimum-standards/

When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.


1 Anti-Malware Software and Host Based Firewalls

Install Anti-Malware software and ensure its signatures are regularly updated. Anti-Malware software is a key protective measure to detect, quarantine, and remove various types of malware.

McAfee anti-virus software is available under a University of Hawaiʻi (UH) Information Technology Services (ITS) site license to active UH faculty, staff, and students: https://www.hawaii.edu/askus/1254

In addition to installing Anti-Malware software, most modern Operating Systems include built-in firewalls, which are commonly referred to as Host Based Firewalls. Host Based Firewalls run on your device and provide an additional layer of protection from network cyber attacks.

  • US-CERT Security Tip (ST18-271) Protecting Against Malicious Code: https://us-cert.cisa.gov/ncas/tips/ST18-271
  • US-CERT Security Tip (ST04-004) Understanding Firewalls for Home and Small Office Use: https://us-cert.cisa.gov/ncas/tips/ST04-004
  • ITS MSS 4.4 – Implement and Manage a Firewall on Servers (CIS Control 4.4)
  • ITS MSS 4.5 – Implement and Manage a Firewall on End-User Devices (CIS Control 4.5)
  • ITS MSS 10.2 – Configure Automatic Anti-Malware Signature Updates (CIS Control 10.2)
2 Regularly Update Software

Regularly performing software updates is one of the most effective steps you can take to improve your overall cybersecurity posture. Software updates include operating system and firmware updates, patches, and security fixes. Most software today will automatically check for new updates.

  • US-CERT Security Tip (ST04-006) Understanding Patches and Software Updates: https://us-cert.cisa.gov/ncas/tips/ST04-006
  • ITS MSS 7.3 – Perform Automated Operating System Patch Management (CIS Control 7.3)
  • ITS MSS 7.4 – Perform Automated Application Patch Management (CIS Control 7.4)
  • ITS MSS 9.1 – Ensure Use of Only Fully Supported Browsers and Email Clients (CIS Control 9.1)
3 Multi-Factor Authentication

Users are strongly encouraged to use Multi-Factor Authentication (MFA) whenever possible. The use of MFA is an additional layer of protection on top of your existing username and password. With MFA, you will need a second factor, such as your smartphone, to successfully log in. This makes accessing your account by attackers more difficult as they will need both your password and second factor to be successful.

ITS supports the use of MFA. Please visit the following sites for further information on MFA and how to set it up:

  • UH Login: http://www.hawaii.edu/its/uhlogin/
  • Getting setup for Multi-Factor Authentication (MFA): https://www.hawaii.edu/askus/1758
  • ITS MSS 6.3 – Require MFA for Externally-Exposed Applications (CIS Control 6.3)
  • ITS MSS 6.4 – Require MFA for Remote Network Access (CIS Control 6.4)
  • ITS MSS 6.5 – Require MFA for Administrative Access (CIS Control 6.5)
4 Set Strong Passwords

Compromised or Exposed Passwords: If your password has ever been compromised or exposed in a data breach, this password should NEVER be re-used anywhere else.

Strong passwords are key to protecting against unauthorized access. Best practices include:

With the use of Multi-Factor Authentication:

  • Passwords must be 8-32 characters long; and
  • Passwords must contain at least one uppercase character, one lowercase character, one number, and one special character.

Without Multi-Factor Authentication:

  • Passwords must be 14-32 characters long;
  • Passwords must contain at least one uppercase character, one lowercase character, one number, and one special character;
  • Passwords should expire every 365 days or less; a password that has been compromised or exposed must be changed immediately;
  • Password history must retain at least the last 10 passwords, none of which may be reused; and
  • Devices unable to meet these best practices (e.g., Multi-Function Devices, Network Devices, Legacy Systems, etc.) should have password settings at the maximum complexity allowed by the system.

Additional best practices include:

  • Change all default passwords. These pre-configured passwords usually have administrator level privileges and are readily known on the internet.
  • Do not use the same password with multiple accounts.

Password Managers:

  • Password managers can help you generate, store, and manage long, complex passwords for each of your accounts.
  • The only way to access your password vault is by using one strong master password, which greatly reduces the amount of information you need to remember and protect.
  • The following article discusses the use of password managers: https://www.hawaii.edu/infosec/resources-tips/password-manager/
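
As an added illustration, not part of the UH page, the following Python encodes the length, complexity, breach-reuse, history, and expiry rules listed above so that a candidate password can be checked under either the MFA or the no-MFA profile. The breached-password set and the sample dates are constructed placeholders.

```python
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed placeholder set of breach-exposed passwords; the page says never reuse these.
EXPOSED_PASSWORDS = {"Password123!", "Welcome2024!"}


@dataclass
class PasswordPolicy:
    mfa_enabled: bool
    history_size: int = 10  # page: remember at least the last 10 passwords
    # Real systems store salted hashes of prior passwords; plaintext keeps this short.
    history: list = field(default_factory=list)

    @property
    def min_length(self) -> int:
        return 8 if self.mfa_enabled else 14  # MFA: 8-32 chars; no MFA: 14-32 chars

    def problems(self, candidate: str) -> list:
        """Return every rule the candidate breaks; an empty list means acceptable."""
        issues = []
        if not (self.min_length <= len(candidate) <= 32):
            issues.append(f"length must be {self.min_length}-32 characters")
        if not any(c.isupper() for c in candidate):
            issues.append("missing uppercase character")
        if not any(c.islower() for c in candidate):
            issues.append("missing lowercase character")
        if not any(c.isdigit() for c in candidate):
            issues.append("missing number")
        if not any(c in string.punctuation for c in candidate):
            issues.append("missing special character")
        if candidate in EXPOSED_PASSWORDS:
            issues.append("exposed in a breach; never reuse")
        # The history rule is listed on the page only for accounts without MFA.
        if not self.mfa_enabled and candidate in self.history[-self.history_size:]:
            issues.append(f"reused within the last {self.history_size} passwords")
        return issues

    def rotate(self, new_password: str) -> bool:
        """Apply a password change and record it; returns False if rejected."""
        if self.problems(new_password):
            return False
        self.history.append(new_password)
        return True


def is_expired(last_changed: str, today: str, max_age_days: int = 365) -> bool:
    """ISO date strings; without MFA the page requires a change every 365 days or less."""
    delta = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return delta >= timedelta(days=max_age_days)
```
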
5 Use Encryption

Data resides in numerous places, whether desktops, laptops, or removable storage media (USBs, external hard drives, and CD/DVDs). Attention is especially necessary if this data is considered sensitive. Encryption is a key way to safeguard sensitive information wherever it is stored.

The following article discusses the encryption options available: https://www.hawaii.edu/infosec/resources-tips/encryption/

When sending files, consider using the UH File Drop service: https://www.hawaii.edu/filedrop/

6 Back Up Your Data

Regularly back up your data, either on removable media or within a cloud-based service like Google Drive. This includes ensuring your data is encrypted when backed up. Backing up data is critical in the event your data is corrupted, lost, stolen, or otherwise unrecoverable.

  • US-CERT Home Network Security Tips (ST15-002): https://www.us-cert.gov/ncas/tips/ST15-002
  • ITS MSS 11.2 – Perform Automated Backups (CIS Control 11.2)
  • ITS MSS 11.3 – Protect Recovery Data (CIS Control 11.3)
  • ITS MSS 11.4 – Establish and Maintain an Isolated Instance of Recovery Data (CIS Control 11.4)
7 Lock your Devices

Whenever you step away from your device, lock the device so that a password is needed to regain access. This prevents others from accessing your information while you are away, since they would need your password.

Configure your device to also automatically lock after a period of inactivity. The recommended setting is to automatically lock the device after 10 minutes or less of inactivity.

If you are done working with your workstation for the day, consider shutting it down or, at the very least, logging out.

8 Limit the use of Administrative Accounts

Administrative accounts are privileged accounts which can perform many actions a non-privileged user account cannot. Examples of these privileged actions include installing software, disabling anti-malware software, adding and removing user accounts, and stopping/starting services.

If a non-privileged account is compromised, the damage an attacker can do is much more limited. The recommended best practice is to use a non-privileged user account for normal day-to-day activities like using the internet and email. When you need to perform actions like installing or removing software, log in with the privileged account, and then log out when done.

  • ITS MSS 4.7 – Manage Default Accounts on University Assets and Software (CIS Control 4.7)
  • ITS MSS 5.2 – Restrict Administrator Privileges to Dedicated Administrator Accounts (CIS Control 5.4)
9 Recognize Phishing

Phishing is one of the most common and simplest ways attackers attempt to compromise your device and steal your sensitive information. Best practices to minimize your chances of becoming a victim:

  • Never open suspicious or unknown links or attachments in emails.
  • Hover over links in your emails to confirm that they point to the expected site.
  • Is the email poorly worded with misspellings? This is a common indicator of phishing.

For more details, please visit the following:

10 Mobile Device Security

Mobile devices have their own cyber hygiene best practices because of their portability and everyday use. In addition to the other cyber hygiene best practices:

  • Ensure you have a PIN or password set.
  • Keep the mobile device’s OS up to date and patched.
  • Only use trusted sources to install apps (Apple App Store; Google Play).
  • Limit, or avoid entirely, the sensitive information you store or transmit on your mobile device.
  • Consider the use of encryption on your mobile device. Due to the portable size of mobile devices, they are at increased risk of being lost or stolen.
11 Internet of Things (IoT) Devices

US-CERT refers to the Internet of Things (IoT) as any “object or device that sends and receives data automatically through the Internet. This rapidly expanding set of “things” includes tags (also known as labels or chips that automatically track objects), sensors, and devices that interact with people and share information machine to machine.”

Common IoT devices include Network Attached Storage (NAS), sensors (e.g., temperature readers), Universal Plug and Play (UPnP) devices, and IP devices like routers, cameras, and printers.

Due to the increasing popularity of IoT devices at work and home, this section will discuss the risks, best practices, and how other Cyber Hygiene Best Practices (CHBP) work together to collectively reduce the risk exposure of these devices.

Risks

  • Attackers are looking for sensitive data on IoT devices to exfiltrate. This is especially concerning if UH Institutional Data at the Protected level (Restricted, Sensitive, Regulated) is stored on these devices.
  • A compromised IoT device could become a part of a botnet, which then performs other attacks.
  • Compromised IoT devices are often used to attack other computers or devices for additional malicious activity.

Best Practices

When evaluating IoT devices for a work or home environment, treat the following as baseline features; a device that lacks them carries a higher risk of being compromised.

  • Strong Passwords (CHBP #4): A strong password is key to preventing unauthorized access. Most IoT devices are configured with default passwords which are commonly known on the internet.
  • Evaluate Security Settings: Enable and select options making the device more secure. Examples include using encryption (CHBP #5), enabling the device firewall (CHBP #1), disabling unnecessary components, and limiting access to local and network interfaces (e.g., to access the device you must provide a username and strong password).
  • Keep the Device Updated (CHBP #2): Regularly update the device software and firmware from the manufacturer.
  • Connect Only When Necessary:
    • Determine if this device needs to be connected to the internet. Once connected to the internet, attackers are able to scan this device for vulnerabilities, misconfigurations, and weak and commonly known usernames and passwords.
    • If you must connect the device to the network, place it behind a firewall.
    • If possible, only connect the device to the network when needed to perform a function or access information. Once done, disconnect from the network.
  • Create an Inventory: Having an inventory of IoT devices will help track what is connected to your network.
  • Physical Security: If the device is accessible to the public, ensure the device, its ports, and any cables are protected from tampering.
  • US-CERT Security Tip (ST17-001) Securing the Internet of Things: https://us-cert.cisa.gov/ncas/tips/ST17-001
  • From Homes to the Office: Revisiting Network Security in the Age of the IoT: https://www.trendmicro.com/vinfo/au/security/news/internet-of-things/from-homes-to-the-office-revisiting-network-security-in-the-age-of-the-iot
  • ITS MSS 1.1 – Establish and Maintain Detailed University Asset Inventory (CIS Control 1.1)
  • ITS MSS 3.5 – Encrypt Institutional Data on End-User Devices (CIS Control 3.6)
  • ITS MSS 3.7 – Encrypt Institutional Data on Removable Media (CIS Control 3.9)
  • ITS MSS 3.8 – Encrypt Institutional Data in Transit (CIS Control 3.10)
  • ITS MSS 3.9 – Encrypt Institutional Data at Rest (CIS Control 3.11)
  • ITS MSS 4.1 – Establish and Maintain a Secure Configuration Process (CIS Control 4.1)
  • ITS MSS 4.4 – Implement and Manage a Firewall on Servers (CIS Control 4.4)
  • ITS MSS 4.5 – Implement and Manage a Firewall on End-User Devices (CIS Control 4.5)
  • ITS MSS 4.7 – Manage Default Accounts on University Assets and Software (CIS Control 4.7)
  • ITS MSS 4.8 – Uninstall or Disable Unnecessary Services on University Assets and Software (CIS Control 4.8)
  • ITS MSS 7.3 – Perform Automated Operating System Patch Management (CIS Control 7.3)
  • ITS MSS 7.4 – Perform Automated Application Patch Management (CIS Control 7.4)