Experts are going hoarse telling organizations they have to build their cyber security strategies around doing the basics, including having an accurate inventory of everything on the network.
But if a survey sponsored by Tripwire is accurate not many are following even the top six of the 20 recommended Critical Security Controls set by the Center for Internet Security (CIS).
Among the survey’s findings:
- Only 11 per cent of respondents believe their organization tracks all hardware devices on their networks;
- Only 21 per cent say their organization tracks more 90 per cent of their software, while 56 per cent track less than 70 percent;
- A third of respondents said their organization doesn’t require changed default passwords, 41 per cent still don’t use multifactor authentication for accessing administrative accounts, and 43 per cent do not require unique passwords for each system;
- More than a third (38 per cent) said they still struggle to enforce configuration settings;
- Almost two-thirds of the organizations admit they do not use hardening benchmarks, like CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline.
“These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience,” Tim Erlin, Tripwire’s vice-president of product management and strategy, said in a statement. “It’s surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward.”
The survey was completed by 306 participants in Canada and the U.S. last month, all of whom are responsible for IT security at companies with more than 100 employees.
Many organizations still struggle to maintain the adequate visibility into their environments needed to address potential issues quickly, an analysis of the survey results found. “Results showed that organizations need to improve visibility into the devices and software on their networks, logs from critical systems, and configuration changes.”
Almost all participants said their organization uses vulnerability scanning, but only half run comprehensive, authenticated scans. Only 59 percent are scanning weekly or more, as recommended by CIS.
Other interesting findings:
–More than half (54 percent) of respondents said their organization doesn’t pour logs from critical systems into a central location;
— 44 per cent said they only review logs weekly, monthly, quarterly or less. Nine per cent never review logs at all. The report’s authors say logs should be looked at daily.
The top six CIS Security Controls are inventory and control hardware assets; inventory and control software assets; perform vulnerability management; secure hardware and software configuration; control administrative privileges; and monitor and analyze logs.
A combination of security solutions is required to provide suitable threat prevention, detection and mitigation, says the report. But implementing cyber hygiene –defined as following the first six of the CIS security controls — provides organizations with the foundational breadth necessary to manage risk.
The report, called The State of Cyber Hygiene, can be downloaded here. Registration is required.