Wednesday, 20th February 2019

Security hygiene in the spotlight

More than 60 percent of organisations not leveraging established hardening benchmarks.

Tripwire has released its State of Cyber Hygiene report. The survey, conducted in July in partnership with Dimensional Research, included responses from 306 IT security professionals.

Tripwire examined how organisations are implementing security controls that the Center for Internet Security (CIS) refers to as "Cyber Hygiene." The survey found that almost two-thirds of the organisations admit they do not use hardening benchmarks, like CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline.

“These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organisations experience," said Tim Erlin, vice president of product management and strategy at Tripwire. "It's surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward."

Tripwire's State of Cyber Hygiene report explores how organisations are implementing cybersecurity practices related to network visibility, vulnerability management, configuration management, administrative privileges and logging.

Other key findings in the report include:

  • Many organisations still struggle to maintain visibility of their environments and quickly address unauthorized potential issues. Attackers may only need minutes on a network to launch a successful attack, yet 57 percent said it takes hours, weeks, months or longer to detect new devices connecting to their organization’s network.
  • Forty percent of organisations are not scanning for vulnerabilities weekly or on a more frequent basis despite recommendations, and only half run the more comprehensive authenticated scans. It takes 27 percent of organizations anywhere from a month to more than one year to deploy a security patch.
  • Fifty-four percent are not collecting logs from all critical systems into a central location, and 97 percent believe they need to get more efficient at checking logs. About 25 percent said they were not efficient at all, while another 73 percent said they were fairly efficient but could improve.
  • Most organisations implement good basic protections around administrative privileges, but as low-hanging fruit, these controls should be in place at more organisations. Thirty-one percent of organisations still do not require default passwords to be changed, and 41 percent still don't use multifactor authentication for accessing administrative accounts.

"When cyberattacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case," said Erlin. "Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment."

Businesses see positive impact of data regulation and develop their data privacy awareness.
Governing diverse data sources with speed on Microsoft Azure, Talend helps support the delivery of a...
44% of decision makers are spending a day each week dealing with cybersecurity issues.
Netwrix Auditor helps Credissimo optimise security and auditing routines to achieve day-to-day compl...
Postquantum cryptography and machine learning research initiatives currently underway in collaborati...
RSA Security survey uncovers growing disconnect between consumers and businesses as companies capita...
New report sets out awareness of vulnerability as a major problem amongst senior executives.
CertCentral Enterprise adds notable enterprise controls and anchors the DigiCert flagship TLS platfo...