alphaspirit - Fotolia
Incomplete visibility a top security failing
Incomplete visibility of IT environments is among the most common basic enterprise security failings, as most organisations are still failing to achieve basic cyber security hygiene, a survey reveals
Real-world breaches and security incidents continue to show that many of the most widespread issues still stem from a lack of basic cyber hygiene, according to a report by security firm Tripwire.
Therefore, organisations cannot overlook the fundamentals such as addressing known vulnerabilities, ensuring secure configuration and monitoring systems for change, the report said.
A key finding of the report based on a survey of more than 300 security professionals is that many organisations still struggle to maintain the adequate visibility into their environments needed to address potential issues quickly.
Attackers may only need minutes on a network to launch a successful attack, the report said, yet 57% of respondents said it takes hours, weeks, months or longer to detect new devices connecting to their organisation’s network.
The survey shows that organisations need to improve visibility into the devices and software on their networks, logs from critical systems and configuration changes.
More than half (54%) of respondents are not collecting logs from all critical systems into a central location, and 97% believe they need to get more efficient at checking logs. About a quarter said they were not efficient at all, while another 73% said they were fairly efficient, but could improve.
The report also highlights that vulnerability scans are not as extensive as they should be, with only half of respondents running comprehensive, authenticated scans and only 59% scanning weekly – or more in line with industry best practice.
Read more about cyber hygiene
- NCSC report underlines the importance of following best practice and putting processes in place to ensure basic cyber hygiene.
- The government's Cyber Essentials Scheme that is aimed at ensuring basic cyber hygiene through firewalls, malware protection, patch management, user access control and secure configuration.
- While basic cyber hygiene could prevent attacks similar to WannaCry, many individuals and organisations are still making the same old security mistakes.
- Many firms focus too much on box-ticking and compliance, but that is not necessarily synonymous with good security, which requires good, basic cyber hygiene and an establish culture of security.
Hardening benchmarks are also a missed opportunity, the report said, with 60% of respondents admitting they do not use hardening benchmarks such as those provided by the US Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) to establish a secure baseline.
While many security teams implement good basic protections around administrative privileges, the report said these low-hanging-fruit controls should be in place at more organisations, with 31% of organisations still not requiring default passwords to be changed, and 41% still not using multifactor authentication for accessing administrative accounts.
Organisations can start to build up cyber hygiene by following established best practices such as the Critical Security Controls, a prioritised set of steps maintained by the CIS. Although there are 20 controls, the report said implementing just the top six establishes what CIS calls “cyber hygiene.”
“Industry standards are one way to leverage the broader community, which is important with the resource constraints that most organisations experience,” said Tim Erlin, vice-president of product management and strategy at Tripwire.
“It’s surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so you can plan a path forward.”
Deploying security patches
Tripwire’s State of cyber hygiene report also reveals it takes 27% of organisations anywhere from a month to more than one year to deploy a security patch.
“When cyber attacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case,” said Erlin.
“Many of the most impactful and widespread cyber security issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cyber security investment.”
The fundamentals of finding and patching vulnerabilities, ensuring systems are securely configured and monitoring them for change go a long way in maintaining a strong security posture, the report concludes.