Tripwire, Inc., a global provider of security and compliance solutions for enterprises and industrial organizations, today released its State of Cyber Hygiene report. The survey, conducted in July in partnership with Dimensional Research, included responses from 306 IT security professionals.
In the report, Tripwire examined how organizations are implementing security controls that the Center for Internet Security (CIS) refers to as “Cyber Hygiene.” The survey found that nearly two-thirds of the organizations admit they do not use hardening benchmarks, like CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline.
The report included six different controls. Control one, Inventory and Control of Hardware Assets, advises organizations to keep an accurate network inventory. Doing this provides visibility into devices that could pose security threats or that shouldn’t be on your network at all.
Control two, Inventory and Control of Software Assets, focuses on inventorying software. By implementing this control, organizations can weed out malware and software that should not be running on their network.
Control three, Continuous Vulnerability Management, found that while all participants ran vulnerability scans, only 50 percent ran authenticated scans, the most comprehensive kind.
Control four, Controlled Use of Administrative Privileges, found that only 47 percent use dedicated workstations for administrative activities. It’s recommended that tasks requiring administrative access be done on dedicated workstations that are segmented from the primary network and not be allowed Internet access
Control five covered secure configurations for hardware and software on mobile devices, laptops, workstations, and servers. The report found that most software and operating systems are configured in an open and insecure state when in fact systems should be configured to a defined, ideal and secure state.
The last control, maintenance, monitoring and analysis of audit logs discovered that more than half (54 percent) of organizations are not collecting logs from critical systems into a central location. Centralized logging is conducive to effective event monitoring and analysis.
“When cyberattacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case,” said Tim Erlin, director of IT Security and Risk Strategy at Tripwire. “Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment.”