6 Basic Cyber Hygiene Practices Organizations Fail to Implement
A new survey shows that many organizations are leaving themselves open to cyberattacks by failing to implement basic cyber hygiene practices.
The “State of Cyber Hygiene Report”, a study conducted by Tripwire and Dimensional Research, surveyed 306 IT professionals in July 2018 to examine whether organizations are implementing the security controls that the Center for Internet Security (CIS) refers to as “cyber hygiene”.
CIS considers the following six security controls, the first six of the CIS Controls, to be the basic cyber hygiene practices:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Maintenance, Monitoring and Analysis of Audit Logs
CIS Control 1: Inventory and Control of Hardware Assets
CIS Control 1 advises organizations to keep an inventory of, and control over, their hardware assets. An inventory of the devices connected to your organization’s network gives you visibility into which devices should and shouldn’t be there.
A new device connecting to your organization’s network may be harmless; it could simply be a smartphone officially issued to a newly hired staff member. An unknown device, however, could belong to an attacker trying to infiltrate the network.
The Tripwire and Dimensional Research study found that only 29% of organizations track more than 90% of their devices, and a third track less than 70%.
It takes an attacker only minutes to connect a malicious device to a victim’s network, yet the study found that 57% of organizations take hours, weeks, months or longer to detect new devices connecting to theirs.
CIS Control 2: Inventory and Control of Software Assets
CIS Control 2 advises organizations to keep the same visibility over their software assets that they keep over hardware. A software inventory is the basis for weeding out unauthorized or malicious software that shouldn’t be running on your organization’s network.
The Tripwire and Dimensional Research study found that only 21% of organizations track more than 90% of their software, while 56% track less than 70%. While it takes an attacker only minutes to run malware on a victim’s network, only 14% of organizations detect malware within minutes; 12% take weeks; and another 12% take months or longer.
The study also found that 36% of organizations aren’t using application whitelisting, a measure that blocks any program not on an approved list from executing, however it got onto the machine.
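Controls 1 and 2 both come down to the same check: compare what is actually on the network or host against what the inventory authorizes, and treat both directions of mismatch as findings. The script below is an added example, not code from the Tripwire report or from CIS. The ARP table and package list are constructed sample input (in the style of `arp -an` and `dpkg-query` output), and the `AUTHORIZED_DEVICES` and `AUTHORIZED_SOFTWARE` maps are assumed stand-ins for an organization’s asset inventory.

```python
"""Reconcile what is observed against what is authorized (CIS Controls 1 and 2).

Added example, not code from the Tripwire report or from CIS. The ARP table and
package list are constructed sample data; the AUTHORIZED_* maps stand in for the
organization's asset inventory. Real input would come from `arp -an`, DHCP
leases, switch MAC tables, or an endpoint agent's package list.
"""
import re

# Constructed sample in the style of `arp -an` on Linux (mixed MAC notations on purpose).
ARP_TABLE = """\
? (10.0.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.0.1.22) at 3C:5A:B4:11:22:33 [ether] on eth0
? (10.0.1.23) at 3c-5a-b4-11-22-34 [ether] on eth0
? (10.0.1.99) at de:ad:be:ef:00:01 [ether] on eth0
? (10.0.1.100) at <incomplete> on eth0
"""

# Constructed sample in the style of `dpkg-query -W -f='${Package} ${Version}\n'`.
INSTALLED_SOFTWARE = """\
openssh-server 1:8.9p1-3
nginx 1.18.0-6
netcat-traditional 1.10-46
tor 0.4.7.8-1
"""

# Assumed inventory: MAC -> asset name, keys in canonical lower-case colon form.
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:5e": "core-router",
    "3c:5a:b4:11:22:33": "ws-alice",
    "3c:5a:b4:11:22:34": "ws-bob",
    "3c:5a:b4:11:22:35": "ws-carol",   # inventoried but not currently on the wire
}
# Assumed approved package set (the allowlist for this host role).
AUTHORIZED_SOFTWARE = {"openssh-server", "nginx"}

MAC_RE = re.compile(r"([0-9a-fA-F]{2})[:-]" * 5 + r"([0-9a-fA-F]{2})")


def normalize_mac(raw):
    """Canonical form so '3C-5A-...' and '3c:5a:...' compare equal."""
    return ":".join(part.lower() for part in MAC_RE.fullmatch(raw).groups())


def parse_arp(text):
    """Return {mac: ip} for resolved entries; '<incomplete>' rows carry no MAC yet."""
    seen = {}
    for line in text.splitlines():
        m = re.search(r"\((\S+)\) at (\S+)", line)
        if m and MAC_RE.fullmatch(m.group(2)):
            seen[normalize_mac(m.group(2))] = m.group(1)
    return seen


def parse_packages(text):
    """Return {package: version} from 'name version' lines."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(maxsplit=1)
            pkgs[name] = version
    return pkgs


def reconcile(observed, authorized):
    """The same check serves both controls: items present but not authorized
    (unknown) and items authorized but not present (missing)."""
    unknown = sorted(set(observed) - set(authorized))
    missing = sorted(set(authorized) - set(observed))
    return unknown, missing


def unknown_devices(arp_text=ARP_TABLE):
    """[(mac, ip)] for devices on the network that the inventory does not know."""
    observed = parse_arp(arp_text)
    unknown, _ = reconcile(observed, AUTHORIZED_DEVICES)
    return [(mac, observed[mac]) for mac in unknown]


def missing_devices(arp_text=ARP_TABLE):
    """Inventoried devices not seen on the wire; a stale inventory is itself a finding."""
    return reconcile(parse_arp(arp_text), AUTHORIZED_DEVICES)[1]


def unauthorized_software(pkg_text=INSTALLED_SOFTWARE):
    """Installed packages outside the approved set."""
    return reconcile(parse_packages(pkg_text), AUTHORIZED_SOFTWARE)[0]


if __name__ == "__main__":
    print("unknown devices:", unknown_devices())
    print("missing devices:", missing_devices())
    print("unauthorized software:", unauthorized_software())
```

The interval at which this comparison runs is exactly the detection time the survey measures: a check scheduled every few minutes, fed by DHCP or switch data, closes the gap between an attacker plugging in a device and someone noticing. MAC normalization matters because the same device will appear in different notations depending on which tool reported it.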
CIS Control 3: Continuous Vulnerability Management
CIS Control 3 advises organizations to continuously assess and remediate vulnerabilities in their environments. High-impact security breaches like the WannaCry attack stem from failure to patch known vulnerabilities.
WannaCry, which locked hundreds of thousands of computers in 150 countries within 24 hours on May 12, 2017, succeeded because many organizations had not installed Microsoft’s March 2017 security update (MS17-010), which fixed the SMB vulnerability the worm exploited.
Although weekly or more frequent vulnerability scans are recommended, the Tripwire and Dimensional Research study found that 41% of organizations scan only monthly, quarterly or less often. Most organizations (56%) were able to deploy a patch within a week, while about a quarter take a month or longer to patch known vulnerabilities.
Patches should be deployed as soon as possible: attackers routinely exploit vulnerabilities that have already been publicly disclosed and fixed.
CIS Control 4: Controlled Use of Administrative Privileges
CIS Control 4 advises organizations to protect administrative accounts, since these are what attackers are most often after. An attacker who obtains administrative credentials can move through the network without much noise. Protecting administrative credentials is therefore as important as protecting the data itself.
The Tripwire and Dimensional Research study found that while it’s recommended that tasks requiring administrative access be performed on dedicated workstations that have no internet access and are segmented from the primary network, only 47% of organizations use dedicated workstations for administrative activities.
The study also found that a third of organizations don’t require default passwords on administrative accounts to be changed, and 41% don’t use multifactor authentication for administrative access.
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
CIS Control 5 advises organizations to harden configurations, because most software and operating systems ship configured for openness and ease of use rather than security. Accidental misconfigurations have exposed millions of sensitive corporate records online.
While the recommendation is to detect configuration changes within minutes, the Tripwire and Dimensional Research study found that only 18% of organizations do so.
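Detecting configuration changes within minutes requires a known-good baseline and a comparison that runs continuously. The script below is an added example of that baseline-and-compare approach; it is not code from the report or from Tripwire’s products. The configuration files, their hardened contents and the simulated drift are all constructed in a temporary directory, and the file names are assumptions.

```python
"""Detect configuration drift against a known-good baseline (CIS Control 5).

Added example, not code from the report or from any vendor product. The config
files are constructed in a temporary directory; in practice the baseline is taken
after hardening, stored off the host it describes, and the comparison runs on a
schedule measured in minutes.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def _fingerprint(path):
    """Content hash plus permission bits: a mode change alone (e.g. sudoers made
    world-writable) is drift even when the bytes are unchanged."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return digest, stat.S_IMODE(os.stat(path).st_mode)


def snapshot(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = _fingerprint(full)
    return snap


def drift(baseline, current):
    """Classify differences between two snapshots.

    'modified' = content changed (whatever happened to the mode);
    'permissions' = same content, different mode.
    """
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p][0] != current[p][0]),
        "permissions": sorted(p for p in common
                              if baseline[p][0] == current[p][0]
                              and baseline[p][1] != current[p][1]),
    }


def demo():
    """Build a hardened baseline, simulate the kinds of drift an attacker or a
    careless admin introduces, and return what the comparison flags."""
    root = tempfile.mkdtemp(prefix="cfg-")

    def write(rel, text, mode=0o644):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, mode)

    try:
        # Constructed hardened state.
        write("sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n", 0o600)
        write("sudoers", "root ALL=(ALL) ALL\n", 0o440)
        write("motd", "Authorized use only.\n")
        baseline = snapshot(root)

        # Constructed drift: weakened SSH policy, loosened sudoers permissions,
        # a new cron-style file, and a file removed.
        write("sshd_config", "PermitRootLogin yes\nPasswordAuthentication yes\n", 0o600)
        os.chmod(os.path.join(root, "sudoers"), 0o666)
        write("cron.d_backdoor", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "motd"))
        return drift(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two design points matter in practice: the baseline must live somewhere the monitored host cannot rewrite it, or an attacker with root simply re-baselines after making changes; and comparing permission bits as well as content catches the quiet changes (a world-writable sudoers, a relaxed key file) that a content-only hash misses.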
CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs
CIS Control 6 advises organizations to collect, monitor and analyze logs continuously. Reviewed daily, logs can reveal abnormal activity, whether it comes from an insider threat or an external attacker.
The Tripwire and Dimensional Research study found that more than half (54%) of organizations aren’t collecting logs from all critical systems; 44% review logs only weekly, monthly, quarterly or less often; and a quarter describe their log analysis as not at all efficient.
Many of today’s cyberattacks succeed because individuals and organizations fail to implement the most basic cyber hygiene practices.
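To make the point concrete, here is an added example of the kind of abnormal activity that daily log review is meant to surface: an external password-guessing burst followed by a successful login from the same source, and a privileged account logging in outside business hours, which could indicate an insider or a stolen credential. This is not the report’s or any product’s detection logic. The log lines are constructed in the style of OpenSSH’s sshd messages with ISO timestamps, and the thresholds, business hours and privileged-account list are assumptions.

```python
"""Spot abnormal activity in authentication logs (CIS Control 6).

Added example, not the report's or any product's detection logic. AUTH_LOG is
constructed sample input in the style of OpenSSH sshd messages; the threshold,
window, business hours and PRIVILEGED set are assumptions to be tuned per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_LOG = """\
2018-07-10T02:14:01 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
2018-07-10T02:14:06 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 50114 ssh2
2018-07-10T02:14:12 bastion sshd[4122]: Failed password for root from 203.0.113.7 port 50116 ssh2
2018-07-10T02:14:19 bastion sshd[4124]: Failed password for root from 203.0.113.7 port 50118 ssh2
2018-07-10T02:14:27 bastion sshd[4127]: Failed password for deploy from 203.0.113.7 port 50121 ssh2
2018-07-10T02:14:36 bastion sshd[4129]: Failed password for deploy from 203.0.113.7 port 50125 ssh2
2018-07-10T02:14:59 bastion sshd[4133]: Accepted password for deploy from 203.0.113.7 port 50140 ssh2
2018-07-10T09:03:12 bastion sshd[5001]: Accepted publickey for alice from 10.0.1.22 port 40022 ssh2
2018-07-10T09:10:00 bastion sshd[5010]: Failed password for bob from 10.0.1.23 port 40030 ssh2
2018-07-10T09:10:31 bastion sshd[5011]: Accepted password for bob from 10.0.1.23 port 40031 ssh2
2018-07-10T23:41:05 bastion sshd[5210]: Accepted publickey for svc-backup from 10.0.1.40 port 40100 ssh2
2018-07-10T23:42:40 bastion sshd[5212]: pam_unix(sshd:session): session opened for user svc-backup by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

PRIVILEGED = {"root", "deploy", "svc-backup"}   # assumption: accounts with admin rights
BUSINESS_HOURS = range(7, 19)                    # assumption: 07:00 to 18:59 local time


def parse(text):
    """(timestamp, outcome, user, ip) per login attempt, oldest first.
    Lines that are not login outcomes (e.g. pam session messages) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]))
    return sorted(events)


def password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failures inside any sliding `window`.
    Returns {ip: peak failures seen within one window}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, outcome, _user, ip in events:
        if outcome != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def success_after_guessing(events, flagged):
    """The outcome that matters: a successful login from a source that was guessing."""
    return [(ts.isoformat(), user, ip) for ts, outcome, user, ip in events
            if outcome == "Accepted" and ip in flagged]


def off_hours_privileged_logins(events):
    """Successful privileged logins outside business hours. A legitimate backup
    job would become a tuned exception rather than a reason to drop the rule."""
    return [(ts.isoformat(), user, ip) for ts, outcome, user, ip in events
            if outcome == "Accepted" and user in PRIVILEGED and ts.hour not in BUSINESS_HOURS]


def analyze(text=AUTH_LOG):
    events = parse(text)
    flagged = password_guessing(events)
    return {
        "password_guessing": flagged,
        "success_after_guessing": success_after_guessing(events, flagged),
        "off_hours_privileged": off_hours_privileged_logins(events),
    }


if __name__ == "__main__":
    for name, findings in analyze().items():
        print(f"{name}: {findings}")
```

None of these findings exist if the bastion’s logs are not collected centrally, and a weekly review would have left the guessed `deploy` password in use for days; both halves of the control, collection from every critical system and prompt analysis, are needed for the signal to be useful.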
Contact us today at (416) 920-3000, if your organization needs assistance in implementing these basic cyber hygiene practices.