Many companies are failing to implement the most basic security controls to lock down their networks and data, an oversight that leaves them less able to respond to attacks and security incidents.
While security hardening guides that prioritize the most basic steps are freely available from the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and the Defense Information Systems Agency (DISA), 60 percent of companies do not benchmark their progress against those guides, according to a survey conducted by security technology company Tripwire.
Those companies are forgoing a significant source of security knowledge to put them on the right path, Tim Erlin, vice president of product management and strategy for Tripwire, told eWEEK.
"There is a lot of research and community contributions that go into those hardening guidelines," he said. "These days, they are generally evidence-based recommendations about what you should do to eliminate risk in your environment. For those companies, it is a missed opportunity."
The CIS Controls guide, for example, breaks down security measures into six groups of basic controls, 10 foundational controls, and four organizational controls. Among the basic steps companies should take are creating an inventory of hardware and software assets, manage vulnerabilities continuously, separate privileged access from normal user accounts, and monitoring log files.
"We focus pretty tightly on the current problems—what bad guys are doing today and what are the challenges," Tony Sager, senior vice president CIS, told eWEEK. "The problem in this business is that there is an infinite number of ways that you could improve your security. They are important things, but it can be overwhelming with hundreds and thousands of pages of things to do."
Sager often finds companies who want to know how to get started on improving and institutionalizing their security. He recommends that the foundational controls first be implemented.
"On their own, these will not help you stop any specific attack," Sager said. "They are part of the infrastructure you need to stop big classes of attacks."
1. Get better visibility into your network operations
Companies still do not have good visibility into the devices and software on their network and the complexity of their networks appear to be getting the better of them.
Only 29 percent of companies track 90 percent or more of their devices, according to the Tripwire survey. In 2018, only 75 percent of companies were able to remove or isolate an unauthorized device from their network, and 18 percent of companies required days to remove the unknown device. In 2015, 89 percent of companies could claim the same efficiency.
"It has gotten worse—I don't know how this can be anything but worse," Erlin said. "Part of it, no doubt, is that organizations have a skills gap and a talent shortage. But vendors should be responding to these trends and filling the gap."
Yet, companies seem to be doing a decent job of keeping track of devices, if not removing them. In 2018, three-quarters of companies detected a new device on the network in hours, compared to 71 percent of companies in 2015.
2. Vulnerability scans: Checking the box is not enough
While vulnerability scanning has become widespread, with 89 percent of companies conducting regular scans, only half of companies do an authenticated scan that uses access to the device to check for specific software flaws.
This is a major oversight, said Erlin. In addition, only 59 percent of companies are scanning on at least a weekly basis, with 23 percent conducting scans each month and 18 percent conducting scans quarterly or less often.
"If you are not doing authenticated vulnerability scans, then you are only giving yourself a partial picture of the vulnerability risk in your environment," he said.
While DevOps is often seen as a way to integrate software testing into the development process, even DevOps shops are having trouble scanning for vulnerabilities as part of the agile process. Only 54 percent of organizations have implemented a DevOps pipeline scan for vulnerabilities throughout the development lifecycle.
3. Monitor system logs to improve response
Knowing what devices are on your network is only part of the battle. Companies also need to gather logs from critical systems and use systems that glean high-quality security events from those logs, said Tripwire's Erlin. Only 46 percent of organizations have centralized their log collection, according to the company's study.
"If you are not collecting logs, then you have no idea what happened on these systems in the case of an incident," he said. "And it is difficult to collect them after an incident, especially because an attacker can change them."
Companies that do not collect logs are also putting themselves in legal jeopardy because most industry requirements and government regulations require that companies monitor—and in some cases, continuously monitor—the logs of critical systems and devices.
4. Simplify by outsourcing, moving to the cloud
While companies have a reasonable handle on defending their perimeter, keeping data secure means encrypting data, knowing where your data is and securing mobile devices. About 38 percent of companies are not able to reliably enforce configuration settings on devices.
These are issues that managed security startup Expel commonly sees among its prospective clients. Part of the problem is that the IT and security teams are overwhelmed dealing with bespoke hardware on site.
"One of the biggest challenges they have is that they still run their own stuff and they have huge amounts of legacy infrastructure that they need to maintain," Bruce Potter, Expel’s chief information security officer, told eWEEK.
"When you look at these organizations, there are things that most companies shouldn't do anymore, such as run their own mail servers, or run their own accounting systems, or host their own Web site. These are things that other providers do professionally, singularly and very well. So companies should get that outside of their walls."
5. Focus on privilege access
Most companies—88 percent—use a dedicated account for administrative tasks, a basic control in the CIS document. Yet, less than half of companies take the extra step to use dedicated workstations for administrative activities, according to the Tripwire survey.
"If you control administrative access, especially within your user community, you can dramatically reduce the amount of risk, because many of the attacks that occur in a user environment," Tripwire's Erlin said.
In general, companies need to do better with their password policies, according to the study, which found that 41 percent of companies do not use multi-factor authentication and a third allow default passwords to be used without changes.
While every organization is different, the basic security measures are useful across almost every industry and size of company, CIS's Sager said.
"We are all kind of drowning in a soup of bad things," he said. "So 99 percent of what is going on out there applies to everyone."