
    Five Basic Controls Companies Can Implement to Improve Data Hygiene

    By Robert Lemos - August 17, 2018

      Many companies are failing to implement the most basic security controls to lock down their networks and data, an oversight that leaves them less able to respond to attacks and security incidents.

      While security hardening guides that prioritize the most basic steps are freely available from the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and the Defense Information Systems Agency (DISA), 60 percent of companies do not benchmark their progress against those guides, according to a survey conducted by security technology company Tripwire.

      Those companies are forgoing a significant source of security knowledge to put them on the right path, Tim Erlin, vice president of product management and strategy for Tripwire, told eWEEK.

      “There is a lot of research and community contributions that go into those hardening guidelines,” he said. “These days, they are generally evidence-based recommendations about what you should do to eliminate risk in your environment. For those companies, it is a missed opportunity.”

      The CIS Controls guide, for example, breaks down security measures into six groups of basic controls, 10 foundational controls, and four organizational controls. Among the basic steps companies should take are creating an inventory of hardware and software assets, managing vulnerabilities continuously, separating privileged access from normal user accounts, and monitoring log files.

      “We focus pretty tightly on the current problems—what bad guys are doing today and what are the challenges,” Tony Sager, senior vice president CIS, told eWEEK. “The problem in this business is that there is an infinite number of ways that you could improve your security. They are important things, but it can be overwhelming with hundreds and thousands of pages of things to do.”

      Sager often encounters companies that want to know how to get started on improving and institutionalizing their security. He recommends that they implement the foundational controls first.

      “On their own, these will not help you stop any specific attack,” Sager said. “They are part of the infrastructure you need to stop big classes of attacks.”

      Here are the top five ways that companies can incorporate the foundational controls into their security process and improve their cyber hygiene.

      1. Get better visibility into your network operations

      Companies still do not have good visibility into the devices and software on their networks, and the complexity of those networks appears to be getting the better of them.

      Only 29 percent of companies track 90 percent or more of their devices, according to the Tripwire survey. In 2018, only 75 percent of companies were able to remove or isolate an unauthorized device from their network, and 18 percent of companies required days to remove the unknown device. In 2015, 89 percent of companies could claim the same efficiency.

      “It has gotten worse—I don’t know how this can be anything but worse,” Erlin said. “Part of it, no doubt, is that organizations have a skills gap and a talent shortage. But vendors should be responding to these trends and filling the gap.”

      Yet, companies seem to be doing a decent job of keeping track of devices, if not removing them. In 2018, three-quarters of companies detected a new device on the network in hours, compared to 71 percent of companies in 2015.
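
The device-visibility control described above, as an added example (not code from the article, Tripwire or CIS): it reconciles devices observed on the network against an authorized inventory, then reports inventory coverage and unknown devices first seen longer ago than a response window. The inventory, MAC addresses, timestamps and the four-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

def normalize_mac(mac):
    """Canonical form: lowercase hex pairs joined by colons."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(authorized, observed, now, window=timedelta(hours=4)):
    """Compare observed devices with the inventory (window is an assumed SLA)."""
    known = {normalize_mac(m): name for m, name in authorized.items()}
    first_seen = {}
    for mac, seen in observed:
        mac = normalize_mac(mac)
        first_seen[mac] = min(seen, first_seen.get(mac, seen))
    unknown = sorted(m for m in first_seen if m not in known)
    tracked = len(first_seen) - len(unknown)
    return {
        # Share of devices on the wire that the inventory accounts for.
        "coverage": tracked / len(first_seen) if first_seen else 1.0,
        "unknown": unknown,
        # Unknown devices first seen longer ago than the response window.
        "overdue": [m for m in unknown if now - first_seen[m] > window],
        # Inventory entries never observed: stale records or offline assets.
        "not_seen": sorted(n for m, n in known.items() if m not in first_seen),
    }

# Constructed sample data (not from the article).
AUTHORIZED = {
    "00:11:22:33:44:01": "hr-laptop-01",
    "00:11:22:33:44:02": "build-server",
    "00:11:22:33:44:03": "lobby-printer",
    "00:11:22:33:44:04": "spare-laptop",
}
OBSERVED = [  # (MAC as reported by DHCP/switch tables, time seen)
    ("00:11:22:33:44:01", datetime(2018, 8, 17, 8, 0)),
    ("00-11-22-33-44-02", datetime(2018, 8, 17, 8, 5)),
    ("0011.2233.4403", datetime(2018, 8, 17, 8, 7)),
    ("DE:AD:BE:EF:00:99", datetime(2018, 8, 17, 11, 0)),
    ("de:ad:be:ef:00:99", datetime(2018, 8, 17, 9, 30)),
    ("02:00:00:aa:bb:cc", datetime(2018, 8, 17, 13, 30)),
]
NOW = datetime(2018, 8, 17, 14, 0)

if __name__ == "__main__":
    for key, value in reconcile(AUTHORIZED, OBSERVED, NOW).items():
        print(f"{key}: {value}")
```

Normalizing the address format before comparison matters because the same device is reported differently by different sources; without it, authorized devices show up as unknown and coverage is understated.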

      2. Vulnerability scans: Checking the box is not enough

      While vulnerability scanning has become widespread, with 89 percent of companies conducting regular scans, only half of companies do an authenticated scan that uses access to the device to check for specific software flaws.

      This is a major oversight, said Erlin. In addition, only 59 percent of companies are scanning on at least a weekly basis, with 23 percent conducting scans each month and 18 percent conducting scans quarterly or less often.

      “If you are not doing authenticated vulnerability scans, then you are only giving yourself a partial picture of the vulnerability risk in your environment,” he said.

      While DevOps is often seen as a way to integrate software testing into the development process, even DevOps shops are having trouble scanning for vulnerabilities as part of the agile process. Only 54 percent of organizations have implemented a DevOps pipeline scan for vulnerabilities throughout the development lifecycle.

      3. Monitor system logs to improve response

      Knowing what devices are on your network is only part of the battle. Companies also need to gather logs from critical systems and use systems that glean high-quality security events from those logs, said Tripwire’s Erlin. Only 46 percent of organizations have centralized their log collection, according to the company’s study.

      “If you are not collecting logs, then you have no idea what happened on these systems in the case of an incident,” he said. “And it is difficult to collect them after an incident, especially because an attacker can change them.”

      Companies that do not collect logs are also putting themselves in legal jeopardy because most industry requirements and government regulations require that companies monitor—and in some cases, continuously monitor—the logs of critical systems and devices.

      “I don’t know how the companies are complying with regulations if they are not collecting log functions,” Erlin said.

      4. Simplify by outsourcing, moving to the cloud

      While companies have a reasonable handle on defending their perimeter, keeping data secure means encrypting data, knowing where your data is and securing mobile devices. About 38 percent of companies are not able to reliably enforce configuration settings on devices.

      These are issues that managed security startup Expel commonly sees among its prospective clients. Part of the problem is that the IT and security teams are overwhelmed dealing with bespoke hardware on site.

      “One of the biggest challenges they have is that they still run their own stuff and they have huge amounts of legacy infrastructure that they need to maintain,” Bruce Potter, Expel’s chief information security officer, told eWEEK. 

      “When you look at these organizations, there are things that most companies shouldn’t do anymore, such as run their own mail servers, or run their own accounting systems, or host their own Web site. These are things that other providers do professionally, singularly and very well. So companies should get that outside of their walls.”

      5. Focus on privileged access

      Most companies—88 percent—use a dedicated account for administrative tasks, a basic control in the CIS document. Yet fewer than half of companies take the extra step of using dedicated workstations for administrative activities, according to the Tripwire survey.

      “If you control administrative access, especially within your user community, you can dramatically reduce the amount of risk, because many of the attacks that occur in a user environment,” Tripwire’s Erlin said.

      In general, companies need to do better with their password policies, according to the study, which found that 41 percent of companies do not use multi-factor authentication and a third allow default passwords to be used without changes.

      While every organization is different, the basic security measures are useful across almost every industry and size of company, CIS’s Sager said.

      “We are all kind of drowning in a soup of bad things,” he said. “So 99 percent of what is going on out there applies to everyone.”

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.